Technical Documentation

Example: Configuring Unrestricted Proxy ARP on an EX Series Switch

You can configure unrestricted proxy ARP on your switch to increase security: the switch, rather than the individual hosts, answers every ARP request, so hosts must send and receive all traffic through the switch instead of exchanging frames directly with each other.

This example shows how to configure unrestricted proxy ARP on an access switch:

Requirements

This example uses the following hardware and software components:

  • JUNOS Release 9.6 or later for EX Series switches
  • One EX Series switch

Before you set up unrestricted proxy ARP, ensure that you have:

Note: You do not need to configure multiple VLANs to use unrestricted proxy ARP. You can choose to configure unrestricted proxy ARP when only a single VLAN (the default configuration) is being used on the switch. This example, however, uses two VLANs to emphasize the fact that unrestricted proxy ARP applies globally on the switch. Even when two VLANs are configured, setting a single interface within one VLAN to use unrestricted proxy ARP automatically applies that setting to all interfaces within both VLANs on the switch.

Overview and Topology

When you enable proxy ARP on an EX Series switch, it operates in unrestricted mode. This is the only mode available, and the setting applies globally to all interfaces on the switch. Therefore, when proxy ARP is enabled, even hosts within the same VLAN must send and receive communications through the switch.

Note: If you enable proxy ARP for one of the interfaces on the switch, this setting applies to all the interfaces on the switch.

The topology for this example consists of one EX Series switch, which has been configured with two VLANs. One VLAN, called sales, is for the sales and marketing group, and a second, called engineering, is for the engineering development team. The VLANs belong to different subnets.

When a host wants to communicate with another host, it broadcasts an ARP request for the MAC address of the destination host:

  • When proxy ARP is not enabled, the host that owns the requested IP address replies directly to the ARP request with its own MAC address, and subsequent traffic is sent directly to that host's MAC address.
  • When unrestricted proxy ARP is enabled, the switch answers every ARP request with its own MAC address, even when the destination IP address is on the same subnet as the requesting host. All traffic is therefore sent to the switch, which routes it to the appropriate destination.

This example also disables the interfaces' responses to gratuitous ARP requests. A gratuitous ARP request is one in which a host asks for its own IP address, typically to announce the address or to detect a duplicate. If you do not disable these responses, the switch answers every ARP message, gratuitous ARP requests included, and a host that receives a reply for its own address can interpret that as an IP address conflict.
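The two ARP outcomes above, and the gratuitous case, as an added example that is not part of the Juniper page: it builds and parses raw ARP frames with the Python standard library and classifies who answered a request. The MAC and IP addresses, the hosts and the `classify_reply` and `is_gratuitous` helpers are constructed for illustration; the switch's MAC address is assumed to be known to the checker.

```python
"""
Added example, not part of the Juniper page: build and parse ARP frames and
classify who answered a request on a segment with or without proxy ARP.
Standard library only; every MAC and IP address below is constructed.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    dst = target_mac if op == ARP_REPLY else BROADCAST_MAC
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; rejects anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def is_gratuitous(req: dict) -> bool:
    """A gratuitous ARP request asks for the sender's own IP address."""
    return req["op"] == ARP_REQUEST and req["sender_ip"] == req["target_ip"]


def classify_reply(req: dict, reply: dict, switch_mac: str) -> str:
    """'direct' if the owner of the target IP answered, 'proxied' if the switch did."""
    if reply["op"] != ARP_REPLY or reply["sender_ip"] != req["target_ip"]:
        return "unrelated"
    if reply["sender_mac"] == switch_mac.lower():
        return "proxied"
    return "direct"


# Constructed topology: two hosts in VLAN sales (192.0.2.0/25) plus the switch.
HOST_A = ("02:00:00:00:00:0a", "192.0.2.10")
HOST_B = ("02:00:00:00:00:0b", "192.0.2.20")
SWITCH_MAC = "02:00:00:00:00:ee"  # assumed known; read it from the switch in practice


def demo() -> dict:
    """The same request answered without and with unrestricted proxy ARP."""
    request = parse_arp(build_arp(ARP_REQUEST, HOST_A[0], HOST_A[1],
                                  "00:00:00:00:00:00", HOST_B[1]))
    # No proxy ARP: host B answers with its own MAC address.
    host_reply = parse_arp(build_arp(ARP_REPLY, HOST_B[0], HOST_B[1],
                                     HOST_A[0], HOST_A[1]))
    # Unrestricted proxy ARP: the switch answers for B, same subnet or not.
    switch_reply = parse_arp(build_arp(ARP_REPLY, SWITCH_MAC, HOST_B[1],
                                       HOST_A[0], HOST_A[1]))
    # Host A announcing its own address; with proxy ARP on and without
    # no-gratuitous-arp-request, the switch would answer this one as well.
    gratuitous = parse_arp(build_arp(ARP_REQUEST, HOST_A[0], HOST_A[1],
                                     "00:00:00:00:00:00", HOST_A[1]))
    return {
        "without_proxy_arp": classify_reply(request, host_reply, SWITCH_MAC),
        "with_proxy_arp": classify_reply(request, switch_reply, SWITCH_MAC),
        "gratuitous_detected": is_gratuitous(gratuitous),
        "normal_request_gratuitous": is_gratuitous(request),
    }


if __name__ == "__main__":
    print(demo())
```

On a live segment the same classifier can be fed frames captured with a packet sniffer: a reply whose sender MAC is the switch's for a target on the requester's own subnet is the signature of unrestricted proxy ARP, and a reply to a gratuitous request is the signature of an interface that still lacks no-gratuitous-arp-request.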

Table 1 shows the components of this topology.

Table 1: Components of the Unrestricted Proxy ARP Switch

Property                          Settings
Switch hardware                   EX Series switch
VLAN names and tag IDs            sales, tag 100
                                  engineering, tag 200
VLAN subnets                      sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                                  engineering: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Interfaces in VLAN sales          ge-0/0/3 through ge-0/0/21
Interfaces in VLAN engineering    ge-0/0/25 through ge-0/0/47

Note: By default, if you enable proxy ARP, it works in unrestricted mode and applies globally to all the interfaces on the switch. Disable gratuitous ARP requests on all the interfaces; unlike proxy ARP, this is a per-interface setting, not a global one. To keep the example simple, the configuration steps show how to disable gratuitous ARP requests on only a few interfaces in each VLAN. Use the same procedure for the remaining interfaces.

Configuration

Configure unrestricted proxy ARP:

CLI Quick Configuration

To quickly configure unrestricted proxy ARP, copy the following commands and paste them into the switch terminal window:


[edit]
set interfaces ge-0/0/3 unit 0 proxy-arp
set interfaces ge-0/0/3 no-gratuitous-arp-request
set interfaces ge-0/0/4 no-gratuitous-arp-request
set interfaces ge-0/0/5 no-gratuitous-arp-request
set interfaces ge-0/0/25 no-gratuitous-arp-request
set interfaces ge-0/0/26 no-gratuitous-arp-request
set interfaces ge-0/0/27 no-gratuitous-arp-request

Step-by-Step Procedure

To configure unrestricted proxy ARP:

  1. Configure one interface for proxy ARP:

    [edit interfaces]
    user@switch# set ge-0/0/3 unit 0 proxy-arp
  2. Disable gratuitous ARP on the interfaces in the sales VLAN (three are shown here; repeat for the rest):

    [edit interfaces]
    user@switch# set ge-0/0/3 no-gratuitous-arp-request
    user@switch# set ge-0/0/4 no-gratuitous-arp-request
    user@switch# set ge-0/0/5 no-gratuitous-arp-request
  3. Disable gratuitous ARP on the interfaces in the engineering VLAN (three are shown here; repeat for the rest):

    [edit interfaces]
    user@switch# set ge-0/0/25 no-gratuitous-arp-request
    user@switch# set ge-0/0/26 no-gratuitous-arp-request
    user@switch# set ge-0/0/27 no-gratuitous-arp-request

Results

Display the results of the configuration:

user@switch> show configuration
interfaces {
    ge-0/0/3 {
        no-gratuitous-arp-request;
        unit 0 {
            description sales;
            proxy-arp;
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/4 {
        no-gratuitous-arp-request;
        unit 0 {
            description sales;
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/5 {
        no-gratuitous-arp-request;
        unit 0 {
            description sales;
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/25 {
        no-gratuitous-arp-request;
        unit 0 {
            description engineering;
            family ethernet-switching {
                vlan {
                    members engineering;
                }
            }
        }
    }
    ge-0/0/26 {
        no-gratuitous-arp-request;
        unit 0 {
            description engineering;
            family ethernet-switching {
                vlan {
                    members engineering;
                }
            }
        }
    }
    ge-0/0/27 {
        no-gratuitous-arp-request;
        unit 0 {
            description engineering;
            family ethernet-switching {
                vlan {
                    members engineering;
                }
            }
        }
    }
}

Verification

To confirm that the configuration is working properly, perform this task:

Verifying That the Switch Is Sending Proxy ARP Messages

Purpose

Verify that the switch is sending proxy ARP messages.

Action

List the system statistics for ARP messages:

user@switch> show system statistics arp
arp:
        198319 datagrams received
        45 ARP requests received
        12 ARP replys received
        2 resolution requests received
        2 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 proxy requests not proxied
        0 restricted-proxy requests not proxied
        0 with bogus interface
        0 with incorrect length
        0 for non-IP protocol
        0 with unsupported op code
        0 with bad protocol address length
        0 with bad hardware address length
        0 with multicast source address
        0 with multicast target address
        0 with my own hardware address
        168705 for an address not on the interface
        0 with a broadcast source address
        0 with source address duplicate to mine
        29555 which were not for me
        0 packets discarded waiting for resolution
        4 packets sent after waiting for resolution
        27 ARP requests sent
        47 ARP replys sent
        0 requests for memory denied
        0 requests dropped on entry
        0 requests dropped during retry
        0 requests dropped due to interface deletion
        0 requests on unnumbered interfaces
        0 new requests on unnumbered interfaces
        0 replies for from unnumbered interfaces
        0 requests on unnumbered interface with non-subnetted donor
        0 replies from unnumbered interface with non-subnetted donor

Meaning

The unrestricted proxy requests counter shows that the switch received two ARP requests that it answered by proxy, and proxy requests not proxied is 0, which indicates that every ARP request the switch should have proxied was in fact proxied. A non-zero value for restricted proxy requests would be unexpected, because EX Series switches support only unrestricted mode.
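The reading of the counters above, as an added example that is not part of the Juniper page: a small Python parser for the output of show system statistics arp, the check the Meaning section describes, and a counter diff for switches whose statistics are never cleared. SAMPLE is a shortened copy of the page's own output embedded as a constant; the parse_arp_stats, check_proxy_arp and diff_counters helpers and the findings wording are constructed for this example.

```python
"""
Added example, not part of the Juniper page: parse the counters printed by
'show system statistics arp' and check that proxy ARP is doing its job.
SAMPLE is a shortened copy of the page's output, embedded as a constant.
"""
import re

SAMPLE = """\
arp:
        198319 datagrams received
        45 ARP requests received
        12 ARP replys received
        2 resolution requests received
        2 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 proxy requests not proxied
        0 restricted-proxy requests not proxied
        27 ARP requests sent
        47 ARP replys sent
"""

# Every counter line is "<count> <description>"; the 'arp:' header has no count.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_arp_stats(text: str) -> dict:
    """Map each counter description to its integer value."""
    stats = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            stats[match.group(2)] = int(match.group(1))
    return stats


def check_proxy_arp(stats: dict) -> dict:
    """The page's reading: proxied requests seen, and none left unproxied."""
    proxied = stats.get("unrestricted proxy requests", 0)
    not_proxied = stats.get("proxy requests not proxied", 0)
    restricted = stats.get("restricted proxy requests", 0)
    findings = []
    if proxied == 0:
        findings.append("no unrestricted proxy requests yet: proxy ARP is off, "
                        "or no host has sent an ARP request since the last clear")
    if not_proxied:
        findings.append(f"{not_proxied} proxy request(s) were not proxied")
    if restricted:
        # EX Series switches only offer unrestricted mode, so this should stay 0.
        findings.append(f"{restricted} restricted proxy request(s) seen, unexpected on EX")
    return {
        "proxy_arp_active": proxied > 0 and not_proxied == 0,
        "proxied": proxied,
        "findings": findings,
    }


def diff_counters(before: dict, after: dict) -> dict:
    """Counters that moved between two snapshots, e.g. around one test ARP request."""
    return {
        name: after.get(name, 0) - before.get(name, 0)
        for name in after
        if after.get(name, 0) != before.get(name, 0)
    }


if __name__ == "__main__":
    snapshot = parse_arp_stats(SAMPLE)
    print(check_proxy_arp(snapshot))
```

Because the counters are cumulative, the reliable procedure is to take a snapshot, trigger one ARP request from a host (for example by pinging a neighbour whose entry is not yet cached), take a second snapshot, and expect diff_counters to show unrestricted proxy requests advancing by one while proxy requests not proxied stays flat.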


Published: 2009-07-23