why proxy-arp doesn't work ?

henrybb
Level 1

My network topo is like this:

3901-(cip)7507(f1)--host2---(vlan2)6509(vlan3)--host3

ip of 3901 is : 10.0.23.18/24

ip of host2 is : 10.0.16.1/8

ip of host3 is : 10.0.19.35/24

ip address of cip is 10.0.23.17/24

There is no gateway defined on host2, and host2 will communicate with 3901 and host3 by proxy-arp.

Gateway of 3901 is 10.0.23.17, which is the ip of the 7507's cip.

Gateway of host3 is 10.0.19.253 which is ip of 6509 vlan3.

routing config on 7507 is:

ip route 0.0.0.0 0.0.0.0 10.0.16.253

10.0.16.253 is ip of 6509's vlan2

'ip redirect' and 'ip proxy-arp' are enabled on f1 of the 7507.

'ip redirect' and 'ip proxy-arp' are disabled on vlan2 of the 6509.

Ping succeeds from 3901 to host2.

And ping fails from host3 to host2.

In my opinion, the data flow may be like this:

1. host3 sends an echo to host2

2. host2 will send an arp request to the lan

3. the 7507 will respond to the arp because it has a default route which points to the 6509

4. host2 will send an echo reply to host2.

But it looks like the 7507 doesn't respond to the arp request. So why doesn't it do that?

And the 7507 responds to the arp request for 3901.

I am in doubt whether the 7507 will reply to an arp request for a host which is directly connected to it and will not reply to an arp request for a host which can be reached only by other routing?

The document on TAC about proxy-arp doesn't mention that.

So can anybody tell me?

thanks!

7 Replies

Kevin Dorrell
Level 10

I think the points here are:

1. A router will not reply proxy ARP for a host for which its route is the same interface the ARP request came from. Its reasoning is that if it has a route to the destination that is out the same interface as the ARP request, then there is something else on that network - either a router or the destination host itself - that is better able to handle the traffic.

2. A router will not reply proxy ARP if it does not have a route to the target. Because if it did, the requester would send it traffic and it wouldn't know what to do with it.

The first of these conditions seems to apply to your 7507. The 7507 will see the ARP from host2 on F1, but it will not reply because its route to host3 is through F1. The 6509 also sees the ARP from host2 but does not reply because proxy arp is disabled.

Hope this helps.

Kevin Dorrell

Luxembourg

Thanks for your reply.

Are there any official documents about the first of these conditions?

I disabled proxy-arp on the 6509 because yesterday host2 sent an arp request for 3901 and the 6509 replied to it. I used a sniffer to watch the lan traffic, and the dst-mac of the ip datagram which host2 sent to host1 was the 6509's mac.

So I disabled proxy-arp on the 6509 and host2 works normally.

But you said that would not happen.

Can you give more help?

thanks!

Sorry, let me modify my first statement - it wasn't quite correct. What I should have said was: "A router will not reply proxy ARP for a host for which its route is to the same subnet the ARP request came from."

So, if you have a primary subnet and a secondary subnet on the LAN interface, then they will proxy ARP for each other.

There are a couple of pieces I am still missing. What is the address and mask of the 7507 F1? And what are the routes on the 6509?

Kevin Dorrell

Luxembourg

Thanks for your reply.

But I don't understand what you mean when you said "for a host for which its route is to the same subnet". Do you mean the next-hop of the route or the destination of the route?

7507--f1(10.0.16.249)-------vlan 2(10.0.16.253)--6509

route on 7507:

ip route 0.0.0.0 0.0.0.0 10.0.16.253

route on 6509:

ip route 10.0.23.18 255.255.255.255 10.0.16.249

I do not have any secondary ip address on any interface.

If my network topo is like this:

--pc1---7507----6509----pc2

and all the related routes have been added.

If pc2 sends an arp request for pc1, would the 6509 send a proxy-arp reply to pc2? Of course, the 6509 has a static route for pc1 which points to the 7507.

thanks!

Henry,

I mean the next-hop of the route. There is no point in a router offering to forward the traffic if its next hop is on the same subnet as the requester.

But I think if we are to discuss this further, it would be useful to know all your addressing and masks, as per my previous posting. Then we can work out what is going on. Otherwise there are too many unknowns.

Kevin Dorrell

Luxembourg

My network addressing is:

390--(cip connection)--7507-(f1)-host2---(vlan2)-6509-(vlan3)---host3

ip of 390 is 10.0.23.18/30

ip of cip card on 7507 is 10.0.23.17/30

ip of 7507's f1 is 10.0.16.249/24

ip of 6509's vlan2 is 10.0.16.253/24

ip of 6509's vlan3 is 10.0.19.253/24

ip of host3 is 10.0.19.35/24

ip of host2 is 10.0.16.1/8

route on 390 is a default route which points to 10.0.23.17

route on 7507 is a default route which points to 10.0.23.253

no default gateway or other route on host2

route on host3 is a default gateway which points to 10.0.19.253

route on 6509 is 10.0.23.16/30 which points to 10.0.16.249

proxy-arp is enabled on 7507's f1 and proxy-arp is disabled on 6509's vlan2

From what you said, the 7507 wouldn't answer the arp request which host2 sends for host3 because the next-hop is the same interface.

But if I enabled proxy-arp on 6509's vlan2, it would answer the arp request which host2 sends for the 390 ip (10.0.23.17). But in theory, it shouldn't answer.

I can only suppose that there is a bug for proxy-arp on the 6509.

thanks!

don.fortes
Level 1

You have answered your question "why proxy arp does not work?": proxy arp is disabled.

You can resolve your ping issue by adding a default gateway on host2 or enabling proxy arp.
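
The two conditions Kevin Dorrell states earlier in the thread, applied to the addressing posted above, as an added example that is not part of any post and is not Cisco IOS code. `Router`, `proxy_arp_reply` and `on_link` are hypothetical names, and the model covers only those two conditions plus the per-interface enable flag.

```python
import ipaddress as ip

class Router:
    """Toy model of the two proxy-ARP conditions stated in the thread (not IOS code)."""
    def __init__(self, interfaces, routes, proxy_arp):
        self.ifs = {n: ip.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ip.ip_network(p), ip.ip_address(nh)) for p, nh in routes]
        self.proxy_arp = proxy_arp            # {interface name: enabled?}

    def _connected(self, addr):
        """Connected subnet containing addr, or None."""
        return next((i.network for i in self.ifs.values() if addr in i.network), None)

    def egress_subnet(self, target):
        """Subnet the router would forward into: connected first, else longest-prefix route."""
        direct = self._connected(target)
        if direct is not None:
            return direct
        matches = [r for r in self.routes if target in r[0]]
        if not matches:
            return None
        _, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        return self._connected(next_hop)

    def proxy_arp_reply(self, in_if, target):
        """Return (reply?, reason) for an ARP request for target heard on in_if."""
        target = ip.ip_address(target)
        if not self.proxy_arp.get(in_if, False):
            return False, "proxy-arp disabled"
        out = self.egress_subnet(target)
        if out is None:
            return False, "no route to target"
        if out == self.ifs[in_if].network:
            return False, "next hop on requester's subnet"
        return True, "forwards via " + str(out)

def on_link(host_if, dst):
    """True if the host treats dst as on-link and therefore ARPs for it directly."""
    return ip.ip_address(dst) in ip.ip_interface(host_if).network

# Addresses and routes as posted in the thread (7507 default route per its config line).
R7507 = Router({"cip": "10.0.23.17/30", "f1": "10.0.16.249/24"},
               [("0.0.0.0/0", "10.0.16.253")], {"f1": True})
R6509 = Router({"vlan2": "10.0.16.253/24", "vlan3": "10.0.19.253/24"},
               [("10.0.23.16/30", "10.0.16.249")], {"vlan2": False})

if __name__ == "__main__":
    for name, r, i in (("7507", R7507, "f1"), ("6509", R6509, "vlan2")):
        for tgt in ("10.0.23.18", "10.0.19.35"):   # 3901 and host3, requested by host2
            print(name, tgt, r.proxy_arp_reply(i, tgt))
```

Because host2 carries a /8 mask, `on_link("10.0.16.1/8", ...)` is true for both targets, so host2 ARPs for them on the LAN instead of using a gateway, which is why the routers' proxy-ARP decisions determine reachability here.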
