
Unusual behaviour on WS-C3560CG-8PC, IP connectivity without ip route or default gateway

m.kafka

Recently we observed that newly installed WS-C3560CG-8PC access switches are able to communicate without a default route or default gateway.

The 3650 switches are used as a layer2 access switch behind a layer3 distribution/core. They have only the management VLAN configured for IP with a single address.

The ARP table looks like there is an implicit proxy-ARP request sent for any IP address.

We definitely have no configuration whatsoever which would explain this.

Is this a new feature? Anyone seen this before? We don't observe that with the older 2960-series...

Here is a brief trace of what's happening (debug arp):

host41#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Sep 20 14:44:06.706: IP ARP: sent req src 10.1.8.41 1833.9dc9.wxyz,
                 dst 1.1.1.1 0000.0000.0000 Vlan1
Sep 20 14:44:06.711: IP ARP: rcvd rep src 1.1.1.1 2c54.2dd3.wxyz, dst 10.1.8.41 Vlan1..

host41#sh mac address-table ad 2c54.2dd3.wxyz
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    2c54.2dd3.wxyz    DYNAMIC     Gi0/10
   5    2c54.2dd3.wxyz    DYNAMIC     Gi0/10
311    2c54.2dd3.wxyz    DYNAMIC     Gi0/10
Total Mac Addresses for this criterion: 3

The MAC address is of course the MAC address of the layer 3 interfaces of the distribution switch, no surprise here (proxy ARP is turned on by default).

Why is the 3560 sending out proxy arp requests without being told to? As far as I understood proxy ARP on Cisco IOS it only means it will reply to a proxy ARP request but will not send out proxy ARP requests by default.

rgds, MiKa

1 Accepted Solution

Peter Paluch
Cisco Employee

Hello MiKa,

It has been my personal experience that all Catalyst IOS-based switches act as ProxyARP clients (i.e. send an ARP request for each destination IP address) if they have no default gateway configured. Recall that these switches are usually in L2 switching mode only (there is no ip routing command present by default) which also means that they behave like IP end hosts. An IP end host without a default gateway is naturally bound to rely on ProxyARP if it wants to talk to stations in other networks. This is what these switches currently do - if they are in L3 host mode (as opposed to L3 routing mode), they send ProxyARP requests for each destination they are trying to talk to. If you configured ip routing then this ProxyARP client behavior would stop.

Sadly, I do not know if this behavior can be deactivated. To my best knowledge, the only remedy is to configure a phony IP default gateway.

Best regards,

Peter


Hi Peter,

thanks for confirming!

interesting... I will give it a shot with a test switch and see whether "no ip proxy arp" on the vlan interfaces will stop sending proxy requests. We have to change the config of our 3560CG-8PC switches anyway (several 1000 switches in the organisation). Glad to have LMS with configuration compliance templates...

By the way: I don't want to block IP communication, just the proxy ARP. Which means that we will deploy either "ip default gateway" commands or "ip routing" plus "ip route 0.0.0.0/0" commands.

Hi MiKa,

You are welcome!

I will give it a shot with a test switch and see whether "no ip proxy arp" on the vlan interfaces will stop sending proxy requests.

Personally, I doubt it will help but I will gladly stand corrected. I have always considered the ip proxy-arp command to control the ProxyARP server (i.e. router's) behavior, not the client's.

I don't want to block IP communication, just the proxy ARP. Which means that we will deploy either "ip default gateway" commands or "ip routing" plus "ip route 0.0.0.0/0" commands.

This will certainly help. And I also suggest configuring no ip proxy-arp on your L3 devices to prevent them from responding to these queries.

Best regards,

Peter
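
An added example, not part of the original thread: a small audit script that reads `debug arp` output in the format quoted above and reports which off-subnet addresses a switch ARPed for, and which MAC answered for them (the L3 device still acting as ProxyARP server). The function name, the /24 mask on Vlan1, the MAC addresses and the 192.0.2.10 target are assumptions constructed for the illustration.

```python
import ipaddress
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Line formats follow the `debug arp` output quoted in the thread; \s+ after
# the comma tolerates the wrapped continuation line.
SENT_REQ = re.compile(
    rf"IP ARP: sent req src ({IP}) \S+,\s+dst ({IP}) \S+ ([A-Za-z]+[\d/]+)")
RCVD_REP = re.compile(
    rf"IP ARP: rcvd rep src ({IP}) ([0-9a-f.]+),\s+dst ({IP}) ([A-Za-z]+[\d/]+)")


def proxy_arp_findings(debug_text, connected):
    """Return (requests, responders) for ARP traffic about off-subnet addresses.

    requests   -- list of (src_ip, target_ip, interface) the switch ARPed for
    responders -- dict mapping answering MAC -> sorted list of off-subnet IPs
    connected  -- dict mapping interface name -> network configured on it
    """
    def off_subnet(ip, ifname):
        net = connected.get(ifname)
        return net is not None and ipaddress.ip_address(ip) not in net

    requests = [(src, dst, ifname)
                for src, dst, ifname in SENT_REQ.findall(debug_text)
                if off_subnet(dst, ifname)]
    responders = {}
    for ip, mac, _dst, ifname in RCVD_REP.findall(debug_text):
        if off_subnet(ip, ifname):
            responders.setdefault(mac, set()).add(ip)
    return requests, {mac: sorted(ips) for mac, ips in responders.items()}


# Constructed sample in the thread's format; MAC addresses are made up.
SAMPLE_DEBUG = """\
Sep 20 14:44:06.706: IP ARP: sent req src 10.1.8.41 0000.5e00.5301,
                 dst 1.1.1.1 0000.0000.0000 Vlan1
Sep 20 14:44:06.711: IP ARP: rcvd rep src 1.1.1.1 0000.5e00.5302, dst 10.1.8.41 Vlan1
Sep 20 14:44:09.120: IP ARP: sent req src 10.1.8.41 0000.5e00.5301, dst 10.1.8.1 0000.0000.0000 Vlan1
Sep 20 14:44:09.124: IP ARP: rcvd rep src 10.1.8.1 0000.5e00.5302, dst 10.1.8.41 Vlan1
Sep 20 14:44:12.300: IP ARP: sent req src 10.1.8.41 0000.5e00.5301, dst 192.0.2.10 0000.0000.0000 Vlan1
Sep 20 14:44:12.305: IP ARP: rcvd rep src 192.0.2.10 0000.5e00.5302, dst 10.1.8.41 Vlan1
"""
# Assumption: the management SVI is 10.1.8.41/24 (the thread gives no mask).
CONNECTED = {"Vlan1": ipaddress.ip_network("10.1.8.0/24")}

if __name__ == "__main__":
    print(proxy_arp_findings(SAMPLE_DEBUG, CONNECTED))
```

An empty `requests` list after the default gateway is deployed shows the client side has stopped; an empty `responders` dict shows the L3 interfaces no longer answer for foreign addresses.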
