Related Documentation

  • IP Addressing Overview
  • IP Routing Information Tables Overview
  • Monitoring ARP Details
  • Monitoring Detailed or Summary Information for IP Interfaces
  • Monitoring the Current State of IP Interfaces
  • Monitoring IP Traffic Statistics
  • arp
  • arp spoof-check
  • arp timeout
  • clear arp
  • ip mac-validate
  • ip proxy-arp
  • no ip interface
 

Address Resolution Protocol

This topic describes Address Resolution Protocol (ARP).

  • ARP Overview
  • Understanding How ARP Works
  • Configuring ARP
  • Enabling Proxy ARP
  • MAC Address Validation Overview
  • Adding IP Address-MAC Address Validation Pairs

ARP Overview

Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address).

In an Ethernet environment, ARP is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured.

Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host searches its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.

Understanding How ARP Works

Figure 1 and Figure 2 show how ARP works where host 1 sends an IP packet to host 2 on a different subnet. To complete this transmission, host 1 needs the MAC address of router 1, to be used as the forwarding gateway.

A typical scenario is:

  1. Host 1 broadcasts an ARP request to all devices on subnet 1; the request asks for the IP address of router 1. The IP address of router 1 is needed because host 2 is on a different subnet.
  2. All devices on subnet 1 compare their own IP address with the IP address enclosed in the request sent by host 1.
  3. Because its IP address matches, router 1 sends an ARP response, which includes its MAC address, to host 1.

    Figure 1: Sample ARP Process—1 through 3

  4. Host 1 transmits the IP packet to the layer 3 destination address (host 2) using router 1’s MAC address as the layer 2 destination.
  5. Router 1 forwards the IP packet to host 2. Router 1 might send an ARP request to identify the MAC address of host 2. (See Figure 2.)

    Figure 2: Sample ARP Process—4 and 5

ARP forces all receiving hosts to compare their IP addresses with the IP address in the ARP request. If host 1 later sends another IP packet to host 2, host 1 first searches its ARP table for the MAC address of router 1 and broadcasts a new request only if the entry is missing.
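The exchange in steps 1 through 5 above, as an added Python model (not code from the page or from Juniper). Hosts, router ports, subnets, IP addresses and MAC addresses are constructed sample values; the model shows the broadcast request, the per-device address comparison, the unicast reply, the cache fill, and the cache hit on the second packet.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # unknown (broadcast) in a request, filled in by the reply

@dataclass
class Node:
    """One Ethernet interface: a host or one router port (constructed sample)."""
    name: str
    ip: str
    mac: str
    prefix: str                          # e.g. "192.0.2.0/24"
    gateway: Optional[str] = None        # default router for off-subnet traffic
    cache: dict = field(default_factory=dict)   # ip -> mac learned via ARP

    def on_arp(self, msg: ArpMessage) -> Optional[ArpMessage]:
        """Steps 2 and 3: every node compares the target IP with its own;
        only the owner answers, putting its MAC address in the reply."""
        if msg.op == "request" and msg.target_ip == self.ip:
            return ArpMessage("reply", self.ip, self.mac, msg.sender_ip, msg.sender_mac)
        return None

class Segment:
    """A broadcast domain: the request reaches every attached node (step 1)."""
    def __init__(self, *nodes: Node) -> None:
        self.nodes = list(nodes)

    def resolve(self, asker: Node, ip: str, log: list) -> str:
        if ip in asker.cache:   # cache hit: no broadcast is needed
            log.append(f"{asker.name}: cache hit {ip} -> {asker.cache[ip]}")
            return asker.cache[ip]
        log.append(f"{asker.name}: broadcast ARP request who-has {ip}")
        req = ArpMessage("request", asker.ip, asker.mac, ip, BROADCAST_MAC)
        for node in self.nodes:
            if node is asker:
                continue
            reply = node.on_arp(req)
            if reply is not None:
                log.append(f"{node.name}: ARP reply {ip} is-at {reply.sender_mac}")
                asker.cache[ip] = reply.sender_mac
                return reply.sender_mac
        raise LookupError(f"no node on the segment owns {ip}")

def next_hop(node: Node, dst_ip: str) -> str:
    """An off-subnet destination is reached through the gateway, so the
    gateway's MAC address is what ARP must find (the point of step 1)."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(node.prefix):
        return dst_ip
    if node.gateway is None:
        raise RuntimeError(f"{node.name}: no route to {dst_ip}")
    return node.gateway

def send_ip_packet(node: Node, segment: Segment, dst_ip: str, log: list) -> dict:
    """Step 4: the frame goes to the next hop's MAC; the IP destination stays dst_ip."""
    hop = next_hop(node, dst_ip)
    dst_mac = segment.resolve(node, hop, log)
    log.append(f"{node.name}: frame to {dst_mac} carrying IP packet for {dst_ip}")
    return {"dst_mac": dst_mac, "src_mac": node.mac, "ip_dst": dst_ip}

def run_scenario():
    """Host 1 (subnet 1) sends two packets to host 2 (subnet 2) through router 1.
    Addresses are constructed from the documentation ranges."""
    host1 = Node("host1", "192.0.2.10", "00:00:5e:00:53:01", "192.0.2.0/24", gateway="192.0.2.1")
    r1_lan1 = Node("router1", "192.0.2.1", "00:00:5e:00:53:fe", "192.0.2.0/24")
    r1_lan2 = Node("router1", "198.51.100.1", "00:00:5e:00:53:fd", "198.51.100.0/24")
    host2 = Node("host2", "198.51.100.20", "00:00:5e:00:53:02", "198.51.100.0/24",
                 gateway="198.51.100.1")
    subnet1 = Segment(host1, r1_lan1)
    subnet2 = Segment(r1_lan2, host2)
    log: list = []
    f1 = send_ip_packet(host1, subnet1, host2.ip, log)    # steps 1-4: ARP for router 1
    f2 = send_ip_packet(r1_lan2, subnet2, host2.ip, log)  # step 5: router 1 ARPs for host 2
    f3 = send_ip_packet(host1, subnet1, host2.ip, log)    # second packet: cache hit
    return log, (f1, f2, f3)

if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

Running the block prints the sequence of events; only the first packet from host 1 and the router's first packet to host 2 trigger a broadcast, the third send is answered from host 1's cache.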

If the default router/gateway becomes unavailable, then all the routing/packet forwarding to remote destinations ceases. Usually, manual intervention is required to restore connectivity, even though alternative paths may be available. Alternatively, Virtual Router Redundancy Protocol (VRRP) may be used to prevent loss of connectivity. See JunosE IP Services Configuration Guide.

Configuring ARP

ARP can be configured on an E Series router with the following tasks:

  • Adding a Static Entry in the ARP Cache
  • Checking for Spoofed ARP Packets
  • Configuring ARP Cache Entry Timeout
  • Clearing Dynamic Entries from the ARP Cache

Adding a Static Entry in the ARP Cache

You can add a static (permanent) entry in the ARP cache using the arp command.

You can specify the ipAddress, interfaceType and interfaceSpecifier (as indicated in Interface Types and Specifiers in JunosE Command Reference Guide), and an optional MAC address.

To add a static entry in the ARP cache:

  • Issue the arp command in Global Configuration mode.
    host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170

    Note: You can issue this command only for Fast Ethernet interfaces, Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and bridged Ethernet interfaces configured over ATM 1483.

    Use the no version to remove an entry from the ARP cache.

Checking for Spoofed ARP Packets

You can configure the router to check for spoofed ARP packets received on an IP interface or an IP subinterface using the arp spoof-check command.

By default, E Series routers check all received ARP packets for spoofing and process only those ARP packets whose source IP address is outside the range of the network mask. ARP packets with a source IP address of 0.0.0.0 and the router IP address as the destination address are dropped because the router identifies them as spoofed packets.

In networks with digital subscriber line access multiplexers (DSLAMs), even if you configure the router to check for spoofed ARP packets, DSLAMs perform this task instead of the router. If you disable checking for spoofed ARP packets on the router in such networks, DSLAMs forward the received packets to the router for processing. You can, therefore, configure the router accordingly, depending on the way in which you want spoof-checking to be performed.

You cannot configure ARP spoof-checking on interfaces that do not support ARP, such as loopback interfaces and ATM point-to-point PVCs.

If you disable checking for spoofed ARP packets, all packets received by the router are processed. You can reenable checking for spoofed ARP packets on an interface at any time by using the arp spoof-check command after disabling it.

  • Before you configure IP, you must create the lower-layer interfaces over which IP traffic flows.
  • All IP configurations will be removed from the interface when you issue the no ip interface command in Interface Configuration mode.

To enable spoof-checking for ARP packets received on an interface:

  • Issue the arp spoof-check command in Interface Configuration mode.
    host1(config-if)#arp spoof-check

    Use the no version to disable checking for spoofed ARP packets received on a major IP interface or an IP subinterface.

Configuring ARP Cache Entry Timeout

You can specify how long an entry remains in the ARP cache using the arp timeout command. The default value is 21,600 seconds (6 hours). You can use the show config command to display the current value. If you specify a timeout of 0 seconds, entries are never cleared from the ARP cache.

  • Before you configure IP, you must create the lower-layer interfaces over which IP traffic flows.
  • All IP configurations will be removed from the interface when you issue the no ip interface command in Interface Configuration mode.

To specify how long an entry remains in the ARP cache:

  • Issue the arp timeout command in Interface Configuration mode.
    host1(config-if)#arp timeout 8000

    Note: You can issue this command only for Fast Ethernet interfaces, Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and bridged Ethernet interfaces configured over ATM 1483.

    Use the no version to restore the default value.

Clearing Dynamic Entries from the ARP Cache

You can clear a particular dynamic entry from the ARP cache using the clear arp command by specifying all of the following options:

  • ipAddress—IP address in four-part dotted-decimal format corresponding to the local data link address
  • interfaceType—Interface type; see Interface Types and Specifiers in JunosE Command Reference Guide
  • interfaceSpecifier—Particular interface; format varies according to interface type; see Interface Types and Specifiers in JunosE Command Reference Guide

You can clear all dynamic entries from the ARP cache using the clear arp command with an asterisk (*).

To clear all dynamic entries:

  • Issue the clear arp command with an asterisk (*) in Privileged Exec mode.
    host1#clear arp *
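The cache behaviour described under Adding a Static Entry, Configuring ARP Cache Entry Timeout and Clearing Dynamic Entries, as an added Python model (not Juniper code and not the JunosE implementation). Static entries are permanent, dynamic entries are aged out after the configured timeout (0 disables ageing), and clearing removes dynamic entries only. The addresses and the FakeClock are constructed for the demo.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_ARP_TIMEOUT = 21_600   # seconds (6 hours): the default given for `arp timeout`

@dataclass
class ArpEntry:
    mac: str
    static: bool        # True for `arp <ip> <intf> <mac>` entries
    last_used: float    # clock value at the last lookup or refresh (dynamic only)

class FakeClock:
    """Deterministic clock so the demo does not have to wait hours."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

class ArpCache:
    """Per-interface cache model. `timeout` is the `arp timeout` value in seconds:
    a dynamic entry unused for that long is removed; 0 disables ageing."""
    def __init__(self, timeout: int = DEFAULT_ARP_TIMEOUT, clock=time.monotonic) -> None:
        if timeout < 0:
            raise ValueError("timeout must be 0 or a positive number of seconds")
        self.timeout = timeout
        self.clock = clock
        self.entries: Dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = ArpEntry(mac, static=True, last_used=self.clock())

    def remove_static(self, ip: str) -> None:
        """`no arp <ip> ...`: remove a static entry."""
        e = self.entries.get(ip)
        if e is not None and e.static:
            del self.entries[ip]

    def learn(self, ip: str, mac: str) -> None:
        """Dynamic entry from an ARP reply. A static entry for the same IP is kept,
        so a reply on the wire cannot displace an operator-configured binding."""
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return
        self.entries[ip] = ArpEntry(mac, static=False, last_used=self.clock())

    def expire(self) -> None:
        if self.timeout == 0:
            return
        now = self.clock()
        stale = [ip for ip, e in self.entries.items()
                 if not e.static and now - e.last_used >= self.timeout]
        for ip in stale:
            del self.entries[ip]

    def lookup(self, ip: str) -> Optional[str]:
        self.expire()
        e = self.entries.get(ip)
        if e is None:
            return None
        if not e.static:
            e.last_used = self.clock()   # entry was used: restart its idle timer
        return e.mac

    def clear_dynamic(self, ip: Optional[str] = None) -> int:
        """`clear arp *` (ip=None) or `clear arp <ip> <intf> <specifier>`; returns the number removed."""
        victims = [k for k, e in self.entries.items()
                   if not e.static and (ip is None or k == ip)]
        for k in victims:
            del self.entries[k]
        return len(victims)

def demo(timeout: int):
    """Static entry from the page's `arp` example plus one constructed dynamic entry;
    advance the clock past the timeout and look both up."""
    clk = FakeClock()
    cache = ArpCache(timeout=timeout, clock=clk)
    cache.add_static("192.56.20.1", "0090.1a00.0170")
    cache.learn("192.56.20.33", "0090.1a00.0033")
    clk.advance(timeout + 1 if timeout else 10**6)
    return cache.lookup("192.56.20.33"), cache.lookup("192.56.20.1")

if __name__ == "__main__":
    print("timeout 8000:", demo(8000))
    print("timeout 0:   ", demo(0))
```

With `arp timeout 8000` the dynamic entry is gone after the interval while the static one remains; with a timeout of 0 both survive indefinitely, which is why a 0 timeout should be paired with deliberate use of clear arp.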

Enabling Proxy ARP

You can enable proxy ARP on an Ethernet or bridge1483 interface using the ip proxy-arp command. Proxy ARP is enabled by default.

  • Before you configure IP, you must create the lower-layer interfaces over which IP traffic flows.
  • All IP configurations will be removed from the interface when you issue the no ip interface command in Interface Configuration mode.

To enable proxy ARP on an interface:

  • Issue the ip proxy-arp command in Interface Configuration mode.
    host1(config-if)#ip proxy-arp unrestricted

    Use the no version to disable proxy ARP on the interface.

MAC Address Validation Overview

MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packet’s source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if they do not match, the packet is dropped.

Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12 ATM line modules on ERX routers and on OC3/OC12 ATM IOAs on the E120 and E320 routers.

MAC address validation on the E Series router can be accomplished in two ways:

  • You can statically configure it on a physical interface via the arp validate command.
  • You can enable Dynamic Host Configuration Protocol (DHCP) to perform the function independently and dynamically. See JunosE Link Layer Configuration Guide .

The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface.

If the validation is added statically via the command-line interface (CLI), the IP address–MAC address pairs are stored in nonvolatile storage (NVS). The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.

Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.

You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See JunosE Physical Layer Configuration Guide or JunosE Link Layer Configuration Guide for information.

A dynamic IP subscriber interface inherits the MAC address validation state (enabled or disabled) configured for its parent static primary IP interface. See Configuring Subscriber Interfaces in the JunosE Broadband Access Configuration Guide for information.

Adding IP Address-MAC Address Validation Pairs

You can add IP address–MAC address validation pairs using the arp command with the validate keyword. When validation is enabled, all packets with the source IP address received on this IP interface are validated against the IP-MAC entries.

You can add a validation pair by specifying one of the following:

  • ipAddress and macAddress of the interface.
  • ipAddress, interfaceType and interfaceSpecifier (as indicated in Interface Types and Specifiers in JunosE Command Reference Guide), and an optional MAC address.

Keep the following in mind:

  • You can issue this arp command with the validate keyword only for an IP Ethernet-based interface.
  • For subscriber interface configurations, the IP address–MAC address pair must have a matching source prefix that already exists on the subscriber interface. If the matching source prefix does not exist, the IP–MAC address pair is rejected. See Configuring Subscriber Interfaces in the JunosE Broadband Access Configuration Guide for information about using subscriber interfaces.

To add a validation pair:

  • Issue the arp command with the validate keyword in Global Configuration mode.
    host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170 validate

    Use the no version to remove an entry from the ARP cache.
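The two ingress checks described on this page, spoof-checking of ARP packets (Checking for Spoofed ARP Packets) and IP–MAC validation (MAC Address Validation Overview and Adding IP Address-MAC Address Validation Pairs), as one added Python model. This is not Juniper code and not the JunosE implementation. It implements only the rules the page states: an ARP packet with source 0.0.0.0 aimed at the router's own address is dropped when spoof-checking is on; an IP packet is forwarded only when its source IP–MAC pair is in the validation table and validation is enabled; a subscriber interface inherits the enabled state of its parent and rejects pairs outside its source prefixes. The interface IP 192.56.20.254, the subscriber prefix and the extra MAC addresses are constructed; the 192.56.20.1 / 0090.1a00.0170 pair is the page's own example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def norm_mac(mac: str) -> str:
    """Accept dotted (0090.1a00.0170) or colon/hyphen-separated MAC notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits

@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class IpPacket:
    src_ip: str
    src_mac: str   # source MAC of the Ethernet frame carrying the packet

@dataclass
class Interface:
    """Constructed model of one IP Ethernet interface's ingress checks."""
    name: str
    ip: str
    spoof_check: bool = True                                   # `arp spoof-check` (default on)
    mac_validate: bool = False                                 # `ip mac-validate`
    validation_table: Dict[str, str] = field(default_factory=dict)   # `arp ... validate` pairs
    source_prefixes: List[str] = field(default_factory=list)   # subscriber interfaces only
    parent: Optional["Interface"] = None                       # parent static primary IP interface

    def mac_validation_enabled(self) -> bool:
        # A dynamic subscriber interface inherits the state of its parent interface.
        if self.parent is not None:
            return self.parent.mac_validation_enabled()
        return self.mac_validate

    def add_validate_pair(self, ip: str, mac: str) -> bool:
        """`arp <ip> <intf> <mac> validate`. Returns False when the pair is rejected
        because a subscriber interface has no matching source prefix."""
        if self.parent is not None:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(p) for p in self.source_prefixes):
                return False
        self.validation_table[ip] = norm_mac(mac)
        return True

    def check_arp(self, pkt: ArpPacket) -> str:
        """Spoof-check rule stated on the page: source 0.0.0.0 with the router's
        own address as the destination is identified as spoofed and dropped."""
        if self.spoof_check and pkt.sender_ip == "0.0.0.0" and pkt.target_ip == self.ip:
            return "drop"
        return "process"

    def check_ip(self, pkt: IpPacket) -> str:
        """IP-MAC validation: forward only when the source pair is in the table."""
        if not self.mac_validation_enabled():
            return "forward"
        if self.validation_table.get(pkt.src_ip) == norm_mac(pkt.src_mac):
            return "forward"
        return "drop"

def run_checks() -> dict:
    gig = Interface("GigabitEthernet 2/0", "192.56.20.254", mac_validate=True)
    gig.add_validate_pair("192.56.20.1", "0090.1a00.0170")
    sub = Interface("subscriber", "192.56.20.254", parent=gig,
                    source_prefixes=["192.56.20.0/24"])
    r = {}
    r["arp_spoofed"] = gig.check_arp(ArpPacket("0.0.0.0", "0090.1a00.0170", "192.56.20.254"))
    r["arp_normal"] = gig.check_arp(ArpPacket("192.56.20.1", "0090.1a00.0170", "192.56.20.254"))
    r["ip_match"] = gig.check_ip(IpPacket("192.56.20.1", "00:90:1A:00:01:70"))
    r["ip_mismatch"] = gig.check_ip(IpPacket("192.56.20.1", "0090.1a00.9999"))
    r["ip_unknown"] = gig.check_ip(IpPacket("192.56.20.7", "0090.1a00.0170"))
    r["sub_inherits"] = sub.mac_validation_enabled()
    r["sub_pair_in_prefix"] = sub.add_validate_pair("192.56.20.9", "0090.1a00.0009")
    r["sub_pair_rejected"] = sub.add_validate_pair("10.0.0.9", "0090.1a00.0009")
    gig.mac_validate = False          # `no ip mac-validate`: table kept, no longer consulted
    r["ip_validation_off"] = gig.check_ip(IpPacket("192.56.20.1", "0090.1a00.9999"))
    return r

if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k:20} {v}")
```

Note that disabling validation with no ip mac-validate leaves the stored pairs in place but stops consulting them, which matches the page's statement that NVS entries are used only while validation is enabled on the interface.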

Published: 2012-06-20
