13.1 Proxy Arp

I have read quite a bit about this and I am not getting it. I think I understand Proxy-arp, but ip local-proxy-arp has me confused.

 

Sounds like it's related to private VLAN, like a quick fix in case ports in the same community cannot ping one another. Or maybe they can ping but they are forced to ping through the router and not direct to each other.

 

This post helped me understand private VLANs more, but still did not clear up my confusion on what exactly ip local-proxy-arp does.

 

Can anybody help ?

Comments

  • After reading the documentation and going through the task, my understanding is that the ip local-proxy-arp
    feature operates as if a particular device within the LAN/subnet
    becomes the "ARP server" for the local subnet replying to all ARP
    requests for IP addresses within the subnet and forwarding traffic
    between devices at Layer 2.



    In this particular scenario, the switch ports connected to R1 and R5 are
    configured with the switchport protection feature which wouldn't allow
    them to communicate to each other directly. However, since R6 has been
    configured as the "ARP server" for the local subnet it will reply to ARP
    requests and forward traffic between these two devices.



    Below is a partial output of the debug arp on R6. It clearly shows R6
    receiving an ARP request from R1 and replying with its own MAC address.



    IP ARP: rcvd req src 155.1.146.1 0013.8047.c440, dst 155.1.146.5 FastEthernet0/0.146

    IP ARP: sent rep src 155.1.146.5 0021.a08a.f57e [R6],

                     dst 155.1.146.1 0013.8047.c440 FastEthernet0/0.146



    R1's ARP cache confirms R5's IP address has been mapped to R6's MAC address.



    RSRack1R1#sh ip arp 155.1.146.5

    Protocol  Address          Age (min)  Hardware Addr   Type   Interface

    Internet  155.1.146.5             2   0021.a08a.f57e  ARPA   FastEthernet0/0

    !
    ! Command Reference:
    ip local-proxy-arp
    !

    !
    ! Command Reference
    switchport protected
    !

  • Hello,

     

    As simple as this:

    You on a LAN will never reply to an ARP request sent to a host within the same subnet.

    With local proxy-arp you will be able to do it.

    I've got to be honest with you, I do not see how this could be useful, but it's important to know it (except for the example being shown on this task with protected ports).

    Regards

     

  • The design where you would use it is that you have FTTH or something like that and you have maybe 15 tenants in a switch. You implement private VLAN because you don't want customers to talk L2 to each other.

    Because the gateway has IP in the LAN subnet normally it should not respond to ARP requests between hosts in that subnet but if you implement ip local-proxy-arp it will. So this is needed to control communication between the hosts in the LAN.

  • The design where you would use it is that you have FTTH or something like that and you have maybe 15 tenants in a switch. You implement private VLAN because you don't want customers to talk L2 to each other.

    Because the gateway has IP in the LAN subnet normally it should not respond to ARP requests between hosts in that subnet but if you implement ip local-proxy-arp it will. So this is needed to control communication between the hosts in the LAN.

    Spot-on. Our company provides wholesale L2 network with FTTH to SPs, and we don't allow local ARP from one end-user to another, so the SP BRAS/BNG needs to be enabled with local-proxy-ARP, which responds to end-users' ARP queries on behalf of other end-users on the same L2 network.

    Regards,

    AB.

  • Hi,

    Please look here:

    R1-----R2-----R3

    R1#sh run

    Building configuration...

     

    Current configuration : 116 bytes

    !

    interface GigabitEthernet0/1

     ip address 10.1.12.1 255.255.255.0

     no ip route-cache

     duplex auto

     speed auto

    end

     

    R1#sh run | sec ip default-gateway

    ip default-gateway 10.1.23.3

    R1#

    R1#

    R1#sh ip arp

    Protocol  Address          Age (min)  Hardware Addr   Type   Interface

    Internet  10.1.12.1               -   0018.730f.7bf9  ARPA   GigabitEthernet0/1

    R1#

    Since the default-gateway is configured as 10.1.23.3 (R3's IP address), it sends an ARP broadcast, but R2 doesn't respond because proxy-arp is disabled on R2.



    R1#ping 10.10.10.10 (R2's loopback)


    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)



    R2#


    *Aug  5 05:58:49.267: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1

    *Aug  5 05:58:51.267: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1

    *Aug  5 05:58:53.267: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1

    *Aug  5 05:58:55.267: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1



    It's only getting requests but not replying anymore.


    But once we enable proxy-arp, it can ping to R2's Lo.



    R1#ping 10.10.10.10


    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms

    R1#


    R2#


    *Aug  5 06:01:39.939: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1

    *Aug  5 06:01:39.939: IP ARP: sent rep src 10.1.23.3 0013.1a36.8f29,

                     dst 10.1.12.1 0018.730f.7bf9 GigabitEthernet0/1



     

    Hope this helps!
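
Added example, not part of any post in this thread: a small parser for the `debug arp` lines quoted above that pairs each request with the router's reply and labels the reply as consistent with `ip local-proxy-arp` (target in the requester's own subnet) or with plain proxy ARP (target in another subnet). The function name, the labels, the `own_ips` parameter and the /24 prefix assumed for 155.1.146.0 are assumptions of this sketch.

```python
import ipaddress
import re

MAC = r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
# "sent rep" entries wrap onto a second line; \s+ after the comma spans the break.
ARP_RE = re.compile(
    rf"IP ARP: (rcvd req|sent rep) src (\S+) ({MAC})(?: \[\S+\])?,\s+dst (\S+)"
)

# The two request/reply exchanges quoted in the thread (R6 debug, then R2 debug).
SAMPLE = """\
IP ARP: rcvd req src 155.1.146.1 0013.8047.c440, dst 155.1.146.5 FastEthernet0/0.146
IP ARP: sent rep src 155.1.146.5 0021.a08a.f57e [R6],
                 dst 155.1.146.1 0013.8047.c440 FastEthernet0/0.146
*Aug  5 06:01:39.939: IP ARP: rcvd req src 10.1.12.1 0018.730f.7bf9, dst 10.1.23.3 GigabitEthernet0/1
*Aug  5 06:01:39.939: IP ARP: sent rep src 10.1.23.3 0013.1a36.8f29,
                 dst 10.1.12.1 0018.730f.7bf9 GigabitEthernet0/1
"""

def classify(debug_text, prefix_len=24, own_ips=()):
    """Return (requester, target, answering_mac, label) for each ARP exchange.

    prefix_len and own_ips are caller-supplied assumptions: the debug output
    carries no mask and does not say which addresses the router itself owns.
    """
    pending, results = {}, []
    for kind, src_ip, src_mac, dst_ip in ARP_RE.findall(debug_text):
        if kind == "rcvd req":
            pending[(src_ip, dst_ip)] = src_mac   # requester asks who has dst_ip
            continue
        # In a reply, src_ip is the address answered for and dst_ip the requester.
        if pending.pop((dst_ip, src_ip), None) is None:
            continue                              # reply without a logged request
        requester_net = ipaddress.ip_interface(f"{dst_ip}/{prefix_len}").network
        if src_ip in own_ips:
            label = "own-address"
        elif ipaddress.ip_address(src_ip) in requester_net:
            label = "local-proxy-arp"             # same subnet, router answered anyway
        else:
            label = "proxy-arp"                   # target lives in another subnet
        results.append((dst_ip, src_ip, src_mac, label))
    # Requests the router logged but never answered (proxy ARP disabled).
    results += [(req, tgt, None, "unanswered") for req, tgt in pending]
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

The answering MAC in each row is the router's own, which is why the requester's ARP cache ends up mapping the other host's IP to the router.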


