To change the way ARP is handled on an interface, the administrator can create ARP objects, each of which has the following properties:
The type of ARP object. This can be one of:
The local physical interface for the ARP object.
The IPv4 address for the MAC/IP mapping.
The MAC address for the MAC/IP mapping.
Static ARP Objects
A static ARP object can be used to insert a particular MAC/IP address mapping into the ARP cache. The most frequent use of static ARP objects is in situations where some external network device is not responding to ARP requests correctly and is reporting an incorrect MAC address. Some network devices, such as wireless modems, can have such problems.
A frequent source of confusion is that this mode is not for publishing the address of external devices. Instead, static entries allow the administrator to tell cOS Stream how to reach external devices. The entry tells cOS Stream that a specific IPv4 address can be reached through a specific interface using a specific MAC address. This means that when the firewall needs to communicate with the address, it consults the static entries in the ARP table and determines that the address can be reached at a specific MAC address on a specific interface.
This feature may also be used to lock an IP address to a specific MAC address, either to increase security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies to packets being sent to that IP address. It does not apply to packets being sent from the IP address, since the source MAC address can be forged.
Example 4.7. Creating a Static ARP Entry
This example will create a static mapping between IPv4 address 192.168.10.15 and MAC address 4b:86:f6:c5:a2:14 on the if2 interface:
Command-Line Interface
First, change the context to be ARPEntries:
System:/> cc ARPEntries
Next, add an ARPEntry object to ARPEntries:
System:/ARPEntries> add ARPEntry Interface=if2 IP=192.168.10.15 Mode=Static MACAddress=4b-86-f6-c5-a2-14
Finally return to the default, root context:
System:/ARPEntries> cc
System:/>
Publishing an IP address on an interface with an ARP object in Publish mode can be done for a number of reasons:
To give the impression that an interface has more than one IP address.
This is useful if there are several separate IP spans on a single LAN. The hosts on each IP span may then use a gateway in their own span when these gateway addresses are published on the corresponding firewall interface.
Another use is publishing multiple addresses on an external interface, enabling cOS Stream to statically address translate traffic to these addresses and send it onwards to internal servers with private IPv4 addresses.
A less common purpose is to aid nearby network equipment responding to ARP in an incorrect manner.
Example 4.8. Publishing an ARP Entry
This example will create an ARPEntry that publishes the IPv4 address 192.168.10.1 on the if1 interface:
Command-Line Interface
As in the previous example, change the context to be ARPEntries:
System:/> cc ARPEntries
Next, add an ARPEntry object to ARPEntries:
System:/ARPEntries> add ARPEntry Interface=if1 IP=192.168.10.1 Mode=Publish
Finally return to the default, root context:
System:/ARPEntries> cc
System:/>
Other ARP States
For troubleshooting purposes it is useful to understand some other possible ARP states. These can appear when using the ARP snoop feature, in log messages and also when looking at the ARP cache. Below is a summary:
Reslvng
Processing an ARP request. A host with this IP has not yet been found.
Unknown
No host with the IP was found.
Dynamic
A host with the IP address was found.
Probing
Currently testing that the host with the IP address is still available.
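The static MAC/IP lock described above only protects traffic sent to the locked address, so a resolved cache entry that disagrees with the static mapping is worth surfacing. The following added example (not part of the cOS Stream documentation or product) normalizes both MAC notations used on this page, parses constructed ARP cache lines carrying the states listed above, and reports entries that contradict a static mapping; the line layout and the STATIC_ARP table are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed static ARP table, mirroring the entry configured in Example 4.7.
# Keyed by (interface, IPv4 address); value is the locked MAC address.
STATIC_ARP = {
    ("if2", "192.168.10.15"): "4b-86-f6-c5-a2-14",
}

# States documented for the ARP cache / ARP snoop output.
KNOWN_STATES = {"Reslvng", "Unknown", "Dynamic", "Probing"}

def normalize_mac(mac: str) -> str:
    """Accept colon or dash notation and return lowercase colon form."""
    parts = re.split(r"[:\-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts)

@dataclass
class ArpObservation:
    iface: str
    ip: str
    mac: Optional[str]   # None while the entry is unresolved (Reslvng/Unknown)
    state: str

# Constructed sample lines in a hypothetical "iface ip mac state" layout;
# a "-" MAC marks an entry that has not resolved to a host.
SAMPLE_LINES = """
if2 192.168.10.15 4b:86:f6:c5:a2:14 Dynamic
if2 192.168.10.15 00:11:22:33:44:55 Dynamic
if1 192.168.10.1  -                 Reslvng
if1 192.168.10.77 -                 Unknown
if2 192.168.10.20 aa:bb:cc:dd:ee:01 Probing
"""

def parse_lines(text: str) -> List[ArpObservation]:
    """Parse cache lines, rejecting states the documentation does not define."""
    observations = []
    for line in text.strip().splitlines():
        iface, ip, mac, state = line.split()
        if state not in KNOWN_STATES:
            raise ValueError(f"unknown ARP state {state!r} on line {line!r}")
        observations.append(ArpObservation(iface, ip, None if mac == "-" else normalize_mac(mac), state))
    return observations

def find_conflicts(observations: List[ArpObservation]) -> List[Tuple[str, str, str, str]]:
    """Return (iface, ip, seen_mac, expected_mac) for resolved entries that contradict a static lock."""
    conflicts = []
    for o in observations:
        expected = STATIC_ARP.get((o.iface, o.ip))
        if expected is None or o.mac is None:
            continue  # no static lock for this IP, or nothing resolved yet
        if o.mac != normalize_mac(expected):
            conflicts.append((o.iface, o.ip, o.mac, normalize_mac(expected)))
    return conflicts
```

A conflict means a host other than the locked one answered for that IP on that interface, which is the misbehaving-device (or spoofing) situation the static entry was created to override.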