
Handbook

ARP traffic

6.0.0

ARP traffic

Address Resolution Protocol (ARP) packets are vital to communication on a network, and ARP support is enabled on FortiGate interfaces by default. Normally, you want ARP packets to pass through a FortiGate, especially if it sits between a client and a server or between a client and a router.

ARP traffic can cause problems, especially in transparent mode where ARP packets arriving on one interface are sent to all other interfaces including VLAN subinterfaces. Some layer-2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch doesn't maintain separate MAC address tables for each VLAN. Unstable switches may reset and cause network traffic to slow down considerably.

The default ARP timeout value is 5 minutes (300 seconds). ARP entries are usually removed after 5 minutes. However, some conditions can cause ARP entries to remain on the list for a longer period of time. This isn't a value that you can configure. To view the ARP list, enter the get system arp CLI command.
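The two conditions described above (a MAC address appearing on more than one interface, and entries that outlive the 5-minute default timeout) can be checked from the output of get system arp. The following is an added example, not part of the Fortinet handbook; the sample table is constructed, and the four-column layout (Address, Age(min), Hardware Addr, Interface) is assumed.

```python
"""Parse FortiOS 'get system arp' output and flag two conditions:
a MAC seen on more than one interface, and entries older than the
5-minute default ARP timeout."""
from collections import defaultdict

# Constructed sample in the assumed 'get system arp' column layout.
SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.1       0          00:11:22:33:44:01  internal
192.168.1.50      2          00:11:22:33:44:02  internal
10.0.0.7          1          00:11:22:33:44:02  dmz
10.0.0.9          8          00:11:22:33:44:03  dmz
"""

ARP_TIMEOUT_MIN = 5  # default timeout is 300 seconds and is not configurable


def parse_arp(text):
    """Return (ip, age_min, mac, interface) tuples, skipping the header line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Address":
            continue
        ip, age, mac, iface = parts
        entries.append((ip, int(age), mac.lower(), iface))
    return entries


def macs_on_multiple_interfaces(entries):
    """Map each MAC seen on more than one interface to the sorted interface list.
    This is the pattern that destabilises some layer-2 switches in transparent mode."""
    seen = defaultdict(set)
    for _ip, _age, mac, iface in entries:
        seen[mac].add(iface)
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


def stale_entries(entries, timeout_min=ARP_TIMEOUT_MIN):
    """Entries whose age exceeds the default timeout, i.e. ones being held longer."""
    return [e for e in entries if e[1] > timeout_min]


if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    print("MACs on multiple interfaces:", macs_on_multiple_interfaces(arp))
    print("entries past default timeout:", stale_entries(arp))
```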

Proxy ARP extensions

You can extend the proxy ARP configuration to an IP address range instead of a single IP address. When you configure proxy-arp, in addition to setting the ip address, you can also set the end-ip address. If you don't set end-ip, the proxy ARP entry covers a single address, as before. The following is an example CLI configuration using the new setting:

config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.1.100
        set end-ip 192.168.1.102
    next
end
