Proxy Arp - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

Sample - The number of polling attempts used as a sample size for calculating the Percentage Loss and the Average Latency.
Max Number of Failed Attempts - The maximum permissible number of polling attempts that fail. If this number is exceeded then the host is considered unreachable.
Max Average Latency - The maximum number of milliseconds allowable for a response to be received from the host. If this threshold is exceeded then the host is considered unreachable. Average Latency is calculated by averaging the response times from the host. If a polling attempt receives no response then it is not included in the averaging calculation.
The Reachability Required option
An important option that can be enabled for a host is the Reachability Required option. When this
is selected, the host must be determined as accessible in order for that route to be considered to be
functioning. Even if other hosts are accessible, this option says that the accessibility of a host with
this option set is mandatory.
Where multiple hosts are specified for host monitoring, more than one of them could have Reachability Required enabled. If NetDefendOS determines that any host with this option enabled is not reachable, Route Failover is initiated.
4.2.3. Proxy ARP
As explained previously in Section 3.4, "ARP", the ARP protocol facilitates a mapping between an IP address and the MAC address of a node on an Ethernet network. However, situations may exist where a network running Ethernet is separated into two parts with a routing device, such as an installed D-Link Firewall, in between. In such a case, NetDefendOS itself can respond to ARP requests directed to the network on the other side of the D-Link Firewall using the feature known as Proxy ARP.
For example, host A on one subnet might send an ARP request to find out the MAC address of the IP address of host B on another, separate network. The Proxy ARP feature means that NetDefendOS responds to this ARP request instead of host B. NetDefendOS sends its own MAC address in the reply, essentially pretending to be the target host. After receiving the reply, host A then sends data directly to NetDefendOS which, acting as a proxy, forwards the data on to host B. In the process the device has the opportunity to examine and filter the data.
The splitting of an Ethernet network into two distinct parts is a common application of the D-Link Firewall's Proxy ARP feature, where access between the parts needs to be controlled. In such a scenario NetDefendOS can monitor and regulate all traffic passing between the two parts.
Note
It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces.
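The following is an added illustration of the exchange described above, not code from the manual or from NetDefendOS: it builds host A's ARP request for host B, and shows the reply a proxy would generate, answering with its own MAC only when the target IP lies in a network reachable through its other interface. All addresses, the network 192.168.2.0/24 and the function names are constructed assumptions.

```python
import ipaddress
import struct

# Frame layouts: 14-byte Ethernet header followed by a 28-byte ARP packet.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample addresses (assumptions, not values from the manual).
FW_MAC = bytes.fromhex("0200000000f1")      # the firewall's own MAC
HOST_A_MAC = bytes.fromhex("0200000000a1")
PROXIED_NETWORKS = [ipaddress.ip_network("192.168.2.0/24")]  # subnet on the far side


def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast 'who has target_ip?' request, as host A would send it."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac,
                       ipaddress.IPv4Address(src_ip).packed, b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP) + arp


def proxy_arp_reply(frame, fw_mac, proxied_networks):
    """Reply the proxy sends when the requested IP is on the far side; None otherwise."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    # Answer only for addresses reachable through the other interface; answering
    # for hosts on the requester's own segment would misdirect local traffic.
    if not any(ipaddress.IPv4Address(tpa) in net for net in proxied_networks):
        return None
    # The reply names the firewall's MAC as the hardware address of the target IP
    # and is unicast back to the requester.
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, fw_mac, tpa, sha, spa)
    return ETH_HDR.pack(sha, fw_mac, ETHERTYPE_ARP) + arp


def reply_binding(frame):
    """(sender MAC, sender IP) that the requester will cache from an ARP reply."""
    _, _, _, _, _, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return sha, str(ipaddress.IPv4Address(spa))
```

Host A caches the firewall's MAC for host B's address and sends its traffic to the firewall, which is the point at which NetDefendOS can inspect and filter it before forwarding.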
Chapter 4. Routing