Local Proxy ARP

In my last posts, I’ve explained ARP, Proxy-ARP and Gratuitous ARP and Now its turn to explain Local Proxy ARP.

What is Local-Proxy ARP?
Local-Proxy is a resolution process which works within the same IP subnet. Local Proxy ARP is disabled by default in a most of the network devices. It is used in the special type of network scenarios. Local Proxy ARP enables a node (Router or Switch) to answer ARP request on behalf of other nodes on the same subnet.

Where do we need Proxy-ARP?
– If we have got the network with Private VLAN and we want communication between Private VLANs.
– It is used in FTTH network where subscribers should not directly communicate but it can be possible through Router.

Primary it is used when the hosts in a layer 2 network are separated by Private VLANs or some other methods but we still want to make communication between separated VLAN’s hosts.

Requirements of Local-Proxy ARP:
– Proxy ARP must be enabled first. (Proxy ARP is enabled by default)
– ICMP Redirect will get disabled automatically when we enable Local Proxy ARP on the interface.
– Layer 3 interface

Imagine a scenario where layer 2 networks are separated by Private VLAN, Primary VLAN is 100, You have PC-A and PC-B in Community VLAN10, PC-C is in isolated VLAN20 and R1 is connected to the Promiscuous port.
All these devices are in

Secondary Community VLAN 10

PC-A –

PC-B –

Note – It allows to send and receive layer 2 data frame to any port in the same community and to Promiscuous port

Secondary Isolated VLAN 20

PC-C –

Note – It allows to communicate with Promiscuous port only

Promiscuous Port

R1 –

Note – This is the port where Router connects. It allows sending the data frame to both Community and Isolated ports

PC-A and PC-B can reach each other without R1’s involvement because they belong to the same community VLAN. PC-C the member of Isolated VLAN and can only ping R1.
R1 – Router is connected to promiscuous mode port so it can communicate with all VLANs ( Community, Isolated)

Now if we want to ping PC-A and PC-C, As a source PC-A will send an ARP broadcast asking that who is Tell the MAC address. R1 will hear this ARP broadcast request on its layer 3 interface but It will keep silent and no action will be taken. R1 never passes the ARP broadcast in the different broadcast domain.

PC-A will never get the response because PC-C is in different Private VLAN (but not in different IP Subnet) and the router is not taking any responsibility to make it across to PC-C. This is where Local-Proxy comes in the picture.

If we enable Local-Proxy ARP on R1’s interface then It becomes possible to take the ARP request on behalf of PC-A and send it to PC-C but this will not keep community VLAN and Isolated VLAN separate. Local-Proxy ARP can be enabled to make communication between different Private VLAN but Private VLAN will lose visibility in this case. The administrator has to enable manual filtering on R1 to decide which traffic would be allowed in which VLAN as per his design plan.

The configuration of Local-Proxy ARP on Cisco Router IOS:

R1# enable

R1(config)# interface <if-name>

R1(config)# ip local-proxy-arp

To verify whether Local Proxy-ARP is enabled on the interface or not use the following commands
# show interface <if-name>

I hope this has been informative for you. If it seems helpful then Like, Share and Don’t forget to subscribe to my channel




Write a Message