Proxy ARP Explained


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(Rene Molenaar) #2

“R1 receives an ARP request from R1 who is looking for the IP address of its default gateway and replies with its MAC address.”

I think the second R1 should be Host A.


(Rene Molenaar) #3

You are right, just fixed it! Thanks for letting me know.


(Donald S) #4

Rene

Is proxy arp used only if the destination ip address is detected to to be on a subnet that is not reachable by normal arp requests? When you changed the mask of host B to /8 it assumes the destination was local even though it was remote?

Thanks


(Rene Molenaar) #5

Hi Donald,

That’s right. Since host B has a /8 mask, it thinks it can reach anything in the 10.x.x.x range locally by using ARP requests. The router answers the ARP requests “on behalf” of the devices on the other side so that host B can reach them, otherwise it would fail.

Still, it’s a misconfiguration issue. Proxy ARP is disabled by default.

Rene


(Harmit V) #6

Hi Rene,

Got a question:

If R1 has proxy arp enabled on interface facing HostA and HostB. Will it still reply to arp from Host B if R1 (if we assume)-has no route to destination ? Please clarify this for me?

Thanks


(Rene Molenaar) #7

Hi Harmit,

No it won’t, the router requires an interface with a subnet in the range. If it receives any other ARP requests then it will just ignore them.

Rene


(William M) #8

So in other words (or layman’s term) the router answers the ping request and not the actual server / device? Giving a false belief that the server or device on the other end of the pings is working when it couldn’t be.

Thanks


(Rene Molenaar) #9

Hi Will,

That’s right. In this example, it’s a misconfiguration on the host that you can “fix” by enabling proxy ARP on the router.

Rene


(William M) #10

Then, going one step further (or backwards), turning OFF Proxy ARP will then force the device itself to answer the ping and not the Router / L3 device? I’ve run into this issue a couple times at work and get lost and what & why turning OFF Proxy ARP does.

Thanks for the info …

Bill


(Rene Molenaar) #11

If you turn off proxy ARP then this scenario won’t work anymore. Keep in mind that ARP is a broadcast so the router will not forward it on its other interfaces. The device on the other end will never hear the ARP…


(William M) #12

Thanks and this is my LAST Proxy Arp question or post. I’ve run into a couple issues where Proxy Arp was turned on at a SVI or Cisco ASA interface and gave a false belief that a server or device was reachable when it wasn’t. Is it best practice to “Turn off” Proxy ARP everywhere??

Thanks again’


(Rene Molenaar) #13

Hi William,

In my opinion, it is best practice to disable proxy ARP. In a “normal” network, it’s only helpful to solve the issue where hosts have configured the wrong subnet mask. Instead of using proxy ARP, it’s better to fix the subnet masks.

The only reason why you might use it is if you want to do some crazy things like NAT hairpinning. For example:

Cisco ASA NAT hairpin internal server

Rene


(Deepak M) #14

Hi Rene,

so just configuring gateway address to Router interface , would auto enable proxy -arp ?! but again for the router it would be getting an ARP request to same destination subnet right ?


(Rene Molenaar) #15

Hi Deepak,

By default, proxy ARP is enabled. If you configure an IP address on a router interface then the router can respond to ARPs.

Rene


(Deepak M) #16

Hi Rene , Thanks.


(Ananth Maruti M) #17

Hi Rene,

i have a question. Do each interface in router has different mac addresses ? If the router has 5 interfaces , whether it will have 5 mac addresses ( one for each port) along with router base mac address. In the above example I see 10.1.1.254 and 10.2.2.254 has different mac address. what is the advantage of having a router base mac address.

Also for layer 2 switches , how the mac address will be. If it is a 24 port switch , how many mac addresses it will have in addition to the base mac address. i am asking this because when we see how switches learn mac address , the mac address of the host machine alone is described and not the mac address of the port.

Can you pls clarify?


(Rene Molenaar) #18

Hi Ananth,

Each router interface has a different MAC address yes. Unlike switches, they don’t have a “base” MAC address.

Switches have a different MAC address for each of their interfaces. They also have a base MAC address that is used for certain protocols (like STP).

Rene


(Ananth Maruti M) #19

Thanks, Rene.

But I have a question here. If switches have different mac address for their interfaces , then during mac learning only the mac of the host is learnt in the mac address table. What is the significance of the mac address of the switch ports? If a host with mac AAA is connected to port 1/1 , what about the mac address of port 1/1 and how it actually participates in mac learning?

Ananth


(Lazaros Agapides) #20

Hello Ananth!

MAC address learning that occurs on a switch involves the learning of the MAC addresses that are attached to the specific interface. For example, if interface Fa0/1 is connected to PC1 with MAC Address A:B:C:D:E:F, then this MAC address will be used to populate the MAC address table. The Fa0/1 interface does not need to learn its own MAC address. What happens if interface Fa0/1 is connected to interface Fa0/2 of another switch. Won’t the MAC address of Fa0/2 of that switch be included in the MAC table of the first switch? It depends.

It is important to understand that the creation of the MAC address table in a switch is done via the Source MAC address found in the incoming frames on an interface. If the other switch is never the destination of a frame, then this MAC address will not be included in any MAC address table. MAC addresses of specific switch interfaces will not enter the MAC tables of other switches unless the switches themselves are the sources (or destinations) of frames.

I hope this has been helpful.

Laz