ARP Processing [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_arp_proxy [2024/09/26 15:29] – created - external edit 127.0.0.1
en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_arp_proxy [2025/09/22 08:07] (current) elena.krasnobryzh
Line 1: Line 1:
-====== ARP proxy ======+====== ARP Processing ======
 {{indexmenu_n>3}} {{indexmenu_n>3}}
-ARP-requests handling is enabled by the '' bras_arp_proxy '' configuration option which represents a set of bit flags: 
-  * 0 - ARP proxy mode is disabled. In this mode, BRAS responds only to ARP requests being sent from an IP address specified in ''bras_arp_ip'' option; 
-  * 0x0001 - specifies to respond to subscriber ARP-requests: if the desired IP-address is the subscriber address and the subscriber session status is not equal to "the session is closed"; 
-  * 0x0002 - specifies to respond to ARP requests being sent from user subnet gateways. The gateway addresses are extracted from the DHCP subscriber traffic. 
-  * 0x0004 [in router mode] - respond if there is a route to the requested IP. This flag works only if the router mode is enabled. If a subscriber requests ARP for an address with a known route, fastDPI will respond with its own MAC address ''bras_arp_mac''. 
  
-When the ARP proxy is enabled, BRAS responds with its MAC address (specified in the configuration [[en:dpi:bras_bng:general_setup#fastdpi_l2_bras_setup|bras_arp_mac]]) optionNote that fastDPI responds with the same MAC address to all the  ARP requests with different IP addresses, it should be taken into account when you will configure network.+ARP request processing is enabled with the configuration parameter ''bras_arp_proxy'', which is a set of bit flags: 
 +  * 0 - ARP proxy mode is disabledIn this mode, the BRAS only responds to ARP requests for the IP address equal to bras_arp_ip. 
 +  * 0x0001 - respond to subscriber ARP requests: if the requested IP address belongs to a subscriber and the subscriber’s session status is not "closed" 
 +  * 0x0002 - respond to ARP requests for subscriber subnet gateways. Gateway addresses are extracted from subscriber DHCP traffic. 
 +  * 0x0004 [in router mode] - respond if there is route to the requested IP. This flag only works if router mode is enabled. If a subscriber requests ARP for an IP address with a known route, fastDPI responds with its own MAC address ''bras_arp_mac''.
  
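Review bot: The flag 0 bullet now matches a different ARP field than before: the removed line says the BRAS answers requests "being sent from an IP address specified in bras_arp_ip", while the added line says requests "for the IP address equal to bras_arp_ip". If the target-IP reading is the intended correction, write "target IP" explicitly so that operators who configured filters from the old text do not carry the source-IP reading over. In the same bullet bras_arp_ip has lost the '' '' monospace markup that bras_arp_mac keeps in the 0x0004 bullet, the 0x0001 bullet ends without punctuation, and the 0x0004 bullet reads "if there is route" (missing "a").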
-The fastDPI BRAS checks the correctness of IP address of the ARP request source in accordance with [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|IP source guard]] before to start the ARP request processing.+When ARP proxy is enabled, the BRAS responds with its own MAC address (configured in [[en:dpi:bras_bng:general_setup#fastdpi_l2_bras_setup|bras_arp_mac]]). Note that fastDPI responds with the same MAC address to all ARP requests for different IP addresses, which should be taken into account when configuring the network.
  
-The fastDPI BRAS does not respond to gratuitous/announcement ARP requests.+Before processing an ARP request, fastDPI BRAS checks the validity of the source IP address of the ARP request in accordance with [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|IP source guard]].
  
-<note important>No ARP requests are forwarded outside, i.e. the fastDPI BRAS either responds to themor drops it.</note>+<note important>fastDPI BRAS does not respond to self-addressed ARPs (gratuitous/announcement ARP). No ARP requests are sent outside – fastDPI BRAS either responds to them itself or drops them.</note>
  
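Review bot: The added IP source guard sentence says the source IP of the ARP request is checked before processing but not what happens when the check fails. State the outcome (the note below only offers "responds" or "drops") and whether a failed check is counted or logged anywhere, since that is the first thing an operator needs when a subscriber's ARP goes unanswered. The preceding paragraph still ends with "should be taken into account when configuring the network"; since one bras_arp_mac answers for every IP, name what exactly has to be accounted for on the access side.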
-=== External ARP requests handling (from the boarder side) ===+ARP request handling between subscribers – from subscriber A “who has target subscriber B IP”: 
 +|                    ^  target subscriber IP                                                                                                                      ^^^ 
 +^ source subscriber IP  ^ no VLAN                                                            ^ VLAN                                                                                  ^ QinQ       ^ 
 +| **no VLAN**        |  ''drop'' (since subscribers \\ can communicate with each other directly | ''reply''                                                                            | ''reply'' 
 +| **VLAN**            ''reply''                                                           | ''drop'' if ''srcIP vlan == dstIP vlan''; \\ ''reply'' if ''srcIP vlan !dstIP vlan''  | ''reply'' 
 +| **QinQ**            ''reply''                                                           | ''reply''                                                                            | ''reply''  |
  
-To ensure that the boarder ARP table is not filled in with identical records the VAS Experts DPI does not respond using its MAC address to the ARP requests being sent from the subscriber IP addresses. A transit route through the VAS Experts DPI has to be defined for all the subscribers subnets served by the DPI, instead. It should be used value specified by the ''bras_arp_ip'' option as a destination address for all such routes.+**drop** - SSG silently drops the ARP request \\ 
 +**reply** - SSG responds to the ARP request with its virtual MAC address ''bras_arp_mac''
  
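Review bot: In the VLAN/VLAN cell the reply condition reads ''srcIP vlan !dstIP vlan'', which lacks the comparison operator that the drop condition next to it has (''srcIP vlan == dstIP vlan''); write ''srcIP vlan != dstIP vlan''. The no VLAN/no VLAN cell opens a parenthesis, "(since subscribers ... can communicate with each other directly", that is never closed, whereas the same cell in the second table closes it. The legend introduces "SSG" and "virtual MAC address" while the paragraphs above say "BRAS", "fastDPI" and "its own MAC address"; use one product name and one term for bras_arp_mac so readers do not assume two components or two addresses.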
-<note important>The only ARP request type the BRAS responds is its IP address (specified in the '' bras_arp_ip '' option) request .</note>+In SSG 10.3, switch mode support was added – segmentation of subscribers in a shared VLAN on the access network. In this mode, subscribers in the same VLAN are isolated from each other at the switch, so SKAT must respond to ARP requests between subscribers in the same VLAN. This is enabled with the parameter in ''fastdpi.conf'': 
 +<code> 
 +    # Flag for subscriber segmentation in a shared VLAN on the access network 
 +    # (subscriber isolation at the switch, i.e. traffic is not delivered between subscribers even within the same VLAN) 
 +    # Considered only when bit 1 is set in bras_arp_proxy for ARP requests from one subscriber to another. 
 +    # off (typical case) - subscribers A and B in the same VLAN can communicate directly, SSG 
 +    #     does not process ARP requests from subscriber A "who has subscriber B IP" 
 +    # on - switch enables isolation of subscribers within the same VLAN, so SSG must respond 
 +    #     to ARP requests from subscriber A "who has target subscriber B IP" 
 +#bras_arp_vlan_segmentation=off 
 +</code> 
 +When ''bras_arp_vlan_segmentation=on'' is enabled, ARP request processing between subscribers will be: 
 +|              target subscriber IP  ^^^ 
 +^ source subscriber IP ^ no VLAN        ^ VLAN      ^ QinQ    ^ 
 +|**no VLAN**            |    ''drop'' (since subscribers \\ can communicate directly)    | ''reply'' | ''reply'' 
 +|**VLAN**                  ''reply''   | ''reply'' | ''reply'' 
 +|**QinQ**                  ''reply''   | ''reply'' | ''reply'' 
 + 
 + 
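Review bot: The comment in the fastdpi.conf block says the option is "Considered only when bit 1 is set in bras_arp_proxy", but the flag list gives hex masks, so "bit 1" can be read as 0x0001 or, counting from zero, as 0x0002. The option concerns requests "from one subscriber to another", so quote the mask from the flag list instead of a bit number. The introductory sentence adds a third product name, "SKAT", next to "SSG". Since the second table differs from the first only in the VLAN/VLAN cell (drop for the same VLAN becomes reply), say so above the table, and state what the expected behaviour is if the option is set to on while the switch does not actually isolate subscribers in the shared VLAN.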
 +===== ARP Processing from Outside (border side) ===== 
 + 
 +To prevent the border ARP table from being filled with redundant entries, SSG does not respond to the border with its MAC address for ARP requests for subscriber IPs.\\  
 +Instead, the border should have a transit route through SSG for all subscriber subnets it serves. \\ 
 +The destination address for such routes should be the value defined by the parameter ''bras_arp_ip''
 + 
 +<note important>The only type of ARP that BRAS responds to is a request for its own IP address ''bras_arp_ip''.</note>
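Review bot: The closing note, "The only type of ARP that BRAS responds to is a request for its own IP address ''bras_arp_ip''", reads as a statement about all ARP handling and so contradicts the flag list and the subscriber tables earlier on the page. Scope it to this section, for example "From the border side, the only ARP request the BRAS responds to is ...". The paragraph above it requires a transit route on the border for all subscriber subnets with ''bras_arp_ip'' as the destination address; it would help to say what the border sees if that route is missing, given that ARP requests for subscriber IPs are not answered.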