Proxy ARP for Manual NAT – (local.arp file)
Proxy ARP is a mechanism that lets a Gateway be configured to respond to ARP requests on behalf of other hosts. For more information about Proxy ARP configuration, see sk30197.
To configure the proxy ARP mechanism on the 61000/41000 Security System:
- Add these to $FWDIR/conf/local.arp on the local SGM:
  - The IPs for which the 61000/41000 Security System should answer ARP requests
  - The respective MAC addresses to be advertised
  Note: In a Dual Chassis setup, the interface VMAC differs between Chassis. When editing local.arp, take the MAC values from the local SGM.
  For example, to reply to ARP requests for IP 192.168.10.100 on interface eth2-01 with MAC address 00:1C:7F:82:01:FE, add the following entry to local.arp:
  192.168.10.100 00:1C:7F:82:01:FE
- Distribute the updated local.arp to all SGMs:
  # local_arp_update
  This command distributes local.arp to all SGMs in the system, and automatically changes the MAC values for SGMs on another Chassis.
- Enable the option in .
- Install policy to apply the updated proxy ARP entries.
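A pre-distribution check for the entries described in the steps above, as an added example (not Check Point code). The function names and all sample entries except the page's 192.168.10.100 line are constructed, and it assumes only the two-field `<IP> <MAC>` form shown here, so any other non-blank line is reported for manual review.

```shell
# Added example, not part of the product: lint local.arp before local_arp_update.
# Assumption: only the "<IP> <MAC>" form shown on this page is accepted; any
# other non-blank line is reported for manual review.
check_local_arp() {
    # Reads the file named in $1, or stdin when no argument is given.
    # Prints one finding per line; exit status is 1 if anything was found.
    awk '
    function valid_ip(ip,    n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(mac) {
        # Six colon-separated hex pairs: 2 + 5 * 3 = 17 characters.
        return length(mac) == 17 && mac ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/
    }
    NF == 0 { next }    # skip blank lines
    NF != 2 { printf "line %d: expected \"<IP> <MAC>\", got %d fields\n", NR, NF; bad++; next }
    !valid_ip($1)  { printf "line %d: invalid IPv4 address %s\n", NR, $1; bad++; next }
    !valid_mac($2) { printf "line %d: invalid MAC address %s\n", NR, $2; bad++; next }
    {
        mac = toupper($2)
        # One IP advertised with two different MACs gives an ambiguous ARP reply.
        if (($1 in seen) && seen[$1] != mac) {
            printf "line %d: %s already mapped to %s on line %d\n", NR, $1, seen[$1], first[$1]
            bad++
        } else if (!($1 in seen)) { seen[$1] = mac; first[$1] = NR }
    }
    END { exit (bad > 0) }
    ' "${1:--}"
}

# Constructed sample: the first entry is the one from the page, the rest are made up.
sample_local_arp() {
    cat <<'EOF'
192.168.10.100 00:1C:7F:82:01:FE
192.168.10.101 00:1C:7F:82:01:FE
192.168.10.300 00:1C:7F:82:01:FE
192.168.10.102 00:1C:7F:82:01
192.168.10.100 00:1C:7F:82:02:FE
EOF
}

sample_local_arp | check_local_arp || echo "fix the entries above before running local_arp_update"
```

To check the real file, pass its path as the argument: `check_local_arp "$FWDIR/conf/local.arp"`.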
Notes:
- When you add an SGM to a system with proxy ARP configured, the local.arp file is automatically copied to the new SGM from the SMO.
- When you change local.arp on a Virtual System, the changes apply to that Virtual System only.
- Proxy ARP is also required when configuring Connect Control on the 61000/41000 Security System.
Verification:
To make sure that all the entries in local.arp are applied correctly on the system, run:
# asg_local_arp_verifier
To compare the entries manually, run:
# g_fw ctl arp