Most networking students are familiar with ARP (Address Resolution Protocol) but Proxy ARP doesn’t always ring a bell. In this tutorial I will explain how proxy ARP works, we’ll use the following topology for this:
In the example above we have two subnets: 10.1.1.0 /24 and 10.2.2.0 /24. The router in the middle is connected to both subnets. On the bottom you see two hosts (H1 and H2) and on top we have a server (S1).
When you take a close look at the hosts you can see that H1 has a /24 subnet mask and H2 has a /8 subnet mask. When H1 tries to reach the server at 10.2.2.100 the following will happen:
- H1 compares its IP address and subnet mask to the IP address of the server (10.2.2.100) and decides that the server is in another subnet.
- H1 decides to send the packet for the server to its default gateway (10.1.1.254).
- H1 checks its ARP table to see if there is an entry for 10.1.1.254, if not it will send an ARP request.
- The router will respond to the ARP request, sending its MAC address of its FastEthernet 0/0 interface.
This is how ARP works normally, when H2 tries to send an IP packet towards the server something else will happen:
- H2 compares its IP address and subnet mask to the IP address of the server (10.2.2.100) and decides that the server is in the same subnet.
- H2 checks its ARP table to see if there is an entry for 10.2.2.100, if not it will send an ARP request.
The server however is not on the 10.1.1.0 /24 subnet and routers do not forward broadcast traffic so the ARP request never makes it to the server. All hope is not lost however….this is where proxy ARP comes to the rescue!
When proxy ARP is enabled on the router, this is what happens:
- The router sees the ARP request from H2 on the 10.1.1.0 /24 subnet and sees that this is an ARP request for something in the 10.2.2.0 /24 subnet.
- The router realizes that it knows how to reach the 10.2.2.0 /24 subnet and decides to respond to the ARP request in order to help H2.
- The router sends an ARP reply to H2 with its MAC address on the FastEthernet 0/0 interface.
Are you following me so far? Let me show you what this looks like on a real router.
Configuration
I will use the following topology to demonstrate proxy ARP:
It’s the same as the picture as I just showed you but I am using the routers in my lab. By disabling “ip routing” I can turn the routers into ordinary host devices. Let’s start by disabling routing on R1, R2 and the server:
H1, H2 & S1(config)#
no ip routingLet’s configure the default gateway on those devices:
H1 & H2(config)#
ip default-gateway 10.1.1.254S1(config)#ip default-gateway 10.2.2.254Let’s configure all the IP addresses that we require:
H1(config)#interface fastEthernet 0/0
H1(config-if)#ip address 10.1.1.1 255.255.255.0H2(config)#interface fastEthernet 0/0
H2(config-if)#ip address 10.1.1.2 255.0.0.0S1(config)#interface FastEthernet 0/0
S1(config-if)#ip address 10.2.2.100 255.255.255.0Note that I used the /8 subnet mask on H2 here. Here’s the router:
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 10.1.1.254 255.255.255.0
R1(config-if)#interface FastEthernet 0/1
R1(config-if)#ip address 10.2.2.254 255.255.255.0That’s all we have to configure…let’s verify our work!
Verification
To test proxy ARP I will first send some traffic from H1 to the server so you can see what normal ARP looks like, and then we will send some traffic from H2 to the server.
Proxy ARP is enabled by default as you can see here:
R1#show ip interface FastEthernet 0/0 | include Proxy
Proxy ARP is enabledTo see in realtime what is going on, I will use the following debug on R1:
R1#debug arp
ARP packet debugging is onLet’s send some pings from host A to the server:
Hi William,
In my opinion, it is best practice to disable proxy ARP. In a “normal” network, it’s only helpful to solve the issue where hosts have configured the wrong subnet mask. Instead of using proxy ARP, it’s better to fix the subnet masks.
The only reason why you might use it is if you want to do some crazy things like NAT hairpinning. For example:
Cisco ASA NAT hairpin internal server
Rene
Hi Rene,
i have a question. Do each interface in router has different mac addresses ? If the router has 5 interfaces , whether it will have 5 mac addresses ( one for each port) along with router base mac address. In the above example I see 10.1.1.254 and 10.2.2.254 has different mac address. what is the advantage of having a router base mac address.
Also for layer 2 switches , how the mac address will be. If it is a 24 port switch , how many mac addresses it will have in addition to the base mac address. i am asking this because when we see how switches learn m
... Continue reading in our forumHello Ananth!
MAC address learning that occurs on a switch involves the learning of the MAC addresses that are attached to the specific interface. For example, if interface Fa0/1 is connected to PC1 with MAC Address A:B:C:D:E:F, then this MAC address will be used to populate the MAC address table. The Fa0/1 interface does not need to learn its own MAC address. What happens if interface Fa0/1 is connected to interface Fa0/2 of another switch. Won’t the MAC address of Fa0/2 of that switch be included in the MAC table of the first switch? It depends.
It is im
... Continue reading in our forumHello Carlo
Yes that is correct. In most IOS versions, proxy arp is enabled by default. This will disable it and will prevent the router from responding on behalf of another host.
I hope this has been helpful!
Laz
Hi Apiwat,
Proxy ARP will only work for subnets that are directly connected to your router. R1 is not going to reply to that ARP request from PC1 when it’s destined for some subnet that is behind another router.
There is no good reason to use proxy ARP, it’s a fix for a design issue that should be fixed in your network
Rene