Advanced Network Settings Overview
In the Advanced Network screens, you can configure the following network settings:
Configuring ARP Cache Entries
Use the ARP option to manually add entries to the Address Resolution Protocol (ARP) cache. The ARP cache contains associations of IP addresses to physical machine addresses, known as media access control (MAC) addresses. ARP normally resolves unknown IP addresses and updates its cache automatically. You can manually add ARP cache entries, if necessary, for testing or troubleshooting purposes.
To add an ARP cache entry:
1. Click the Add icon in the ARP configuration screen.
2. Specify the IP address, interface, and MAC address for the ARP entry.
For a more detailed explanation about configuring ARP entries on security devices, see the arp commands in the NetScreen CLI Reference Guide.
Configuring VIP Options
A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header. You can set a VIP only on an interface in the Untrust zone. The IP address for the VIP must be in the same subnet as an interface in the Untrust zone. (On some security devices, the IP address for the VIP can be the same address as the Untrust zone interface.) In addition, you need the following information to define a VIP:
- The IP addresses for the servers that process the requests
- The type of service you want the security device to forward from the VIP to the IP address of the host
Use the VIP Options configuration screen to set multiple port entries for VIPs. A single VIP can support custom services with multiple port entries by creating multiple service entries under that VIP. To use multiple-port services in a VIP, you need to enable multiple-port services and then reset the security device.
For a more detailed explanation about configuring VIPs on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.
Configuring DIP Options
Use DIP Options to control how dynamic IP (DIP) translation operates.
When DIP is configured on an interface, the security device normally assigns a different source IP address for each session, even when a single host initiates several sessions that require NAT using the DIP pool. This random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.
For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messaging (AIM) client. You create one session when you log in, and another for each chat. For the AIM server to verify that a new chat belongs to an authenticated user, it must match the source IP address of the login session with that of the chat session. If they are different—possibly because they were randomly assigned from a DIP pool during the NAT process—the AIM server rejects the chat session.
To ensure that the device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions, select DIP Translation Stickiness.
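The effect of DIP Translation Stickiness described above, as an added Python model that is not part of the original documentation and is not ScreenOS code. The class and function names, the addresses, and the rule that a binding lasts while the host has open sessions are assumptions; the pool rotates through its addresses in place of the device's random choice so the result is reproducible.

```python
from itertools import cycle

POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]  # constructed

class DipPool:
    """Toy model of a DIP pool (constructed for illustration)."""
    def __init__(self, addresses, sticky=False):
        # Rotation stands in for the device's random assignment so that
        # consecutive sessions always receive different addresses.
        self._next = cycle(addresses)
        self.sticky = sticky
        self._bound = {}  # host -> [translated address, open session count]

    def open_session(self, host):
        """Return the translated source address for a new session from host."""
        if self.sticky and host in self._bound:
            self._bound[host][1] += 1
            return self._bound[host][0]
        addr = next(self._next)
        if self.sticky:
            self._bound[host] = [addr, 1]
        return addr

    def close_session(self, host):
        """Assumption: the binding is released when the host's last session ends."""
        if host in self._bound:
            self._bound[host][1] -= 1
            if self._bound[host][1] == 0:
                del self._bound[host]

class LoginBoundServer:
    """Server that accepts a chat only from the address the user logged in from."""
    def __init__(self):
        self._login_addr = {}

    def login(self, user, src):
        self._login_addr[user] = src

    def chat(self, user, src):
        return self._login_addr.get(user) == src

def run_client(pool, host="10.1.1.5", user="alice", chats=3):
    """Log in once, then open `chats` more sessions; return accept/reject per chat."""
    server = LoginBoundServer()
    server.login(user, pool.open_session(host))
    return [server.chat(user, pool.open_session(host)) for _ in range(chats)]
```

Calling `run_client(DipPool(POOL))` shows every chat session rejected, while `run_client(DipPool(POOL, sticky=True))` shows them all accepted.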
For a more detailed explanation about configuring DIP options on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.
For details about creating a DIP group, see Example: Configuring DIP Groups (NSM Procedure).