Proxy ARP Explained

Hi Laz / Rene Sir,
The title "networking in plain English" is absolutely right. Whatever you mentioned about the concept is easy to understand and mind-blowing. A big salute to your team.

Thank you so much again, Sir.

Regards
Shivam Chahal

1 Like

Hi Laz Sir,

I have a quick question about the above-mentioned topic; kindly share your point of view on this.

Suppose we have two hosts which are in different networks and connected to a router via a switch, and a default gateway is provided on each of the interfaces of the router.

My question is: if we disable proxy ARP on the router, then how does a host know the destination MAC address if H1 pings H2, as in the case of a LAN where ARP normally works?

As I studied thoroughly, ARP is not performed across different networks because the router blocks the broadcast domain, so an ARP request and ARP reply are not possible; it is only possible within the same subnet, meaning the ARP request reaches the default gateway, which provides its own MAC address. Then how can I get the destination MAC of a particular host if we ping from a device which is in a different network?

Regards
Shivam Chahal

Hi Laz Sir

Please confirm: when running the show arp command on both the H1 and H2 hosts, the hardware address of the router is the same, but the interface IP address is different; one is the server interface IP and the other is the router interface IP. What is the reason behind this?

Regards
Shivam Chahal

Hello Shivam

In order to respond to your question, take a look at the following topology, as you described it in your post:
image
Let’s say Host 1 wants to send a packet to Host 2. Let’s also assume that proxy ARP is disabled on the router. The process is as follows:

  1. Host 1 will encapsulate the transport layer segment into an IP packet with the destination IP of 10.10.10.20.
  2. This IP packet is then encapsulated into a frame. The source MAC address is that of Host 1. It must determine the destination MAC using the destination IP.
  3. Now Host 1 knows that the destination IP is in a different subnet. It knows this by looking at its own address and subnet mask. This means that the Host must forward the frame to the configured default gateway.
  4. Therefore it will do an ARP request not of the destination IP, but of the default gateway IP. It will obtain its MAC address, place it in the destination MAC address field of the Ethernet header, and send it.
  5. The router will receive this packet, read the destination MAC, decapsulate it, and read the destination IP.
  6. It will look up the destination IP of 10.10.20.10 on the routing table, and find that it is within the subnet on its directly connected interface.
  7. It will re-encapsulate the IP packet in a new Ethernet frame, with its own source MAC address.
  8. The router will send out a new ARP request for the destination IP of 10.10.20.10, and Host 2 will respond to this.
  9. The router will receive the MAC address of Host 2, populate the destination MAC field, and send the frame to Host 2.
  10. Host 2 will receive it and process it normally.

So you see, in this case, it is the routing functionality of the router that gets the packet to its destination. All ARP requests in this scenario remain within the network segment and are not forwarded.

Note that even if Proxy ARP were enabled on the router, the above procedure would still take place. Proxy ARP would only be used if Host 1 had no default gateway configured. Only then would it send an ARP request asking for the MAC address of 10.10.20.0. If it has a default gateway configured, it will prefer using that, and sending an ARP request for the IP of the default gateway.

I hope this has been helpful! Stay healthy and safe!

Laz

Hello Shivam

If I understood correctly, what you are saying is that the ARP table has the same MAC address for both the router as well as the other host? If that is the case, then this is to be expected. Take a look at this topology again.
image
Let’s assume this time that the hosts are not configured with default gateways, and that the router has proxy ARP enabled.

If Host 1 pings Host 2, Proxy ARP will be used to get the Layer 2 addressing information to achieve connectivity. This means that Host 1 will have the following entries in the ARP table:

C:\Users\user>arp -a

Interface: 10.10.10.10 --- 0xd
  Internet Address      Physical Address      Type
  10.10.10.1            aa-aa-aa-aa-aa-aa     dynamic
  10.10.20.10           aa-aa-aa-aa-aa-aa     dynamic

You would see that both the router interface and Host 2 correspond to the same MAC address. This is because one of those (the router) has been provided via ARP, while the other (Host 2) has been provided via Proxy ARP. But both are the same, because Proxy ARP returns the MAC address of the local gateway as that corresponding to the destination IP address.

Note also, that Proxy ARP will always give you an IP address in a different subnet than your own.

I hope this has been helpful! Stay safe and healthy!

Laz
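An added example (not part of the thread or the lesson) that reads `arp -a` output like the table in the post above and reports which MAC addresses answer for more than one IP, and which of those IPs lie outside the host's own segment, i.e. entries learned through proxy ARP. The /24 local segment, the two static broadcast rows and the function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# The two dynamic rows come from the post; the static rows are constructed
# to show that broadcast entries must not be counted.
SAMPLE = """
Interface: 10.10.10.10 --- 0xd
  Internet Address      Physical Address      Type
  10.10.10.1            aa-aa-aa-aa-aa-aa     dynamic
  10.10.20.10           aa-aa-aa-aa-aa-aa     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)

def shared_macs(arp_output):
    """Map each MAC that was learned dynamically for 2+ IPs to those IPs."""
    by_mac = defaultdict(list)
    for line in arp_output.splitlines():
        m = ROW.match(line)
        # Static rows (broadcast, multicast) legitimately share a MAC.
        if m and m.group(3).lower() == "dynamic":
            by_mac[m.group(2).lower()].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def proxied_entries(arp_output, local_segment):
    """(ip, mac) pairs on a shared MAC whose IP is outside local_segment."""
    segment = ipaddress.ip_network(local_segment)
    return [(ip, mac)
            for mac, ips in shared_macs(arp_output).items()
            for ip in ips
            if ipaddress.ip_address(ip) not in segment]

if __name__ == "__main__":
    print("Shared MACs:", shared_macs(SAMPLE))
    # Assumption: Host 1's real segment is 10.10.10.0/24.
    print("Learned via proxy ARP:", proxied_entries(SAMPLE, "10.10.10.0/24"))
```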

Hi Laz Sir,
I understand your point, but I need some help. I want to configure the above topology in GNS3 so that I can see the major differences in practice. What changes have been made there?
Theoretically, I understand there is default routing configured on the hosts and proxy ARP is disabled.
Please share the configuration and a Wireshark snapshot of the packet capture.

Rgds
Shivam Chaudhary

Hello Shivam

The lesson here provides a good and comprehensive description of how Proxy ARP works. You can duplicate this lesson in GNS3, and include the debugs to see Proxy ARP in action. You can also attempt to remove the default gateways from the hosts, and see the results as well.

You can find the detailed configurations in the lesson itself.

I hope this has been helpful! Stay safe and healthy!

Laz

Hi Laz /Rene Sir ,

Apologies, but I am posting here again. I understand this concept and I am aware of how it works, but since I know the real packet flow where proxy ARP is not given, it creates confusion here.
Please help and clear my doubt again.

1) How can hosts differentiate whether they are in the same subnet (network) or a different subnet (network) if they are provided with a classless or classful IP? Kindly give me some examples and how to check and verify it. Please share the process.

2) As I know, a default gateway is used if a host wants to reach another host which is in a different network. I want to know why the default gateway is provided to the host in the case of proxy ARP, and not given to the proxy router.

3) What happens in both cases if the default gateway is provided to the router and not to the host?

Router (proxy enabled): Case 1.
Router (proxy disabled): Case 2.

This question created confusion while doing the lab. I hope you understand it.

I invested days and time to understand this topic, but maybe something is lacking due to the above questions pending.

Please help here.

Thanks
Shivam Chahal.

Hello Shivam

No need to apologize for posting again, that’s what we’re here for!

A host “knows” if a destination IP is on the same subnet as itself, or on a different subnet because it knows its own subnet mask. If my PC has an IP address of 192.168.55.24 and a subnet mask of 255.255.255.0 then it can calculate (using binary ANDing) the whole range of IP addresses that belong to the same subnet. So if my PC wants to send something to 192.168.55.99, it will first AND its own IP address, and then the IP address of the destination like so:

192.168.55.24 AND 255.255.255.0 = 192.168.55.0
192.168.55.99 AND 255.255.255.0 = 192.168.55.0

The result is the same network address, which means the destination is on the same subnet. So any communication with this destination takes place without the default gateway.

In the lesson, H2 is given the following IP address parameters:

IP address: 10.1.1.2
Subnet mask: 255.0.0.0
Gateway: 10.1.1.254

Now when H2 pings the server at 10.2.2.100, it does the AND check as shown above:

10.1.1.2 AND 255.0.0.0 = 10.0.0.0
10.2.2.100 AND 255.0.0.0 = 10.0.0.0

So the network address is the same, so it doesn’t try to use the default gateway, because it believes that the destination is on the same subnet. So it sends an ARP request not for the default gateway, but for the destination IP. The result is the local router, which knows that the destination IP is actually in another subnet served by another one of its interfaces, sends out the proxy ARP.

In the lesson, H1 uses the default gateway because it determines that the destination IP is not in the same subnet, while H2 uses ARP (which turns into proxy ARP by the router) because it believes, based on its own subnet mask, that the destination IP is in the same subnet. If proxy ARP was disabled, then H1 would successfully communicate with the server, but H2 would fail.

I hope this has been helpful!

Laz

1 Like
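The mask check from the post above, combined with the ARP-for-the-gateway step from the earlier numbered walkthrough, as an added example (not part of the thread or the lesson). It lists the hosts that would lose connectivity if proxy ARP were disabled on the router; the /24 router segments, H1's address and mask, and the function names are assumptions.

```python
import ipaddress

# Assumed real subnets on the router's two interfaces (not given in the thread).
ROUTER_SEGMENTS = ("10.1.1.0/24", "10.2.2.0/24")

def arp_target(host_ip, mask, gateway, dest_ip):
    """IP the host ARPs for: AND both addresses with the host's own mask."""
    own_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    dest_net = ipaddress.ip_interface(f"{dest_ip}/{mask}").network
    # Same network address: ARP for the destination, otherwise for the gateway.
    return dest_ip if own_net == dest_net else gateway

def who_answers(host_ip, mask, gateway, dest_ip, proxy_arp,
                segments=ROUTER_SEGMENTS):
    """Return who replies to the host's ARP request, or None if nobody does."""
    target = arp_target(host_ip, mask, gateway, dest_ip)
    if target == gateway:
        return "gateway"
    nets = [ipaddress.ip_network(s) for s in segments]
    local = next(n for n in nets if ipaddress.ip_address(host_ip) in n)
    if ipaddress.ip_address(target) in local:
        return "destination"
    # The destination is really behind another router interface.
    behind_router = any(ipaddress.ip_address(target) in n
                        for n in nets if n != local)
    return "router (proxy ARP)" if proxy_arp and behind_router else None

def breaks_without_proxy_arp(hosts, dest_ip):
    """Names of hosts that reach dest_ip only because proxy ARP is enabled."""
    return [name for name, (ip, mask, gw) in hosts.items()
            if who_answers(ip, mask, gw, dest_ip, True) == "router (proxy ARP)"
            and who_answers(ip, mask, gw, dest_ip, False) is None]

# H2 is taken from the post; H1's address and /24 mask are assumptions.
HOSTS = {"H1": ("10.1.1.1", "255.255.255.0", "10.1.1.254"),
         "H2": ("10.1.1.2", "255.0.0.0", "10.1.1.254")}

if __name__ == "__main__":
    for name, (ip, mask, gw) in HOSTS.items():
        print(name, "ARPs for", arp_target(ip, mask, gw, "10.2.2.100"))
    print("Break if proxy ARP is disabled:",
          breaks_without_proxy_arp(HOSTS, "10.2.2.100"))
```

Running the same check over an inventory of host addresses and masks before turning proxy ARP off shows which hosts have a mask that is too wide and need correcting first.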

Hi Rene,

Is it possible to monitor and manage an L2 switch without configuring a default gateway or default route for the management VLAN? For example, if I have a monitoring tool like SolarWinds on a different network, will proxy ARP on the management interface on the router or the management VLAN SVI on an L3 switch respond with MAC address information for SNMP, SSH or Telnet traffic?

Hello Rajeev

Yes, you can do this, but you have to configure the subnet mask of the IP address of the device to include the IP address of the monitoring tool. This way, the device will believe that the monitoring tool is on the same subnet (even though it isn’t) and will not send traffic to the default gateway, but will send out an ARP request for the MAC address information. The router on the network will receive this and using proxy ARP, should relay the request.

You can find out more detailed information about this at the following Cisco documentation:

I hope this has been helpful!

Laz

1 Like

Please explain gratuitous ARP. Its significance and uses.

Hello Ajinkya

Take a look at this post:

If you have any further questions, feel free to ask!

I hope this has been helpful!

Laz

I have tested in Packet Tracer, and I am able to ping 10.2.2.100, which is hops away, with proxy-arp. Router0 has a static route for the 10.2.2.0 subnet. What I understood is that the router will route to any destination if it has a route in the routing table. But the above comments say that it will work only for the directly connected subnet! Please elaborate.

Hello Haris

From my understanding, you have proxy-arp enabled on both routers, and you have a static route on router0 that points to the 10.2.2.0/24 subnet, correct? I tried recreating that in Packet Tracer, but I was unable to get the ping to work. The ping reached PC1 but on its way back, it failed when it reached Router1. Can you elaborate more on your configuration so that we can help you further?

Looking forward to hearing from you…

Laz

On Router1 I again have a static route pointing to router R0. Is it supposed to work without static routing? The fact that PC1 is sending traffic to R0 without a default GW being set should prove that R0 is acting as proxy ARP. For the reverse traffic, we need to add a static route on R1 for it to work, just like we added on R0 for forwarding traffic. Please elaborate if my understanding is wrong.

Hello Haris

Yes, that change did indeed cause the ping to start working. And yes, your understanding is correct.

If you use the Simulation feature in Packet Tracer, you will be able to follow the proxy ARP process as well. You will find that PC0 sends an ARP to Router0, and Router0 finds that it has no ARP entry for that IP address, so it, in turn, sends an ARP request to Router1. Router1 in turn will send an ARP request to PC1. Once this is done, the ICMP packet can traverse the path from end to end.

Take a look at this event list from Packet Tracer.
image
You can see that there are three sets of three ARP events.

  • The first is an ARP request from PC0 to Router0
  • The second is an ARP request from Router0 to Router1
  • The third is an ARP request from Router1 to PC1

So Proxy ARP will take place over multiple hops only if you have static routing that will allow the return journey.

I hope this has been helpful!

Laz

Hello.
Should it be FastEthernet0/3 ?

1 Like

Hello Vadim

You are correct. It seems that the diagram is incorrect because Rene refers to Fa0/1 throughout the lesson. The diagram should read Fa0/1 instead of Fa0/3 for R1. I will let Rene know to make the change. Thanks for pointing that out!

Laz

1 Like