Proxy ARP
Understanding Proxy ARP
You can configure proxy Address Resolution Protocol (ARP) to enable the switch to respond to ARP queries for network addresses by offering its own Ethernet media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination.
Proxy ARP is useful in situations where hosts are on different physical networks and you do not want to use subnet masking. Because ARP broadcasts are not propagated between hosts on different physical networks, hosts will not receive a response to their ARP request if the destination is on a different subnet. Enabling the switch to act as an ARP proxy allows the hosts to transparently communicate with each other through the switch. Proxy ARP can help hosts on a subnet reach remote subnets without your having to configure routing or a default gateway.
Benefits of Using Proxy ARP
Enables the switch to respond to ARP queries for network addresses by offering its own Ethernet media access control (MAC) address.
Allows hosts to communicate transparently with each other through the switch, which acts as an ARP proxy.
Helps hosts on a subnet reach remote subnets without your having to configure routing or a default gateway.
What Is ARP?
Ethernet LANs use ARP to map Ethernet MAC addresses to IP addresses. Each device maintains a cache containing a mapping of MAC addresses to IP addresses. The switch maintains this mapping in a cache that it consults when forwarding packets to network devices. If the ARP cache does not contain an entry for the destination device, the host (the DHCP client) broadcasts an ARP request for that device's address and stores the response in the cache.
Proxy ARP Overview
When proxy ARP is enabled, if the switch receives an ARP request for which it has a route to the target (destination) IP address, the switch responds by sending a proxy ARP reply packet containing its own MAC address. The host that sent the ARP request then sends its packets to the switch, which forwards them to the intended host.
For security reasons, the source address in an ARP request must be on the same subnet as the interface on which the ARP request is received.
You can configure proxy ARP for each interface. You can also configure proxy ARP for an integrated routing and bridging (IRB) interface named irb or a routed VLAN interface (RVI) named vlan. (On EX Series switches that use Juniper Networks Junos operating system (Junos OS) with support for the Enhanced Layer 2 Software (ELS) configuration style, the feature is known as an IRB interface. On EX Series switches that use Junos OS that does not support ELS, the feature is known as an RVI.)
Two modes of proxy ARP are supported: restricted and unrestricted. Both modes require that the switch have an active route to the destination address of the ARP request.
Restricted—The switch responds to ARP requests in which the physical networks of the source and target are different and does not respond if the source and target IP addresses are on the same subnet. In this mode, hosts on the same subnet communicate without proxy ARP. We recommend that you use this mode on the switch.
Unrestricted—The switch responds to all ARP requests for which it has a route to the destination. This is the default mode (because it is the default mode in Juniper Networks Junos operating system (Junos OS) configurations other than those on the switch). We recommend using restricted mode on the switch.
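The reply rules described above (source-subnet check, active-route requirement, and the restricted-mode exception) can be modeled in a few lines. This is an added example, not Junos OS code; the function name, the simplified route list, and the addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def proxy_arp_reply(mode, iface, source_ip, target_ip, routes):
    """Return (reply, reason) for one ARP request under the rules on this page.

    mode   -- "restricted" or "unrestricted"
    iface  -- receiving interface address with prefix, e.g. "10.1.1.1/24"
    routes -- prefixes the switch has an active route to (simplified route table)
    """
    if mode not in ("restricted", "unrestricted"):
        raise ValueError(f"unknown proxy ARP mode: {mode}")
    net = ipaddress.ip_interface(iface).network
    src = ipaddress.ip_address(source_ip)
    tgt = ipaddress.ip_address(target_ip)

    # Security check: the requester must be on the receiving interface's subnet.
    if src not in net:
        return False, "source not on interface subnet"
    # Both modes require an active route to the target address.
    if not any(tgt in ipaddress.ip_network(r) for r in routes):
        return False, "no route to target"
    # Restricted mode stays silent when source and target share a subnet,
    # so those hosts resolve each other directly.
    if mode == "restricted" and tgt in net:
        return False, "same subnet (restricted)"
    return True, "proxied with switch MAC"

# Constructed sample data: one directly connected subnet and one remote subnet.
IFACE = "10.1.1.1/24"
ROUTES = ["10.1.1.0/24", "10.2.2.0/24"]

if __name__ == "__main__":
    cases = [
        ("restricted", "10.1.1.10", "10.2.2.20"),    # remote target: proxied
        ("restricted", "10.1.1.10", "10.1.1.20"),    # same subnet: not proxied
        ("unrestricted", "10.1.1.10", "10.1.1.20"),  # same subnet: proxied
        ("restricted", "192.0.2.5", "10.2.2.20"),    # off-subnet source: ignored
        ("unrestricted", "10.1.1.10", "10.9.9.9"),   # no route: ignored
    ]
    for mode, src, tgt in cases:
        print(mode, src, tgt, proxy_arp_reply(mode, IFACE, src, tgt, ROUTES))
```

The third case shows why unrestricted mode is discouraged: the switch answers for a host that could have answered for itself.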
Best Practices for Proxy ARP
We recommend these best practices for configuring proxy ARP on the switches:
Set proxy ARP to restricted mode.
Use restricted mode when configuring proxy ARP on RVIs or IRB interfaces.
If you set proxy ARP to unrestricted, disable gratuitous ARP requests on each interface enabled for proxy ARP.
Configuring Proxy ARP on Devices with ELS Support
This task uses Junos OS for EX Series switches and QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Proxy ARP on Switches or Configuring Proxy ARP. For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can configure proxy Address Resolution Protocol (ARP) on your switch to enable the switch to respond to ARP queries for network addresses by offering its own media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination.
To configure proxy ARP on a single interface:
[edit interfaces]
user@switch# set interface-name unit logical-unit-number proxy-arp (restricted | unrestricted)
We recommend that you configure proxy ARP in restricted mode. In restricted mode, the switch does not act as a proxy if the source and target IP addresses are on the same subnet. If you decide to use unrestricted mode, disable gratuitous ARP requests on the interface to avoid a situation wherein the switch’s response to a gratuitous ARP request appears to the host to be an indication of an IP conflict.
To configure proxy ARP on an integrated routing and bridging (IRB) interface:
[edit interfaces]
user@switch# set irb.logical-unit-number proxy-arp restricted
Configuring Proxy ARP on Switches
This task uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring Proxy ARP on Devices with ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can configure proxy Address Resolution Protocol (ARP) on your EX Series switch to enable the switch to respond to ARP queries for network addresses by offering its own media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination.
To configure proxy ARP on a single interface:
[edit interfaces]
user@switch# set ge-0/0/3 unit 0 proxy-arp restricted
We recommend that you configure proxy ARP in restricted mode. In restricted mode, the switch is not a proxy if the source and target IP addresses are on the same subnet. If you use unrestricted mode, disable gratuitous ARP requests on the interface to avoid the situation of the switch’s response to a gratuitous ARP request appearing to the host to be an indication of an IP conflict:
To configure proxy ARP on a routed VLAN interface (RVI):
[edit interfaces]
user@switch# set vlan unit 100 proxy-arp restricted
Configuring Proxy ARP
You can configure proxy Address Resolution Protocol (ARP) to enable the switch to respond to ARP queries for network addresses by offering its own media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination.
To configure proxy ARP on a single interface:
[edit interfaces]
user@switch# set xe-0/0/3 unit 0 proxy-arp restricted
We recommend that you configure proxy ARP in restricted mode. In restricted mode, the switch is not a proxy if the source and target IP addresses are on the same subnet. If you use unrestricted mode, disable gratuitous ARP requests on the interface to avoid the situation of the switch’s response to a gratuitous ARP request appearing to the host to be an indication of an IP conflict:
To configure proxy ARP on a routed VLAN interface (RVI):
[edit interfaces]
user@switch# set vlan unit 100 proxy-arp restricted
Verifying That Proxy ARP Is Working Correctly
Purpose
Verify that the switch is sending proxy ARP messages.
Action
List the system statistics for ARP:
user@switch> show system statistics arp
arp:
    90060 datagrams received
    34 ARP requests received
    610 ARP replies received
    2 resolution request received
    0 unrestricted proxy requests
    0 restricted proxy requests
    0 received proxy requests
    0 unrestricted proxy requests not proxied
    0 restricted proxy requests not proxied
    0 datagrams with bogus interface
    0 datagrams with incorrect length
    0 datagrams for non-IP protocol
    0 datagrams with unsupported op code
    0 datagrams with bad protocol address length
    0 datagrams with bad hardware address length
    0 datagrams with multicast source address
    0 datagrams with multicast target address
    0 datagrams with my own hardware address
    0 datagrams for an address not on the interface
    0 datagrams with a broadcast source address
    294 datagrams with source address duplicate to mine
    89113 datagrams which were not for me
    0 packets discarded waiting for resolution
    0 packets sent after waiting for resolution
    309 ARP requests sent
    35 ARP replies sent
    0 requests for memory denied
    0 requests dropped on entry
    0 requests dropped during retry
    0 requests dropped due to interface deletion
    0 requests on unnumbered interfaces
    0 new requests on unnumbered interfaces
    0 replies for from unnumbered interfaces
    0 requests on unnumbered interface with non-subnetted donor
    0 replies from unnumbered interface with non-subnetted donor
Meaning
The statistics show that two proxy ARP requests were received. The unrestricted proxy requests not proxied and restricted proxy requests not proxied fields indicate that all the unproxied ARP requests received have been proxied by the switch.
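For routine checks, the proxy counters can be pulled out of the `show system statistics arp` output with a small parser. This is an added example, not a Juniper tool; the sample text is constructed, and treating a nonzero unrestricted counter as a sign that unrestricted mode is in use is an assumption about the counter's meaning.

```python
import re

# Counter entries look like "<number> <description>"; descriptions contain no
# digits, so the same pattern works on one-per-line and flattened output.
COUNTER = re.compile(r"(\d+)\s+(\D+?)(?=\s+\d|\s*$)")

PROXY_FIELDS = (
    "received proxy requests",
    "unrestricted proxy requests",
    "restricted proxy requests",
    "unrestricted proxy requests not proxied",
    "restricted proxy requests not proxied",
)

def parse_arp_stats(text):
    """Map each counter description to its integer value."""
    return {name.strip(): int(value) for value, name in COUNTER.findall(text)}

def proxy_arp_summary(text):
    """Return the proxy ARP counters plus a flag for unrestricted activity."""
    stats = parse_arp_stats(text)
    missing = [f for f in PROXY_FIELDS if f not in stats]
    if missing:
        raise KeyError(f"counters missing from output: {missing}")
    summary = {f: stats[f] for f in PROXY_FIELDS}
    # Assumption: a nonzero unrestricted counter means some interface answers
    # in unrestricted mode, contrary to the restricted-mode recommendation.
    summary["unrestricted_in_use"] = stats["unrestricted proxy requests"] > 0
    return summary

# Constructed sample (values are illustrative, not from a real switch).
SAMPLE = """arp:
    1200 datagrams received
    40 ARP requests received
    7 received proxy requests
    2 unrestricted proxy requests
    5 restricted proxy requests
    0 unrestricted proxy requests not proxied
    1 restricted proxy requests not proxied
    38 ARP replies sent
"""

if __name__ == "__main__":
    for field, value in proxy_arp_summary(SAMPLE).items():
        print(f"{field}: {value}")
```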