Channel: All SRX Services Gateway posts

Re: Upstream Router ARP Problem


Hi Alex,

 

Thanks for the reply.

 

I thought I already had configured proxy arp?

 

        proxy-arp {
            interface reth0.0 {
                address {
                    109.3.4.88/32;
                }
            }
        }

 

I tried the command to make it restricted but the command doesn't seem to exist.

 

Re not responding to ARPs if the source IP is from a different subnet, I hear this a lot, but the RFC 826 for ARP actually operates at layer 2 and knows nothing of routing. I tested this by adding a second IP to the interface instead of using proxy ARP and it still refuses to respond to ARP requests. (Sure the ARP won't pass through a router, but if the ARP requester is on the same broadcast domain, that's not an issue.) All the RFC says is "if you have this IP, respond." If Juniper actually have logic that says "if you have this IP AND you are in the same IP subnet as me, respond", I would propose that they are not RFC compliant because they are assuming that each IP subnet is segregated by a router and therefore act as separate broadcast domains, but of course that's not a requirement. Sure, it may not be good network design to have many IP subnets on the same ethernet segment if at all possible, but I am not aware of any RFCs that say they must be separate. (That said, I've only read a small percentage of them!)

 

Anyway, I'll fiddle with set interfaces reth0.0 proxy-arp restricted and also unrestricted once I have the syntax right and let you know how it goes.

 

 

 

EDIT: Ah - I see that proxy ARP can't be set on reth, only fe. Should I do that on both interfaces instead?

 

EDIT: OK I tried this:

set interfaces fe-0/0/0 unit 0 proxy-arp restricted

set interfaces fe-1/0/0 unit 0 proxy-arp restricted

No joy :(

 

set interfaces fe-0/0/0 unit 0 proxy-arp unrestricted

set interfaces fe-1/0/0 unit 0 proxy-arp unrestricted

No joy :(

 

 

If you can point me at an RFC that says that it is OK to not reply to ARP requests if the source is from a different subnet, that would be good because I can take that to the guys that manage the upstream router.
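
The two behaviours debated in this post, as an added example that is not part of the original post and is not Juniper's code: a responder following the RFC 826 reception checks next to one with a sender-subnet filter. The filter, the MAC addresses, 192.0.2.1 and 198.51.100.0/24 are constructed assumptions, and the RFC's translation-table update step is omitted.

```python
import ipaddress
import struct

# Ethernet/IPv4 ARP body: hrd, pro, hln, pln, op, sha, spa, tha, tpa (28 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")
REQUEST, REPLY = 1, 2

# Constructed sample values; only 109.3.4.88 comes from the post.
MY_MAC = bytes.fromhex("020000000001")
UPSTREAM_MAC = bytes.fromhex("020000000002")
MY_IPS = {ipaddress.IPv4Address("109.3.4.88")}
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")


def build_request(sha, spa, tpa):
    """Build an ARP request body (target hardware address left as zeros)."""
    return ARP.pack(1, 0x0800, 6, 4, REQUEST, sha,
                    ipaddress.IPv4Address(spa).packed, bytes(6),
                    ipaddress.IPv4Address(tpa).packed)


def handle_arp(packet, my_mac, my_ips, sender_must_be_in=None):
    """Return the ARP reply body, or None when no reply would be sent."""
    if len(packet) < ARP.size:
        return None
    hrd, pro, hln, pln, op, sha, spa, _tha, tpa = ARP.unpack(packet[:ARP.size])
    # RFC 826 order: hardware type, protocol type, "am I the target?", opcode.
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None
    if ipaddress.IPv4Address(tpa) not in my_ips:
        return None
    if op != REQUEST:
        return None
    # Hypothetical extra filter (not in RFC 826): drop requesters whose
    # sender protocol address lies outside the given network.
    if (sender_must_be_in is not None
            and ipaddress.IPv4Address(spa) not in sender_must_be_in):
        return None
    # Swap the fields: we become the sender, the requester the target.
    return ARP.pack(hrd, pro, hln, pln, REPLY, my_mac, tpa, sha, spa)


if __name__ == "__main__":
    req = build_request(UPSTREAM_MAC, "192.0.2.1", "109.3.4.88")
    print("RFC 826 logic replies:", handle_arp(req, MY_MAC, MY_IPS) is not None)
    print("With subnet filter replies:",
          handle_arp(req, MY_MAC, MY_IPS, LOCAL_NET) is not None)
```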

 

