
Netscreen - What does the command `set arp always-on-dest` do?

By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic. 

This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address is used as the source MAC. If the router fails over and the security device has learned the MAC from the source MAC in the incoming frame, it would then direct return traffic to the wrong location.
This can also cause problems with Track-IP, where once a failover has occurred the failed MAC address is still cached and traffic is sent to the wrong location.

On entering the command `set arp always-on-dest`, the Netscreen will always perform an ARP lookup to learn a destination MAC address instead of using the source MAC address of the originating Ethernet frame.
By doing an ARP lookup for the destination MAC, the security device can properly send traffic to the location of the new physical MAC address.
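As an added illustration (not from the original article), here is a small Python model of the two behaviours described above: a VRRP pair whose master answers ARP for the VIP but sends frames with its physical MAC, and a firewall that either reuses the cached source MAC or re-resolves the gateway. The IP and MAC values are constructed, and the `VrrpPair` and `Firewall` classes are hypothetical stand-ins for the real routers and the ScreenOS session table.

```python
from dataclasses import dataclass, field

VIP = "10.0.0.1"              # VRRP virtual IP used as the default gateway
R1_MAC = "00:00:5e:00:01:01"  # constructed physical MAC of router 1
R2_MAC = "00:00:5e:00:01:02"  # constructed physical MAC of router 2


@dataclass
class VrrpPair:
    """Whichever router is master answers ARP for the VIP."""
    master_mac: str = R1_MAC

    def arp_reply(self, ip: str) -> str:
        return self.master_mac if ip == VIP else "unknown"

    def failover(self) -> None:
        self.master_mac = R2_MAC if self.master_mac == R1_MAC else R1_MAC


@dataclass
class Firewall:
    routers: VrrpPair
    arp_always_on_dest: bool = False
    # session key (src_ip, dst_ip) -> source MAC cached from the first frame
    sessions: dict = field(default_factory=dict)

    def inbound(self, src_ip: str, dst_ip: str, src_mac: str) -> None:
        """First packet of a new session: cache the frame's source MAC."""
        self.sessions.setdefault((src_ip, dst_ip), src_mac)

    def return_next_hop_mac(self, src_ip: str, dst_ip: str) -> str:
        """Destination MAC the firewall writes on the return frame."""
        if self.arp_always_on_dest:
            return self.routers.arp_reply(VIP)   # fresh ARP for the gateway
        return self.sessions[(src_ip, dst_ip)]   # stale cached source MAC


def simulate(arp_always_on_dest: bool) -> tuple:
    """Return (MAC the return frame is sent to, MAC of the current master)."""
    pair = VrrpPair()
    fw = Firewall(pair, arp_always_on_dest)
    # Session is opened while router 1 is master, so its physical MAC is cached.
    fw.inbound("192.0.2.10", "198.51.100.5", src_mac=pair.master_mac)
    pair.failover()  # router 1 fails; router 2 now owns the VIP
    return fw.return_next_hop_mac("192.0.2.10", "198.51.100.5"), pair.master_mac
```

With the default behaviour the tuple shows the return frame addressed to the dead router's MAC; with `arp_always_on_dest` enabled both values match the new master.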

For further information on ScreenOS versions 6.0.0 or later, please see the vendor documentation.


Tags: Netscreen

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001