Proxy ARP Question

Glyphic83 Member Posts: 33
Hi All,
So I'm currently studying for CCENT (test is scheduled for September 2nd!) and proxy ARP has me a bit confused.

My understanding is that when a host is sending a packet, its first action is to determine if the destination is on the same subnet or not. If the destination is on the same subnet, the host will then send an ARP request (assuming it does not already have the MAC address of the destination in its cache) to acquire the MAC address of the destination. The destination host replies to the sender with its MAC address and communication between the two hosts continues.

If the sending host determines that the destination IP is not on its own subnet, it will then send the packet to its default gateway. My understanding of this process is that as the packet leaves the sending host, the IP destination will be the address of the receiving host on a different subnet, and that packet will be encapsulated in a frame which is destined for the mac address of the default gateway.

My question is, with the above process in mind, in what scenario would proxy ARP be needed? In what case would a host send out an ARP request for a host on a different subnet, which would be answered by a router configured for proxy ARP, as opposed to just sending the packet to its default gateway?

Comments

  • fredrikjj Member Posts: 879
    Glyphic83 wrote: »
    In what case would a host send out an ARP request for a host on a different subnet, which would be answered by a router configured for proxy ARP, as opposed to just sending the packet to its default gateway?

    Never, unless the host doesn't have a default gateway.

    PS.
    Proxy ARP is confusing in general because it's from a different era. ARPing for every single destination on the Internet is obviously not a scalable solution and this is not what it was designed to accomplish. Instead, we use a default gateway. Proxy ARP was designed to allow you to use a single IPv4 prefix across multiple layer 3 networks. Consider this diagram from Comer's TCP/IP book:



    R1 has a route to the classful network 192.168.1.0. Network 1 uses 192.168.1.0/25 and network 2 uses 192.168.1.128/25 in terms of addressing, but classless routing hasn't been invented yet. In other words, R1 cannot have a route pointing to R2 for 192.168.1.128/25. Instead, all packets to 192.168.1.0 must be ARPed for. When a packet destined for an IP in the 192.168.1.128/25 range reaches R1, R1 will ARP for the MAC address. Because the destination is beyond a L3 boundary, it cannot respond. Instead, R2 acts as a proxy and responds to the ARP (proxy ARP). R1 will send the packet to R2's MAC address which will then send it to the actual destination.
  • Glyphic83 Member Posts: 33
    Thanks fredrikjj! That was very helpful.
  • fredrikjj Member Posts: 879
    Continued...

    Because Proxy ARP was invented a long time ago ("early in the history of the Internet" according to Comer) to solve a problem we no longer have, it can sometimes cause problems. The most common one is to make the mistake of pointing a default route directly towards an Ethernet interface. Like this:

    ip route 0.0.0.0 0.0.0.0 ethernet0/0

    It will show up in the routing table as directly connected. Because the router sees it as directly connected, it assumes that it must ARP for all destinations that are covered by the default route. If the router on the other side of the link has proxy ARP enabled on its interface and has a route to the destination that's ARPed for, it will respond with its own MAC address. Potentially this could fill up the router's ARP cache with tons of destinations and create a flood of ARP traffic. If I remember correctly, proxy ARP is enabled by default in Cisco IOS for some reason, making it much more likely that you'll end up in this situation.
  • urvi Member Posts: 79
    Hi
    I'm sorry to interfere, so what is the solution? To disable proxy ARP or to use the IP address of the next hop router?

    Regards
  • fredrikjj Member Posts: 879
    urvi wrote: »
    Hi
    I'm sorry to interfere, so what is the solution? To disable proxy ARP or to use the IP address of the next hop router?

    Regards

    If you disable proxy ARP in the default static route scenario above, you'll lose reachability because the router will ARP for some remote destination and then not get a response back from the neighbor (it would normally respond due to proxy ARP, but now can't). What disabling proxy ARP accomplishes is making it immediately apparent that you've misconfigured the static route, since it simply won't work. You should always use the IP address of the next hop in a static route to avoid this problem, unless it's a p2p serial link, in which case it doesn't matter since it's a completely different L2 technology and ARP isn't used.
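
The three cases from the replies above (default route pointed at the interface with proxy ARP on the neighbor, the same route with proxy ARP disabled, and a route via the next-hop IP), as an added Python sketch that is not part of the original thread. The addresses, the MAC and the names `Neighbor`, `forward` and `off_link_entries` are constructed for illustration; it models only the ARP cache, not real IOS behaviour in detail.

```python
import ipaddress

LINK = ipaddress.ip_network("10.0.0.0/30")      # constructed: subnet on ethernet0/0
NEIGHBOR_IP, NEIGHBOR_MAC = "10.0.0.2", "00:00:5e:00:53:02"   # constructed values
DESTS = [f"198.51.100.{i}" for i in range(1, 201)]            # constructed remote hosts


class Neighbor:
    """Router on the other side of the link; it has a route to everything."""

    def __init__(self, proxy_arp):
        self.proxy_arp = proxy_arp
        self.routes = [ipaddress.ip_network("0.0.0.0/0")]

    def answer_arp(self, target):
        if str(target) == NEIGHBOR_IP:
            return NEIGHBOR_MAC          # ordinary reply for its own address
        if self.proxy_arp and any(target in r for r in self.routes):
            return NEIGHBOR_MAC          # proxy ARP reply for a routed destination
        return None                      # request goes unanswered


def forward(dests, neighbor, next_hop=None):
    """Forward one packet per destination; return (arp_cache, unreachable).

    next_hop=None models the default route pointed at the interface: the route
    looks directly connected, so the router ARPs for each destination itself.
    """
    cache, unreachable = {}, []
    for dst in dests:
        target = ipaddress.ip_address(next_hop or dst)
        if str(target) not in cache:
            mac = neighbor.answer_arp(target)
            if mac is None:
                unreachable.append(dst)
                continue
            cache[str(target)] = mac
    return cache, unreachable


def off_link_entries(cache):
    """ARP entries for addresses outside the connected subnet (the symptom)."""
    return sorted(ip for ip in cache if ipaddress.ip_address(ip) not in LINK)
```

Running `off_link_entries` over a real ARP table export is a quick way to spot this misconfiguration: many off-subnet IPs all resolving to the neighbor's MAC.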
  • saraanand Member Posts: 16
    Could look at these links

    NAT and Proxy ARP - Post #15 onwards.

    https://learningnetwork.cisco.com/message/413776#413776

    A walk-through on Proxy ARP

    https://learningnetwork.cisco.com/message/407760#407760
  • saraanand Member Posts: 16
    The way NAT uses Proxy-ARP is very interesting.... I want to revelation.

    Furthermore, this is good Cisco documentation on Proxy-ARP

    Proxy ARP - Cisco