Proxy ARP
Today I am going to talk about Proxy ARP. Proxy ARP is enabled by default on routers. The idea is that it permits devices on two different subnets to exchange information with each other without configuring a default gateway.
Let’s verify this with a lab. This lab was set up in GNS3. NB_R1 and NB_R3 are routers; however, we are going to make them behave as hosts by disabling IP routing. So imagine this as two hosts (NB_R1 & NB_R3) connecting to one router (NB_R2).
Fig 1.1 - Proxy ARP
NB_R1#
no ip routing
interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.0
NB_R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0
NB_R2#
interface FastEthernet0/0
description connections to R1
ip address 192.168.0.1 255.255.255.0
interface FastEthernet0/1
description connections to R3
ip address 10.10.10.1 255.255.255.0
NB_R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 - cc01.0e1c.0001 ARPA FastEthernet0/1
Internet 192.168.0.1 - cc01.0e1c.0000 ARPA FastEthernet0/0
NB_R3#
no ip routing
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
NB_R3#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.2 - cc02.116c.0001 ARPA FastEthernet0/1
So let’s try to ping from NB_R1 to NB_R3 without a default gateway configured on either side.
NB_R1#ping 10.10.10.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
NB_R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.2 - cc01.0e1c.0000 ARPA FastEthernet0/0
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0
The MAC address for 10.10.10.2 is actually the MAC address of our router NB_R2’s fa0/0 interface (as opposed to the MAC of our host NB_R3). Let’s verify this by checking the MAC for NB_R2’s fa0/0 interface.
NB_R2#sh int fa0/0 | i bia
Hardware is AmdFE, address is cc01.0e1c.0000 (bia cc01.0e1c.0000)
Cool. This means our ping from NB_R1 to NB_R3 was actually proxy-ARP’d by our router NB_R2 (i.e. NB_R2 answered NB_R1’s ARP request for 10.10.10.2 on NB_R3’s behalf, because it knows the destination IP is off one of its interfaces). So if we disable proxy ARP on NB_R2, the ping from NB_R1 to NB_R3 should be unsuccessful! At this point, I’ve cleared the ARP cache by using #clear arp on each of the three devices so that we don’t use any old ARP entries.
NB_R2(config)#interface FastEthernet0/1
NB_R2(config-if)#no ip proxy-arp
NB_R2(config)#interface FastEthernet0/0
NB_R2(config-if)#no ip proxy-arp
NB_R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NB_R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.2 0 Incomplete ARPA
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0
Good. The incomplete ARP entry indicates that we didn’t receive a response to the ARP request for the destination 10.10.10.2. Because we removed proxy ARP, we now need to add a default gateway on both NB_R1 & NB_R3 in order for this to work!
NB_R3(config)#ip default-gateway 10.10.10.1
NB_R1(config)#ip default-gateway 192.168.0.1
NB_R1#ping 10.10.10.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
NB_R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.1 0 cc01.0e1c.0000 ARPA FastEthernet0/0
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0
Now we understand how the config works without proxy ARP. When we ping an address on another subnet, our host (NB_R1) knows it needs to use its default gateway. It sends a broadcast ARP to find the MAC of the gateway so that it can pass the frame on to NB_R2. NB_R2 looks up its routing table and sees that the 10.10.10.0/24 network is directly connected via fa0/1.
It then broadcasts an ARP for the MAC assigned to 10.10.10.2 and passes the frame on to NB_R3. Because of the route lookup, we are working at layer 3 on the router. This means we are no longer sending broadcast frames at layer 2 across different subnets.
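The three NB_R1 ARP tables above can be told apart automatically, which is a handy audit check for hosts that silently depend on proxy ARP. The following is an added example, not part of the original lab: it parses the `sh arp` rows shown in this post and labels every learned entry by comparing it with the host's own subnet. The function names are made up for illustration, and it assumes the IOS column layout shown above.

```python
import ipaddress
import re

# One data row of IOS "show arp": Protocol Address Age HardwareAddr Type [Interface]
ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA(?:\s+(\S+))?$")

def parse_show_arp(text):
    """Return (ip, mac, interface) per row; mac is None for an Incomplete entry."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # prompt, header or blank line
        ip, mac, intf = m.groups()
        mac = None if mac.lower() == "incomplete" else mac.lower()
        rows.append((ipaddress.ip_address(ip), mac, intf))
    return rows

def classify(text, host_if):
    """Map each learned IP to 'on-link', 'proxy-arp' or 'unresolved'.

    host_if is the host's own address and mask, e.g. '192.168.0.2/24'.
    """
    iface = ipaddress.ip_interface(host_if)
    verdicts = {}
    for ip, mac, _ in parse_show_arp(text):
        if ip == iface.ip:
            continue  # the host's own interface entry
        if mac is None:
            verdicts[str(ip)] = "unresolved"
        elif ip not in iface.network:
            # An off-subnet IP resolved at layer 2: something answered on its behalf.
            verdicts[str(ip)] = "proxy-arp"
        else:
            verdicts[str(ip)] = "on-link"
    return verdicts

# NB_R1 "sh arp" rows copied from the three stages of the lab above.
PROXY_ARP_ON = """\
Internet 10.10.10.2 - cc01.0e1c.0000 ARPA FastEthernet0/0
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0"""
PROXY_ARP_OFF = """\
Internet 10.10.10.2 0 Incomplete ARPA
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0"""
WITH_GATEWAY = """\
Internet 192.168.0.1 0 cc01.0e1c.0000 ARPA FastEthernet0/0
Internet 192.168.0.2 - cc00.0e1c.0000 ARPA FastEthernet0/0"""
```

Calling `classify(PROXY_ARP_ON, "192.168.0.2/24")` labels 10.10.10.2 as `proxy-arp`, while the table taken after the default gateway was configured contains only an `on-link` entry for 192.168.0.1.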