ARP

Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve
an IPv4 address into its corresponding Ethernet address.

The ARP Cache in network equipment, such as switches and security gateways, is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IP addresses and Ethernet MAC addresses. The content of ARP cache can be displayed by following command:

Device:/> arp -show
ARP cache of iface lan
Dynamic 10.4.0.1 = 1000:0000:4009 Expire=196
Publish    10.4.0.165 = 0002:a529:1f65 Expire=506

The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). The Expire outputs from CLI you see above are in seconds. Publish means static ARP entry.,

You can flush arp table by command below.

Device:/> arp -flush
ARP cache of all interfaces flushed.

ARP Publish

cOS Core supports the publishing of IP addresses on interfaces other than the one the IP address is actually connected to. This can optionally be done along with a specific MAC address instead of the publishing interface’s MAC address. cOS Core will then send out ARP replies for ARP requests received on the interface for the published IP addresses. This feature is referred to in cOS Core as ARP Publish.

ARP publishing is enabled in one of two ways:

  • An ARP object can be created for any interface by defining a single address which is to be ARP published on that interface.
  • When a static route is created for an IPv4 address or network, the route option called Proxy ARP can be used to publish the address or network on all or selected interfaces.

ARP Object Properties

ARP object can be in these 3 modes. Static, Publish, XPublish.

Static is not for publishing the address for external devices but rather for telling cOS Core itself how to reach external devices. The most frequent use of static ARP objects is in situations where some external network device is not responding to ARP requests correctly and is reporting an incorrect MAC address. Some network devices, such as wireless modems, can have these problems.

Publish and XPublish, both publish an IP address on a particular MAC address. What is the difference? When you set Publish the FW reply with same MAC as MAC of interface sending reply. When you set XPubilsh the FW can reply with different MAC than interface MAC. In other words, XPublish „lies“ about the source address of the ARP response.

Unsolicited ARP Replies

It is possible for a host on a connected network to send an ARP reply to cOS Core even though a corresponding ARP request was not issued. This is known as an unsolicited ARP reply. According to the ARP specification, the recipient should accept these types of ARP replies. However, because this could be a malicious attempt to hijack a connection, cOS Core will, by default, drop and log unsolicited ARP replies. This behavior can be changed by modifying the advanced setting Unsolicited ARP Replies.

ARP Requests

The ARP specification states that a host should update its ARP Cache with data from ARP requests received from other hosts. However, as this procedure can facilitate hijacking of local connections, cOS Core will normally not allow this. To make the behavior compliant with the RFC 826 specification, the administrator can modify the setting ARP Requests. Even if this is set to Drop (meaning that the packet is discarded without being stored), cOS Core will reply to it provided that other rules approve the request.