The Operation of Proxy Arp

In A Simplified View of Proxy Arp, we looked conceptually at the function of this layer two protocol. The process is usually found in what many consider a broken network; it raises some concerns and should typically be disabled. In many cases, network administrators don’t even realize it is being used. Hosts that depend on this feature are typically discovered only when a security-conscious administrator disables it.

This article takes a deeper dive into Proxy Arp and looks at the issues that can occur when it is disabled. An IOS router can be instructed to act as a host that sends proxy arp requests. Additionally, routers typically respond to these proxy Arp requests by default. These factors make this process easy to demonstrate.

[Figure: ProxyArp lab topology (Host, R1, R2)]

Host

Host(config)#interface FastEthernet0/0
Host(config-if)# ip address 192.168.1.1 255.255.255.0
Host(config-if)#no shut
Host(config-if)#exit

//by only specifying an egress Ethernet interface
//the router will ARP for each destination
Host(config)#ip route 0.0.0.0 0.0.0.0 fa0/0

R1

R1(config)#interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.2 255.255.255.0
R1(config-if)# no shut
R1(config-if)#interface Serial0/0
R1(config-if)# ip address 192.168.2.2 255.255.255.0
R1(config-if)# no shut

//and for the routing protocol
R1(config)#router eigrp 1
R1(config-router)# passive-interface FastEthernet0/0
R1(config-router)# network 0.0.0.0 255.255.255.255

R2

R2(config)#interface Serial0/0
R2(config-if)# ip address 192.168.2.3 255.255.255.0
R2(config-if)# no shut
R2(config-if)#interface Loopback1
R2(config-if)# ip address 1.1.1.1 255.255.255.0
R2(config-if)#interface Loopback2
R2(config-if)# ip address 2.2.2.2 255.255.255.0
R2(config-if)#interface Loopback3
R2(config-if)# ip address 3.3.3.3 255.0.0.0

//and for the routing protocol
R2(config-if)#router eigrp 1
R2(config-router)# network 0.0.0.0 255.255.255.255
R2(config-router)# no auto-summary

Examining the routing table on R1 shows the following:

R1#show ip route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/409600] via 192.168.2.3, 00:00:03, FastEthernet0/1
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/409600] via 192.168.2.3, 00:00:03, FastEthernet0/1
D    3.0.0.0/8 [90/409600] via 192.168.2.3, 00:00:38, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1

To demonstrate the proxy Arp process, “debug arp” can be configured on R1.

R1#debug arp
ARP packet debugging is on
R1#

An ICMP Echo generated on Host toward the remote Loopbacks will trigger the Arp request.

Host#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/41/44 ms
Host#

Although the ping was successful, examining the output on R1 reveals the proxy Arp process.

R1#
*Mar  1 01:52:47.199: IP ARP: rcvd req src 192.168.1.1 c000.06d6.0000, dst 3.3.3.3 FastEthernet0/0
*Mar  1 01:52:47.199: IP ARP: sent rep src 3.3.3.3 c001.06d6.0000,
                 dst 192.168.1.1 c000.06d6.0000 FastEthernet0/0
R1#
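Picking these replies out of a longer `debug arp` log by eye gets tedious, so here is an added Python example (not code from the original article) that joins IOS's wrapped debug lines, parses the rcvd/sent records, and flags any reply R1 sent for an address outside the receiving interface's subnet, which is exactly the proxy ARP signature. The interface map is taken from R1's configuration above; the first three log lines are the article's own output, and the last two are constructed to show a normal on-link exchange for contrast.

```python
import re
from ipaddress import ip_address, ip_network

# Interface-to-subnet map for R1, from the article's configuration.
R1_INTERFACES = {"FastEthernet0/0": ip_network("192.168.1.0/24")}

# First three lines: the article's debug arp output (a wrapped 'sent rep').
# Last two lines: constructed, a normal on-link request/reply for contrast.
SAMPLE_DEBUG = """\
*Mar  1 01:52:47.199: IP ARP: rcvd req src 192.168.1.1 c000.06d6.0000, dst 3.3.3.3 FastEthernet0/0
*Mar  1 01:52:47.199: IP ARP: sent rep src 3.3.3.3 c001.06d6.0000,
                 dst 192.168.1.1 c000.06d6.0000 FastEthernet0/0
*Mar  1 01:53:10.001: IP ARP: rcvd req src 192.168.1.1 c000.06d6.0000, dst 192.168.1.2 FastEthernet0/0
*Mar  1 01:53:10.001: IP ARP: sent rep src 192.168.1.2 c001.06d6.0000,
                 dst 192.168.1.1 c000.06d6.0000 FastEthernet0/0
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(
    r"IP ARP: (?P<dir>rcvd|sent) (?P<op>req|rep) "
    r"src (?P<sip>[\d.]+) (?P<smac>" + MAC + r"), "
    r"dst (?P<dip>[\d.]+)(?: (?P<dmac>" + MAC + r"))? "
    r"(?P<intf>\S+)$"
)


def join_wrapped(text):
    """IOS wraps long 'sent rep' lines; a continuation line starts with whitespace."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_arp_events(text):
    """Return one dict per ARP record (direction, op, addresses, MACs, interface)."""
    events = []
    for rec in join_wrapped(text):
        m = ARP_RE.search(rec)
        if m:
            events.append(m.groupdict())
    return events


def find_proxy_arp(text, interfaces):
    """Flag off-subnet requests (a host leaning on proxy ARP) and the proxy
    replies the router sent for them. Returns (kind, address, interface) tuples."""
    findings = []
    for ev in parse_arp_events(text):
        subnet = interfaces.get(ev["intf"])
        if subnet is None:
            continue  # interface not in our map, nothing to compare against
        if ev["dir"] == "rcvd" and ev["op"] == "req" and ip_address(ev["dip"]) not in subnet:
            findings.append(("off-subnet-request", ev["dip"], ev["intf"]))
        if ev["dir"] == "sent" and ev["op"] == "rep" and ip_address(ev["sip"]) not in subnet:
            findings.append(("proxy-reply", ev["sip"], ev["intf"]))
    return findings


if __name__ == "__main__":
    for kind, addr, intf in find_proxy_arp(SAMPLE_DEBUG, R1_INTERFACES):
        print(f"{kind:20} {addr:15} on {intf}")
```

Run against the sample, the two constructed on-link lines produce nothing, while the article's exchange yields an `off-subnet-request` for 3.3.3.3 followed by the matching `proxy-reply`. Feeding it a capture from a production segment is a quick way to find hosts that are silently depending on proxy ARP before you disable it.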

This is one of those arp requests that wouldn’t typically be seen. However, the host was forced to proxy Arp based on the static route that didn’t identify a next hop. To further demonstrate what can happen, we can disable proxy Arp on R1’s interface and clear the arp cache on Host.

R1(config)#int fa0/0
R1(config-if)#no ip proxy-arp
R1(config-if)#
Host#clear arp

Testing from Host now reveals a broken network. The resolution is to configure a proper route that indicates a next hop address. This is the equivalent of configuring a proper default gateway on a host.

Host#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Host#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Host(config)#no ip route 0.0.0.0 0.0.0.0 fastethernet0/0
Host(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/0 192.168.1.2
Host(config)#exit

//and to test again
Host#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/52 ms
Host#
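The three states walked through above (interface-only default route with proxy ARP on, the same route with proxy ARP off, and a default route with a real next hop) can be modelled in a few lines. The following Python is an added example and not the article's code. The Router class is a simplified assumption about the IOS decision: answer an ARP request only when proxy-arp is enabled on the receiving interface, the target is off that interface's subnet, and the routing table reaches the target through a different interface. Interface names follow the configuration section (Serial0/0 for the link to R2), and the final on-link case uses a constructed address, 192.168.1.50.

```python
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    """Simplified model of an IOS router's ARP answering logic (assumption)."""

    def __init__(self, interfaces, routes):
        self.interfaces = {name: ip_interface(addr) for name, addr in interfaces.items()}
        self.routes = [(ip_network(prefix), out_intf) for prefix, out_intf in routes]
        self.proxy_arp = {name: True for name in interfaces}  # IOS default: enabled

    def lookup(self, dst):
        """Longest-prefix match; returns the outbound interface or None."""
        matches = [(net, intf) for net, intf in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def arp_reply(self, target, in_intf):
        """'own' for its own address, 'proxy' for a proxy reply, None for silence."""
        local = self.interfaces[in_intf]
        if target == local.ip:
            return "own"
        if not self.proxy_arp[in_intf]:
            return None
        if target in local.network:
            return None  # same wire: the real owner should answer, not the router
        out_intf = self.lookup(target)
        if out_intf is None or out_intf == in_intf:
            return None
        return "proxy"


class Host:
    """A host with one interface and static routes; next hop None means
    'interface only', like 'ip route 0.0.0.0 0.0.0.0 fa0/0' on IOS."""

    def __init__(self, addr, routes):
        self.iface = ip_interface(addr)
        self.routes = [(ip_network(prefix), nh) for prefix, nh in routes]

    def arp_target(self, dst):
        """Which address the host ARPs for when sending to dst (None: no route)."""
        dst = ip_address(dst)
        if dst in self.iface.network:
            return dst
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        nh = max(matches, key=lambda r: r[0].prefixlen)[1]
        return dst if nh is None else ip_address(nh)


def reach(host, router, in_intf, dst):
    """Outcome of the host's first hop: gateway, proxy-arp, router-silent, no-route."""
    target = host.arp_target(dst)
    if target is None:
        return "no-route"
    reply = router.arp_reply(target, in_intf)
    return {"own": "gateway", "proxy": "proxy-arp"}.get(reply, "router-silent")


def build_r1():
    # Addresses and routes from the article's R1 configuration and routing table.
    return Router(
        {"FastEthernet0/0": "192.168.1.2/24", "Serial0/0": "192.168.2.2/24"},
        [("192.168.1.0/24", "FastEthernet0/0"), ("192.168.2.0/24", "Serial0/0"),
         ("1.1.1.0/24", "Serial0/0"), ("2.2.2.0/24", "Serial0/0"), ("3.0.0.0/8", "Serial0/0")],
    )


def demo():
    """Replay the article's three states plus one constructed on-link lookup."""
    r1 = build_r1()
    iface_only = Host("192.168.1.1/24", [("0.0.0.0/0", None)])
    results = {"proxy-on": reach(iface_only, r1, "FastEthernet0/0", "3.3.3.3")}
    r1.proxy_arp["FastEthernet0/0"] = False  # 'no ip proxy-arp' on R1 fa0/0
    results["proxy-off"] = reach(iface_only, r1, "FastEthernet0/0", "3.3.3.3")
    with_gw = Host("192.168.1.1/24", [("0.0.0.0/0", "192.168.1.2")])
    results["next-hop"] = reach(with_gw, r1, "FastEthernet0/0", "3.3.3.3")
    r1.proxy_arp["FastEthernet0/0"] = True
    results["on-link"] = reach(iface_only, r1, "FastEthernet0/0", "192.168.1.50")  # constructed
    return results


if __name__ == "__main__":
    for state, outcome in demo().items():
        print(f"{state:10} -> {outcome}")
```

With the interface-only route the host ARPs for 3.3.3.3 itself and only a proxy reply makes the ping work; turn proxy ARP off and the router goes silent, which is the failed ping above. With a real next hop the host ARPs for 192.168.1.2, the router answers for its own address, and proxy ARP never enters into it. The on-link case shows the model staying quiet for an address inside the receiving interface's subnet.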

Proxy Arp is not a complex topic, but it is an often overlooked component that can automagically make a misconfigured network seem to work properly. As network administrators, we should make an effort to fully understand the underlying components that make our environments function. It is also important to familiarize ourselves with potential caveats as we make changes. Proxy Arp and the concepts demonstrated here are Ethernet concepts. Other layer two protocols have different methods for layer 2 addressing.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design.

4 Responses to The Operation of Proxy Arp

  1. xpwe says:

    Hi Paul, great interesting topic.

    I just ran into a problem and don’t really understand proxy arp on routers (my background is in firewalls, where proxy arp usually has to be configured properly or is only on an IP per IP basis).

    In my setup the proxy arp was enabled on two Routers on all interfaces and both of them have fa0/0 pointing to local where the clients are.

    Now what happened is that all communication between the clients on the same subnet was always going over one of the router's interfaces in and out. But the hosts have the same subnet and mask and they should never go over the router for the LAN traffic.

    Does the router really answer to any kind of ARP request even if for the network he is locally attached to (connected interface)?

  2. Sushim says:

    Dear Paul,

    Thanks for putting this topic here.
    As you have taken router as host, it works fine.
    But I am facing a problem getting results from proxy arp when the host is a PC.

    Is it like that, proxy arp works for router interfaces only?
    In my testing things work when all components are routers,
    i.e. host (router) ---> router
    But when the host is a PC or laptop then the proxy arp magic didn't work.

    Can you please suggest me on this?

    Best Regards
    Sushim

    • Proxy arp is one of those things that’s a hack. A good thing to experiment with to round out knowledge. I don’t like to knowingly or unknowingly depend on it.

      To answer your question, only a router should respond to proxy arp requests (and it should only respond for destinations in its routing table).

      Clients don’t all behave the same. All clients should arp for anything they believe to be directly connected. This assumption is made based on the IP and subnet mask. So changing from 255.255.255.0 to 255.0.0.0 just instructed the host to arp for a lot more addresses.

      It is worth noting that the default gateway should reside on the local subnet and the host should arp for it as needed.

      The disparity in host operations comes in the form of some hosts using a proxy arp as a last resort (no gw or maybe a gw is down).

      So the thing to ask is 1) is the arp request being sent? 2) if not why? 3) then is the router responding?

      Also remember that I just talk about proxy arp so people realize what it is. In reality, networks should be designed not to use it.
