Datacryptor® proxy arp

This document describes how to configure the Datacryptor® to perform proxy arp.

What is Proxy Arp?

Proxy arp is used when you wish to segment a broadcast domain. In the diagram below we have two IP hosts with addresses 192.168.0.1 and 192.168.0.254. Based on the subnet mask they use (255.255.255.0) each believes the other to be in the same network segment. When 192.168.0.1 wishes to contact 192.168.0.254 it will send an arp broadcast asking for the MAC address of 192.168.0.254. But because 192.168.0.254 is on a different network segment it will not see the arp broadcast.

[Diagram: hosts 192.168.0.1 and 192.168.0.254 on separate segments joined by the proxy arp device (interface A facing 192.168.0.1, interface B facing 192.168.0.254)]

However, the proxy arp device sees the broadcast on interface A and, because it knows that the destination address is located on the same network as its interface B, it replies to the arp broadcast with its own interface A MAC address. Now 192.168.0.1 has an arp table entry which associates 192.168.0.254 with the MAC address of interface A. PC 192.168.0.1 believes that the proxy arp device IS 192.168.0.254 and does not know proxy arp is taking place.

By doing this the amount of broadcast traffic is reduced. Proxy arp is useful for LAN segmentation when you don't particularly want to use routing to divide up the network - the proxy arp device in the network above could sit between two buildings separated by a fibre link where all the IP hosts are part of the same logical subnet. It is important to understand that the proxy arp device does not just forward the arp (as this would defeat the whole point of having it there), it just replies on behalf of the other device.

Datacryptor® and Proxy Arp

With the same setup two Datacryptor® are now introduced and a tunnel configured between them as pictured below.

[Diagram: the same two hosts, now with a Datacryptor® on each segment and a tunnel configured between them; all addresses in the range 192.168.0.x]

There are two important issues about how the Datacryptor® are configured:

  • The host and network ports of the Datacryptor® must have addresses that are all in the same range. As you can see in the diagram above all the addresses are in the range 192.168.0.x. Proxy arp will not work unless it is configured in this way.
  • Take care when configuring the Private Network Selectors - the two Datacryptor® must be configured to know which addresses are at the local end of the tunnel and which ones are at the remote end of the tunnel. The best way to do this is to configure the PNS as range selectors as has been done here.

Now, when 192.168.0.1 arps for the MAC address of 192.168.0.254 the Datacryptor® on the left will reply with its own MAC address. 192.168.0.1 will now send any packets destined for 192.168.0.254 to the Datacryptor®'s host port.

Another important issue to understand here is this: if I were to change the address of the 192.168.0.1 PC to 192.168.0.200 I will be informed of an IP address conflict. Why? When you change the IP address of the PC it does an arp to see if anything else is using that address - this is a safety net to stop you configuring devices with duplicate IP addresses. If there is a device with the same address on the network it will reply to the arp and your PC will flag up a conflict. So when we configure our PC to have the address 192.168.0.200 it does an arp for this address and the Datacryptor® replies (because it is in proxy arp mode and it believes that this address exists at the other end of its tunnel) and a conflict occurs. It is important to understand that this happens even if the 192.168.0.200 address does not exist at the other end of the tunnel. This can be irksome but it is legitimate behaviour by the Datacryptor® to stop you misconfiguring your network - this highlights the importance of configuring your PNS carefully.

Questions?

  • Can I turn proxy arp off? No, there is no way to turn it on or off - it is enabled implicitly when you configure the Datacryptor® in the manner discussed above - if you don't want proxy arp to work then change the configuration by making the network/host port addresses not in the same range. For example in the configuration above we could change the network addresses of the two Datacryptor® to 10.10.10.1 and 10.10.10.2. The rest of the network could remain unchanged and proxy arp would no longer operate.
  • What modes does proxy arp mode work in? All modes - tunnel, transport, trunk and passthrough.
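The behaviour described in the two configuration points, the address-conflict paragraph and the first question above can be modelled in a few lines. The following is an added illustration, not Thales code and not a description of the Datacryptor® implementation: it is a simplified proxy arp responder whose decisions depend only on (a) whether the host and network ports share a subnet and (b) the Private Network Selector ranges. The port addresses 192.168.0.2 / 192.168.0.3, the MAC address and the PNS ranges are constructed values chosen to fit the 192.168.0.x network in the diagram; the page does not give them.

```python
from ipaddress import ip_address, ip_network

# Constructed values (assumptions, not from the original document).
LEFT_DC_HOST_PORT_IP = "192.168.0.2"
LEFT_DC_HOST_PORT_MAC = "00:11:22:33:44:55"
LEFT_DC_NETWORK_PORT_IP = "192.168.0.3"
NETMASK = "255.255.255.0"
# PNS configured as range selectors: which addresses live at each end of the tunnel.
LOCAL_RANGE = ("192.168.0.1", "192.168.0.128")
REMOTE_RANGE = ("192.168.0.129", "192.168.0.254")


class ProxyArpResponder:
    """Simplified model of a device that answers arp on behalf of hosts
    reachable through its tunnel. Only the decision logic is modelled;
    no packets are sent."""

    def __init__(self, host_ip, host_mac, network_ip, netmask, remote_ranges):
        self.host_ip = ip_address(host_ip)
        self.host_mac = host_mac
        self.network_ip = ip_address(network_ip)
        self.netmask = netmask
        self.remote_ranges = [(ip_address(lo), ip_address(hi)) for lo, hi in remote_ranges]

    def proxy_arp_enabled(self):
        # Proxy arp is implicitly enabled only while the host and network
        # ports sit in the same address range (same subnet under the mask).
        host_net = ip_network(f"{self.host_ip}/{self.netmask}", strict=False)
        network_net = ip_network(f"{self.network_ip}/{self.netmask}", strict=False)
        return host_net == network_net

    def in_remote_range(self, target):
        return any(lo <= target <= hi for lo, hi in self.remote_ranges)

    def handle_arp_request(self, sender_ip, target_ip):
        """Return the MAC to answer with, or None if the request is ignored.

        The reply is based purely on the PNS ranges: the responder never
        checks whether a host with target_ip really exists at the far end.
        """
        target = ip_address(target_ip)
        if target == self.host_ip:
            return self.host_mac  # ordinary arp for the port's own address
        if not self.proxy_arp_enabled():
            return None
        if self.in_remote_range(target):
            return self.host_mac  # answer with the host-port (interface A) MAC
        return None


def make_left_datacryptor(network_port_ip=LEFT_DC_NETWORK_PORT_IP):
    """Build the left-hand unit from the constructed values above; the
    network port address can be overridden to show the effect of moving
    it out of the 192.168.0.x range."""
    return ProxyArpResponder(LEFT_DC_HOST_PORT_IP, LEFT_DC_HOST_PORT_MAC,
                             network_port_ip, NETMASK, [REMOTE_RANGE])


def probe_conflicts(responder, new_ip):
    """Model a PC arping for its own prospective address before using it.
    Any reply is reported as an address conflict, whether or not a host
    with that address really exists behind the tunnel."""
    reply = responder.handle_arp_request(new_ip, new_ip)
    return reply is not None


if __name__ == "__main__":
    dc = make_left_datacryptor()
    # 192.168.0.1 arps for 192.168.0.254: the Datacryptor answers for it.
    print("arp 192.168.0.254 ->", dc.handle_arp_request("192.168.0.1", "192.168.0.254"))
    # A local address is left to the real host on this segment.
    print("arp 192.168.0.50  ->", dc.handle_arp_request("192.168.0.1", "192.168.0.50"))
    # Renumbering the PC to 192.168.0.200 triggers a conflict report.
    print("conflict on 192.168.0.200:", probe_conflicts(dc, "192.168.0.200"))
    # Moving the network port to 10.10.10.1 switches proxy arp off.
    dc_off = make_left_datacryptor(network_port_ip="10.10.10.1")
    print("proxy arp enabled:", dc_off.proxy_arp_enabled())
    print("arp 192.168.0.254 ->", dc_off.handle_arp_request("192.168.0.1", "192.168.0.254"))
```

The `probe_conflicts` helper makes the point of the conflict paragraph concrete: the only input to the decision is the PNS range, so any address inside the remote selector draws a reply. Narrow, accurate range selectors are therefore what keeps spurious conflict reports (and misdirected traffic) from appearing on the local segment.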

© Thales 2007