SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

STATIC NAT and PROXY ARP Scenario on SRX


  • 1.  STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-30-2017 13:59

    Hi everybody,

    Please consider the following scenarios:

    CASE1

        Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

    Above we are using STATIC NAT, so whenever Host 10.10.10.10 talks to someone across the Internet, SRC IP 10.10.10.10 is replaced by 199.199.199.1.

    Similarly, all traffic from the Internet arriving on F2 on the SRX destined to 199.199.199.1 has its destination IP replaced with 10.10.10.10.

    In the above scenario, we do not need to enable proxy ARP for 199.199.199.1 under F2, because we will never receive an ARP request for 199.199.199.1 from the PE: as far as the PE is concerned, 199.199.199.1 lies behind 1.1.1.1, and since the PE does not see 199.199.199.1 as directly connected it will not send any ARP for 199.199.199.1.

    Am I correct?

    CASE2:

      Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

    Above we are using STATIC NAT, so all traffic from 10.10.10.10 destined to the Internet will have SRC IP 10.10.10.10 replaced by 1.1.1.3.

    Similarly, all traffic from the Internet arriving on F2 destined to 1.1.1.3 will have its DEST IP replaced by 10.10.10.10.

    For this case, we have to enable proxy ARP for 1.1.1.3, as the PE sees 1.1.1.3 as directly connected and thus will send ARP for 1.1.1.3 if it receives any packet for 1.1.1.3.

    Am I correct?

    Thanks and have a good day!!!



  • 2.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-30-2017 16:55
    My opinion is that ARP proxy should be enabled on all. This is because the internal network will utilize it. Second, I think that this NAT will convert the ARP requests. It isn't a dime box like, say, a Hotbrick LB2, which can create a different subnet other than its default VLAN (IP and all). The LB2 will, however, NAT the 1.1.1.1 address and send it across all domains.


  • 3.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 06:56

    Thanks for your response,

    Could you please explain what you meant when you said:

    This is because the internal Network will utilize it. Second I think that this nat will convert the arp requests.

    In my example, i.e. case 1, how can the internal network benefit if I enable proxy ARP as you suggested?

    Secondly, NAT translation is between IPs, not ARP, as ARP is layer 2 and has no IP header available for NAT translation.

    Please share your thoughts.



  • 4.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 21:06

    Stumbled upon this link:

    http://www.juniper.net/documentation/en_US/junos11.2/information-products/topic-collections/security/software-all/security/index.html?topic-42830.html

    It does say that for SRX, Proxy ARP must be explicitly enabled, but it did not explain why.

    For example, in case 1, I do not see the need to enable PROXY ARP, as the NATTED IP is not within the subnet used between the SRX and the PE.

    Based on the above link, Proxy ARP should not be enabled, but since it is SRX it has to be enabled. But why, as the NATTED IP is not within the subnet used between the SRX and the PE?

    Thanks



  • 5.  RE: STATIC NAT and PROXY ARP Scenario on SRX

     
    Posted 09-01-2017 00:18

    Yes, you were correct in the first post.

    Documentation says proxy ARP must be explicitly enabled because in Junos it's never enabled automatically. Some firewall vendors enable proxy ARP automatically when NAT requires it.

    Regards, Wojtek



  • 6.  RE: STATIC NAT and PROXY ARP Scenario on SRX
    Best Answer

    Posted 09-01-2017 03:34
    CASE1
        Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

    Above we are using STATIC NAT, so whenever Host 10.10.10.10 talks to someone across the Internet, SRC IP 10.10.10.10 is replaced by 199.199.199.1. Similarly, all traffic from the Internet arriving on F2 on the SRX destined to 199.199.199.1 has its destination IP replaced with 10.10.10.10. In the above scenario, we do not need to enable proxy ARP for 199.199.199.1 under F2, because we will never receive an ARP request for 199.199.199.1 from the PE: as far as the PE is concerned, 199.199.199.1 lies behind 1.1.1.1, and since the PE does not see 199.199.199.1 as directly connected it will not send any ARP for 199.199.199.1. Am I correct?

    This is correct as described. There is no proxy ARP required because there is no layer 2 communication for the 199.199.199.1 subnet, thus no ARP is required.

    All that is required is that the upstream device on 1.1.1.2 must have a route that forwards the 199.199.199.1 address to the next hop of 1.1.1.1 on the SRX.

    CASE2:
      Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

    Above we are using STATIC NAT, so all traffic from 10.10.10.10 destined to the Internet will have SRC IP 10.10.10.10 replaced by 1.1.1.3. Similarly, all traffic from the Internet arriving on F2 destined to 1.1.1.3 will have its DEST IP replaced by 10.10.10.10. For this case, we have to enable proxy ARP for 1.1.1.3, as the PE sees 1.1.1.3 as directly connected and thus will send ARP for 1.1.1.3 if it receives any packet for 1.1.1.3. Am I correct?

    This is also correct: since there is a layer 2 adjacency, ARP will need to occur for the forwarding of the traffic to happen. And as you see in the linked documentation, this is a manual configuration on the SRX. There are no automatic proxy-arp configurations made when NAT is configured.

    http://www.juniper.net/documentation/en_US/junos11.2/information-products/topic-collections/security/software-all/security/index.html?topic-42830.html

    The other documentation you might find helpful for this is the NAT examples guide.

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



  • 7.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 09-01-2017 07:11

    Thanks , very much appreciated!!



  • 8.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-30-2017 16:57
    Just because the subnet doesn't respond to pings doesn't mean it isn't NAT'ed.


  • 9.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 06:58

    I lost you here please explain .



  • 10.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-30-2017 16:58
    Third, traffic will degrade if you don't ARP it.


  • 11.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 06:57

    Considering my first example, please expound on :

     

    Third, traffic will degrade if you don't arp it.



  • 12.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 09:17
    If you are using proxy ARP on any of your subnets you might want to use it on all of them, because your flow will even out. That's how it will benefit. The more you segment your net with different protocols, the more you must think about even flow. It could be a negative (but maybe not) if you have a great deal of segmented traffic. Traffic should prune out. Your addressing is vital if you are going to use proxy ARP.


  • 13.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 14:00
    NDP proxy are required together.


  • 14.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 08-31-2017 16:12
    ARP proxy and NDP proxy are required together. My mistake on the last post....


  • 15.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 09-01-2017 15:26
    Says "not required".....


  • 16.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 09-02-2017 04:09

    eugene1973, not sure why you want to configure something that is both unnecessary and will never be used. There is no point in bloating a configuration with commands that are not needed.

    In order to do proxy ARP, the interface MUST have a configured IP address in the same subnet as the address you want to proxy ARP for. If there is no address in that subnet, there is no one who can proxy the ARP for the configured address.

    ARP is only used at all in a layer 2 segment. If the address is layer 3 routed to the next hop of the segment, there is no ARP done at all. The packet is simply forwarded.

    So adding the proxy ARP will be accepted in the configuration but never used: "not required", as the documentation says.
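    The rule stated in the best answer (post 6) and the constraint added in post 16 reduce to one test: proxy ARP on the SRX's PE-facing interface is needed, and can only ever answer, when the translated address lies inside a subnet that interface actually has an address in; otherwise the PE needs a route for the translated address pointing at the SRX. The Python below is an added example, not code from this thread or from Juniper: it replays both of the original poster's cases with the thread's own addresses and emits the corresponding Junos `set` commands, including the `security nat proxy-arp` line only where it applies. The interface name ge-0/0/1.0, the zone name `untrust`, and the rule-set and rule names are assumptions; security policies permitting the flow are left out because they do not affect the ARP question.

```python
# Added example (not code from the thread or from Juniper): decide whether a
# static-NAT address on an SRX needs proxy ARP on the egress interface, and
# emit the matching Junos 'set' commands. Interface, zone and rule-set names
# are assumptions; the addresses are the thread's own.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass
class StaticNatCase:
    name: str                          # rule-set name (assumed)
    host: IPv4Address                  # real inside address (10.10.10.10)
    translated: IPv4Address            # address the Internet sends to
    egress_ifl: str                    # PE-facing logical interface, F2 (assumed name)
    egress_addrs: List[IPv4Interface]  # addresses configured on that interface
    from_zone: str = "untrust"         # zone of the PE-facing interface (assumed)


def proxy_arp_applies(addr: IPv4Address, ifl_addrs: List[IPv4Interface]) -> bool:
    """Post 6's rule and post 16's constraint are the same test: the PE only
    ARPs for an address it sees as directly connected, and the SRX can only
    answer for an address inside a subnet its interface has an address in.
    Outside every configured subnet, proxy ARP is neither needed nor usable."""
    return any(addr in a.network for a in ifl_addrs)


def _reject_unusable(addr: IPv4Address, ifl_addrs: List[IPv4Interface]) -> None:
    """Edge cases a static NAT should never translate to."""
    for a in ifl_addrs:
        if addr == a.ip:
            raise ValueError(f"{addr} is the interface's own address")
        # Network/broadcast are reserved on /30 and shorter; on a /31 both
        # addresses are valid hosts, so skip the check there.
        if a.network.prefixlen < 31 and addr in (
            a.network.network_address, a.network.broadcast_address
        ):
            raise ValueError(f"{addr} is a network or broadcast address")


def junos_config(case: StaticNatCase) -> List[str]:
    """'set' commands for the static NAT rule, plus proxy-arp only when it
    applies. Security policies permitting the flow are out of scope here."""
    _reject_unusable(case.translated, case.egress_addrs)
    rs = f"security nat static rule-set {case.name}"
    rule = f"{rs} rule host-{str(case.host).replace('.', '-')}"
    lines = [
        f"set {rs} from zone {case.from_zone}",
        f"set {rule} match destination-address {case.translated}/32",
        f"set {rule} then static-nat prefix {case.host}/32",
    ]
    if proxy_arp_applies(case.translated, case.egress_addrs):
        lines.append(
            f"set security nat proxy-arp interface {case.egress_ifl} "
            f"address {case.translated}/32"
        )
    return lines


def upstream_route(case: StaticNatCase) -> Optional[Tuple[str, str]]:
    """CASE1's counterpart: with no layer 2 adjacency the PE needs a route for
    the translated /32 toward the SRX interface address on the shared link.
    Returns (prefix, next_hop), or None when proxy ARP covers it instead."""
    if proxy_arp_applies(case.translated, case.egress_addrs):
        return None
    return (f"{case.translated}/32", str(case.egress_addrs[0].ip))


# The thread's topology: F2 on the SRX is 1.1.1.1/24, the PE is 1.1.1.2.
F2 = IPv4Interface("1.1.1.1/24")
CASE1 = StaticNatCase("nat-case1", IPv4Address("10.10.10.10"),
                      IPv4Address("199.199.199.1"), "ge-0/0/1.0", [F2])
CASE2 = StaticNatCase("nat-case2", IPv4Address("10.10.10.10"),
                      IPv4Address("1.1.1.3"), "ge-0/0/1.0", [F2])

if __name__ == "__main__":
    for case in (CASE1, CASE2):
        needed = proxy_arp_applies(case.translated, case.egress_addrs)
        print(f"## {case.name}: proxy ARP {'required' if needed else 'not required'}")
        print("\n".join(junos_config(case)))
        route = upstream_route(case)
        if route:
            print(f"## PE needs route {route[0]} next-hop {route[1]}")
```

    Run as a script it prints CASE1 without a proxy-arp line plus the /32 route the PE must carry, and CASE2 with the proxy-arp line and no route. After committing the generated statements on a real SRX, `show security nat static rule all` confirms the rule is installed; whether the PE actually ARPs or routes is what decides which of the two variants is correct, exactly as post 16 says.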



  • 17.  RE: STATIC NAT and PROXY ARP Scenario on SRX

    Posted 09-02-2017 18:58
    🙂