Address Resolution Protocol
Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address).
In an Ethernet environment, Address Resolution Protocol (ARP) is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured.
Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host searches its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.
Note: For information about MAC address validation, see MAC Address Validation.
How ARP Works
Figure 8 and Figure 9 show how ARP works where host 1 sends an IP packet to host 2 on a different subnet. To complete this transmission, host 1 needs the MAC address of router 1, to be used as the forwarding gateway.
A typical scenario is:
- Host 1 broadcasts an ARP request to all devices on subnet 1. The request consists of a query containing the IP address of router 1. The IP address of router 1 is needed because host 2 is on a different subnet.
- All devices on subnet 1 compare their IP address with the enclosed IP address sent by host 1.
- Having the matching IP address, router 1 sends an ARP response, which includes its MAC address, to host 1.
Figure 8: Sample ARP Process—1 through 3

- Host 1 transmits the IP packet to layer 3 DA (host 2) using router 1’s MAC address.
- Router 1 forwards the IP packet to host 2. Router 1 might send an ARP request to identify the MAC address of host 2. (See Figure 9.)
Figure 9: Sample ARP Process—4 and 5

ARP forces all receiving hosts to compare their IP addresses with the IP address of the ARP request. So if host 1 sends another IP packet to host 2, host 1 searches its ARP table for the router 1 MAC address.
If the default router/gateway becomes unavailable, then all the routing/packet forwarding to remote destinations ceases. Usually, manual intervention is required to restore connectivity, even though alternative paths may be available. Alternatively, Virtual Router Redundancy Protocol (VRRP) may be used to prevent loss of connectivity. See JunosE IP Services Configuration Guide.
arp
- Use to add a static (permanent) entry in the ARP cache.
- To add a static entry in the ARP cache, specify the ipAddress, interfaceType and interfaceSpecifier (as indicated in Interface Types and Specifiers in JunosE Command Reference Guide), and an optional MAC address.
- You can issue this command only for Fast Ethernet interfaces, Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and bridged Ethernet interfaces configured over ATM 1483.
- Example
  host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170
- Use the no version to remove an entry from the ARP cache.
- See arp
arp spoof-check
- Use to configure the router to check for spoofed ARP packets received on an IP interface.
- By default, E Series routers check all received ARP packets for spoofing and process only those ARP packets whose source IP address is outside the range of the network mask. ARP packets with a source IP address of 0.0.0.0 and the router IP address as the destination address are dropped because the router identifies them as spoofed packets.
- In networks with digital subscriber line access multiplexers (DSLAMs), even if you configure the router to check for spoofed ARP packets, DSLAMs perform this task instead of the router. If you disable checking for spoofed ARP packets on the router in such networks, DSLAMs forward the received packets to the router for processing. You can, therefore, configure the router accordingly, depending on the way in which you want spoof-checking to be performed.
- You cannot configure ARP spoof-checking on interfaces that do not support ARP, such as loopback interfaces and ATM point-to-point PVCs.
- If you disable checking for spoofed ARP packets, all packets received by the router are processed.
- You can reenable checking for spoofed ARP packets on an interface at any time by using the arp spoof-check command after disabling it.
- Example—Shows how to disable spoof-checking for ARP packets received on a Gigabit Ethernet interface and then reenable it.
  host1(config-if)#interface gigabitEthernet 1/1
  host1(config-if)#no arp spoof-check
  host1(config-if)#arp spoof-check
- Use the no version to disable checking for spoofed ARP packets received on a major IP interface or an IP subinterface.
- See arp spoof-check.
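Steps 1 through 3 of the ARP exchange in How ARP Works, together with the 0.0.0.0-source rule from the spoof-check description, as an added Python example (not JunosE code). Host 1's addresses are constructed, router 1 reuses the address pair from the arp example on this page, and all function names are hypothetical.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def pack_arp(oper, sha, spa, tha, tpa):
    """Build the 28-byte ARP payload for Ethernet (htype 1) and IPv4 (ptype 0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                       socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into a dict; raise ValueError otherwise."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}

def handle_request(payload, my_ip, my_mac, spoof_check=True):
    """Return ('reply', bytes), ('ignore', None) or ('drop', None) for one request."""
    arp = parse_arp(payload)
    if arp["oper"] != REQUEST or arp["tpa"] != my_ip:
        return "ignore", None          # step 2: the queried IP address is not ours
    if spoof_check and arp["spa"] == "0.0.0.0":
        return "drop", None            # source 0.0.0.0 aimed at the router's own IP
    # Step 3: answer the sender directly with our MAC address.
    return "reply", pack_arp(REPLY, my_mac, my_ip, arp["sha"], arp["spa"])

ROUTER_IP = "192.56.20.1"                      # pair from the arp example above
ROUTER_MAC = bytes.fromhex("00901a000170")
HOST1_IP = "192.56.20.10"                      # constructed
HOST1_MAC = bytes.fromhex("020000000001")      # constructed

if __name__ == "__main__":
    query = pack_arp(REQUEST, HOST1_MAC, HOST1_IP, bytes(6), ROUTER_IP)  # step 1
    verdict, reply = handle_request(query, ROUTER_IP, ROUTER_MAC)
    print(verdict, parse_arp(reply)["sha"].hex())
    probe = pack_arp(REQUEST, HOST1_MAC, "0.0.0.0", bytes(6), ROUTER_IP)
    print(handle_request(probe, ROUTER_IP, ROUTER_MAC)[0])
```

Passing spoof_check=False models the no arp spoof-check state, in which every received ARP packet is processed.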
arp timeout
- Use to specify how long an entry remains in the ARP cache.
- You can issue this command only for Fast Ethernet interfaces, Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and bridged Ethernet interfaces configured over ATM 1483.
- The default value is 21,600 seconds (6 hours). Use the show config command to display the current value.
- If you specify a timeout of 0 seconds, entries are never cleared from the ARP cache.
- Example
  host1(config-if)#arp timeout 8000
- Use the no version to restore the default value.
- See arp timeout
clear arp
- Use to clear dynamic entries from the ARP cache.
- To clear a particular entry, specify all of the following:
  - ipAddress—IP address in four-part dotted-decimal format corresponding to the local data link address
  - interfaceType—Interface type; see Interface Types and Specifiers in JunosE Command Reference Guide
  - interfaceSpecifier—Particular interface; format varies according to interface type; see Interface Types and Specifiers in JunosE Command Reference Guide
- To clear all dynamic ARP entries, specify an asterisk (*).
- Example
  host1#clear arp
- There is no no version.
- See clear arp
ip proxy-arp
- Use to enable proxy ARP on an Ethernet or bridge1483 interface.
- Proxy ARP is enabled by default.
- Example
  host1(config-if)#ip proxy-arp unrestricted
- Use the no version to disable proxy ARP on the interface.
- See ip proxy-arp
MAC Address Validation
MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packet’s source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if it does not match, the packet is dropped.
Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12 ATM line modules on ERX routers and on OC3/OC12 ATM IOAs on the E120 and E320 routers.
MAC address validation on the E Series router can be accomplished in two ways:
- You can statically configure it on a physical interface via the arp validate command.
- You can enable DHCP to perform the function independently and dynamically. See JunosE Link Layer Configuration Guide.
The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface.
If the validation is added statically via the CLI, the IP address–MAC address pairs are stored in NVS. The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.
Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.
You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See JunosE Physical Layer Configuration Guide or JunosE Link Layer Configuration Guide for information.
A dynamic IP subscriber interface inherits the MAC address validation state (enabled or disabled) configured for its parent static primary IP interface. See Configuring Subscriber Interfaces in the JunosE Broadband Access Configuration Guide for information.
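The validation-table lookup described in this section, as an added Python model that is not part of the JunosE documentation or software: it extracts the source IP address and source MAC address from an untagged Ethernet II/IPv4 frame and compares them with a table written in the page's dotted MAC notation. The function names, the sample frames and the `no-entry` verdict for addresses without a table entry are assumptions for illustration; the page does not say how such packets are handled.

```python
import socket
import struct

def parse_mac(text):
    """Turn dotted (0090.1a00.0170) or colon notation into 6 raw bytes."""
    digits = text.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"MAC needs 12 hex digits: {text!r}")
    return bytes.fromhex(digits)

def source_pair(frame):
    """Return (source IP, source MAC) of an untagged Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), frame[6:12]

def validate(frame, table, enabled=True):
    """Verdict for one incoming frame against an {ip: mac_bytes} validation table."""
    if not enabled:                          # entries are used only when validation is on
        return "forward"
    pair = source_pair(frame)
    if pair is None:
        return "not-ipv4"
    ip, mac = pair
    if ip not in table:
        return "no-entry"                    # assumption: handling not stated on the page
    return "forward" if table[ip] == mac else "drop"

def build_frame(src_mac, src_ip, dst_ip="192.56.20.254"):
    """Constructed test frame: broadcast destination, minimal IPv4 header, no payload."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + src_mac + struct.pack("!H", 0x0800) + ip_header

# Pair taken from the arp validate example on this page.
TABLE = {"192.56.20.1": parse_mac("0090.1a00.0170")}

if __name__ == "__main__":
    genuine = build_frame(parse_mac("0090.1a00.0170"), "192.56.20.1")
    spoofed = build_frame(parse_mac("0200.0000.0099"), "192.56.20.1")  # constructed MAC
    print(validate(genuine, TABLE), validate(spoofed, TABLE))
```

The `enabled` flag stands in for the per-interface state set with ip mac-validate.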
arp validate
- Use to add IP address–MAC address validation pairs. When validation is enabled, all packets with the source IP address received on this IP interface are validated against the IP-MAC entries.
- To add a validation pair, specify one of the following:
  - ipAddress and macAddress of the interface
  - ipAddress, interfaceType and interfaceSpecifier (as indicated in Interface Types and Specifiers in JunosE Command Reference Guide), and an optional MAC address
- You can issue this command only for an IP Ethernet-based interface.
- For subscriber interface configurations, the IP address–MAC address pair must have a matching source prefix that already exists on the subscriber interface. If the matching source prefix does not exist, the IP–MAC address pair is rejected. See Configuring Subscriber Interfaces in the JunosE Broadband Access Configuration Guide for information about using subscriber interfaces.
- Example 1—Packets originating from host 192.56.20.1 and validated at Gigabit Ethernet interface with the MAC address 0090.1a00.0170
  host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170 validate
- Example 2—Subscriber interface MAC address validation enabled
  host1(config)#arp 192.168.32.0 ip subsc1 000.0001.8100
- Use the no version to remove an entry from the ARP cache.
- See arp

