Configuring the ProxySG so only the interface on which an IP is configured responds to ARP requests for that IP address


Article ID: 165606


Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG is responding to ARP requests on interfaces that don't have the requested IP address bound.
This prevents load balancers from working correctly.
Is there a way to disable this behavior?

 

Resolution

By default, the ProxySG answers ARP requests received on any interface, as long as an IP address configured on the proxy matches the request. For example, assume the ProxySG has two interfaces configured:

Interface "0" is configured with 10.1.1.1
Interface "1" is configured with 192.168.1.1

If an ARP request for 10.1.1.1 is received on interface "1", the ProxySG answers it even though that IP address is configured on interface "0". This behavior might cause problems with some load balancers.

The ProxySG has a hidden command to change this default behavior. To change this setting, connect to the ProxySG over SSH or the serial console and run the following commands:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip arp-strict-matching enable
ProxySG#(config)show arp-strict-matching
  ARP response on matching interface only: enabled
ProxySG# (config) exit
ProxySG# 

With this option enabled, an interface responds only to ARP requests for its own IP address.

To revert to the default behavior:

ProxySG#(config)tcp-ip arp-strict-matching disable
ProxySG#(config)show arp-strict-matching
  ARP response on matching interface only: disabled

This command was added in SGOS 5.3.3.1 and SGOS 5.4.1.1.

This configuration is kept in the registry and retained through restart. However, since it is a hidden command, it will not appear in the Sysinfo and it will not be part of the archived configuration. If the configuration is copied over to another ProxySG, the command to change the ARP response behavior will have to be entered manually.
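
One way to confirm the setting took effect is to capture ARP traffic on the segment attached to interface "1" before and after the change and check for replies that announce an IP bound to another interface. The script below is an added example, not part of the original article: it assumes the capture is text in `tcpdump -n arp` format, and the function name, sample lines and MAC addresses are constructed for illustration.

```python
import re

# Interface-to-IP bindings from the article's example.
BINDINGS = {"0": "10.1.1.1", "1": "192.168.1.1"}

# Reply portion of a `tcpdump -n arp` text line (capture format is an assumption).
REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


def cross_interface_replies(lines, local_interface, bindings=BINDINGS):
    """Return (ip, mac) pairs for ARP replies captured on the segment attached
    to local_interface that announce an IP bound to a different interface."""
    foreign = {ip for name, ip in bindings.items() if name != local_interface}
    hits = []
    for line in lines:
        match = REPLY.search(line)
        if match and match.group(1) in foreign:
            hits.append((match.group(1), match.group(2).lower()))
    return hits


# Constructed capture from a host on interface "1"'s segment, default behavior:
# the request for 10.1.1.1 is answered even though the IP belongs to interface "0".
BEFORE = [
    "10:00:01.000100 ARP, Request who-has 10.1.1.1 tell 192.168.1.50, length 28",
    "10:00:01.000300 ARP, Reply 10.1.1.1 is-at 02:00:00:00:00:01, length 28",
    "10:00:02.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "10:00:02.000300 ARP, Reply 192.168.1.1 is-at 02:00:00:00:00:01, length 28",
]

# Constructed capture after `tcp-ip arp-strict-matching enable`:
# the request for 10.1.1.1 goes unanswered on this segment.
AFTER = [
    "10:05:01.000100 ARP, Request who-has 10.1.1.1 tell 192.168.1.50, length 28",
    "10:05:02.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "10:05:02.000300 ARP, Reply 192.168.1.1 is-at 02:00:00:00:00:01, length 28",
]

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        hits = cross_interface_replies(capture, "1")
        print(label, hits if hits else "no cross-interface ARP replies")
```

Because the hidden command is not part of the archived configuration, the same check is worth repeating on any ProxySG that received a copied configuration.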