Proxy Arp - D-Link NetDefend DFL-210 User Manual

Network security firewall

4.2.5. Proxy ARP

HTTP Parameters
If the HTTP polling method is selected then two further parameters can be entered:
Request URL
The URL which is to be requested.
Expected Response
The text that is expected back from querying the URL.
Testing for a specific response text makes it possible to detect that an application is offline.
If, for example, a web page response from a server can indicate if a specific database is
operational with text such as "Database OK", then the absence of that response can indicate that
the server is operational but the application is offline.
A Known Issue When No External Route is Specified
With connections to an Internet ISP, an external network route should always be specified. This
external route specifies on which interface the network which exists between the D-Link Firewall
and the ISP can be found. If only an all-nets route is specified to the ISP's gateway, route failover
may, depending on the connected equipment, not function as expected.
This issue rarely occurs. When it does, the reason is that ARP queries arriving on a disabled route
are ignored.
4.2.5. Proxy ARP
Overview
As discussed previously in Section 3.4, "ARP", the ARP protocol facilitates a mapping between an
IP address and the MAC address of a node on an Ethernet network. However, situations may exist
where a network running Ethernet is separated into two parts with a routing device, such as an
installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP
requests directed to the network on the other side of the D-Link Firewall using the feature known as
Proxy ARP.
The splitting of an Ethernet network into distinct parts so that traffic between them can be controlled
is a common usage of the proxy ARP feature. NetDefendOS can then be used to monitor and
regulate traffic passing between the parts.
A Typical Scenario
For example, host A on one subnet might send an ARP request to find the MAC address for the
IP address of host B on a separate network. The proxy ARP feature means that NetDefendOS
responds to this ARP request instead of host B. NetDefendOS sends its own MAC address
in the reply, essentially pretending to be the target host. After receiving the reply, host A then
sends data directly to NetDefendOS which, acting as a proxy, forwards the data on to host B. In the
process the device has the opportunity to examine and filter the data.
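In the scenario above, host A's neighbour table ends up with several IP addresses resolving to the firewall's single MAC address, the same pattern that ARP-cache monitoring commonly flags as spoofing. The following added example (not part of the D-Link manual) groups a Linux `ip neigh show` listing by MAC and separates allowlisted proxy ARP MACs from unexpected ones; the sample listing, all addresses and the `proxy_macs` allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: `ip neigh show` output as host A might see it when the
# firewall proxies ARP for hosts on the far side. All addresses are made up.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:de:ad:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:de:ad:00:00:01 STALE
192.168.1.21 dev eth0 lladdr 00:de:ad:00:00:01 REACHABLE
192.168.1.30 dev eth0 lladdr 02:00:00:aa:bb:30 REACHABLE
192.168.1.40 dev eth0 lladdr 02:00:00:ee:ee:ee STALE
192.168.1.41 dev eth0 lladdr 02:00:00:EE:EE:EE REACHABLE
192.168.1.50 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\b"
)

def group_by_mac(neigh_text):
    """Map (device, MAC) -> sorted list of IPs; entries without a MAC are skipped."""
    groups = defaultdict(set)
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE lines carry no lladdr and do not match
            groups[(m["dev"], m["mac"].lower())].add(m["ip"])
    return {k: sorted(v) for k, v in groups.items()}

def classify(neigh_text, proxy_macs):
    """Return (expected, unexpected) lists of (dev, mac, ips) for shared MACs."""
    allowed = {m.lower() for m in proxy_macs}  # MACs of known proxy ARP devices
    expected, unexpected = [], []
    for (dev, mac), ips in sorted(group_by_mac(neigh_text).items()):
        if len(ips) < 2:
            continue  # one IP per MAC is the normal case
        (expected if mac in allowed else unexpected).append((dev, mac, ips))
    return expected, unexpected

if __name__ == "__main__":
    ok, alert = classify(SAMPLE_NEIGH, proxy_macs={"00:DE:AD:00:00:01"})
    for dev, mac, ips in ok:
        print(f"proxy ARP (allowlisted) {mac} on {dev}: {', '.join(ips)}")
    for dev, mac, ips in alert:
        print(f"UNEXPECTED shared MAC {mac} on {dev}: {', '.join(ips)}")
```
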
Transparent Mode as an Alternative
Transparent Mode is an alternative and preferred way of splitting Ethernet networks. The setup is
simpler than using proxy ARP since the administrator need only define the appropriate switch
routes.
Chapter 4. Routing
