Proxy ARP Explained

Lesson Contents

Most networking students are familiar with ARP (Address Resolution Protocol), but Proxy ARP doesn’t always ring a bell. In this lesson, I will explain how proxy ARP works. We’ll use the following topology for this:

Proxy Arp Topology

In the example above, we have two subnets: 10.1.1.0 /24 and 10.2.2.0 /24. The router in the middle is connected to both subnets. On the bottom you see two hosts (H1 and H2) and on top we have a server (S1).

When you take a close look at the hosts, you can see that H1 has a /24 subnet mask and H2 has a /8 subnet mask. When H1 tries to reach the server at 10.2.2.100, the following will happen:

  1. H1 compares its IP address and subnet mask to the IP address of the server (10.2.2.100) and decides that the server is in another subnet.
  2. H1 decides to send the packet for the server to its default gateway (10.1.1.254).
  3. H1 checks its ARP table to see if there is an entry for 10.1.1.254. If not, it will send an ARP request.
  4. The router will respond to the ARP request, sending the MAC address of its FastEthernet 0/0 interface.

This is how ARP works normally. When H2 tries to send an IP packet to the server something else will happen:

  1. H2 compares its IP address and subnet mask to the IP address of the server (10.2.2.100) and decides that the server is in the same subnet.
  2. H2 checks its ARP table to see if there is an entry for 10.2.2.100, if not it will send an ARP request.

The server, however, is not on the 10.1.1.0 /24 subnet, and routers do not forward broadcast traffic so the ARP request never makes it to the server. All hope is not lost, however….this is where proxy ARP comes to the rescue!

When proxy ARP is enabled on the router, this is what happens:

  1. The router sees the ARP request from H2 on the 10.1.1.0 /24 subnet and sees that this is an ARP request for something in the 10.2.2.0 /24 subnet.
  2. The router realizes that it knows how to reach the 10.2.2.0 /24 subnet and decides to respond to the ARP request in order to help H2.
  3. The router sends an ARP reply to H2 with its MAC address on the FastEthernet 0/0 interface.

Are you following me so far? Let me show you what this looks like on a real router.

Configuration

I will use the following topology to demonstrate proxy ARP:

Proxy Arp Lab Topology

It’s the same as the picture I just showed you, but I am using the routers in my lab. By disabling ip routing I can turn the routers into ordinary host devices. Let’s start by disabling routing on R1, R2, and the server:

H1, H2 & S1(config)#
no ip routing

Let’s configure the default gateway on those devices:

H1 & H2(config)#
ip default-gateway 10.1.1.254
S1(config)#ip default-gateway 10.2.2.254

Let’s configure all the IP addresses that we require:

H1(config)#interface fastEthernet 0/0
H1(config-if)#ip address 10.1.1.1 255.255.255.0
H2(config)#interface fastEthernet 0/0
H2(config-if)#ip address 10.1.1.2 255.0.0.0
S1(config)#interface FastEthernet 0/0
S1(config-if)#ip address 10.2.2.100 255.255.255.0

Note that I used the /8 subnet mask on H2 here. Here’s the router:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 10.1.1.254 255.255.255.0
R1(config-if)#interface FastEthernet 0/3
R1(config-if)#ip address 10.2.2.254 255.255.255.0

That’s all we have to configure…let’s verify our work!

Verification

To test proxy ARP, I will first send some traffic from H1 to the server so you can see what normal ARP looks like, and then we will send some traffic from H2 to the server.

Proxy ARP is enabled by default, as you can see here:

R1#show ip interface FastEthernet 0/0 | include Proxy
  Proxy ARP is enabled

To see in real-time what is going on, I will use the following debug on R1:

R1#debug arp
ARP packet debugging is on

Let’s send some pings from host A to the server:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
569 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. “R1 receives an ARP request from R1 who is looking for the IP address of its default gateway and replies with its MAC address.”

    I think the second R1 should be Host A.

  2. You are right, just fixed it! Thanks for letting me know.

  3. Rene

    Is proxy arp used only if the destination ip address is detected to to be on a subnet that is not reachable by normal arp requests? When you changed the mask of host B to /8 it assumes the destination was local even though it was remote?

    Thanks

  4. Hi Donald,

    That’s right. Since host B has a /8 mask, it thinks it can reach anything in the 10.x.x.x range locally by using ARP requests. The router answers the ARP requests “on behalf” of the devices on the other side so that host B can reach them, otherwise it would fail.

    Still, it’s a misconfiguration issue. Proxy ARP is disabled by default.

    Rene

  5. Hi Rene,

    Got a question:

    If R1 has proxy arp enabled on interface facing HostA and HostB. Will it still reply to arp from Host B if R1 (if we assume)-has no route to destination ? Please clarify this for me?

    Thanks

57 more replies! Ask a question or join the discussion by visiting our Community Forum