ARP Processing

ARP request processing is enabled with the configuration parameter bras_arp_proxy, which is a set of bit flags:

0 - ARP proxy mode is disabled. In this mode, the BRAS only responds to ARP requests for the IP address equal to bras_arp_ip.
0x0001 - respond to subscriber ARP requests: if the requested IP address belongs to a subscriber and the subscriber’s session status is not "closed"
0x0002 - respond to ARP requests for subscriber subnet gateways. Gateway addresses are extracted from subscriber DHCP traffic.
0x0004 [in router mode] - respond if there is a route to the requested IP. This flag only works if router mode is enabled. If a subscriber requests ARP for an IP address with a known route, fastDPI responds with its own MAC address bras_arp_mac.

When ARP proxy is enabled, the BRAS responds with its own MAC address (configured in bras_arp_mac). Note that fastDPI responds with the same MAC address to all ARP requests for different IP addresses, which should be taken into account when configuring the network.

Before processing an ARP request, fastDPI BRAS checks the validity of the source IP address of the ARP request in accordance with IP source guard.

fastDPI BRAS does not respond to self-addressed ARPs (gratuitous/announcement ARP). No ARP requests are sent outside – fastDPI BRAS either responds to them itself or drops them.

ARP request handling between subscribers – from subscriber A “who has target subscriber B IP”:

source subscriber IP	no VLAN	VLAN	QinQ
	target subscriber IP
no VLAN	`drop` (since subscribers can communicate with each other directly)	`reply`	`reply`
VLAN	`reply`	`drop` if `srcIP vlan == dstIP vlan`; `reply` if `srcIP vlan != dstIP vlan`	`reply`
QinQ	`reply`	`reply`	`reply`

drop - SSG silently drops the ARP request
reply - SSG responds to the ARP request with its virtual MAC address bras_arp_mac

In SSG 10.3, switch mode support was added – segmentation of subscribers in a shared VLAN on the access network. In this mode, subscribers in the same VLAN are isolated from each other at the switch, so SKAT must respond to ARP requests between subscribers in the same VLAN. This is enabled with the parameter in fastdpi.conf:

    # Flag for subscriber segmentation in a shared VLAN on the access network
    # (subscriber isolation at the switch, i.e. traffic is not delivered between subscribers even within the same VLAN)
    # Considered only when bit 1 is set in bras_arp_proxy for ARP requests from one subscriber to another.
    # off (typical case) - subscribers A and B in the same VLAN can communicate directly, SSG
    #     does not process ARP requests from subscriber A "who has subscriber B IP"
    # on - switch enables isolation of subscribers within the same VLAN, so SSG must respond
    #     to ARP requests from subscriber A "who has target subscriber B IP"
#bras_arp_vlan_segmentation=off

When bras_arp_vlan_segmentation=on is enabled, ARP request processing between subscribers will be:

source subscriber IP	no VLAN	VLAN	QinQ
	target subscriber IP
no VLAN	`drop` (since subscribers can communicate directly)	`reply`	`reply`
VLAN	`reply`	`reply`	`reply`
QinQ	`reply`	`reply`	`reply`

ARP Processing from Outside (border side)

To prevent the border ARP table from being filled with redundant entries, SSG does not respond to the border with its MAC address for ARP requests for subscriber IPs.
Instead, the border should have a transit route through SSG for all subscriber subnets it serves.
The destination address for such routes should be the value defined by the parameter bras_arp_ip.

The only type of ARP that BRAS responds to is a request for its own IP address bras_arp_ip.