====== ARP Processing ======
{{indexmenu_n>3}}

ARP request processing is enabled with the configuration parameter ''bras_arp_proxy'', which is a set of bit flags:
  * 0 - ARP proxy mode is disabled. In this mode, the BRAS only responds to ARP requests for the IP address equal to ''bras_arp_ip''.
  * 0x0001 - respond to subscriber ARP requests: if the requested IP address belongs to a subscriber and the subscriber’s session status is not "closed".
  * 0x0002 - respond to ARP requests for subscriber subnet gateways. Gateway addresses are extracted from subscriber DHCP traffic.
  * 0x0004 [in router mode] - respond if there is a route to the requested IP. This flag only works if router mode is enabled. If a subscriber requests ARP for an IP address with a known route, fastDPI responds with its own MAC address ''bras_arp_mac''.

When ARP proxy is enabled, the BRAS responds with its own MAC address (configured in [[en:dpi:bras_bng:general_setup#fastdpi_l2_bras_setup|bras_arp_mac]]). Note that fastDPI responds with the same MAC address to all ARP requests for different IP addresses, which should be taken into account when configuring the network.

Before processing an ARP request, fastDPI BRAS checks the validity of the source IP address of the ARP request in accordance with [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|IP source guard]].

fastDPI BRAS does not respond to self-addressed ARPs (gratuitous/announcement ARP).

No ARP requests are sent outside – fastDPI BRAS either responds to them itself or drops them.

ARP request handling between subscribers – from subscriber A “who has target subscriber B IP”:

|  ^  target subscriber IP  ^^^
^ source subscriber IP ^ no VLAN ^ VLAN ^ QinQ ^
| **no VLAN** | ''drop'' (since subscribers \\ can communicate with each other directly) | ''reply'' | ''reply'' |
| **VLAN** | ''reply'' | ''drop'' if ''srcIP vlan == dstIP vlan''; \\ ''reply'' if ''srcIP vlan != dstIP vlan'' | ''reply'' |
| **QinQ** | ''reply'' | ''reply'' | ''reply'' |

**drop** - SSG silently drops the ARP request \\
**reply** - SSG responds to the ARP request with its virtual MAC address ''bras_arp_mac''

In SSG 10.3, switch mode support was added – segmentation of subscribers in a shared VLAN on the access network. In this mode, subscribers in the same VLAN are isolated from each other at the switch, so SKAT must respond to ARP requests between subscribers in the same VLAN. This is enabled with the parameter in ''fastdpi.conf'':

  # Flag for subscriber segmentation in a shared VLAN on the access network
  # (subscriber isolation at the switch, i.e. traffic is not delivered between subscribers even within the same VLAN)
  # Considered only when bit 1 is set in bras_arp_proxy for ARP requests from one subscriber to another.
  #   off (typical case) - subscribers A and B in the same VLAN can communicate directly, SSG
  #                        does not process ARP requests from subscriber A "who has subscriber B IP"
  #   on  - switch enables isolation of subscribers within the same VLAN, so SSG must respond
  #         to ARP requests from subscriber A "who has target subscriber B IP"
  #bras_arp_vlan_segmentation=off

When ''bras_arp_vlan_segmentation=on'' is enabled, ARP request processing between subscribers will be:

|  ^  target subscriber IP  ^^^
^ source subscriber IP ^ no VLAN ^ VLAN ^ QinQ ^
| **no VLAN** | ''drop'' (since subscribers \\ can communicate directly) | ''reply'' | ''reply'' |
| **VLAN** | ''reply'' | ''reply'' | ''reply'' |
| **QinQ** | ''reply'' | ''reply'' | ''reply'' |

===== ARP Processing from Outside (border side) =====

To prevent the border ARP table from being filled with redundant entries, SSG does not respond to the border with its MAC address for ARP requests for subscriber IPs.\\
Instead, the border should have a transit route through SSG for all subscriber subnets it serves. \\
The destination address for such routes should be the value defined by the parameter ''bras_arp_ip''.

The only type of ARP that BRAS responds to is a request for its own IP address ''bras_arp_ip''.
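
The reply/drop rules on this page (both subscriber-to-subscriber tables and the border-side rule), modelled as an added example that is not fastDPI code. The function names, the ''Encap'' type and the sample VLAN ID and addresses are assumptions made for illustration. Flags 0x0002 and 0x0004 and the IP source guard check are not modelled.

```python
from enum import Enum
from itertools import product

# bras_arp_proxy bit documented on this page; 0x0002 and 0x0004 are not modelled here.
ARP_PROXY_SUBSCRIBERS = 0x0001

class Encap(Enum):  # hypothetical type: how a subscriber is connected
    NO_VLAN = "no VLAN"
    VLAN = "VLAN"
    QINQ = "QinQ"

def subscriber_arp(proxy_flags, src, dst, src_vlan=None, dst_vlan=None,
                   vlan_segmentation=False, dst_session_closed=False):
    """Decision for subscriber A asking "who has subscriber B IP": 'reply' or 'drop'."""
    # Bit 0x0001 must be set and the target session must not be "closed".
    if not proxy_flags & ARP_PROXY_SUBSCRIBERS or dst_session_closed:
        return "drop"
    if src is Encap.NO_VLAN and dst is Encap.NO_VLAN:
        return "drop"  # untagged subscribers can communicate directly
    if src is Encap.VLAN and dst is Encap.VLAN:
        if vlan_segmentation:
            return "reply"  # the switch isolates them, so the BRAS must answer
        return "drop" if src_vlan == dst_vlan else "reply"
    return "reply"  # every other combination, including QinQ to QinQ

def border_arp(target_ip, bras_arp_ip):
    """Border side: only a request for bras_arp_ip itself is answered."""
    return "reply" if target_ip == bras_arp_ip else "drop"

def segmentation_changes(proxy_flags=ARP_PROXY_SUBSCRIBERS, vlan=100):
    """Table cells whose outcome changes when bras_arp_vlan_segmentation goes off -> on.
    Tagged subscribers share one constructed VLAN ID, the case the parameter targets."""
    changed = []
    for src, dst in product(Encap, repeat=2):
        off = subscriber_arp(proxy_flags, src, dst, vlan, vlan, vlan_segmentation=False)
        on = subscriber_arp(proxy_flags, src, dst, vlan, vlan, vlan_segmentation=True)
        if off != on:
            changed.append((src.value, dst.value, off, on))
    return changed

if __name__ == "__main__":
    for row in segmentation_changes():
        print("%s -> %s: %s becomes %s" % row)
    # Constructed addresses from the documentation range 192.0.2.0/24.
    print(border_arp("192.0.2.10", bras_arp_ip="192.0.2.1"))
```

Running ''segmentation_changes()'' shows that turning the parameter on alters exactly one cell, same-VLAN subscriber to same-VLAN subscriber, which is the traffic that then passes through ''bras_arp_mac'' instead of being switched locally.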