Proxy ARP Learning Byte

Captions
Welcome to Juniper Learning Bytes. My name is Zack Gibbs; I am a curriculum developer in the content development department, and we'll be discussing proxy ARP. In this segment we will need to discuss what proxy ARP is and why it might be needed, but first let's briefly review how Ethernet works. This will set the stage for explaining a use case for proxy ARP.

On an Ethernet broadcast segment, layer 2 communication must occur before any layer 3 communication can take place, and as you probably already know, this layer 2 communication begins by using ARP packets. ARP allows IP-enabled devices to link the layer 2 address, which is the MAC address of a host, with the associated layer 3 address. If this process fails, or if the process just never occurs, layer 3 communication cannot happen on an Ethernet broadcast segment.

Now that we have reviewed the basic functions of Ethernet and how ARP links layer 2 and layer 3 addresses together, let's discuss what proxy ARP is and a situation where it might be useful to use proxy ARP. Proxy ARP allows an Ethernet interface to respond to ARP requests for IP addresses that are not currently applied to an Ethernet interface. At this point you may be asking yourself: why in the world would you ever want an interface to respond to an ARP request for an IP address that it does not own? In a typical Ethernet network you really do not want a device spoofing, or telling other hosts in the network that it owns an IP address when it actually does not; this could possibly lead to a very unstable network. However, there are some very specific situations where it might be necessary for an interface to respond to ARP requests for IP addresses that it does not own.

Let's take a closer look at the network diagram we have here. In the middle we have an SRX device which is providing Internet access for the internal network, which consists of host 1 through host 3. Those hosts are within the private IP address range of 10.1.10.0/24, and to provide the Internet access that they need, the SRX device must be performing source NAT. To accommodate source NAT, the ISP router has assigned the IP address range of 67.1.10.0/28, which means that we have 14 available addresses inside that address range. As you might know, a /28 may provide 14 addresses, but we can't use all 14 in our source NAT pool, because one address has to be used for the SRX's ge-0/0/4 interface and another address has to be used for the ISP router's interface which is connecting with the SRX. So this leaves us with a source NAT range of 67.1.10.3 to 67.1.10.14, which, as you can see in our little network here, is more than enough. For our scenario we are going to turn off port translation, or PAT. So what our internal hosts will now want to do is communicate with the outside world; they'll actually need to communicate with an FTP server that is located somewhere in the Internet, using the public IP address of 67.1.1.1.

So let's jump to the router prompt right now and try that; let's see what happens when these hosts attempt to communicate with the FTP server. Here at the router prompt we're on the SRX device, under the security nat hierarchy level, and I will just show you the configuration there. As you can see, we have a source pool defined with the address range that we specified; PAT has been turned off with the port no-translation command; and then we have a rule set that is doing the source NAT. You can see it's from zone trust to the untrust zone, matching on that internal prefix that we talked about, and then we're attempting source NAT with the pool that we specified up here. So, pretty basic. We're going to jump to host 1; host 1 is going to attempt to FTP to the FTP server, and it may not be terribly surprising, but it's not happening: host 1 is not able to communicate with the FTP server. We'll go ahead and cancel that operation and jump back to the SRX device. Can you determine, or maybe guess, what's going on here? It may be a little difficult. This is a situation that is kind of hard to troubleshoot, because we really don't know what's going on off the router.

Let's start back up that FTP session that isn't working, and we'll examine the router; we'll examine the security flows for FTP. As you can see, there's a flow for this session that is happening, and you can see that it's coming in the GigE 8 interface and going out the ge-0/0/4 interface, and you can see that the traffic the SRX device is expecting back has a destination address of 67.1.10.7. This tells us that NAT is occurring. Let's look at the NAT pool, specifying all; we only have one pool configured. As you can see, we've had some translation hits here, which tells us that the translation is occurring. The address is no longer being used, which means that there's no need to leave that session open on host 1. So NAT is occurring, but communication is not happening.

Let's discuss the exact flow as it happens, starting at host 1 and going to the FTP server, and we also have to keep in mind the return traffic. This is actually where the problem is: with the return traffic. So let's look at our network diagram. Host 1 here is starting FTP traffic, saying "hey, we're going to go to 67.1.1.1." He initiates the traffic; it goes to the SRX device; the SRX device changes the source IP address to 67.1.10.7, which is within our NAT pool range; it goes through the Internet router, goes through the Internet, and hits the FTP server. The FTP server says "okay, let's start this connection up" and responds to 67.1.10.7. That hits the ISP router, and the ISP router says "hey, I haven't communicated with 67.1.10.7; I need to send an ARP request on this broadcast Ethernet segment." Well, he sends this ARP request; the only other host on here is the SRX device; that ARP request hits the SRX device on the ge-0/0/4 interface. Well, the only address applied on that interface is 67.1.10.2; there's no .7 applied on that interface. That interface looks at it and says "must not be me; there must be another host on this Ethernet broadcast segment that has .7," and so he doesn't respond to the traffic. He has no idea that it's actually meant for him. So this is the perfect instance where proxy ARP is necessary.

So let's jump back to the SRX device and let's configure proxy ARP. That's right, we have to specify the interface first, a very important step. Actually, I'll jump into the interface so the text doesn't wrap around the screen. Something important to note here: notice that when I specified interface ge-0/0/4, the hierarchy actually changed to ge-0/0/4.0. Since I didn't specify a unit, the Junos software assumed unit 0. Keep that in mind: if you need to specify a different unit, if you're working with a unit other than zero for an interface, you need to specify it, or you're going to be configuring unit 0 and it's not going to work. All right, let's set the address range, .3 to 67.1.10.14, and jump up one more level. As you can see, there's the proxy ARP configuration, with the entire NAT configuration as well.

So we'll commit that configuration, and while this configuration commits, it's important to note a little caveat. When you're specifying proxy ARP for an interface, you can't specify that interface's address in the range that you specify, because it's unnecessary: the router is already going to respond to that interface address. If you do that, you'll get a configuration error and you'll just have to change your configuration. Just a little tip to speed things up when configuring proxy ARP in this manner. So let's try that communication again. Would you look at that, it works just fine. So let's examine the router again; look at the security flows for the FTP session. As you can see, it looks exactly the same other than we are using .4. And let's look at the source pool, specifying all; as you can see, we have translation hits, and we're using an available address. Communication is occurring. We'll go ahead and abort that session there. As you can see, proxy ARP comes into play here; it's very key to allow communication in an instance like this.

What I showed you here with proxy ARP in this scenario is how it is configured under the security nat hierarchy. There's actually another form of proxy ARP that can be configured that I'll show you next, but there are some special considerations to be aware of. It's actually configured on the interface. So let's delete proxy-arp under the security section and let's jump to the actual interface. Now, as I configure this, well, before I mentioned there are some special caveats to be aware of, and this is more about how Ethernet works in general, because what we're going to do here is specify proxy ARP and use the unrestricted keyword. What this is going to do is allow the ge-0/0/4 interface on the SRX device to respond to any ARP request. Any ARP request it gets, it's going to respond to, which is fantastic for our situation: we're only going to respond to ARP requests that come in on this interface, and we're the only host that can possibly respond to these ARP requests. Keep in mind, this is very important: you have to be very careful with this if there are other hosts on the Ethernet broadcast segment. With the security configuration we can specify the range; if you have more than one host, I would highly recommend that you use the security nat configuration to configure proxy ARP, because you can specify the actual range of addresses. Using the unrestricted command with proxy ARP, however, I would recommend only when the host you're configuring is the only host that can respond on that broadcast Ethernet segment. If you have other hosts that can possibly respond and you use the proxy-arp unrestricted command under an interface like this, you will have major troubles in your network. So just keep that in mind as you go about using proxy ARP.

Well, now that I've given you that strict warning, let's jump to the host and try the FTP connection again. As you can see, we get a login prompt; things look beautiful. Let's jump to the SRX device and look at the security sessions, specifying FTP for the application again. As you can see, this is happening again; we are getting a security flow, and notice that before we used .4 and now we're using .3, 67.1.10.3. So you can see that for each different address that is used, the ISP device will have to send out an ARP request. This is important, because if we actually used the .4 address again, the ISP router would not need to send out an ARP request if it was soon enough that its ARP table didn't time out for that specific MAC address; we wouldn't have to worry about that. But since we're using .3, the ISP router had to send out another ARP to fill in its MAC table. As you can see, communication is happening on the .3 address, and so things appear good here. Look at the source pool: as you can see, we've got translation hits and we've got an available address being used, so everything is working as designed. Keep in mind, this is a difficult issue to troubleshoot if you don't understand how your network is configured and exactly what ARP requests are going out, because all the output that would possibly provide information is about the same whether it's working or not.

So this concludes the proxy ARP section of Juniper Learning Bytes. Thank you for viewing this presentation, and I hope the information we covered in this section will be helpful to you. Visit the Juniper Education Services website to learn more about courses: view our full range of classroom, online and e-learning courses; learning paths; industry segments and technology-specific training paths; the Juniper Networks Certification Program, the ultimate demonstration of your competence; and the training community, from forums to social media. Join the discussion.
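The configuration the video walks through, written out as Junos set commands. This is an added example, not configuration shown in the video or published by Juniper: the addressing (ISP router 67.1.10.1, SRX ge-0/0/4.0 at 67.1.10.2, pool 67.1.10.3 to .14, inside network 10.1.10.0/24) follows the narration, while the pool name, rule-set and policy names, the inside interface ge-0/0/8.0 and its address, the zone bindings and the default route are assumptions made for this example. Lines beginning with `#` are commentary and are not part of the configuration.

```junos
# --- Added example (assumed names and inside addressing; see lead-in) ---

# Outside interface: 67.1.10.2 is the only address the SRX actually owns on the segment
set interfaces ge-0/0/4 unit 0 family inet address 67.1.10.2/28
# Inside interface toward host1-host3 (interface number and address assumed)
set interfaces ge-0/0/8 unit 0 family inet address 10.1.10.1/24
# Default route toward the ISP router (assumed)
set routing-options static route 0.0.0.0/0 next-hop 67.1.10.1

set security zones security-zone untrust interfaces ge-0/0/4.0
set security zones security-zone trust interfaces ge-0/0/8.0

# Source NAT pool: the 12 addresses left after the two interface addresses,
# with PAT disabled exactly as in the video. Return traffic therefore arrives
# for .3 through .14, addresses that no interface will answer ARP for.
set security nat source pool public-pool address 67.1.10.3/32 to 67.1.10.14/32
set security nat source pool public-pool port no-translation
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule internal-hosts match source-address 10.1.10.0/24
set security nat source rule-set trust-to-untrust rule internal-hosts then source-nat pool public-pool

# A permit policy so the flows are allowed at all (assumed)
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit

# Option 1, the form recommended in the video whenever other hosts share the
# segment: answer ARP only for the pool range. The range must NOT include the
# interface's own address 67.1.10.2; the commit fails if it does.
# Note the logical unit ".0" on the interface name.
set security nat proxy-arp interface ge-0/0/4.0 address 67.1.10.3/32 to 67.1.10.14/32

# Option 2, only when the SRX is the sole host on the segment besides the ISP
# router: answer every ARP request received on ge-0/0/4.0. Use one option or
# the other; the video deletes option 1 before enabling this.
# delete security nat proxy-arp interface ge-0/0/4.0
# set interfaces ge-0/0/4 unit 0 proxy-arp unrestricted

# Verification from operational mode, as used in the video:
#   show security flow session application ftp
#   show security nat source pool all
# If the ISP router is also a Junos device, "show arp" on it should list the
# pool addresses in use with the MAC address of the SRX's ge-0/0/4 interface.
```

Before and after enabling proxy ARP, the flow session and the pool's translation-hit counters look the same, which is the point the video closes on; the only observable difference is whether the ISP router's ARP cache resolves the pool address to the SRX's MAC, so that is the check to make first when a no-PAT pool "translates but never gets a reply".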
Info
Channel: JuniperNetworks
Views: 15,008
Rating: 4.5662651 out of 5
Keywords: juniper, juniper networks, proxy, arp, nat, srx, learning byte
Id: D4SgRJhBCOw
Length: 17min 48sec (1068 seconds)
Published: Thu Sep 05 2013