Proxy-Arp

minumathur
Level 1

Hi Friend

What happens if I am configuring the "no ip proxy-arp" command at an interface? Please explain.

-Minu


12 Replies

Richard Burts
Hall of Fame

First let us be clear about the difference between arp and proxy-arp.

ARP is a mechanism to establish the relationship between an IP address (at layer 3) and a MAC address (at layer 2). A device (host, or switch, or router) that wants to communicate will send an ARP request giving the IP address and requesting the associated MAC address.

In a normal ARP the request is sent on the local subnet and the IP address asked for is on the local subnet. But sometimes an ARP request is sent and the IP address asked for is on a remote subnet or remote network. A router may respond to that ARP request for a "remote" IP address. In essence the router is acting as a "proxy" for the device on the remote subnet or remote network and this is why it is called proxy-arp.

By default Cisco IOS has proxy-arp enabled, so the router will respond to ARP requests for remote addresses (assuming that the router does have a route to the remote subnet or remote network in the routing table). When you configure no ip proxy-arp on the interface you are instructing IOS that it should not respond to an ARP request for a remote address.

HTH

Rick

Hi Rick

Thanks for answering my question, but still my question is: if I am going to implement "no ip proxy-arp" at the interface, what will be the problem I may be facing?

-Minu

Minu

In a well designed and correctly configured network the ARP will always be for local addresses and there is no need for proxy-arp. In this case configuring no ip proxy-arp will not cause any problems.

But in many networks there are some hosts that do ARP for remote addresses (there are several reasons why this may be the case). In this case configuring no ip proxy-arp will mean that these hosts will no longer have the same access that they had before.

So the problem that you may face is that some users had access to some network resources before you made the change and those users may not have access to those network resources after you make your change. Only someone who is familiar with the local network can assess whether disabling proxy arp will cause users to lose some connectivity.

HTH

Rick
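
One way to find the hosts that "do ARP for remote addresses" before disabling proxy ARP, as an added example that is not part of the original post: it reads ARP requests in the text form printed by `tcpdump -n arp` and lists each sender that asked for a target outside the segment. The segment 192.168.1.0/24 and the capture lines are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# ARP request as printed by "tcpdump -n arp"; the MAC in parentheses is optional.
ARP_REQUEST = re.compile(
    r"ARP, Request who-has (?P<target>[\d.]+)(?: \([0-9a-fA-F:]+\))? "
    r"tell (?P<sender>[\d.]+),"
)

# Constructed capture (not from the thread) taken on the router's LAN segment.
SAMPLE_CAPTURE = """\
10:15:01.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 46
10:15:02.200000 ARP, Request who-has 203.0.113.10 tell 192.168.1.2, length 46
10:15:02.200500 ARP, Reply 203.0.113.10 is-at 00:11:22:33:44:55, length 46
10:15:03.300000 ARP, Request who-has 192.168.1.7 tell 0.0.0.0, length 46
10:15:04.400000 ARP, Request who-has 198.51.100.5 tell 192.168.1.2, length 46
10:15:05.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.30, length 46
""".splitlines()


def proxy_arp_dependents(lines, segment):
    """Return {sender IP: sorted off-segment targets it sent ARP requests for}."""
    net = ipaddress.ip_network(segment)
    found = defaultdict(set)
    for line in lines:
        m = ARP_REQUEST.search(line)
        if not m:
            continue  # ARP replies and unrelated lines
        try:
            target = ipaddress.ip_address(m["target"])
            sender = ipaddress.ip_address(m["sender"])
        except ValueError:
            continue  # malformed address in the text
        # Skip ARP probes (sender 0.0.0.0) and senders that are not on this segment.
        if sender.is_unspecified or sender not in net:
            continue
        if target not in net:
            # Only a proxy-ARP reply can resolve this request.
            found[str(sender)].add(str(target))
    return {s: sorted(t, key=ipaddress.ip_address) for s, t in found.items()}


if __name__ == "__main__":
    for host, targets in proxy_arp_dependents(SAMPLE_CAPTURE, "192.168.1.0/24").items():
        print(f"{host} relies on proxy ARP for: {', '.join(targets)}")
```

An empty result over a representative capture window suggests no host on that segment depends on the router's proxy ARP replies.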

Hello Rick,

Very clear and thoughtful answers! A pleasure to read!

Best regards,

Peter

Peter

Thank you for the kind words. I really appreciate the compliment from you.

HTH

Rick


Rick,

I second what Peter noted about your explanation.

You do an excellent job of explaining the subject.

Cheers,

Reza

Reza

Thank you for the kind words. I read posts by you and by Peter with interest and enjoyment. I am very appreciative that you find my explanations enjoyable and helpful.

HTH

Rick


Thanks for the info.

This is the best explanation I've found on proxy arp. I finally got it. Thanks Richard!

wonderful explanation! thank you!

Talha Ansari
Level 1

Hi,

One thing I would like to add. A router with a default route configured with an exit interface is the same as a PC configured with an IP address but no default gateway.

Suppose a PC is configured with an IP address of 192.168.1.2/24 and no default gateway is configured, and suppose you have a router connected to the internet with its LAN interface IP address as 192.168.1.1/24.

If you issue a ping to any public IP from the PC then the PC will generate an ARP broadcast request to check for the layer 2 address to reach the destination. Now your router knows the destination to the public IP since it is connected to the internet. If proxy-arp is enabled on the router's LAN interface (192.168.1.1/24) then the router will respond to the PC's ARP request with its own MAC address and your ping will be successful. If proxy-arp is disabled then your ping will fail.

The end user's PC is always configured with a default gateway so that the PC knows that if it has to reach a destination other than its own subnet in which it is configured it has to go to the default gateway. If you have a default gateway enabled in your end user machines then you may safely turn off proxy-arp on the router's interface.

Even the routers should always be configured with a next hop IP address as a best practice on a shared segment scenario like Ethernet, else it will keep on generating ARP entries for each and every destination IP you are trying to access.

For testing purposes you may configure a router with a default route with an exit interface and ping an IP of another subnet (this IP should be pingable). You will notice that an ARP entry is generated in the ARP table for an IP that belongs to another subnet. While if you configure a router with a default route with a next hop IP address you will never ever see an ARP entry generated for an IP that belongs to another subnet, because the device has got the routing intelligence to send all the packets to the gateway that does not belong in the subnet.

Hope that helps...
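
The ARP table test described in the post above can be checked mechanically; this is an added example, not part of the original post. It parses text in the layout of IOS `show ip arp`, flags entries that fall outside every connected subnet, and names the on-subnet neighbour whose MAC answered for them. The sample table, the MAC addresses and the upstream neighbour 192.168.1.254 are constructed, and the list of connected subnets is an input the operator supplies.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of IOS "show ip arp"; addresses and MACs are made up.
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.4401  ARPA   FastEthernet0/0
Internet  192.168.1.254           5   0011.2233.44fe  ARPA   FastEthernet0/0
Internet  203.0.113.10            0   0011.2233.44fe  ARPA   FastEthernet0/0
Internet  198.51.100.5            1   0011.2233.44fe  ARPA   FastEthernet0/0
Internet  198.51.100.9            0   Incomplete      ARPA
"""


def off_subnet_arp_entries(show_ip_arp, connected):
    """Group ARP entries outside every connected subnet by the MAC that answered.

    Returns {mac: {"neighbour": on-subnet IP with that MAC or None,
                   "remote": [off-subnet IPs in table order]}}.
    The key "Incomplete" collects remote addresses nobody answered for.
    """
    nets = [ipaddress.ip_network(n) for n in connected]
    local_by_mac = {}
    remote_by_mac = defaultdict(list)
    for line in show_ip_arp.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "Internet":
            continue  # header or blank line
        addr, mac = ipaddress.ip_address(parts[1]), parts[3]
        if any(addr in n for n in nets):
            local_by_mac.setdefault(mac, str(addr))
        else:
            # The router sent an ARP request for a destination that is not on-link.
            remote_by_mac[mac].append(str(addr))
    return {mac: {"neighbour": local_by_mac.get(mac), "remote": ips}
            for mac, ips in remote_by_mac.items()}


if __name__ == "__main__":
    report = off_subnet_arp_entries(SAMPLE_ARP_TABLE, ["192.168.1.0/24"])
    for mac, info in report.items():
        print(mac, "neighbour:", info["neighbour"], "remote:", info["remote"])
```

Several remote addresses resolving to one neighbour's MAC is the pattern the post describes for a default route that uses an exit interface; entries marked Incomplete are remote destinations for which no proxy ARP reply arrived.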

 

Yep!

That was the best answer of all and that's why it's 5 * for ya..-:)

As far as the host is concerned it's the default gateway that matters.

1. No default gateway on the host and no-proxy arp on the router, will not let traffic through for remote subnets but works for the local
2. No default gateway with proxy arp configured, will work like a champ in any case
3. And with a default gateway at the host it doesn't really matter whether proxy arp is enabled or disabled
