Proxy Arp - D-Link NetDefend DFL-210 User Manual

4.2.5. Proxy ARP

4.2.5. Proxy ARP
Overview
As discussed previously in Section 3.4, "ARP", the ARP protocol facilitates a mapping between an
IP address and the MAC address of a node on an Ethernet network. However, situations may exist
where a network running Ethernet is separated into two parts with a routing device such as an
installed NetDefend Firewall, in between. In such a case, NetDefendOS itself can respond to ARP
requests directed to the network on the other side of the NetDefend Firewall using the feature known
as Proxy ARP.
The splitting of an Ethernet network into distinct parts so that traffic between them can be controlled
is a common usage of the proxy ARP feature. NetDefendOS can then be used to monitor and
regulate traffic passing between the parts.
A Typical Scenario
For example, host A on one subnet might send an ARP request to find out the MAC address of the
IP address of host B on another separate network. The proxy ARP feature means that NetDefendOS
responds to this ARP request instead of host B. The NetDefendOS sends its own MAC address
instead in reply, essentially pretending to be the target host. After receiving the reply, Host A then
sends data directly to NetDefendOS which, acting as a proxy, forwards the data on to host B. In the
process the device has the opportunity to examine and filter the data.
Transparent Mode as an Alternative
Transparent Mode is an alternative and preferred way of splitting ethernet networks. The setup is
simpler than using proxy ARP since the administrator need only define the appropriate switch
routes.
Using switch routes is fully explained in Section 4.7, "Transparent Mode". In HA clusters, switch
routes cannot be used and proxy ARP is the only way to implement transparent mode functionality.
Note
It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces.
145
Chapter 4. Routing