Example - Configuring Restricted and Unrestric

This document provides an example of how to configure restricted and unrestricted proxy ARP on a Juniper SRX device. It explains that SRX devices do not respond to proxy ARP requests by default if the source and target IP addresses are on different networks. It then demonstrates configuring restricted proxy ARP to allow responses only when the source and target are on different networks, as well as showing the ARP requests and responses seen on the interface with and without the configuration.

Uploaded by

Li Kang

2020/11/11 Example - Configuring restricted and unrestricted proxy ARP on an SRX device - Juniper Networks

Example - Configuring restricted and unrestricted proxy ARP on an SRX device

Article ID: KB26906 KB Last Updated: 30 Jun 2020 Version: 2.0

SUMMARY:
This article provides information on how to configure restricted and unrestricted proxy
ARP on an SRX device.

SYMPTOMS:
SRX devices do not respond to proxy ARP requests from remote peers if the source IP
address in the ARP request packet does not belong to the same network segment as the
interface that receives the ARP request.

SOLUTION:

Topology:
Source------10.246.65.243/23[ge-0/0/12](SRX)10.246.69.1/24-----Destination
10.246.64.41/21                                            10.246.69.10/24

To configure restricted or unrestricted proxy ARP, include the proxy-arp statement:

proxy-arp (restricted | unrestricted);

You can include this statement at the following hierarchy levels:

[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Options:

none - The router or switch will respond to any ARP request for a local or remote
address, if the router or switch has a route to the target IP address.

restricted (optional) - The router or switch will respond to ARP requests in which the
physical networks of the source and target are different, and does not respond if the
source and target IP addresses are in the same subnet. The router or switch must also
have a route to the target IP address.

unrestricted (optional) - The router or switch responds to any ARP request for a local or
remote address, if the router or switch has a route to the target IP address.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26906&cat=SRX_SERIES&actp=LIST 1/4

The default is unrestricted. To return to the default option, that is, to disable restricted or
unrestricted proxy ARP, delete the proxy-arp statement from the configuration:

[edit]
user@host# delete interfaces interface-name unit logical-unit-number proxy-arp

You can track the number of restricted or unrestricted proxy ARP requests that are
processed by the router or switch by issuing the show system statistics arp operational
mode command.
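The option descriptions above can be read as a small decision procedure. The following is an added example, not code from the article or from Junos: it models the reply decision for the page's interface and source host, and it assumes that "same subnet" is judged against the receiving interface's prefix and that the route table holds only the two connected networks from the topology. The targets 10.246.65.10 and 192.0.2.10 are constructed.

```python
import ipaddress

# Values taken from the page's topology and interface configuration.
IFACE = "10.246.65.252/23"                     # ge-0/0/12.0
ROUTES = ["10.246.64.0/23", "10.246.69.0/24"]  # connected networks (assumed route table)
SOURCE = "10.246.64.41"                        # host sending the ARP requests

def has_route(routes, ip):
    """True if any prefix in the (assumed) route table covers ip."""
    return any(ip in ipaddress.ip_network(r) for r in routes)

def proxy_arp_replies(mode, iface_cidr, routes, source, target):
    """Model of the option text. mode is None (no proxy-arp statement),
    "restricted" or "unrestricted". Covers proxy replies only, not ARP
    for the device's own addresses."""
    if mode not in (None, "restricted", "unrestricted"):
        raise ValueError(f"unknown mode: {mode!r}")
    iface_net = ipaddress.ip_interface(iface_cidr).network
    src, tgt = ipaddress.ip_address(source), ipaddress.ip_address(target)
    if mode is None:
        return False   # first capture on the page: requests go unanswered
    if not has_route(routes, tgt):
        return False   # both options require a route to the target
    if mode == "unrestricted":
        return True    # any local or remote target with a route
    # restricted. Assumption: "same subnet" is judged against the prefix of
    # the interface that received the request.
    return not (src in iface_net and tgt in iface_net)

def decision_table(targets):
    """Reply decision for every mode/target pair, keyed (mode, target)."""
    return {(mode, t): proxy_arp_replies(mode, IFACE, ROUTES, SOURCE, t)
            for mode in (None, "restricted", "unrestricted") for t in targets}

if __name__ == "__main__":
    # 10.246.69.10 is the page's destination; the other two are constructed.
    table = decision_table(["10.246.69.10", "10.246.65.10", "192.0.2.10"])
    for key, reply in table.items():
        print(key, "->", "reply" if reply else "no reply")
```

The row for 10.246.65.10 is where the two options differ: in this model unrestricted also answers for a neighbour on the requester's own segment, which restricted does not.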

Configuration Example:

With the following configuration on SRX:

root@SRX240HM-8# show | match ge-0/0/12 | display set
set interfaces ge-0/0/12 unit 0 family inet address 10.246.65.252/23
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic system-services all
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic protocols all

Here is what happens to the ARP request:

[edit]
root@SRX240HM-8# run monitor traffic interface ge-0/0/12
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/12, capture size 96 bytes

Reverse lookup for 10.246.69.10 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:17:01.688956 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:02.594916 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:03.300404 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:03.905087 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:04.812153 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:05.723088 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:06.327252 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:07.234327 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:08.040390 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:08.644876 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:09.757774 In arp who-has 10.246.69.10 tell 10.246.64.41
^C
12 packets received by filter
0 packets dropped by kernel

[edit]
root@SRX240HM-8#

When the following command is added, the ARP reply is sent:

root@SRX240HM-8# set interfaces ge-0/0/12 unit 0 proxy-arp restricted

[edit]
root@SRX240HM-8# show | match ge-0/0/12 | display set
set interfaces ge-0/0/12 unit 0 proxy-arp unrestricted
set interfaces ge-0/0/12 unit 0 family inet address 10.246.65.252/23
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic system-services all
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic protocols all

[edit]

[edit]
root@SRX240HM-8# run monitor traffic interface ge-0/0/12
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/12, capture size 96 bytes

Reverse lookup for 10.246.69.10 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:19:11.017490 In arp who-has 10.246.69.10 tell 10.246.64.41
20:19:11.017821 Out arp reply 10.246.69.10 is-at a8:d0:e5:a9:e4:8c <<<< ARP REPLY SENT
^C
2 packets received by filter
0 packets dropped by kernel

[edit]
root@SRX240HM-8#
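To compare captures like the two above without reading them line by line, the ARP lines can be parsed and paired. This is an added example, not part of the article: it counts requests per target, records the MAC the device answered with, and marks a reply as proxied when the target lies outside the interface's own prefix. The sample text is excerpted from the page's captures, and the function names are hypothetical.

```python
import ipaddress
import re

# ARP lines as printed by "monitor traffic" in the captures on this page.
ARP_LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+arp\s+(?:"
    r"who-has\s+(?P<target>[\d.]+)\s+tell\s+(?P<asker>[\d.]+)|"
    r"reply\s+(?P<ip>[\d.]+)\s+is-at\s+(?P<mac>[0-9a-fA-F:]{17}))"
)

def summarize_arp(capture, iface_cidr):
    """Per target IP: requests received, MACs this device answered with, and
    whether those answers are proxy replies (target outside iface subnet)."""
    iface_net = ipaddress.ip_interface(iface_cidr).network
    summary = {}
    for line in capture.splitlines():
        m = ARP_LINE.match(line.strip())
        if m is None:
            continue  # banners, prompts, packet counters
        ip = m["target"] or m["ip"]
        entry = summary.setdefault(
            ip, {"requests": 0, "reply_macs": [], "proxied": False})
        if m["target"] and m["dir"] == "In":
            entry["requests"] += 1
        elif m["mac"] and m["dir"] == "Out":
            entry["reply_macs"].append(m["mac"].lower())
            entry["proxied"] = ipaddress.ip_address(ip) not in iface_net
    return summary

def unanswered(summary):
    """Targets that were requested but never answered by this device."""
    return sorted(ip for ip, e in summary.items()
                  if e["requests"] and not e["reply_macs"])

# Excerpts of the page's two captures (first three lines of the first one).
BEFORE = """\
20:17:01.688956 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:02.594916 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:03.300404 In arp who-has 10.246.69.10 tell 10.246.64.41
12 packets received by filter
"""
AFTER = """\
20:19:11.017490 In arp who-has 10.246.69.10 tell 10.246.64.41
20:19:11.017821 Out arp reply 10.246.69.10 is-at a8:d0:e5:a9:e4:8c <<<< ARP REPLY SENT
"""

if __name__ == "__main__":
    for name, cap in (("before", BEFORE), ("after", AFTER)):
        s = summarize_arp(cap, "10.246.65.252/23")
        print(name, s, "unanswered:", unanswered(s))
```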

MODIFICATION HISTORY:
2020-06-30: Article reviewed for accuracy; no changes required.
