Proxy Arp Question

alemooalemoo Member Posts: 9 ■□□□□□□□□□
Hello,

I'm trying to understand the difference between Proxy ARP and regular ARP.

Regular ARP:
1) When PC A needs to find the MAC of PCB, it sends a broadcast if there is no MAC address entry in it's ARP cache.
2) All PC's on the local subnet ignore the ARP broadcast, except for PCB.
3) PCB responds with a unicast message to PCA, informing it of it's MAC address.
4) If PCB was on a different subnet, it would never receive the ARP broadcast (routers don't forward them by default).
5) Router A responds on behalf of PCB, giving PCA it's MAC address (the MAC address of the interface that PCA connects to).

I have been reading that Proxy ARP exactly the same, except that PCB is in the same subnet but on a different port of the router.
How is this possible? If you are on a different port of the router, you are going to have to be in a different subnet.
If there is some way that you can be on a different port but on the same subnet, what would the purpose of this be? Can someone give a practical example of why you would do this?

EDIT: I just read this thread:
http://www.techexams.net/forums/ccna-ccent/81656-what-difference-between-arp-proxy-router.html
and I believe my misunderstanding is that if PCB is on a different subnet, PCA automatically knows this, and does not send out an ARP broadcast. It simply sends its data towards its default gateway, trusting that the router will know how to properly route it. No ARP is necessary. So therefore Proxy ARP is where for some reason I don't understand, the router will reply with an ARP request on behalf of PCB (which is on a different subnet).

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    With regular ARP PCA knows PCB is on another segment due to it's subnet and mask. Now that PCA knows that it's ARPs for it's default gateway instead to reach another segment. In this instance the router that hosts the gateway only answers for it's own address.

    Proxy ARP would allow the router to answer for the MAC of PCB that lives on another segment. PCA know has the IP of PCB mapped to the MAC of the gateway rather than PCB's MAC.

    There are issues that come into play using proxy ARP though. Table exhaustion being one of the biggest.
    An expert is a man who has made all the mistakes which can be made.
  • alemooalemoo Member Posts: 9 ■□□□□□□□□□
    Thanks for the reply. I'm still trying to find a decent article that will explain the reason of using Proxy ARP. I understand now that it will help when you have devices with misconfigured subnet masks...so if you have PCA, with a subnet mask that is larger than it should be, and it is trying to communicate with PCB that is attached to a different port of the router, it will ARP for PCB's MAC because it thinks the PC is in the same subnet as itself. So then the Proxy ARP-enabled router will respond on its behalf.

    If the router wasn't configured with Proxy ARP, then, when incorrectly-configured PCA ARPs for the MAC of PCB, the router will not reply, and PCA will never be able to communicate with PCB? That can't be correct...because PCA will have a default gateway pointing to the router. So PCA doesn't receive an ARP reply from anyone, and then the data can't be transferred? Or does the ARP reply time out, and then PCA sends the data to its default gateway, and the router then forwards the data to PCB?
  • james43026james43026 Member Posts: 303 ■■□□□□□□□□
    This article does a decent job of explaining proxy arp. And to answer your question, yes if host A believes that host B is on the same subnet, but proxy arp isn't enabled on the local default gateway, then communication between hosts would not occur, this is because host A that needs to send data, would have no MAC address to assign in it's ARP table for host B for the frame, and since it isn't destined for another network (at least from host A's perspective) it would have no reason to route the packet to it's default gateway. For example if host A was on the 192.168.1.0/16 network, then any traffic destined for any IP address in the range of 192.168.1.0/16 would simply be directed out of that connected interface. If host B was in another subnet but had 192.168.1.50/24 as an IP address, host A would simply calculate if 192.168.1.50 fits into the same subnet that it is currently in or not, when it sees that it should be, it will ARP for a MAC address, when no reply comes back, ultimately the packets will be dropped by host A.
  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    Regular ARP is 1-4 on your list. Number 5 is Proxy ARP. A router doesn't normally respond to ARP Requests for other devices. Normally, a PC would be configured with a default gateway. For any traffic destined to a different subnet, it would send the traffic to its default gateway. It would ARP for the MAC Address associated with the IP Address of its default gateway, not that of its destination. The exception is if the PC sees the destination as being on the same subnet as it. Then, it will attempt to ARP for it. In this case, without Proxy ARP noone would ever respond to the ARP request and the traffic would not be able to be sent.

    Proxy ARP is typically a kludge for bad network design/addressing. It allows the router to respond with its own IP address, allowing the PC to send the traffic. A scenario (that I have unfortunately run into) involves a PC being configured with a /8, while the router is configured with multiple /24 interfaces.

    For example, a PC is assigned the address 10.1.1.100/8 address (i.e. 255.0.0.0 subnet mask), but the router has interfaces on 10.1.1.0/24 and 10.1.2.0/24. If the PC attempts to send traffic to 10.1.1.101, all is fine because it is on the same subnet as viewed by the PC and can be reached without having to be routed. But, should 10.1.1.100 need to send traffic to 10.1.2.100, it would look at its subnet mask and think the destination is on the same subnet as it it, but in fact the destination can only be reached by routing it across the router. So, when it ARPs for 10.1.2.100 noone would respond. OTOH, if Proxy ARP were enabled, the router would respond with its MAC Address and the PC would send the traffic to it, where it would be routed to the 10.1.2.0/24 interface, and then to the destination.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • ebohlmanebohlman Member Posts: 26 ■■■□□□□□□□
    The classic case for proxy ARP is when you have two or more routers connected together via ethernet interfaces. If you have static or default routes that specify the outgoing interface rather than the next-hop router IP address, the routers will all need to run proxy ARP because otherwise they won't know what MAC addresses to send frames to (if the routes specified the next hop, the router could use ordinary ARP based on the next-hop address; if the routes only specify the interface number, the router has to do an ARP request for the destination address of the packet, which is unlikely to be on the LAN segment between the routers. Therefore the receiving router has to use proxy ARP to tell the sending router its own MAC address).
  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    ebohlman wrote: »
    The classic case for proxy ARP is when you have two or more routers connected together via ethernet interfaces. If you have static or default routes that specify the outgoing interface rather than the next-hop router IP address, the routers will all need to run proxy ARP because otherwise they won't know what MAC addresses to send frames to (if the routes specified the next hop, the router could use ordinary ARP based on the next-hop address; if the routes only specify the interface number, the router has to do an ARP request for the destination address of the packet, which is unlikely to be on the LAN segment between the routers. Therefore the receiving router has to use proxy ARP to tell the sending router its own MAC address).

    I didn't think about that one, but this is why in my CCIE materials, they say not to use the outgoing interface except on a point-to-point link. Otherwise, it will have to ARP for every destination. I think the INE workbook had a lab on this, where you had to resolve the problem without enabling proxy ARP (by adding a static ARP entry).
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • james43026james43026 Member Posts: 303 ■■□□□□□□□□
    Yeah, I like to look at this the way Cisco does, which is that any route that has an interface as the destination, is considered to be directly connected to that interface, even if it is a multi-access segment. And as such will try to arp for the MAC address of every single destination IP address that matches the static route, which in some cases could be several, especially if you use an interface in a default route, then you have a potential problem that could cripple your router, as the CPU utilization could skyrocket. And a static ARP entry for each possible destination would be a knightmare to configure for this one, not to mention that doing so would actually break the routing on other interfaces lol.
  • alemooalemoo Member Posts: 9 ■□□□□□□□□□
    Thanks everyone for the clarification. I believe there are situations using firewalls where one interface of the firewall has to be in the same subnet as another interface of your private network, in which case Proxy-Arp is required...it appears I have more reading on this situation ahead...
Sign In or Register to comment.