arp reply restricted
Previous to the Flex100H Series routers we were able to run the "arp reply restricted" CLI command. Is there a way to do this on the H Series routers?
The reason why we need this is because it is responding to ARP requests on the WAN interface for IPs on the LAN interfaces.
Old Community post that references this is below.
Hi @crispy
I checked the CLI guide and the device; there seems to be no similar command. Please allow us to check further and I will update you once I get further info.
Zyxel Melen
Hi @crispy
Please use this command to reach your goal in the current firmware:
system network-stack ipv4 arp-ignore check-interface-and-subnet
Here are the configuration steps:
usgflex700h> edit running
usgflex700h running config# system network-stack arpseal enabled false
usgflex700h running config# system network-stack ipv4 arp-ignore check-interface-and-subnet
usgflex700h running config# commit
usgflex700h running config# copy running startup
Overwrite startup configuration? [y/N] y
P.S. We will update the CLI reference guide in the future. You may follow Security Gateway New Release - Zyxel Community category to receive the news.
Zyxel Melen
According to the FLEX H CLI Reference_v1.37, the arp-seal command is for arp spoofing prevention, which is not the same as the functionality provided by the 'arp reply restricted' command on ZLD-based firewalls.
Admittedly, it is a somewhat confusing (and uncommon) scenario that causes our issue, which was previously mitigated by the 'arp reply restricted' command... but I will attempt to explain:
- When setting up a brand-new firewall which is to be installed at a customer's site at a later date, we will connect the WAN port of the new firewall to our company's internal 'customer staging' VLAN.
- The 'customer staging' VLAN has an interface IP of 192.168.10.1/24, and a sub-interface/secondary IP of 10.10.1.1/24.
- The 'brand-new' firewall has ge1/WAN connected to the 'staging' network with an IP of 192.168.10.xxx/24.
- The 'brand-new' firewall also has 10.10.1.1/24 configured on its ge3/LAN interface.
- The 'brand-new' firewall responds to ARP requests for the 10.10.1.0/24 subnet on its ge1/WAN interface.
This causes communication issues with other devices in the 'customer staging' sub-interface, since these devices now have the MAC of the 'brand-new' firewall in their ARP table.
The 'arp reply restricted' command stops this behavior, so the firewall does not respond to ARP requests on its WAN port for the subnets that are present on its LAN/internal interfaces.
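To make the difference between the two ARP-reply behaviours concrete, here is an added example (not code from the thread, from Zyxel, or from the firewall's firmware) that models a permissive ARP responder beside a restricted one and runs both over constructed ARP requests from the staging scenario above. It assumes that `arp-ignore check-interface-and-subnet` behaves like the Linux `arp_ignore=2` rule (answer only when the target IP is configured on the receiving interface and the sender is inside that interface's subnet); the post does not document the exact semantics, so that mapping is an assumption, as are the interface names, the 192.168.10.50 WAN address and every request below.

```python
"""Model of two ARP-reply policies over constructed ARP requests.

Added example, not from the Zyxel thread or Zyxel firmware. Assumes the
firewall's "arp-ignore check-interface-and-subnet" option behaves like
Linux arp_ignore=2: reply only if the target IP is configured on the
receiving interface AND the sender sits in that address's subnet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class ArpRequest:
    iface: str              # interface the request arrived on
    sender_ip: IPv4Address  # ARP sender protocol address
    target_ip: IPv4Address  # "who has" address being asked for


# Constructed interface table for the "brand-new" firewall in the post.
# 192.168.10.50 stands in for the post's 192.168.10.xxx WAN address.
FIREWALL_IFACES = {
    "ge1": [IPv4Interface("192.168.10.50/24")],  # WAN, on the staging VLAN
    "ge3": [IPv4Interface("10.10.1.1/24")],      # LAN
}


def replies_permissive(req, ifaces):
    """Behaviour the post complains about (arp_ignore=0 style):
    answer for any IP configured on any interface of the box."""
    return any(req.target_ip == a.ip for addrs in ifaces.values() for a in addrs)


def replies_check_interface_and_subnet(req, ifaces):
    """Restricted behaviour: answer only if the target IP belongs to the
    receiving interface and the sender is inside that address's subnet."""
    for addr in ifaces.get(req.iface, []):
        if req.target_ip == addr.ip and req.sender_ip in addr.network:
            return True
    return False


def evaluate(policy, requests, ifaces):
    """Return the requests the firewall would answer under the given policy."""
    return [r for r in requests if policy(r, ifaces)]


# Constructed requests. The first, second and fourth arrive on ge1/WAN
# from the staging VLAN; the third arrives on ge3/LAN.
REQUESTS = [
    # staging host asks for the firewall's own WAN address: legitimate
    ArpRequest("ge1", IPv4Address("192.168.10.20"), IPv4Address("192.168.10.50")),
    # staging host on the 10.10.1.0/24 secondary IP asks for 10.10.1.1:
    # this is the LAN address leaking onto the WAN segment
    ArpRequest("ge1", IPv4Address("10.10.1.25"), IPv4Address("10.10.1.1")),
    # LAN host asks for its gateway on ge3: must keep working
    ArpRequest("ge3", IPv4Address("10.10.1.25"), IPv4Address("10.10.1.1")),
    # sender from an unrelated subnet asks for the WAN IP on ge1
    ArpRequest("ge1", IPv4Address("172.16.0.9"), IPv4Address("192.168.10.50")),
]


def leaked_replies(policy, requests=REQUESTS, ifaces=FIREWALL_IFACES):
    """Answered requests whose target IP lives on a different interface
    than the one the request arrived on: the symptom described in the post."""
    leaks = []
    for r in evaluate(policy, requests, ifaces):
        owner = next(name for name, addrs in ifaces.items()
                     if any(r.target_ip == a.ip for a in addrs))
        if owner != r.iface:
            leaks.append(r)
    return leaks


if __name__ == "__main__":
    for name, policy in [("permissive", replies_permissive),
                         ("check-interface-and-subnet", replies_check_interface_and_subnet)]:
        answered = evaluate(policy, REQUESTS, FIREWALL_IFACES)
        print(f"{name}: answers {len(answered)} of {len(REQUESTS)} requests; "
              f"{len(leaked_replies(policy))} leak a LAN address onto another interface")
```

Under the permissive policy the second request is answered on ge1 even though 10.10.1.1 is a ge3 address, which is exactly how the staging hosts end up with the new firewall's MAC in their ARP tables; under the restricted policy that request is ignored, the LAN host on ge3 still gets its gateway's MAC, and the request from the foreign 172.16.0.9 sender is dropped as well, which is the extra effect of the subnet check that a plain per-interface check would not have.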
Thanks a bunch for sharing this @zyman2008! Works perfectly!!!
I guess I should have spent more time poking around in the CLI... I see there are many undocumented options to play with😁