ARP traffic
Address Resolution Protocol (ARP) packets are vital to communication on a network, and ARP support is enabled by default on FortiGate interfaces. Normally, you want ARP packets to pass through a FortiGate, especially if it is sitting between a client and a server or between a client and a router.
ARP traffic can cause problems, especially in transparent mode where ARP packets arriving on one interface are sent to all other interfaces including VLAN subinterfaces. Some layer-2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch doesn't maintain separate MAC address tables for each VLAN. Unstable switches may reset and cause network traffic to slow down considerably.
The default ARP timeout value is 5 minutes (300 seconds), so ARP entries are usually removed after 5 minutes. However, some conditions can cause ARP entries to remain in the table for a longer period of time. This isn't a value that you can configure. To view the ARP table, enter the get system arp CLI command.
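The two ARP conditions described above (one MAC address learned on more than one interface, which is the pattern that can destabilise layer-2 switches when ARP is flooded in transparent mode, and entries that have outlived the 5-minute default timeout) can be checked from the output of get system arp. The following Python script is an added example written for this page; it is not FortiGate code. It parses the table layout that get system arp prints (Address, Age(min), Hardware Addr, Interface), reports any MAC seen on multiple interfaces, and lists entries older than the default timeout. The sample output embedded in the script is constructed to match that layout, including the interface names, and is not captured from a real device. Note that this looks at the FortiGate's own ARP table; the switch instability itself is only visible on the switch.

```python
"""Parse FortiGate `get system arp` output and flag two ARP conditions:
a MAC address learned on more than one interface, and entries older than
the default 5-minute ARP timeout.

Added example, not FortiGate code. SAMPLE_ARP_OUTPUT is constructed to
mirror the `get system arp` table layout and is not a real capture.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

DEFAULT_ARP_TIMEOUT_MIN = 5  # FortiGate default ARP timeout (300 seconds)

# Constructed sample output in the layout of `get system arp`.
# Interface names (internal, vlan100, wan1) are assumptions for the example.
SAMPLE_ARP_OUTPUT = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.1       0          00:09:0f:aa:bb:01  internal
192.168.1.20      3          00:0c:29:12:34:56  internal
192.168.1.20      1          00:0c:29:12:34:56  vlan100
10.0.0.1          12         00:1a:2b:3c:4d:5e  wan1
10.0.0.7          4          00:1a:2b:3c:4d:ff  wan1
"""


@dataclass(frozen=True)
class ArpEntry:
    address: str
    age_min: int
    mac: str
    interface: str


def parse_arp_table(text: str) -> list[ArpEntry]:
    """Parse the whitespace-separated `get system arp` table into entries.

    The header row is skipped and blank lines are ignored. A line that does
    not have exactly four columns raises instead of being dropped, so a
    truncated capture is noticed rather than producing a partial result.
    """
    entries: list[ArpEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        cols = line.split()
        if cols[0] == "Address":  # header row
            continue
        if len(cols) != 4:
            raise ValueError(
                f"line {lineno}: expected 4 columns, got {len(cols)}: {line!r}"
            )
        address, age, mac, iface = cols
        entries.append(ArpEntry(address, int(age), mac.lower(), iface))
    return entries


def macs_on_multiple_interfaces(entries: list[ArpEntry]) -> dict[str, list[str]]:
    """Return {mac: sorted interfaces} for MACs learned on more than one interface.

    In transparent mode, ARP flooded out every interface (VLAN subinterfaces
    included) can present one MAC on several ports or VLANs; this is the
    corresponding view from the FortiGate's own table.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        seen[e.mac].add(e.interface)
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


def stale_entries(entries: list[ArpEntry],
                  timeout_min: int = DEFAULT_ARP_TIMEOUT_MIN) -> list[ArpEntry]:
    """Return entries whose age exceeds the ARP timeout.

    Entries are normally removed after 5 minutes, so anything older is one of
    the cases where an entry has stayed in the table longer than expected.
    """
    return [e for e in entries if e.age_min > timeout_min]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ifaces in macs_on_multiple_interfaces(table).items():
        print(f"MAC {mac} seen on {len(ifaces)} interfaces: {', '.join(ifaces)}")
    for e in stale_entries(table):
        print(f"stale: {e.address} ({e.mac}) on {e.interface}, age {e.age_min} min")
```

On a live unit, replace SAMPLE_ARP_OUTPUT with the text copied from a get system arp session; the parser rejects any row that does not have four columns, so a partially pasted table fails loudly instead of hiding an entry.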
Proxy ARP extensions
You can extend the proxy ARP configuration to an IP address range instead of a single IP address. When you configure proxy-arp, in addition to setting the ip address, you can also set the end-ip address. If you don't set end-ip, the proxy ARP entry covers a single address, as before. The following is an example CLI configuration using the new setting:
config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.1.100
        set end-ip 192.168.1.102
    next
end