09-20-2012 06:12 AM - edited 03-07-2019 08:59 AM
Recently we observed that newly installed WS-C3560CG-8PC access switches are able to communicate without a default route or default gateway.
The 3560 switches are used as a layer 2 access switch behind a layer 3 distribution/core. They have only the management VLAN configured for IP with a single address.
The ARP table looks like there is an implicit proxy-ARP request sent for any IP address.
We definitely have no configuration whatsoever which would explain this.
Is this a new feature? Anyone seen this before? We don't observe that with the older 2960-series...
Here is a brief trace of what's happening (debug arp):
host41#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Sep 20 14:44:06.706: IP ARP: sent req src 10.1.8.41 1833.9dc9.wxyz, dst 1.1.1.1 0000.0000.0000 Vlan1
Sep 20 14:44:06.711: IP ARP: rcvd rep src 1.1.1.1 2c54.2dd3.wxyz, dst 10.1.8.41 Vlan1..
host41#sh mac address-table ad 2c54.2dd3.wxyz
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   1    2c54.2dd3.wxyz    DYNAMIC    Gi0/10
   5    2c54.2dd3.wxyz    DYNAMIC    Gi0/10
 311    2c54.2dd3.wxyz    DYNAMIC    Gi0/10
Total Mac Addresses for this criterion: 3
The MAC address is of course the MAC address of the layer 3 interfaces of the distribution switch, no surprise here (proxy ARP is turned on by default).
Why is the 3560 sending out proxy arp requests without being told to? As far as I understood proxy ARP on Cisco IOS it only means it will reply to a proxy ARP request but will not send out proxy ARP requests by default.
rgds, MiKa
09-20-2012 06:53 AM
Hello MiKa,
It has been my personal experience that all Catalyst IOS-based switches act as ProxyARP clients (i.e. send an ARP request for each destination IP address) if they have no default gateway configured. Recall that these switches are usually in L2 switching mode only (there is no ip routing command present by default) which also means that they behave like IP end hosts. An IP end host without a default gateway is naturally bound to rely on ProxyARP if it wants to talk to stations in other networks. This is what these switches currently do - if they are in L3 host mode (as opposed to L3 routing mode), they send ProxyARP requests for each destination they are trying to talk to. If you configured ip routing then this ProxyARP client behavior would stop.
Sadly, I do not know if this behavior can be deactivated. To my best knowledge, the only remedy is to configure a phony IP default gateway.
Best regards,
Peter
09-20-2012 08:00 AM
Hi Peter,
thanks for confirming!
interesting... I will give it a shot with a test switch and see whether "no ip proxy arp" on the vlan interfaces will stop sending proxy requests. We have to change the config of our 3560CG-8PC switches anyway (several 1000 switches in the organisation). Glad to have LMS with configuration compliance templates...
By the way: I don't want to block IP communication, just the proxy ARP. Which means that we will deploy either "ip default gateway" commands or "ip routing" plus "ip route 0.0.0.0/0" commands.
09-20-2012 08:45 AM
Hi MiKa,
You are welcome!
> I will give it a shot with a test switch and see whether "no ip proxy arp" on the vlan interfaces will stop sending proxy requests.
Personally, I doubt it will help but I will gladly stand corrected. I have always considered the ip proxy-arp command to control the ProxyARP server (i.e. router's) behavior, not the client's.
> I don't want to block IP communication, just the proxy ARP. Which means that we will deploy either "ip default gateway" commands or "ip routing" plus "ip route 0.0.0.0/0" commands.
This will certainly help. And I also suggest configuring no ip proxy-arp on your L3 devices to prevent them from responding to these queries.
Best regards,
Peter
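The two points made in this thread (a switch with no default gateway ARPs for every off-subnet destination, and the fix is either `ip default-gateway` in L3 host mode or `ip routing` plus a static default route, with `no ip proxy-arp` on the distribution SVIs) lend themselves to an automated compliance check over saved configs and `debug arp` output, which is what MiKa's LMS templates would enforce. The following Python script is an added example written for this page; it is not code from the thread or from Cisco. The debug lines and the three running-config fragments are constructed samples modelled on the output MiKa posted (MAC suffixes anonymised the same way), and the three checks are hypothetical helper functions, not any tool's API. Unlike the thread, it also flags an "ip routing but no default route" config, which would leave the switch unable to reach off-subnet hosts at all rather than falling back to ProxyARP.

```python
import ipaddress
import re

# Constructed sample of "debug arp" output, modelled on the post (not real capture data).
DEBUG_ARP = """\
Sep 20 14:44:06.706: IP ARP: sent req src 10.1.8.41 1833.9dc9.wxyz, dst 1.1.1.1 0000.0000.0000 Vlan1
Sep 20 14:44:06.711: IP ARP: rcvd rep src 1.1.1.1 2c54.2dd3.wxyz, dst 10.1.8.41 Vlan1
Sep 20 14:44:09.120: IP ARP: sent req src 10.1.8.41 1833.9dc9.wxyz, dst 10.1.8.1 0000.0000.0000 Vlan1
"""

# Constructed running-config fragments: an access switch before and after the fix,
# and a distribution switch in L3 routing mode.
NONCOMPLIANT_CFG = """\
hostname host41
!
interface Vlan1
 ip address 10.1.8.41 255.255.255.0
!
"""

COMPLIANT_CFG = """\
hostname host41
ip default-gateway 10.1.8.1
!
interface Vlan1
 ip address 10.1.8.41 255.255.255.0
!
"""

DISTRIBUTION_CFG = """\
hostname dist1
ip routing
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
interface Vlan1
 ip address 10.1.8.1 255.255.255.0
!
interface Vlan5
 ip address 10.1.5.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/10
 switchport mode trunk
!
"""

# "IP ARP: sent req src <ip> <mac>, dst <ip> <mac> <interface>"
SENT_REQ = re.compile(r"IP ARP: sent req src (\S+) \S+, dst (\S+) \S+ (\S+)")


def off_subnet_arp_requests(log, local_net):
    """Return (src, dst, interface) for every ARP request whose target lies outside
    the switch's own subnet. A host with a default gateway never sends these; seeing
    them is the signature of the ProxyARP client behaviour described in the thread."""
    net = ipaddress.ip_network(local_net, strict=False)
    hits = []
    for line in log.splitlines():
        m = SENT_REQ.search(line)
        if not m:
            continue
        src, dst, iface = m.groups()
        if ipaddress.ip_address(dst) not in net:
            hits.append((src, dst, iface))
    return hits


def gateway_compliance(config):
    """Classify how a switch reaches off-subnet destinations.
    Returns (status, reason) where status is "ok", "warn" or "noncompliant"."""
    has_dgw = re.search(r"^ip default-gateway \S+", config, re.M) is not None
    has_routing = re.search(r"^ip routing\s*$", config, re.M) is not None
    has_default = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M) is not None
    if has_routing and has_default:
        return "ok", "L3 routing mode with a static default route"
    if has_routing:
        return "warn", "ip routing enabled but no default route (ip default-gateway is ignored in routing mode)"
    if has_dgw:
        return "ok", "L3 host mode with ip default-gateway"
    return "noncompliant", "no default gateway: switch will ARP for every off-subnet destination (ProxyARP client)"


def proxy_arp_enabled_interfaces(config):
    """List IP-configured interfaces on which proxy ARP is still enabled, i.e. the
    stanza has an 'ip address' but no 'no ip proxy-arp' (IOS default is on)."""
    enabled = []
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        if not stanza.startswith("interface "):
            continue
        lines = [l.strip() for l in stanza.splitlines()]
        name = lines[0].split(None, 1)[1]
        body = []
        for l in lines[1:]:
            if l == "!":          # end of the interface stanza
                break
            body.append(l)
        if any(l.startswith("ip address ") for l in body) and "no ip proxy-arp" not in body:
            enabled.append(name)
    return enabled


if __name__ == "__main__":
    for hit in off_subnet_arp_requests(DEBUG_ARP, "10.1.8.0/24"):
        print("off-subnet ARP request:", hit)
    for name, cfg in [("host41 (before)", NONCOMPLIANT_CFG), ("host41 (after)", COMPLIANT_CFG),
                      ("dist1", DISTRIBUTION_CFG)]:
        print(name, gateway_compliance(cfg))
    print("proxy ARP still enabled on dist1:", proxy_arp_enabled_interfaces(DISTRIBUTION_CFG))
```

Run against real configs, `gateway_compliance` gives the access-switch check to put in a compliance template, and `proxy_arp_enabled_interfaces` gives the matching check for the distribution layer so that even a switch missed by the rollout cannot get an answer to its stray ARP requests.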