no ip proxy-arp problem

alanchia2000, Level 1

Hi,

My Catalyst 3750 has quite a number of SVI (switched virtual interface) configured. And when I do "no ip proxy-arp" on any of the VLAN interface, I cannot connect to the Internet for some reason. Is it required?

Eg.

int vlan 1
 192.168.1.254 <--- Default gateway to Internet
int vlan 2
 192.168.2.254
int vlan 3
 192.168.3.254
 no ip proxy-arp <---- This line created a problem


Hi Alanchia,

Is the C3750 an L3 switch? Well, I don't find anything about it...

Anyway, as an L2 device it cannot be the default gateway for your nodes. As you know, your gateway has to be in the same subnet. With the ip proxy-arp command the switch answers the ARP request with its own MAC. Now it can redirect the traffic to its own default gateway, which is in another subnet.

If you disable it, your nodes cannot reach their gateway.

Regards,

Sebastian

amit-singh, Level 8

Hi,

Your layer-3 switch SVI acts as the proxy for the hosts or clients which are not in the same subnet, the same as a router does. So when an ARP request comes for a client which is on the other subnet, and as the layer-3 device does not maintain a CAM table, it will act as the proxy and provide its MAC for the ARP resolution.

By disabling that, your host will not be able to resolve the ARP request and hence your connection goes down.

HTH,

-amit singh

I think I know what you guys mean.

Another question: is there a way to disable ip proxy-arp? The reason I ask this is because it seems that even if I am on VLAN 3 with an IP of 192.168.2.254, I am still able to connect out to the Internet with ip proxy-arp enabled; that is, if my memory serves me well.

int vlan 1
 192.168.1.254 <---- default gateway to Internet
int vlan 2
 192.168.2.254
int vlan 3
 192.168.3.254

The behavior that you describe is the expected behavior: if you have a PC connected to a port in VLAN 3 and the PC has an address (and a default gateway) that are in VLAN 2, then if proxy arp is enabled your PC should have connectivity to remote addresses. And with proxy arp disabled you will not have connectivity to remote addresses.

The command to disable proxy arp is the interface level command no ip proxy-arp.

HTH

Rick


Strange, but is that the normal way to do it?

Because it seems like there are lots of security loopholes, and it really defeats the purpose of having VLANs in the first place. You are saying that if I have an address that is in VLAN 2 and am connected to a VLAN 3 port, I am still able to access any network. Why do I even need multiple VLANs? ip proxy-arp has removed all the network boundaries I have.

I would really like to disable ip proxy-arp and yet have it functioning as if 192.168.3.254 is my gateway in VLAN 3, and to reach 192.168.2.0 network, I have to send my packets to the gateway without doing proxy arp.

Is that possible?

You are right that proxy-arp is a security risk, precisely for the kind of reasons you cite. But if you want to get rid of proxy-arp, you will have to make sure that each workstation is in the same VLAN as its default gateway. Otherwise it will not be able to reach it. It is precisely this restriction that makes no ip proxy-arp more secure. You cannot have your cake and eat it too; there is always a trade-off between security and flexibility.

But I was kind of surprised that proxy ARP gives you connectivity with a VLAN 2 IP address on a VLAN 3 port. Now it is true that packets out from the PC will be routed. But the return traffic ... I don't think so. This is what happens: the PC thinks "I have a packet for 207.46.42.15 - I'll send it to my default gateway 192.168.2.254." So it ARPs for 192.168.2.254. The router thinks, "He has asked for 192.168.2.254, and I know where that is, and I'm doing proxy ARP. So I'll give him my MAC address." So the PC sends the packet for 207.46.42.15 to the MAC address of the router on VLAN 3, and the router routes it correctly. But when the return packet comes back from 207.46.42.15, it gets routed to the VLAN 2 interface. That does an ARP for the PC on VLAN 2, and gets no response.

So ... I think traffic will pass in one direction only. If you want that not to work, then you have to disable proxy ARP, and ensure that all PCs are on the same VLAN as their respective gateways.

Hope this helps.

Kevin Dorrell

Luxembourg
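The one-way traffic flow Kevin walks through above, as an added example that is not part of the original thread: a small Python model of the router's ARP decision on each SVI and of where the return packet ends up. The SVI addresses follow the thread (192.168.N.254 on interface VlanN); the /24 masks, the MAC addresses, the server 192.168.1.10 in VLAN 1 and the four host configurations are assumptions made for the model. It goes slightly beyond Kevin's case by also running a host that has the right address but the wrong gateway, which proxy ARP silently papers over.

```python
"""Model of proxy ARP on a multi-SVI router (added example, not from the thread).

Addresses follow the thread (192.168.N.254 on interface VlanN); the /24 masks,
MAC addresses and the destination server 192.168.1.10 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Svi:
    """One 'interface VlanN' with its connected subnet."""
    name: str
    network: ipaddress.IPv4Network
    address: IPv4
    mac: str
    proxy_arp: bool = True  # IOS default: enabled


@dataclass
class Host:
    vlan: str               # VLAN the access port is really in
    address: IPv4
    gateway: Optional[IPv4]
    mac: str


class Router:
    def __init__(self, svis):
        self.svis = {s.name: s for s in svis}

    def egress_for(self, dst: IPv4) -> Optional[Svi]:
        """Connected-route lookup: the SVI whose subnet contains dst, else None."""
        for svi in self.svis.values():
            if dst in svi.network:
                return svi
        return None

    def arp_reply(self, ingress: str, target: IPv4) -> Optional[str]:
        """MAC the router answers with on `ingress`, or None if it stays silent."""
        svi = self.svis[ingress]
        if target == svi.address:
            return svi.mac                 # its own address: always answers
        if target in svi.network:
            return None                    # on-link target: that host answers
        if not svi.proxy_arp:
            return None                    # 'no ip proxy-arp': silent
        if self.egress_for(target) is None:
            return None                    # no route: nothing to proxy for
        return svi.mac                     # proxy ARP: hands out its own MAC


def reachable(router: Router, host: Host, dst: IPv4) -> Tuple[bool, bool]:
    """(forward_ok, return_ok) for `host` sending to an off-subnet `dst`."""
    if host.gateway is None:
        return (False, False)
    gw_mac = router.arp_reply(host.vlan, host.gateway)
    forward_ok = gw_mac is not None and router.egress_for(dst) is not None
    # The reply is routed toward host.address: the router ARPs for it on the
    # SVI whose subnet contains it and only hears an answer if the host is
    # actually attached to that VLAN.
    egress = router.egress_for(host.address)
    return_ok = forward_ok and egress is not None and egress.name == host.vlan
    return (forward_ok, return_ok)


def build_router(proxy_arp: bool) -> Router:
    return Router([
        Svi(f"Vlan{n}", ipaddress.ip_network(f"192.168.{n}.0/24"),
            IPv4(f"192.168.{n}.254"), f"00:00:0c:00:00:0{n}", proxy_arp)
        for n in (1, 2, 3)
    ])


def run_scenarios(proxy_arp: bool) -> Dict[str, Tuple[bool, bool]]:
    """Hosts on VLAN 3 ports trying to reach an (assumed) server in VLAN 1."""
    router = build_router(proxy_arp)
    dst = IPv4("192.168.1.10")
    cases = {
        # properly configured PC
        "correct": Host("Vlan3", IPv4("192.168.3.10"), IPv4("192.168.3.254"), "aa:aa:aa:00:00:10"),
        # VLAN 2 address and gateway, but plugged into a VLAN 3 port (Kevin's case)
        "vlan2_addr_on_vlan3_port": Host("Vlan3", IPv4("192.168.2.10"), IPv4("192.168.2.254"), "aa:aa:aa:00:00:11"),
        # right address, wrong gateway (points at the VLAN 1 SVI)
        "wrong_gateway": Host("Vlan3", IPv4("192.168.3.11"), IPv4("192.168.1.254"), "aa:aa:aa:00:00:12"),
        "no_gateway": Host("Vlan3", IPv4("192.168.3.12"), None, "aa:aa:aa:00:00:13"),
    }
    return {name: reachable(router, h, dst) for name, h in cases.items()}


if __name__ == "__main__":
    for state in (True, False):
        print(f"proxy ARP {'enabled' if state else 'disabled'}:")
        for name, (fwd, ret) in run_scenarios(state).items():
            print(f"  {name:26s} forward={fwd} return={ret}")
```

With proxy ARP enabled, the VLAN 2 address on a VLAN 3 port gets forward traffic through but never sees a reply, exactly as Kevin describes, while the host with a wrong gateway works in both directions and so never gets noticed. With proxy ARP disabled, only the correctly configured host keeps connectivity, which is the behaviour that makes the misconfigured hosts visible.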

Hi Alancia,

Well, there is a way... Enable inter-VLAN routing with the ip routing global configuration command. Now you have to restrict traffic between the VLANs either with access lists or VLAN maps.

Your 3750 is now the real gateway for your nodes in the respective VLANs. If you use DHCP in your environment you have to assign ip helper-addresses additionally, or use the ip forward-protocol command to make your DHCP work.

Please feel free to refer to this link:

http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00801cdea6.html#95649

It's not all, but it might help.

Regards,

Sebastian
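The combination Sebastian describes (ip routing, proxy ARP off on every SVI, an access list to limit what crosses between VLANs, and a helper address for DHCP), as an added configuration example that is not from the thread. The SVI addresses follow the thread; the /24 masks, the DHCP server 192.168.1.10, the Internet next hop 192.168.1.1 and the policy "VLAN 3 may reach anything except VLAN 2" are assumptions.

```cisco
! Added example, not posted in the thread. Masks, the DHCP server
! 192.168.1.10, the next hop 192.168.1.1 and the ACL policy are assumed.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended VLAN3-IN
 remark only sources that really belong to VLAN 3 may enter here
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 no ip proxy-arp
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 no ip proxy-arp
 ip helper-address 192.168.1.10
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 no ip proxy-arp
 ip helper-address 192.168.1.10
 ip access-group VLAN3-IN in
```

The final deny in VLAN3-IN matters for the case discussed earlier in the thread: a PC carrying a VLAN 2 address on a VLAN 3 port is dropped on ingress even in the forward direction, instead of being routed one-way. To confirm the per-interface setting afterwards, `show ip interface Vlan3` prints a "Proxy ARP is disabled" line once the command has taken effect.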

Thanks for the additional info about "ip routing".

I find it rather strange, but when I disabled ip proxy-arp in VLAN 3, no machines in VLAN 3 could access machines in VLAN 1. And when I disabled ip proxy-arp in VLAN 2, machines in VLAN 2 could access machines in VLAN 1. Is there something which I have missed out?

int vlan 1
 192.168.1.254 -> Default gateway to Internet
int vlan 2
 192.168.2.254
 no ip proxy-arp
int vlan 3
 192.168.3.254
int vlan 4
 192.168.4.254
 no ip proxy-arp
ip routing

To really understand what is going on and to be able to explain it we would need information not only about the configuration of the switch/router but about the configuration of the workstations in each VLAN.

But based on what you have told us I will make this guess at what is happening:

- if disabling proxy arp in VLAN 3 causes machines not to be able to access machines in VLAN 1 then I guess that the machines in VLAN 3 do not have a default gateway of 192.168.3.254 (and perhaps machines in VLAN 3 do not have IP addresses in 192.168.3.0).

- if disabling proxy arp in VLAN 2 does not impact machines access to machines in VLAN 1 then I guess that machines in VLAN 2 do have a default gateway of 192.168.2.254 (and do have IP addresses in 192.168.2.0).

HTH

Rick


kaustav.g, Level 1

Hosts in VLAN 3 probably do not have any default gateway, hence this problem. Configure an access port in static VLAN 3 and assign a default gateway on the host connected to that VLAN 3 port. Now disable IP proxy ARP and check whether the host is able to hop to the next VLAN.

I did try to disable "ip proxy-arp" during last weekend. It seems that a handful of people on VLAN 3 (192.168.3.0/24) are not able to reach 192.168.0.254 even with the gateway (192.168.3.254) configured; however, there were still some who were able to reach the 192.168.0.0/24 network. It's really puzzling. Now my next question is why Cisco uses "ip proxy-arp" as its default.

int vlan 1
 ip address 192.168.0.254 255.255.255.0
 no ip proxy-arp
int vlan 10
 ip address 192.168.1.254 255.255.255.0
 no ip proxy-arp
int vlan 20
 ip address 192.168.2.254 255.255.255.0
 no ip proxy-arp
int vlan 30
 ip address 192.168.3.254 255.255.255.0
 no ip proxy-arp

Accepted solution:

If some people in VLAN 3 can get to outside addresses and some can not (with proxy ARP disabled), the problem is in the configuration of the PCs and not in the configuration of the router. I would suggest that you look carefully at the configuration of the PCs, concentrating on the IP address, the subnet mask, and the gateway address. I believe you will find some configuration error on the PC if you look.

The reasons that the default is to enable proxy ARP are mostly historic. If you are interested, look in the RFCs for the ones that discuss Requirements of Internet Gateways and Requirements for IP Routers. Several of them discuss potential advantages of proxy ARP (and RFC 1009 has an explicit requirement that the router be able to be configured to enable or disable support of proxy ARP). In the early days of the Internet and of the development of IOS it was considered a "good thing to do" to support proxy ARP. And many of the things that we perceive today as threats were not thought of that way back then.

HTH

Rick
