D-Link DFL-260E User Manual for DFL-260E - Page 180
4.2.6. Proxy ARP    Chapter 4. Routing

Consecutive success
The number of consecutive successes that must occur before a route is marked as being available.
Default: 5

Gratuitous ARP on fail
Send a gratuitous ARP on HA failover to alert hosts of the changes in interface Ethernet and IP addresses.
Default: Enabled

4.2.6. Proxy ARP

Overview

As discussed previously in Section 3.5, "ARP", the ARP protocol facilitates a mapping between an IP address and the MAC address of a host on an Ethernet network. However, situations may exist where a network running Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the NetDefend Firewall using the feature known as Proxy ARP.

The splitting of an Ethernet network into distinct parts so that traffic between them can be controlled is a common usage of the proxy ARP feature. NetDefendOS rule sets can then be used to impose security policies on the traffic passing between the different network parts.

A Typical Scenario

As an example of a typical proxy ARP scenario, consider a network split into two sub-networks with a NetDefend Firewall between the two. Host A on one sub-network might send an ARP request to find out the MAC address for the IP address of host B on the other sub-network. With the proxy ARP feature configured, NetDefendOS responds to this ARP request instead of host B. NetDefendOS sends its own MAC address in reply, pretending to be the target host. After receiving the reply, host A then sends data directly to NetDefendOS, which forwards the data to host B. In the process NetDefendOS checks the traffic against the configured rule sets.

Setting Up Proxy ARP

Setting up proxy ARP is done by specifying the option for a route in a routing table. Let us suppose we have a network that is divided into two parts, called net_1 and net_2. The network net_1 is connected to the interface if1 and the network net_2 is connected to the interface if2. In NetDefendOS there will be a route configured that says net_1 can be found on if1. This might be called route_1. For route_1 it is possible to specify the option that this network should be proxy ARP'ed on interface if2. Now any ARP request issued by a net_2 host connected to if2 looking for an IP address in net_1 will get a positive response from NetDefendOS. In other words, NetDefendOS will pretend that the net_1 address is found on if2 and will forward data traffic to net_1. In the same way, net_2 could be published on the interface if1 so that there is a mirroring of routes
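The decision the firewall makes for each ARP request, modelled as an added example (not NetDefendOS code; the route fields, interface names, subnets and firewall MAC are constructed for illustration). It shows the net_1/net_2 mirroring above and the two cases where the firewall must stay silent: when the target is on the requesting segment, where the real host should answer, and when the route is not published on the ingress interface.

```python
import ipaddress
from dataclasses import dataclass, field

FIREWALL_MAC = "00:00:5e:00:53:01"  # constructed sample MAC for the NetDefend Firewall


@dataclass
class Route:
    network: ipaddress.IPv4Network        # e.g. net_1
    interface: str                        # interface the network is really behind (if1)
    proxy_arp_on: set = field(default_factory=set)  # interfaces to proxy-ARP it on (if2)


def lookup(routes, ip):
    """Longest-prefix match over the routing table."""
    best = None
    for r in routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def answer_arp(routes, ingress_if, target_ip):
    """MAC the firewall places in its ARP reply, or None if it does not answer."""
    route = lookup(routes, ipaddress.IPv4Address(target_ip))
    if route is None or route.interface == ingress_if:
        # Unknown target, or the target lives on the requesting segment:
        # answering here would compete with the real host, so stay silent.
        return None
    if ingress_if in route.proxy_arp_on:
        # Route is published on this interface: claim the address so the
        # sender's traffic reaches the firewall and passes through the rule sets.
        return FIREWALL_MAC
    return None


def mirrored_routes(net_1, net_2):
    """net_1 behind if1, published on if2; net_2 behind if2, published on if1."""
    return [
        Route(ipaddress.IPv4Network(net_1), "if1", {"if2"}),  # route_1
        Route(ipaddress.IPv4Network(net_2), "if2", {"if1"}),  # route_2
    ]


if __name__ == "__main__":
    routes = mirrored_routes("192.0.2.0/25", "192.0.2.128/25")
    print(answer_arp(routes, "if2", "192.0.2.10"))   # host on net_2 asks for net_1 -> firewall MAC
    print(answer_arp(routes, "if1", "192.0.2.10"))   # same target asked on its own segment -> None
```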