Proxy ARP and High Availability Clusters
In HA clusters, switch routes cannot be used and transparent mode is therefore not an option.
However, proxy ARP does function with HA and is consequently the only way to implement
transparent mode functionality with a cluster.
Note: Not all interfaces can make use of Proxy ARP
It is only possible to have Proxy ARP functioning for Ethernet and VLAN interfaces. Proxy
ARP is not relevant for other types of NetDefendOS interfaces since ARP is not involved.
Automatically Added Routes
Proxy ARP cannot be enabled for automatically added routes. For example, the routes that
NetDefendOS creates at initial startup for physical interfaces are automatically added routes. The
reason why Proxy ARP cannot be enabled for these routes is because automatically created
routes have a special status in the NetDefendOS configuration and are treated differently.
If Proxy ARP is required on an automatically created route, the route should first be deleted and
then manually recreated as a new route. Proxy ARP can then be enabled on the new route.
4.2.7. Broadcast Packet Forwarding
Broadcast packets are those packets which have the highest IP address in their network and will
have an associated MAC address of FF:FF:FF:FF:FF:FF. For example, a broadcast packet for the
network 192.168.1.0/24 will have the IPv4 address 192.168.1.255.
By default, NetDefendOS will drop all such broadcast packets arriving at an interface. In some
situations, particularly when using transparent mode, it is desirable for NetDefendOS to forward
these packets to another interface by doing a route lookup and also applying IP rules/policies to
determine if the traffic should be forwarded.
Enabling Broadcast Packet Forwarding
To enable broadcast packet forwarding, the administrator should perform the following steps:
• Enable the Forward Broadcast Traffic property on a Route object (the BroadcastFwd property
in the CLI). However, this must always be done on the routes for both the packet's source and
destination interface.
• For non-transparent mode traffic only, the global IP setting Direct Broadcast must be enabled
for broadcast forwarding to work. The setting's value is DropLog by default and it must be set
to Ignore or Log for broadcast packets to be forwarded.
Even with broadcast packet forwarding enabled, NetDefendOS will still perform a check on
broadcast packets arriving at an interface to ensure that a broadcast IPv4 address matches with a
FF:FF:FF:FF:FF:FF MAC address. Packets with a mismatch are dropped.
Using Address Translation with Broadcast Forwarding
The following should be noted if address translation is used with broadcast forwarded traffic.
• SAT
Chapter 4: Routing
304
To Next Page
Loading...
