Proxy Arp - D-Link NetDefendOS User Manual

Network security firewall

Chapter 4: Routing
Grace time
The length of time in seconds between startup or reconfigure and monitoring start.
Default: 30
Consecutive fails
The number of consecutive failures that must occur before a route is marked as being unavailable.
Default: 5
Consecutive success
The number of consecutive successes that must occur before a route is marked as being
available.
Default: 5
Gratuitous ARP on fail
Send a gratuitous ARP on HA failover to alert hosts of the changes in interface Ethernet and IP
addresses.
Default: Enabled

4.2.6. Proxy ARP

Overview

As discussed previously in Section 3.5, "ARP", the ARP protocol facilitates a mapping between an
IP address and the MAC address of a host on an Ethernet network.

However, situations may exist where a network running Ethernet is separated into two parts with
a routing device such as a NetDefend Firewall in between. In such a case, NetDefendOS itself can
respond to ARP requests directed to the network on the other side of the NetDefend Firewall
using the feature known as Proxy ARP.

The splitting of an Ethernet network into distinct parts so that traffic between them can be
controlled is a common usage of the proxy ARP feature. NetDefendOS rule sets can then be used
to impose security policies on the traffic passing between the different network parts.

A Typical Scenario

As an example of a typical proxy ARP scenario, consider a network split into two sub-networks
with a NetDefend Firewall between the two.

Host A on one sub-network might send an ARP request to find out the MAC address for the IP
address of host B on the other sub-network. With the proxy ARP feature configured,
NetDefendOS responds to this ARP request instead of host B. NetDefendOS sends its own MAC
address in reply, pretending to be the target host. After receiving the reply, Host A then sends
data directly to NetDefendOS which forwards the data to host B. In the process NetDefendOS
checks the traffic against the configured rule sets.
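
The exchange in the scenario above, modelled as an added Python example (not D-Link code and not NetDefendOS configuration syntax): the firewall answers host A's ARP request for host B with its own MAC, then forwards only what the rule set permits. The interface names, MAC and IP addresses, class and method names are constructed for illustration, and the same-segment check and default-deny rule set are modelling assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ProxyArpFirewall:
    """Toy model of a routing device that answers ARP for hosts on its other side."""
    # interface name -> (firewall's MAC on that interface, host IPs on that side)
    ifaces: dict
    # (source IP, destination IP) pairs the rule set permits; default deny
    allow: set = field(default_factory=set)

    def side_of(self, ip):
        """Name of the interface behind which `ip` lives, or None if unknown."""
        for name, (_mac, hosts) in self.ifaces.items():
            if ip in hosts:
                return name
        return None

    def arp_reply_mac(self, in_iface, target_ip):
        """MAC to place in the ARP reply, or None when the firewall stays silent."""
        side = self.side_of(target_ip)
        # A target on the requester's own segment answers for itself, and an
        # unknown target gets no reply; proxying either would hijack or
        # black-hole traffic.
        if side is None or side == in_iface:
            return None
        return self.ifaces[in_iface][0]

    def forward(self, src_ip, dst_ip):
        """Egress interface for a frame sent to the firewall's MAC, or None if dropped."""
        out = self.side_of(dst_ip)
        if out is None or (src_ip, dst_ip) not in self.allow:
            return None
        return out

# Constructed sample topology: one IP range split across two interfaces.
HOST_A, HOST_B, HOST_C = "192.0.2.10", "192.0.2.20", "192.0.2.11"
FW = ProxyArpFirewall(
    ifaces={
        "if1": ("02:00:00:00:00:01", {HOST_A, HOST_C}),
        "if2": ("02:00:00:00:00:02", {HOST_B}),
    },
    allow={(HOST_A, HOST_B)},
)

if __name__ == "__main__":
    print("A asks for B ->", FW.arp_reply_mac("if1", HOST_B))
    print("A asks for C ->", FW.arp_reply_mac("if1", HOST_C))
    print("A -> B:", FW.forward(HOST_A, HOST_B), "| C -> B:", FW.forward(HOST_C, HOST_B))
```

From host A's point of view, host B's IP address now maps to the firewall's MAC in the ARP cache, which is why all traffic between the two parts becomes subject to the rule set.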