Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

ARP

Static address resolution protocol (ARP) table entries are reponded to by default when the destination address of the ARP is on the local network. These static ARP addresses can be configured for Ethernet or Gigabit Ethernet interfaces. The topics below discuss the overview of static ARP table entries, restricted and unrestricted proxy ARP, configuration details to map the IP addresses to the MAC addresses.

Static ARP Table Entries Overview

For Fast Ethernet, Gigabit Ethernet, Tri-Rate Ethernet copper, and 10-Gigabit Ethernet interfaces, you can configure static ARP table entries, defining mappings between IP and MAC addresses.

Configuring Static ARP Table Entries For Mapping IP Addresses to MAC Addresses

By default, the device responds to an Address Resolution Protocol (ARP) request only if the destination address of the ARP request is on the local network of the incoming interface. For Fast Ethernet or Gigabit Ethernet interfaces, you can configure static ARP entries that associate the IP addresses of nodes on the same Ethernet subnet with their media access control (MAC) addresses. These static ARP entries enable the device to respond to ARP requests even if the destination address of the ARP request is not local to the incoming Ethernet interface.

Also, unlike dynamically learned ARP entries, static ARP entries do not age out. You can also configure static ARP entries in a troubleshooting situation or if your device is unable to learn a MAC address dynamically.

Note:

By default, an ARP policer is installed that is shared among all the Ethernet interfaces on which you have configured the family inet statement. By including the arp statement at the [edit interfaces interface-name unit logical-unit-number family inet policer] hierarchy level, you can apply a specific ARP-packet policer to an interface. This feature is not available on EX Series switches.

To configure static ARP entries:

  1. In the configuration mode, at the [edit] hierarchy level, configure the router interface on which the ARP table entries for the router is configured.
  2. Configure the protocol family, the logical unit of the interface, and the interface address of the router interface at the [edit interfaces interface-name] hierarchy level. While configuring the protocol family, specify inet as the protocol family.
    Note:

    When you need to conserve IP addresses, you can configure an Ethernet interface to be unnumbered by including the unnumbered-address statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level.

  3. Configure a static ARP entry by specifying the IP address and the MAC address that are to be mapped to each other. The IP address specified must be part of the subnet defined in the enclosing address statement. The MAC address must be specified as hexadecimal bytes in the following formats: nnnn.nnnn.nnnn or nn:nn:nn:nn:nn:nnformat. For instance, you can use either 0011.2233.4455 or 00:11:22:33:44:55.
  4. Configure another static ARP entry by specifying the IP address and the MAC address that are to be mapped to each other. You can also associate a multicast MAC address with a unicast IP address by including the multicast-mac option with the arp statement. You can optionally configure the router to respond to ARP requests for the specified IP address by using the publish option with the arp statement.
    Note:

    For unicast MAC addresses only, if you include the publish option, the router or switch replies to proxy ARP requests.

Note:

The Junos OS supports the IPv6 static neighbor discovery cache entries, similar to the static ARP entries in IPv4.

Restricted and Unrestricted Proxy ARP Overview

By default, the Junos OS responds to an Address Resolution Protocol (ARP) request only if the destination address of the ARP request is local to the incoming interface.

For Ethernet Interfaces, you can configure the router or switches to proxy-reply to the ARP requests using the restricted or unrestricted proxy ARP configuration.

You might want to configure restricted or unrestricted proxy ARP for routers that act as provider edge (PE) devices in Ethernet Layer 2 LAN switching domains.

Note:

From Junos OS Release 10.0 onward, Junos OS does not respond to proxy ARP requests with the default route 0.0.0.0. This behavior is in compliance with RFC 1027.

Restricted Proxy ARP

Restricted proxy ARP enables the router or switch to respond to the ARP requests in which the physical networks of the source and target are not the same and the router or switch has an active route to the target address in the ARP request. The router does not reply if the target address is on the same subnet and the same interface as the ARP requestor.

Unrestricted Proxy ARP

Unrestricted proxy ARP enables the router or switch to respond to any ARP request, on condition that the router has an active route to the destination address of the ARP request. The route is not limited to the incoming interface of the request, nor is it required to be a direct route.

Warning:

If you configure unrestricted proxy ARP, the proxy router replies to ARP requests for the target IP address on the same interface as the incoming ARP request. This behavior is appropriate for cable modem termination system (CMTS) environments, but might cause Layer 2 reachability problems if you enable unrestricted proxy ARP in other environments.

When an IP client broadcasts the ARP request across the Ethernet wire, the end node with the correct IP address responds to the ARP request and provides the correct MAC address. If the unrestricted proxy ARP feature is enabled, the router response is redundant and might fool the IP client into determining that the destination MAC address within its own subnet is the same as the address of the router.

Note:

While the destination address can be remote, the source address of the ARP request must be on the same subnet as the interface upon which the ARP request is received. For security reasons, this rule applies to both unrestricted and restricted proxy ARP.

Topology Considerations for Unrestricted Proxy ARP

In most situations, you should not configure the router or switch to perform unrestricted proxy ARP. Do so only for special situations, such as when cable modems are used. Figure 1 and Figure 2 show examples of situations in which you might want to configure unrestricted proxy ARP.

In Figure 1, the edge device is not running any IP protocols. In this case, you configure the core router to perform unrestricted proxy ARP. The edge device is the client of the proxy.

In Figure 2, the Broadband Remote Access Server (B-RAS) routers are not running any IP protocols. In this case, you configure unrestricted proxy ARP on the B-RAS interfaces. This allows the core device to behave as though it is directly connected to the end users.

Figure 1: Edge Device Case for Unrestricted Proxy ARPEdge Device Case for Unrestricted Proxy ARP
Figure 2: Core Device Case for Unrestricted Proxy ARPCore Device Case for Unrestricted Proxy ARP

Configuring Restricted and Unrestricted Proxy ARP

To configure restricted or unrestricted proxy ARP, include the proxy-arp statement:

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number ]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

To return to the default—that is, to disable restricted or unrestricted proxy ARP—delete the proxy-arp statement from the configuration:

You can track the number of restricted or unrestricted proxy ARP requests processed by the router or switch by issuing the show system statistics arp operational mode command.

Note:

When proxy ARP is enabled as default or unrestricted, the router or switch responds to any ARP request as long as the device has an active route to the target address of the ARP request. This gratuitous ARP behavior can result in an error when the receiving interface and target response interface are the same and the end device (for example, a client) performs a duplicate address check. To prevent this error, configure the router or switch interface with the no-gratuitous-arp-reply statement. See Configuring Gratuitous ARP for information about how to disable responses to gratuitous ARP requests.

Configuring Gratuitous ARP

Gratuitous Address Resolution Protocol (ARP) requests help detect duplicate IP addresses. A gratuitous ARP is a broadcast request for a router’s own IP address. If a router or switch sends an ARP request for its own IP address and no ARP replies are received, the router- or switch-assigned IP address is not being used by other nodes. However, if a router or switch sends an ARP request for its own IP address and an ARP reply is received, the router- or switch-assigned IP address is already being used by another node.

Gratuitous ARP replies are reply packets sent to the broadcast MAC address with the target IP address set to be the same as the sender’s IP address. When the router or switch receives a gratuitous ARP reply, the router or switch can insert an entry for that reply in the ARP cache. By default, updating the ARP cache on gratuitous ARP replies is disabled on the router or switch.

To enable updating of the ARP cache for gratuitous ARPs:

  1. In configuration mode, go to the [edit interfaces interface-name] hierarchy level.
  2. Include the gratuitous-arp-reply statement.

To restore the default behavior, that is, to disable updating of the ARP cache for gratuitous ARP, delete the gratuitous-arp-reply statement from the configuration:

By default, the router or switch responds to gratuitous ARP requests. However, on Ethernet interfaces, you can disable responses to gratuitous ARP requests.

To disable responses to gratuitous ARP requests:

  1. In configuration mode, go to the [edit interfaces interface-name] hierarchy level.

  2. Include the no-gratuitous-arp-request statement.

To return to the default—that is, to respond to gratuitous ARP requests—delete the no-gratuitous-arp-request statement from the configuration: