cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
35537
Views
108
Helpful
12
Replies

Proxy-Arp

minumathur
Level 1
Level 1

Hi Friend

what happend if i am configuring "no ip proxy-arp" command at interface ? please explain ....

-Minu

8 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

First let us be clear about the difference between

arp

and

proxy-arp.

ARP is a mechanism to establish the relationship between an IP address (at layer 3) and a MAC address (at layer 2). A device (host, or switch, or router) that wants to communicate will send an ARP request giving the IP address and requesting the associated MAC address.

 

In a normal ARP the request is sent on the local subnet and the IP address asked for is on the local subnet. But sometimes an ARP request is sent and the IP address asked for is on a remote subnet or remote network. A router may respond to that ARP request for a "remote" IP address. In essence the router is acting as a "proxy" for the device on the remote subnet or remote network and this is why it is called

proxy-arp.

 

By default Cisco IOS has

proxy-arp 

enabled, so the router will respond to arp requests for remote addresses (assuming that the route does have a route to the remote subnet or remote network in the routing table). When you configure

no ip proxy-arp

on the interface you are instructing IOS that it should not respond to an ARP request for a remote address.

 

HTH

 

Rick

HTH

Rick

View solution in original post

Minu

 

In a well designed and correctly configured network the ARP will always be for local addresses and there is no need for

proxy-arp

In this case configuring

no ip proxy-arp

will not cause any problems.

 

But in many network there are some hosts that do ARP for remote addresses (there are several reasons why this may be the case). In this case configuring

no ip proxy-arp 

will mean that these hosts will no longer have the same access that they had before.

 

So the problem that you may face is that some users had access to some network resources before you made the change and those users may not have access to those network resources after you make your change. Only someone who is familiar with the local network can assess whether disabling

proxy arp

will cause users to lose some connectivity.

 

HTH

 

Rick

HTH

Rick

View solution in original post

Hello Rick,

Very clear and thoughtful answers! A please to read!

Best regards,

Peter

View solution in original post

Peter

Thank you for the kind words. I really appreciate the compliment from you.

HTH

Rick

HTH

Rick

View solution in original post

Rick,

I second what Peter noted about your explanation.

You do an excellent job of explaining the subject.

Cheers,

Reza

View solution in original post

Reza

Thank you for the kind words. I read posts by you and by Peter with interest and enjoyment. I am very appreciative that you find my explanations enjoyable and helpful.

HTH

Rick

HTH

Rick

View solution in original post

Talha Ansari
Level 1
Level 1

Hi,

 

One thing I would like to add. A router with default route configured with exit interface is same like a pc configured with ip address but

no default gateway

 

Suppose a pc is configured with an ip address of 192.168.1.2/24 and

no default gateway

is configured and suppose you have a router connected to internet with its LAN interface ip address as 192.168.1.1 /24.

 

If you issue a ping to any public ip from the pc then the PC will generate an ARP broadcast request to check for the layer 2 address to reach the destination. Now your router knows the destination to the public ip since it is connected to the internet. If

proxy-arp

is enabled on the router's lan interface(192.168.1.1/24) then the router will respond to the pc's ARP request with its own mac address and your ping will be successful. If

proxy-arp

is disabled then your ping will fail.

 

The end user's pc is always configured with default gateway so that the pc knows that if it has to reach the destination other than its own subnet in which it is configured it has to go to the default gateway. If you have default gateway enabled in your end user machines then you may safely turn off the

proxy-arp

on the router's interface.

 

Even the routers should always be configured with a next hop ip address as a best practice on a shared segment scenario like ethernet else it will keep on generating ARP entries for each and every destination ip you are trying to access.

 

For testing purpose you may configure a router with a default route with exit interface and ping an ip of other subnet(this ip should be pingable).... you will notice that an ARP entry is generated in the ARP table for an ip that belongs to other subnet. While if you configure a router with a default route with next hop ip address you will never ever see ARP entry generated for an ip that belongs to another subnet because the device has got the routing intelligence to send all the packets to the gateway that does not belong in the subnet.

 

Hope that helps...

 

View solution in original post

Yep !

That was the best answer of all and thats why its  5 * for ya..-:)

 

As far as the host is concerned its the default gateway that matters.

 

1. No default gateway on the host and

no-proxy arp 

on the router, will not let traffic through for remote subnets but works for the local

2. No default gateway with

proxy arp

configured, will work like a champ in any case

3. And with a default gateway at the host it doesn't really matter whether

proxy arp

is enabled or disabled

View solution in original post

12 Replies 12

Richard Burts
Hall of Fame
Hall of Fame

First let us be clear about the difference between

arp

and

proxy-arp.

ARP is a mechanism to establish the relationship between an IP address (at layer 3) and a MAC address (at layer 2). A device (host, or switch, or router) that wants to communicate will send an ARP request giving the IP address and requesting the associated MAC address.

 

In a normal ARP the request is sent on the local subnet and the IP address asked for is on the local subnet. But sometimes an ARP request is sent and the IP address asked for is on a remote subnet or remote network. A router may respond to that ARP request for a "remote" IP address. In essence the router is acting as a "proxy" for the device on the remote subnet or remote network and this is why it is called

proxy-arp.

 

By default Cisco IOS has

proxy-arp 

enabled, so the router will respond to arp requests for remote addresses (assuming that the route does have a route to the remote subnet or remote network in the routing table). When you configure

no ip proxy-arp

on the interface you are instructing IOS that it should not respond to an ARP request for a remote address.

 

HTH

 

Rick

HTH

Rick

Hi Rick

thanks for answering my question but still my question is if i am going to implement " no ip proxy-arp " at interface, what will the the problem i may facing.

-Minu

Minu

 

In a well designed and correctly configured network the ARP will always be for local addresses and there is no need for

proxy-arp

In this case configuring

no ip proxy-arp

will not cause any problems.

 

But in many network there are some hosts that do ARP for remote addresses (there are several reasons why this may be the case). In this case configuring

no ip proxy-arp 

will mean that these hosts will no longer have the same access that they had before.

 

So the problem that you may face is that some users had access to some network resources before you made the change and those users may not have access to those network resources after you make your change. Only someone who is familiar with the local network can assess whether disabling

proxy arp

will cause users to lose some connectivity.

 

HTH

 

Rick

HTH

Rick

Hello Rick,

Very clear and thoughtful answers! A please to read!

Best regards,

Peter

Peter

Thank you for the kind words. I really appreciate the compliment from you.

HTH

Rick

HTH

Rick

Rick,

I second what Peter noted about your explanation.

You do an excellent job of explaining the subject.

Cheers,

Reza

Reza

Thank you for the kind words. I read posts by you and by Peter with interest and enjoyment. I am very appreciative that you find my explanations enjoyable and helpful.

HTH

Rick

HTH

Rick

Thanks for the info.

This is the best explanation I've found on proxy arp I finally got it. Thanks Richard!

wonderful explanation! thank you!

Talha Ansari
Level 1
Level 1

Hi,

 

One thing I would like to add. A router with default route configured with exit interface is same like a pc configured with ip address but

no default gateway

 

Suppose a pc is configured with an ip address of 192.168.1.2/24 and

no default gateway

is configured and suppose you have a router connected to internet with its LAN interface ip address as 192.168.1.1 /24.

 

If you issue a ping to any public ip from the pc then the PC will generate an ARP broadcast request to check for the layer 2 address to reach the destination. Now your router knows the destination to the public ip since it is connected to the internet. If

proxy-arp

is enabled on the router's lan interface(192.168.1.1/24) then the router will respond to the pc's ARP request with its own mac address and your ping will be successful. If

proxy-arp

is disabled then your ping will fail.

 

The end user's pc is always configured with default gateway so that the pc knows that if it has to reach the destination other than its own subnet in which it is configured it has to go to the default gateway. If you have default gateway enabled in your end user machines then you may safely turn off the

proxy-arp

on the router's interface.

 

Even the routers should always be configured with a next hop ip address as a best practice on a shared segment scenario like ethernet else it will keep on generating ARP entries for each and every destination ip you are trying to access.

 

For testing purpose you may configure a router with a default route with exit interface and ping an ip of other subnet(this ip should be pingable).... you will notice that an ARP entry is generated in the ARP table for an ip that belongs to other subnet. While if you configure a router with a default route with next hop ip address you will never ever see ARP entry generated for an ip that belongs to another subnet because the device has got the routing intelligence to send all the packets to the gateway that does not belong in the subnet.

 

Hope that helps...

 

Yep !

That was the best answer of all and thats why its  5 * for ya..-:)

 

As far as the host is concerned its the default gateway that matters.

 

1. No default gateway on the host and

no-proxy arp 

on the router, will not let traffic through for remote subnets but works for the local

2. No default gateway with

proxy arp

configured, will work like a champ in any case

3. And with a default gateway at the host it doesn't really matter whether

proxy arp

is enabled or disabled

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: