Welcome to Ken's Geeklog
Monday, June 17 2013 @ 11:58 PM MST

Proxy ARP and Static NAT on JunOS

Imagine that you have several physical networks, each connected to its own dumb switch or segregated as separate VLANs on a normal Layer 2 switch, and that you need to move a machine from one subnet to another while traffic sent to its old IP address must still reach it.

At first this seems impossible, for two main reasons:

1. A device on the old subnet that needs to reach the old address will not send the traffic to the core router to be routed; it will send an ARP broadcast and wait for a response.
2. A device on any other subnet will not send an ARP at all; it will pass the traffic to the router, because the destination is not in its own subnet.

The easiest (and least disruptive) solution is Proxy ARP combined with Static NAT.

Proxy ARP listens on the network for ARP broadcasts. If the SRX receives a broadcast for an address that it has in its tables, it answers the request on that address's behalf. Then, depending on how Static NAT is configured, it can pass the traffic on to a device in a different subnet, provided that device is reached through a different interface.

Of course, fixing the applications so that they use the new address is the better solution in the long run. This one works in the interim, so that anything you have missed keeps working.

NOTE: Static NAT only works between two distinct interfaces. You cannot NAT for devices on the same interface.

First, set up Static NAT. (NOTE: the rule-set name, rule name and addresses below are examples that you need to change to match your own network.)

set security nat static rule-set IP_Mapping from zone old_network
set security nat static rule-set IP_Mapping rule server_name match destination-address 169.1.1.1/32
set security nat static rule-set IP_Mapping rule server_name then static-nat prefix 169.1.2.2/32

Now that Static NAT is in place, you can tell the SRX to answer ARP queries for the old address on the old subnet's interface:

set security nat proxy-arp interface reth0.0 address 169.1.1.1/32

You will then need to create an inter-zone security policy to allow the traffic to pass.

NOTE: Without Static NAT the SRX will not know where to send the traffic. It will still respond to ARP, but will then send the traffic literally nowhere.
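The complete configuration for the scenario above, including the inter-zone policy the post says you need but does not show, as an added example that is not part of the original post. It assumes the old subnet sits in zone old_network on reth0.0 and the new subnet in zone new_network on reth1.0; the zone, policy and address-book names are placeholders.

```junos
## Added example, not from the original post. Zone and interface assignments,
## the address-book name and the policy name are assumptions for illustration.
set security zones security-zone old_network interfaces reth0.0
set security zones security-zone new_network interfaces reth1.0

## 1. Static NAT: the old address 169.1.1.1 maps to the server's new address 169.1.2.2.
##    The rule-set is applied to traffic arriving from the old subnet's zone.
set security nat static rule-set IP_Mapping from zone old_network
set security nat static rule-set IP_Mapping rule server_name match destination-address 169.1.1.1/32
set security nat static rule-set IP_Mapping rule server_name then static-nat prefix 169.1.2.2/32

## 2. Proxy ARP on the OLD subnet's interface only, so hosts there get an answer
##    for 169.1.1.1 and hand their frames to the SRX instead of waiting forever.
set security nat proxy-arp interface reth0.0 address 169.1.1.1/32

## 3. Address-book entry for the server's REAL address. The SRX applies static
##    NAT before the policy lookup, so the policy must match 169.1.2.2, not 169.1.1.1,
##    and the destination zone is the one the translated address routes to.
set security address-book global address old_server_real 169.1.2.2/32

## 4. Inter-zone policy from the old subnet's zone to the new subnet's zone.
##    Narrow "application any" to what the legacy clients actually use once known.
set security policies from-zone old_network to-zone new_network policy allow_old_server match source-address any
set security policies from-zone old_network to-zone new_network policy allow_old_server match destination-address old_server_real
set security policies from-zone old_network to-zone new_network policy allow_old_server match application any
set security policies from-zone old_network to-zone new_network policy allow_old_server then permit

## Verify after commit: the session should show the translated destination 169.1.2.2.
## show security nat static rule all
## show security flow session destination-prefix 169.1.2.2
```

Devices on other subnets (reason 2 above) reach 169.1.1.1 through normal routing rather than ARP, so each of their zones needs its own from-zone policy to new_network matching the same address-book entry.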
