
QTECH QSW-8300 Configuration Guide (User Manual)


+7(495) 797-3311 www.qtech.ru

Moscow, Novozavodskaya St., 18, bldg. 1


Chapter 20 ARP Local Proxy Configuration

20.1 Introduction to ARP Local Proxy function

In a real deployment, the switches in the aggregation layer are required to implement the local ARP proxy function to prevent ARP spoofing (ARP cheating). This function restricts the forwarding of ARP messages within the same VLAN and thus forces the data flow to be forwarded at layer 3 through the switch.

[Figure: topology with the switch and hosts PC1 and PC2; addresses shown: 192.168.1.1, 192.168.1.100, 192.168.1.200]

As shown in the figure above, when PC1 wants to send an IP message to PC2, the overall procedure is as follows (some non-ARP details are omitted):

1. Since PC1 does not have an ARP entry for PC2, it broadcasts an ARP request.

2. On receiving the ARP message, the switch hardware sends the ARP request to the CPU instead of forwarding it in hardware, according to the new ARP handling rules.

3. With local ARP proxy enabled, the switch sends an ARP reply to PC1 carrying its own MAC address (so PC1 fills its ARP entry with the MAC of the switch).

4. After receiving the ARP reply, PC1 creates the ARP entry and sends the IP message, setting the destination MAC of the Ethernet header to the MAC of the switch.

5. After receiving the IP message, the switch searches the routing table (creating a route cache entry) and installs the hardware forwarding entries.

6. If the switch already has an ARP entry for PC2, it directly encapsulates the Ethernet header and sends the message (the destination MAC is that of PC2).

7. If the switch does not have an ARP entry for PC2, it first resolves it via ARP and then sends the IP message.
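The seven steps above as an added simulation (a constructed model, not QTECH code): it runs the exchange with local proxy on and off, and covers both the step 6 case (switch already knows PC2) and the step 7 case (switch resolves PC2 itself). The MAC addresses, the `Switch` class and the `resolve` helper are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (assumptions, not from the manual).
SWITCH_MAC = "00:11:22:33:44:01"
PC1_IP, PC1_MAC = "192.168.1.100", "aa:aa:aa:aa:aa:01"
PC2_IP, PC2_MAC = "192.168.1.200", "aa:aa:aa:aa:aa:02"


@dataclass
class Switch:
    mac: str
    local_proxy: bool
    arp_table: dict = field(default_factory=dict)  # IP -> MAC known to the switch
    flooded: list = field(default_factory=list)    # ARP requests forwarded inside the VLAN

    def handle_arp_request(self, sender_ip, sender_mac, target_ip):
        """Steps 2-3: request punted to the CPU; with local proxy on the switch
        answers with its own MAC instead of letting the VLAN flood it."""
        self.arp_table[sender_ip] = sender_mac
        if self.local_proxy:
            return {"ip": target_ip, "mac": self.mac}
        self.flooded.append(target_ip)  # proxy off: ordinary L2 flooding, no switch reply
        return None

    def forward_ip(self, packet, resolve):
        """Steps 5-7: route lookup, then re-encapsulate with the real destination MAC,
        resolving it first (step 7) unless the switch already has it (step 6)."""
        dst_ip = packet["dst_ip"]
        if dst_ip not in self.arp_table:
            self.arp_table[dst_ip] = resolve(dst_ip)
        return {"dst_mac": self.arp_table[dst_ip], "src_mac": self.mac, "dst_ip": dst_ip}


def pc1_sends_to_pc2(local_proxy, switch_knows_pc2=False):
    """Run the exchange; returns None when PC1 receives no proxy reply from the switch."""
    sw = Switch(SWITCH_MAC, local_proxy)
    if switch_knows_pc2:
        sw.arp_table[PC2_IP] = PC2_MAC
    resolver_calls = []

    def resolve(ip):  # stands in for the switch ARP-ing PC2 itself (step 7)
        resolver_calls.append(ip)
        return PC2_MAC

    pc1_arp = {}
    reply = sw.handle_arp_request(PC1_IP, PC1_MAC, PC2_IP)  # step 1: PC1 broadcasts
    if reply is None:
        return None
    pc1_arp[reply["ip"]] = reply["mac"]  # step 4: PC1 maps PC2's IP to the switch MAC
    frame = {"dst_mac": pc1_arp[PC2_IP], "src_mac": PC1_MAC, "dst_ip": PC2_IP}
    out = sw.forward_ip(frame, resolve)
    return {"pc1_arp": pc1_arp, "frame": frame, "out": out,
            "flooded": sw.flooded, "switch_resolved": resolver_calls}
```

With proxy on, PC1's ARP entry for PC2 points at the switch and no ARP request is flooded in the VLAN, which is the property that blocks host-to-host ARP spoofing inside the VLAN.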

This function should be used together with other security functions. When users configure local ARP proxy on an aggregation switch and configure the interface isolation function on the layer-2 switch connected to it, all IP traffic is forwarded at layer 3 via the aggregation switch, and because of the interface isolation, ARP messages are not forwarded within the VLAN, so other PCs do not receive them.