Netscreen `set arp always-on-dest` command

By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic.

This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address is used as the source MAC. If the router fails over and the security device has learned the MAC from the source MAC in the incoming frame, it would then direct return traffic to the wrong location.
This can also cause problems with Track-IP were once a failover has occurred the failed MAC address is still cached and traffic is sent to the wrong location.

On entering the command `set arp always-on-dest` the Netscreen will always perform an ARP lookup to learn a destination MAC address instead of using the source MAC address of the originating ethernet frame.
By doing an ARP lookup for the destination MAC, the security device can properly send traffic to the location of the new physical MAC address.

For further information on ScreenOS versions 6.0.0 or later please see click here.



Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial