
ip local-proxy-arp

riz_432
Level 1

Hi all,

Can anybody tell me the difference between the commands ip proxy-arp and ip local-proxy-arp? I have a complete understanding of proxy ARP, but the thing I can't understand is why both of these commands exist.

7 Replies

mhussein
Level 4

With local-proxy-arp the router will respond to ARP requests for addresses on the same subnet.

For example, say host A (192.168.1.5) is directly connected to router 192.168.1.1. If host A queries for host C (10.10.10.10), the router will respond with its own MAC address (provided that the router can reach 10.10.10.10). This is proxy ARP.

If host A queries for host B (192.168.1.7, which is on the same subnet), the router will respond with its own MAC address if "ip local-proxy-arp" is configured/enabled. In other words, if "ip local-proxy-arp" is enabled, the router assumes responsibility for forwarding traffic between host A 192.168.1.5 and host B 192.168.1.7. All the ARP cache entries on hosts A and B will reference the router's MAC address. In this case the router is performing local proxy ARP for subnet 192.168.1.0/24.

On a LAN, the normal/default behaviour is that "ip local-proxy-arp" is disabled, and hosts A and B have each other's MAC address and communicate directly without router involvement.

I have yet to see any practical use for this feature.

HTH,

Mustafa
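The decision rule described in the post above, as an added example that is not part of the original thread or Cisco's code: a small model of a router's ARP responder that answers a request only under the conditions "ip proxy-arp" and "ip local-proxy-arp" allow. The 192.168.1.x addresses are the ones from the post; the interface names, MAC addresses and the 10.10.10.0/24 route are assumptions made for illustration. The model also encodes the dependency Cisco documents for the IOS command, that local proxy ARP only takes effect while proxy ARP is enabled on the same interface.

```python
# Added example (not from the thread or from Cisco): how a router decides whether
# to answer an ARP request under "ip proxy-arp" and "ip local-proxy-arp".
# Interface names, MACs and the 10.10.10.0/24 uplink are assumed for illustration;
# the 192.168.1.x addresses are the ones used in the post above.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional


@dataclass
class Interface:
    name: str
    addr: IPv4Interface            # router address plus mask, e.g. 192.168.1.1/24
    mac: str
    proxy_arp: bool = True         # "ip proxy-arp": on by default in IOS
    local_proxy_arp: bool = False  # "ip local-proxy-arp": off by default


class Router:
    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = list(routes)  # (IPv4Network, egress interface name)

    def egress_for(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match over the route table; None if unreachable."""
        best = None
        for net, out in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None

    def arp_reply(self, ingress: str, target: IPv4Address) -> Optional[str]:
        """Return the MAC the router answers with, or None if it stays silent."""
        intf = self.interfaces[ingress]
        if target == intf.addr.ip:
            return intf.mac  # the router's own address: ordinary ARP, always answered
        if target in intf.addr.network:
            # Target is on the requester's own subnet. Plain proxy ARP never answers
            # here; local proxy ARP does, and in IOS it only takes effect while
            # proxy ARP is also enabled on the interface (assumed from Cisco docs).
            if intf.proxy_arp and intf.local_proxy_arp:
                return intf.mac
            return None
        out = self.egress_for(target)
        if intf.proxy_arp and out is not None and out != ingress:
            return intf.mac  # classic proxy ARP: target reachable via another interface
        return None


def build_router(local_proxy_arp: bool) -> Router:
    """The thread's topology: hosts on 192.168.1.0/24, host C behind Gi0/1 (assumed)."""
    lan = Interface("Vlan10", IPv4Interface("192.168.1.1/24"), "00:00:0c:aa:bb:01",
                    local_proxy_arp=local_proxy_arp)
    uplink = Interface("Gi0/1", IPv4Interface("10.10.10.1/24"), "00:00:0c:aa:bb:02")
    routes = [(lan.addr.network, lan.name), (uplink.addr.network, uplink.name)]
    return Router([lan, uplink], routes)


def reply_for(target: str, *, proxy_arp: bool = True,
              local_proxy_arp: bool = False) -> Optional[str]:
    """One lookup from host A's segment (Vlan10) with the given interface settings."""
    r = build_router(local_proxy_arp)
    r.interfaces["Vlan10"].proxy_arp = proxy_arp
    return r.arp_reply("Vlan10", IPv4Address(target))


def resolve_from_host_a(local_proxy_arp: bool) -> dict:
    """What host A (192.168.1.5) hears back from the router for each target."""
    targets = {"router": "192.168.1.1", "host_B": "192.168.1.7",
               "host_C": "10.10.10.10", "unrouted": "172.16.0.9"}
    return {k: reply_for(v, local_proxy_arp=local_proxy_arp) for k, v in targets.items()}


if __name__ == "__main__":
    for flag in (False, True):
        state = "enabled" if flag else "disabled"
        print(f"ip local-proxy-arp {state}:", resolve_from_host_a(flag))
```

Running it shows the split the post describes: host C (off-subnet, routed via another interface) is answered either way, host B (same subnet) is answered only with local proxy ARP on, and an address with no route is never answered. The corresponding IOS configuration is `ip local-proxy-arp` under the LAN interface, with `ip proxy-arp` left at its default.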

A requirement for private VLAN edge (protected port) configurations.

Thanks mhussein, good post.

Does anybody have experience using this feature when the hosts within the broadcast domain of a local-proxy-arp-enabled router are not isolated from each other?

I wonder how this feature affects communication between non-isolated hosts. I would expect two ARP replies: one from the "owner" of the IP in question and a second from the local-proxy-arp-enabled router. If so, which MAC address will the requesting host install in its ARP table?

Hello Andrei,

I haven't tried it myself, as for practical deployments this would be considered a misconfiguration, but following the basic ARP principle of operation, trivial ARP implementations on hosts will process ARP replies in the order they arrive, updating the ARP cache entry as each ARP reply is processed. From this it would follow that the ARP cache would always hold the entry based on the last ARP reply received. Obviously, which one is going to be the last received is a matter of chance, so the results would be generally random.

The ARP implementation can differ between hosts. I can imagine some implementations using some kind of throttling, or processing only the first response, in an attempt to tighten down the security on ARP. In any case, even if just a single ARP response is processed, it is still a matter of chance whose response that is.

Best regards,
Peter
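The race Andrei asks about and Peter describes, as an added example that is not part of the original thread: a host receives two replies for 192.168.1.7, one from the real owner and one from the local-proxy-arp router, and its cache keeps whichever its policy selects. The block also adds the caveat a security engineer would raise with this setup: a passive ARP monitor on the segment sees two MACs claiming the same IP, which is the same signature ARP spoofing produces, so local proxy ARP on a non-isolated segment will trip such monitoring. The MAC addresses are assumptions made for illustration.

```python
# Added example (not from the thread): what a host's ARP cache ends up holding when
# both the owner of 192.168.1.7 and a local-proxy-arp router answer one request,
# and what a passive ARP monitor on the segment observes. MACs are assumed.
import random
from collections import defaultdict
from typing import Optional

OWNER_MAC = "52:54:00:12:34:07"   # assumed: host B's real NIC
ROUTER_MAC = "00:00:0c:aa:bb:01"  # assumed: the router answering on host B's behalf


def arp_cache_entry(replies, policy: str = "last") -> Optional[str]:
    """Resolve one IP from the replies a host receives, in arrival order.

    policy="last": the trivial implementation Peter describes; every reply
    overwrites the entry, so the last one to arrive wins.
    policy="first": a stricter stack that ignores further replies once the
    entry is filled. Either way the result depends on arrival order.
    """
    entry = None
    for mac in replies:
        if policy == "first" and entry is not None:
            continue
        entry = mac
    return entry


def trial_distribution(n: int = 1000, seed: int = 1) -> dict:
    """Randomise which reply lands first and count what the cache ends up with."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(n):
        replies = [OWNER_MAC, ROUTER_MAC]
        rng.shuffle(replies)  # wire order is a matter of chance
        counts[arp_cache_entry(replies)] += 1
    return dict(counts)


class ArpMonitor:
    """Passive observer: records which MACs have claimed each IP on the segment.

    An ARP reply sent on behalf of 192.168.1.7 carries sender IP 192.168.1.7 and
    the router's MAC, so with local proxy ARP on, the monitor sees two MACs for
    that IP, exactly what it would see during ARP spoofing.
    """

    def __init__(self):
        self.claims = defaultdict(set)

    def observe(self, sender_ip: str, sender_mac: str) -> None:
        self.claims[sender_ip].add(sender_mac)

    def conflicts(self) -> dict:
        return {ip: sorted(macs) for ip, macs in self.claims.items() if len(macs) > 1}


def monitor_segment(local_proxy_arp: bool) -> dict:
    """Feed the monitor the replies seen after host A asks for host B (constructed)."""
    mon = ArpMonitor()
    mon.observe("192.168.1.7", OWNER_MAC)
    if local_proxy_arp:
        mon.observe("192.168.1.7", ROUTER_MAC)
    return mon.conflicts()


if __name__ == "__main__":
    print("last-reply-wins cache over 1000 random orderings:", trial_distribution())
    print("monitor, local-proxy-arp off:", monitor_segment(False))
    print("monitor, local-proxy-arp on: ", monitor_segment(True))
```

Over many trials the last-reply-wins cache holds the router's MAC about half the time and host B's MAC the other half, so host-to-host traffic is routed or switched directly at random. The monitor output is the practical check: if a segment running local proxy ARP is not actually isolated (protected ports or private VLANs), the IP-to-MAC conflicts will show up in any tool that watches ARP.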

Filtering/security: it forces the traffic to go through the router instead of host to host.

Mark

Hi Mustafa,

Really old thread, and a late reply, but I have one practical example.

I work for a service provider that implemented an L2 network using a Cisco core and OLT/GPON technology at the edge for their FTTH service. To reduce management overhead they decided to run the OLT as an L2 gateway, while the L3 function was moved to a Cisco Catalyst 9500 acting as the L3 gateway. It is not an ideal setup and has some weaknesses as well. But the OLT setup creates a non-broadcast network topology on the Catalyst Ethernet ports, where all communication runs in a very simple hub-and-spoke manner. Each end node can communicate only with the hub, in this case the L3 Catalyst 9500, and the end nodes do not see each other. If the end nodes need to reach a different subnet they point to their DG anyway, and all seems to work fine. But if they want to communicate with each other directly it is not possible, and this feature can help in such unusual cases.

Have a nice day.

Martin
