Proxy ARP is indeed often associated with poor or misconfigured network designs, as it can lead to various network issues such as broadcast storms and increased network traffic. However, it can also be useful in certain scenarios, such as when network devices are not in the same network but need to communicate as if they were. Sometimes the simplicity of implementation outweighs the negative impacts of security, especially in smaller networks.
As for Local Proxy ARP, it is a variation of Proxy ARP that works within the same network or VLAN. In a standard Proxy ARP situation, a router responds to ARP requests intended for another network, essentially "pretending" to be the destination host and then forwarding the traffic appropriately. With Local Proxy ARP, the router responds to ARP requests even if the hosts are on the same network. This can be useful in situations where hosts on the same network are not allowed to communicate directly for security reasons, such as when private VLANs are deployed.
Hi Rene,
Slightly philosophical question - if it is (as it seems) really only useful in glossing over config errors (which feels like a BAD thing to do, why not find and fix the config errors instead?), why is it included as a default? Is this yet another of the "it's like this because of history" things? It seems incredibly marginal! It's also just cost me a day of fiddling to find out what was going on with my MikroTik-to-Cisco dhcp relay which wasn't working until I disabled proxy-arp… (given how much I learned from it I'm not actually feeling too grumpy)
You bring up a great point. Proxy ARP, like many other features, is included as a default setting due to historical reasons and specific use-case scenarios. It's not necessarily about glossing over config errors, but more about providing flexibility in the network by default.
Proxy ARP can be useful in situations where hosts are not on the same subnet but need to communicate as if they are. It can also be used in scenarios where routing is not possible for specific reasons.
However, as you've discovered, it can sometimes cause issues if it's not properly understood or managed. In some cases, it can result in unnecessary ARP traffic, or even cause problems like the one you had with your MikroTik-to-Cisco DHCP relay.
So, while it's included as a default, it's not always the best option for every situation. It may have been more useful in the past, but in most modern networks, it shouldn't really be necessary. It's important to understand what it does and how it affects your network before deciding whether to use it or not.
I'm glad to hear that you learned a lot from this experience. That's one of the great things about working in networking - there's always something new to learn, and that is quite valuable.
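
An added example, not part of the thread: one way to see whether a router is answering ARP on behalf of other hosts is to check a Linux host's neighbor table for addresses that resolve to the gateway's MAC. The sample `ip neigh show` output, the addresses, and the function name `proxied_entries` are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ip neigh show` output from a hypothetical host on 192.168.1.0/24
# whose default gateway is 192.168.1.1 (not taken from the thread).
SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
10.0.5.7 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.9.12 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:55 DELAY
192.168.1.40 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router STALE
"""

ENTRY = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def proxied_entries(neigh_output, gateway, subnet):
    """Return {ip: label} for IPv4 neighbors that resolve to the gateway's MAC.

    off-subnet  -> the host ARPed for another network and the router answered
                   (standard proxy ARP, usually paired with a wrong mask/route)
    same-subnet -> consistent with local proxy ARP; a multi-homed host or a
                   poisoned cache produces the same picture, so verify it
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    table = {}
    for line in neigh_output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.version == 4:  # ARP is IPv4 only; skip IPv6 neighbors
            table[ip] = m.group(3).lower()
    gw_mac = table.get(gw)
    if gw_mac is None:
        return {}  # gateway not resolved yet, nothing to compare against
    findings = {}
    for ip, mac in sorted(table.items()):
        if ip != gw and mac == gw_mac:
            findings[str(ip)] = "same-subnet" if ip in net else "off-subnet"
    return findings

if __name__ == "__main__":
    for ip, label in proxied_entries(SAMPLE, "192.168.1.1", "192.168.1.0/24").items():
        print(f"{ip:15} {label}")
```
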