06-07-2005 04:20 AM - edited 03-02-2019 11:01 PM
Hi,
My Catalyst 3750 has quite a number of SVIs (switched virtual interfaces) configured. And when I do "no ip proxy-arp" on any of the VLAN interfaces, I cannot connect to the Internet for some reason. Is it required?
Eg.
int vlan 1
192.168.1.254 < --- Default gateway to internet
int vlan 2
192.168.2.254
int vlan 3
192.168.3.254
no ip proxy-arp <---- This line created a problem
06-12-2005 06:58 PM
If some people in VLAN 3 can get to outside addresses and some cannot (with proxy arp disabled), the problem is in the configuration of the PCs and not in the configuration of the router. I would suggest that you look carefully at the configuration of the PC, concentrating on the IP address, the subnet mask, and the gateway address. I believe you will find some configuration error on the PC if you look.
The reasons that the default is to enable proxy arp are mostly historic. If you are interested, look in the RFCs for the ones that discuss Requirements of Internet Gateways and Requirements for IP Routers. Several of them discuss potential advantages of proxy arp (and RFC 1009 has an explicit requirement that the router be able to be configured to enable or disable support of proxy arp). In the early days of the Internet and of the development of IOS it was considered a "good thing to do" to support proxy arp. And many of the things that we perceive today as threats were not thought of that way back then.
HTH
Rick
06-07-2005 04:48 AM
Hi Alanchia,
Is the C3750 an L3 switch? Well, I don't find anything about it...
Anyway, as an L2 device it cannot be the default gateway for your nodes. As you know, your gateway has to be in the same subnet. With the ip proxy-arp command the switch answers the ARP request with its own MAC. Now it can redirect the traffic to its own default gateway, which is in another subnet.
If you disable it, your nodes cannot reach their gateway.
Regards,
Sebastian
06-07-2005 04:49 AM
Hi,
Your layer-3 switch SVI acts as the proxy for the hosts or clients which are not in the same subnet, the same as a router does. So when an ARP request comes for a client which is on the other subnet, and as the layer-3 device does not maintain a CAM table, it will act as the proxy and provide its MAC for the ARP resolution.
By disabling that, your host will not be able to resolve the ARP request and hence your connection goes down.
HTH,
-amit singh
06-07-2005 05:55 AM
I think I know what you guys mean.
Another question, is there a way to disable ip proxy-arp? The reason I ask this is because it seems that even if I am on VLAN 3 with an ip 192.168.2.254, I am still able to connect out to the Internet with the ip proxy-arp enabled; that is if my memory serves me well.
int vlan 1
192.168.1.254 <---- default gateway to Internet
int vlan 2
192.168.2.254
int vlan 3
192.168.3.254
06-07-2005 06:58 AM
The behavior that you describe is the expected behavior: if you have a PC connected to a port in VLAN 3 and the PC has an address (and a default gateway) that are in VLAN 2, then if proxy arp is enabled your PC should have connectivity to remote addresses. And with proxy arp disabled you will not have connectivity to remote addresses.
The command to disable proxy arp is the interface level command no ip proxy-arp.
HTH
Rick
06-07-2005 09:08 AM
Strange, but is that the normal way to do it?
Because it seems like there are lots of security loopholes and it really defeats the purpose of having VLANs in the first place. You are saying that if I have an address that is in VLAN 2 and am connected to a VLAN 3 port, I am still able to access any network. Why do I even need multiple VLANs? ip proxy-arp has removed all the network boundaries I have.
I would really like to disable ip proxy-arp and yet have it functioning as if 192.168.3.254 is my gateway in VLAN 3, and to reach 192.168.2.0 network, I have to send my packets to the gateway without doing proxy arp.
Is that possible?
06-07-2005 10:17 AM
You are right that proxy-arp is a security risk, precisely for the kind of reasons you cite. But if you want to get rid of proxy-arp, you will have to make sure that each workstation is in the same VLAN as its default gateway. Otherwise it will not be able to reach it. It is precisely this restriction that makes no ip proxy-arp more secure. You cannot have your cake and eat it too; there is always a trade-off between security and flexibility.
But I was kind of surprised that proxy ARP gives you connectivity with a VLAN 2 IP address on a VLAN 3 port. Now it is true that packets out from the PC will be routed. But the return traffic ... I don't think so. This is what happens: PC thinks "I have a packet for 207.46.42.15 - I'll send it to my default gateway 192.168.2.254." So it ARPs for 192.168.2.254. Router thinks, "He has asked for 192.168.2.254, and I know where that is, and I'm doing proxy ARP. So I'll give him my MAC address." So, the PC sends the packet to 207.46.42.15 to the MAC address of the router on VLAN 3, which routes it correctly. But when the return packet comes back from 207.46.42.15, it gets routed to the VLAN 2 interface. That does an ARP for the PC on VLAN 2, and gets no response.
So... I think traffic will pass in one direction only. If you want that not to work, then you have to disable proxy ARP, and ensure that all PCs are on the same VLAN as their respective gateways.
Hope this helps.
Kevin Dorrell
Luxembourg
06-08-2005 12:26 AM
Hi Alancia,
Well, there is a way... Enable inter-VLAN routing with the ip routing global configuration command. Now you have to restrict traffic between the VLANs either with access lists or VLAN maps.
Your 3750 is now the real gateway for your nodes in the respective VLANs. If you use DHCP in your environment you have to assign ip helper-addresses additionally, or use the ip forward-protocol command to make your DHCP work.
Please feel free to refer to this link:
It's not all, but it might help.
Regards,
Sebastian
06-08-2005 05:36 PM
Thanks for the additional info about "ip routing".
I find it rather strange, but when I disabled ip proxy-arp in VLAN 3, no machines in VLAN 3 could access machines in VLAN 1. And when I disabled ip proxy-arp in VLAN 2, machines in VLAN 2 could still access machines in VLAN 1. Is there something which I have missed out?
int vlan 1
192.168.1.254 -> Default gateway to Internet
int vlan 2
192.168.2.254
no ip proxy-arp
int vlan 3
192.168.3.254
int vlan 4
192.168.4.254
no ip proxy-arp
ip routing
06-08-2005 06:16 PM
To really understand what is going on and to be able to explain it we would need information not only about the configuration of the switch/router but about the configuration of the workstations in each VLAN.
But based on what you have told us I will make this guess at what is happening:
- if disabling proxy arp in VLAN 3 causes machines not to be able to access machines in VLAN 1, then I guess that the machines in VLAN 3 do not have a default gateway of 192.168.3.254 (and perhaps machines in VLAN 3 do not have IP addresses in 192.168.3.0).
- if disabling proxy arp in VLAN 2 does not impact machines' access to machines in VLAN 1, then I guess that machines in VLAN 2 do have a default gateway of 192.168.2.254 (and do have IP addresses in 192.168.2.0).
HTH
Rick
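To make the two explanations above concrete (Kevin's one-way traffic flow, and Rick's point that proxy ARP hides a wrong or missing gateway on the PC), here is a small added Python model; it is not code from the thread or from Cisco, the SVI table is constructed from the earlier posts, and the MAC strings are placeholders:

```python
import ipaddress

# Constructed topology modelled on the thread: one SVI per VLAN on the L3 switch.
SVIS = {
    1: ipaddress.ip_interface("192.168.1.254/24"),
    2: ipaddress.ip_interface("192.168.2.254/24"),
    3: ipaddress.ip_interface("192.168.3.254/24"),
}


def arp_reply(vlan, target_ip, proxy_arp):
    """MAC the SVI on `vlan` answers an ARP request for `target_ip` with, or None.

    With proxy ARP on, the router answers for any address it can route to,
    not just its own SVI address; with it off, only for its own address.
    """
    svi = SVIS[vlan]
    target = ipaddress.ip_address(target_ip)
    if target == svi.ip:
        return f"svi{vlan}-mac"  # placeholder MAC
    if proxy_arp and any(target in other.network for other in SVIS.values()):
        return f"svi{vlan}-mac"  # proxy reply with the same SVI MAC
    return None


def vlan_of(ip):
    """VLAN whose SVI subnet contains `ip`, or None if it is off-net (Internet)."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, s in SVIS.items() if addr in s.network), None)


def reachability(pc_ip, pc_gateway, pc_vlan, proxy_arp):
    """Return (outbound_ok, return_ok) for a PC talking to a remote address.

    Outbound works only if the PC can resolve its gateway's MAC on the VLAN of
    its port. Replies are routed to the SVI whose subnet holds pc_ip, where the
    router ARPs for the PC; that only succeeds if the PC really sits there.
    """
    outbound = arp_reply(pc_vlan, pc_gateway, proxy_arp) is not None
    return_ok = outbound and vlan_of(pc_ip) == pc_vlan
    return outbound, return_ok
```

A PC on a VLAN 3 port with a VLAN 2 address gets outbound-only traffic with proxy ARP on and nothing with it off; a PC pointed at the wrong gateway works only while proxy ARP masks the mistake.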
06-09-2005 02:51 AM
Hosts in VLAN 3 probably do not have any default gateway, hence this problem. Configure an access port in a static VLAN 3 and assign a default gateway on the host connected to that VLAN 3 port. Now disable IP proxy arp and check whether the host is able to hop to the next VLAN.
06-12-2005 05:55 PM
I did try to disable "ip proxy-arp" during last weekend. It seems that a handful of people on VLAN 3 (192.168.3.0/24) are not able to reach 192.168.0.254 even with the gateway (192.168.3.254) configured; however, there were still some who were able to reach the 192.168.0.0/24 network. It's really puzzling. Now my next question is why Cisco uses "ip proxy-arp" as its default.
int vlan 1
ip address 192.168.0.254 255.255.255.0
no ip proxy-arp
int vlan 10
ip address 192.168.1.254 255.255.255.0
no ip proxy-arp
int vlan 20
ip address 192.168.2.254 255.255.255.0
no ip proxy-arp
int vlan 30
ip address 192.168.3.254 255.255.255.0
no ip proxy-arp