Technical Documentation

Configuring Unrestricted Proxy ARP (CLI Procedure)

You can configure unrestricted proxy ARP on your EX Series switch to increase security by forcing hosts to send and receive communications through the switch rather than exchange communications directly. When you enable proxy ARP on an EX Series switch, it operates in unrestricted mode. This is the only mode available, and this setting applies globally to all interfaces on the switch. Therefore, when proxy ARP is enabled, even hosts within the same VLAN must send and receive communications through the switch.

Best Practice: We recommend that you disable gratuitous ARP requests on each of the interfaces on the switch. If gratuitous ARP requests are not disabled, the switch responds to all ARP requests, including gratuitous ARP requests.

The following procedure shows the configuration of only a few interfaces. Typically you would disable gratuitous ARP on all switch interfaces. It is sufficient to configure unrestricted proxy ARP on a single interface, because it applies globally to all the interfaces. However, you must disable gratuitous ARP on all the interfaces that you want to use for unrestricted proxy ARP messages.

To configure unrestricted proxy ARP:

  1. Configure proxy ARP on a single interface:

    user@switch# set interfaces ge-0/0/3 unit 0 proxy-arp

  2. Disable gratuitous ARP on each of the interfaces:

    [edit interfaces]
    user@switch# set ge-0/0/3 no-gratuitous-arp-request
    user@switch# set ge-0/0/4 no-gratuitous-arp-request
    user@switch# set ge-0/0/5 no-gratuitous-arp-request
    user@switch# set ge-0/0/25 no-gratuitous-arp-request
    user@switch# set ge-0/0/26 no-gratuitous-arp-request
    user@switch# set ge-0/0/27 no-gratuitous-arp-request
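
The following Python script is an added example, not part of the original procedure or Juniper tooling. It audits configuration text in `show configuration | display set` form and reports every interface that lacks `no-gratuitous-arp-request` once proxy ARP is configured anywhere on the switch. The sample configuration is constructed, and treating only `type-fpc/pic/port` names (such as `ge-0/0/3`) as switch interfaces is an assumption of the example.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real switch).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/3 unit 0 proxy-arp
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/3 no-gratuitous-arp-request
set interfaces ge-0/0/4 no-gratuitous-arp-request
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/25 no-gratuitous-arp-request
set interfaces ge-0/0/26 unit 0 family ethernet-switching
"""

SET_LINE = re.compile(r"^set interfaces (\S+)\s+(.*)$")
# Assumption: only names of the form type-fpc/pic/port are audited.
PHYSICAL = re.compile(r"^[a-z]+-\d+/\d+/\d+$")


def audit_proxy_arp(config_text):
    """Return (interfaces with proxy-arp, interfaces missing no-gratuitous-arp-request)."""
    seen, proxy, hardened = [], [], set()
    for raw in config_text.splitlines():
        m = SET_LINE.match(raw.strip())
        if not m or not PHYSICAL.match(m.group(1)):
            continue
        name, rest = m.group(1), m.group(2).split()
        if name not in seen:
            seen.append(name)
        if rest == ["no-gratuitous-arp-request"]:
            hardened.add(name)
        # Matches `unit N proxy-arp`; any trailing tokens are tolerated.
        elif len(rest) >= 3 and rest[0] == "unit" and rest[2] == "proxy-arp":
            if name not in proxy:
                proxy.append(name)
    # Proxy ARP set on any one interface applies to the whole switch, so
    # every audited interface must then carry no-gratuitous-arp-request.
    missing = [n for n in seen if n not in hardened] if proxy else []
    return proxy, missing


if __name__ == "__main__":
    proxy, missing = audit_proxy_arp(SAMPLE_CONFIG)
    print("proxy-arp configured on:", ", ".join(proxy) or "none")
    for name in missing:
        print(f"MISSING no-gratuitous-arp-request: {name}")
```

An interface that never appears in the configuration text is not seen by the script, so run it against the full interface configuration.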

Published: 2009-07-23