Proxy ARP and Static NAT on JunOS
Saturday, May 22 2010 @ 09:03 AM MST
Contributed by: admin
Imagine that you have several physical networks, each connected to its own dumb switch, or segregated as separate VLANs on an ordinary Layer 2 switch, and that you need to move a machine from one subnet to another while traffic for its old IP address continues to reach it.
At first this seems impossible, for two main reasons:
1. A device on the old subnet that needs to reach the old address will not send the traffic to the core router to be routed; it will send an ARP broadcast and wait for a response.
2. A device on any other subnet will not send an ARP request at all; it will pass the traffic to the router because the destination is not in its own subnet.
The easiest (and least disruptive) solution is Proxy ARP combined with Static NAT.
Proxy ARP listens on the network for ARP broadcasts. If it receives a request for an address that it has in its tables, it answers with its own MAC address, so the sending host forwards the frames to the SRX. Then, depending on how Static NAT is set up, the SRX can pass the traffic on to a device in a different subnet, provided that device is reached through a different interface.
Of course, fixing the applications so that they use the new address is the better solution in the long run; this one works in the interim and ensures that anything you have missed still works.
NOTE: Static NAT only works between two distinct interfaces. You cannot NAT for devices on the same interface.
First, set up Static NAT (NOTE: the rule-set, zone and rule names and the addresses below are examples; change them to match your network)
set security nat static rule-set IP_Mapping from zone old_network
set security nat static rule-set IP_Mapping rule server_name match destination-address 22.214.171.124/32
set security nat static rule-set IP_Mapping rule server_name then static-nat prefix 126.96.36.199/32
Now that Static NAT is in place, you can begin to answer ARP queries for the old address:
set security nat proxy-arp interface reth0.0 address 188.8.131.52/32
You will then need an inter-zone security policy to allow the traffic to pass.
NOTE: Without Static NAT the SRX will not know where to send the traffic. It will still respond to the ARP request, but will then send the traffic literally nowhere.
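A complete configuration covering the three steps above (Static NAT, Proxy ARP and the inter-zone policy the post says is required), added here as a worked example; it is not taken from the original post. The addresses (RFC 5737 documentation ranges), the zone names old_network and new_network, the interfaces reth0.0 and reth1.0, the address-book entry and the policy name are assumed placeholders to replace with your own; lines beginning with ## are explanatory comments, not configuration, and should be stripped before pasting.

```junos
## Added example configuration (not the original post's). Assumed topology:
##   old subnet 192.0.2.0/24 on reth0.0 in zone old_network
##   moved server now has 198.51.100.10 on reth1.0 in zone new_network
##   the server's old address was 192.0.2.10
## Everything below is a placeholder to be adapted to your network.

## 1. Static NAT: traffic arriving from zone old_network for the old address
##    is translated to the server's new address; replies are translated back.
set security nat static rule-set IP_Mapping from zone old_network
set security nat static rule-set IP_Mapping rule server_name match destination-address 192.0.2.10/32
set security nat static rule-set IP_Mapping rule server_name then static-nat prefix 198.51.100.10/32

## 2. Proxy ARP: answer ARP requests for the old address on the old subnet's
##    interface, so hosts there hand their frames to the SRX.
set security nat proxy-arp interface reth0.0 address 192.0.2.10/32

## 3. Inter-zone policy. Static NAT is applied before policy lookup, so the
##    policy must match the translated (new) address, not the old one.
set security address-book global address moved_server 198.51.100.10/32
set security policies from-zone old_network to-zone new_network policy allow_moved_server match source-address any
set security policies from-zone old_network to-zone new_network policy allow_moved_server match destination-address moved_server
set security policies from-zone old_network to-zone new_network policy allow_moved_server match application any
set security policies from-zone old_network to-zone new_network policy allow_moved_server then permit
set security policies from-zone old_network to-zone new_network policy allow_moved_server then log session-init

## Validate before committing.
commit check
commit
```

To confirm the pieces are working together, send traffic from a host on the old subnet to 192.0.2.10 and, in operational mode, run `show security nat static rule all` (the rule's translation hit counter should increase) and `show security flow session destination-prefix 198.51.100.10` (a session should exist with the translated destination). If the hit counter rises but no session appears, the policy in step 3 is the usual culprit; if the host's ARP cache never maps the old address to the SRX's MAC, check step 2. Matching `application any` keeps the example short; in production, narrow it to the services the moved server actually provides.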