What is PROXY ARP?

Most of us are familiar with ARP and how it works. Proxy ARP was often used in networks more than 10 years ago.
It is not used in most scenarios nowadays, but we are going to learn how and where it can be used.

You may find many articles written about Proxy ARP, but very few of them are easy to understand at first. To understand this concept you may need to read more articles, but I’m trying my best to make this easy for you.

What is Proxy ARP?
Proxy ARP is a resolution method in which a node responds to an ARP request on behalf of other nodes. It comes into play when a node wants to send data from one network to another network. Devices that sit between two or more subnets can perform Proxy ARP.

Proxy ARP is not a malicious activity. It can also be used with the NAT (Network Address Translation) feature. Proxy ARP is really helpful if some of the nodes (router, PC) are not configured with a gateway and don’t have routing enabled.

Advantages:
– It can be added on a single router of a network and does not disturb the routing tables of other routers
– It can be used where hosts are not configured with a default gateway and routing

Disadvantages:
– Increases the amount of ARP traffic in the network
– No use if you don’t have devices that run ARP
– Hosts need a large ARP table to handle IP-to-MAC mapping

How Does Proxy ARP Work?
Let’s understand it with the example below.
As we already know, when a host sends data to another host within the same network, the source generates an ARP request for the other host’s IP address.
If a host wants to send data to a host that belongs to another network, the source host generates an ARP request for the default gateway’s IP address.

We have two subnets in the above diagram, 192.168.1.0/24 and 192.168.2.0/24, and a router sits between them.
PC-A is configured with 192.168.1.11 and subnet mask 255.255.255.0 and wants to send data to PC-C (192.168.2.11, subnet mask 255.255.255.0), which is on another network.

PC-B is configured with 192.168.1.12 and subnet mask 255.255.0.0, which is not the same mask as PC-A, but PC-B also wants to send data to PC-C (192.168.2.11, subnet mask 255.255.255.0), which is on another network.

PC-A and PC-B are both trying to send data to PC-C, which exists on a different network. When PC-A tries to send data to PC-C at 192.168.2.11, it knows that PC-C belongs to a different network, because PC-A considers only 192.168.1.1 to 192.168.1.255 to be part of its own network.

PC-A checks its ARP table for the MAC address of the destination. If it is not available, PC-A sends a traditional ARP request for the default gateway, 192.168.1.1, and the router replies to PC-A’s ARP request with its own MAC address.

This is how normal ARP works, but in the case of PC-B the result is different.

When PC-B tries to send data to PC-C, it considers PC-C to be on the same network, because with subnet mask 255.255.0.0 (/16 in CIDR) PC-B thinks that the IP addresses from 192.168.0.0 to 192.168.255.255 are all part of its own network.

PC-B therefore generates an ARP broadcast on the LAN for PC-C’s address instead of sending an ARP request for the default gateway. PC-B is not configured with a default gateway, and the ARP broadcast will never make it across the router to PC-C, so the ARP request gets no reply and goes unanswered.

This is where Proxy ARP comes into the picture: the router must be configured to reply to PC-B’s ARP request on behalf of PC-C.

When the router receives PC-B’s ARP broadcast and Proxy ARP is enabled on that interface, the router takes responsibility for sending the ARP reply and tells PC-B, in effect, “use my MAC address to reach PC-C”.
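The decision logic described above, as an added Python sketch (not code from the original article): a host ARPs for the destination itself when its own mask says the destination is on-link, and a router with Proxy ARP enabled answers for addresses it reaches through a different interface. The `Router` class, the function names and the connected-networks-only lookup are assumptions made for illustration; a real router consults its full routing table.

```python
import ipaddress

def arp_target(host_ip, mask, gateway, dest_ip):
    """IP address the host ARPs for when sending to dest_ip."""
    on_link = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    if ipaddress.ip_address(dest_ip) in on_link:
        return dest_ip      # host believes the destination is a neighbour
    return gateway          # off-link: resolve the default gateway instead

class Router:
    """Hypothetical model of how R1 in the lab answers ARP requests."""
    def __init__(self, interfaces, proxy_arp=()):
        # interfaces: name -> (ip, mask, mac); proxy_arp: names with proxy ARP on
        self.interfaces = interfaces
        self.proxy_arp = set(proxy_arp)

    def arp_reply(self, in_if, target_ip):
        """MAC returned for an ARP request heard on in_if, or None (silence)."""
        ip, _, mac = self.interfaces[in_if]
        if target_ip == ip:
            return mac                      # ordinary ARP for the router itself
        if in_if not in self.proxy_arp:
            return None                     # 'no ip proxy-arp': request goes unanswered
        target = ipaddress.ip_address(target_ip)
        for name, (o_ip, o_mask, _) in self.interfaces.items():
            if name == in_if:
                continue                    # never proxy for the requester's own segment
            if target in ipaddress.ip_network(f"{o_ip}/{o_mask}", strict=False):
                return mac                  # proxy reply carries the ingress interface MAC
        return None

# Addresses and MACs taken from the article's lab
IFACES = {
    "Fa0/0": ("192.168.1.1", "255.255.255.0", "aaaa.bbbb.0001"),
    "Fa0/1": ("192.168.2.1", "255.255.255.0", "cccc.dddd.0001"),
}

def resolve(host_ip, mask, gateway, dest_ip, proxy_on):
    """Return (IP the host ARPs for, MAC the router answers with or None)."""
    router = Router(IFACES, proxy_arp={"Fa0/0"} if proxy_on else ())
    target = arp_target(host_ip, mask, gateway, dest_ip)
    return target, router.arp_reply("Fa0/0", target)

if __name__ == "__main__":
    print("PC-A:", resolve("192.168.1.11", "255.255.255.0", "192.168.1.1", "192.168.2.11", False))
    print("PC-B, proxy off:", resolve("192.168.1.12", "255.255.0.0", "192.168.1.1", "192.168.2.11", False))
    print("PC-B, proxy on: ", resolve("192.168.1.12", "255.255.0.0", "192.168.1.1", "192.168.2.11", True))
```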

Proxy ARP Configuration Demo:

I’m using Cisco routers instead of using PCs. IPs are already set as per the diagram.
I’ve disabled IP routing on all PCs and set the default gateway as per the diagram. Proxy ARP is enabled on the router by default, but I’m gonna disable it until we ping from PC-B.

On PC-A and PC-B
PC-A(config)# no ip routing
PC-A(config)# ip default-gateway 192.168.1.1
PC-A(config)# interface FastEthernet0/0
PC-A(config-if)# ip address 192.168.1.11 255.255.255.0
PC-A(config-if)# mac-address 0011.aaaa.0011
PC-A(config-if)# no shutdown

PC-B(config)# no ip routing
PC-B(config)# ip default-gateway 192.168.1.1
PC-B(config)# interface FastEthernet0/0
! /16 mask as described above, so PC-B treats 192.168.2.11 as on-link
PC-B(config-if)# ip address 192.168.1.12 255.255.0.0
PC-B(config-if)# mac-address 0012.bbbb.0012
PC-B(config-if)# no shutdown

On PC-C and PC-D
PC-C(config)# no ip routing
PC-C(config)# ip default-gateway 192.168.2.1
PC-C(config)# interface FastEthernet0/0
PC-C(config-if)# ip address 192.168.2.11 255.255.255.0
PC-C(config-if)# mac-address 0011.cccc.0011
PC-C(config-if)# no shutdown

PC-D(config)# no ip routing
PC-D(config)# ip default-gateway 192.168.2.1
PC-D(config)# interface FastEthernet0/0
PC-D(config-if)# ip address 192.168.2.12 255.255.255.0
PC-D(config-if)# mac-address 0012.dddd.0012
PC-D(config-if)# no shutdown

On Router
R1(config)# interface FastEthernet0/0
R1(config-if)# mac-address aaaa.bbbb.0001
R1(config-if)# ip address 192.168.1.1 255.255.255.0
! Proxy ARP is on by default; turn it off for the first tests
R1(config-if)# no ip proxy-arp
R1(config-if)# no shutdown
R1(config-if)# interface FastEthernet0/1
R1(config-if)# mac-address cccc.dddd.0001
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# no shutdown

Let’s verify the current ARP table of PC-A

PC-A# show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  192.168.1.11            –   0011.aaaa.0011  ARPA   FastEthernet0/0

We can see that PC-A doesn’t have the MAC address of any destination in its ARP table. At this initial stage it has only one entry, which is its own directly connected interface.

Let’s enable debugging on PC-A, Router, and on PC-C.

PC-A# debug arp

ARP packet debugging is on

R1# debug arp

ARP packet debugging is on

PC-C# debug arp

ARP packet debugging is on

PC-A# show ip route

Default gateway is 192.168.1.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

PC-B# show ip route

Default gateway is 192.168.1.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

R1# show ip route

Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP

D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2

ia – IS-IS inter area, * – candidate default, U – per-user static route

o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0

C    192.168.2.0/24 is directly connected, FastEthernet0/1

We can see that the PCs have been properly configured with the default gateway. Now it’s time to ping from PC-A to PC-C. Once the ping starts, the devices will generate some ARP messages. Have a closer look at these logs on PC-A, the router and PC-C.

PC-A# ping 192.168.2.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.11, timeout is 2 seconds:

*Mar  1 00:33:15.627: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0

*Mar  1 00:33:15.627: IP ARP: sent req src 192.168.1.11 0011.aaaa.0011,

dst 192.168.1.1 0000.0000.0000 FastEthernet0/0

*Mar  1 00:33:15.647: IP ARP: rcvd rep src 192.168.1.1 aaaa.bbbb.0001, dst 192.168.1.11 FastEthernet0/0.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 40/41/44 ms

The above result is self-explanatory: PC-A is asking the router for its MAC address in order to reach PC-C.

The router sends an ARP reply with its MAC address, then the router generates a new ARP request towards PC-C.

R1#

*Mar  1 00:33:16.923: IP ARP: rcvd req src 192.168.1.11 0011.aaaa.0011, dst 192.168.1.1 FastEthernet0/0

*Mar  1 00:33:16.927: IP ARP: sent rep src 192.168.1.1 aaaa.bbbb.0001,

dst 192.168.1.11 0011.aaaa.0011 FastEthernet0/0

R1#

*Mar  1 00:33:17.959: IP ARP: rcvd req src 192.168.2.11 0011.cccc.0011, dst 192.168.2.1 FastEthernet0/1

*Mar  1 00:33:17.959: IP ARP: sent rep src 192.168.2.1 cccc.dddd.0001,

dst 192.168.2.11 0011.cccc.0011 FastEthernet0/1

PC-C#

*Mar  1 00:33:14.083: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0

*Mar  1 00:33:14.083: IP ARP: sent req src 192.168.2.11 0011.cccc.0011,

dst 192.168.2.1 0000.0000.0000 FastEthernet0/0

*Mar  1 00:33:14.087: IP ARP throttled out the ARP Request for 192.168.2.1

*Mar  1 00:33:14.107: IP ARP: rcvd rep src 192.168.2.1 cccc.dddd.0001, dst 192.168.2.11 FastEthernet0/0

PC-C#

PC-A is able to communicate with PC-C using the router as a gateway. This is how the normal ARP process works.

Now let’s understand how Proxy ARP is used. This time I’m gonna ping from PC-B to PC-C and, as we know, Proxy ARP is disabled on the interface.

PC-B# ping 192.168.2.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.11, timeout is 2 seconds:

*Mar  1 00:35:34.359: IP ARP: creating incomplete entry for IP address: 192.168.2.11 interface FastEthernet0/0

*Mar  1 00:35:34.359: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:35:35.359: IP ARP throttled out the ARP Request for 192.168.2.11.

*Mar  1 00:35:36.359: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:35:37.359: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:37.359: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:38.359: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:35:39.359: IP ARP throttled out the ARP Request for 192.168.2.11.

*Mar  1 00:35:40.359: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:35:40.359: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:41.363: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:42.363: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0.

*Mar  1 00:35:43.363: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:43.363: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:44.363: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0.

*Mar  1 00:35:45.363: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:46.363: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:35:46.367: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:47.367: IP ARP throttled out the ARP Request for 192.168.2.11

*Mar  1 00:35:48.367: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0.

Success rate is 0 percent (0/5)

PC-B#

*Mar  1 00:35:49.367: IP ARP throttled out the ARP Request for 192.168.2.11

The above result shows that PC-B is not able to get across the router to PC-C, because PC-B thinks that PC-C is connected to the same subnet and generates an ARP broadcast for it.

R1#

*Mar  1 00:35:36.915: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:38.935: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:40.935: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:42.923: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:44.919: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:46.943: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:48.911: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

*Mar  1 00:35:50.931: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

R1#

In the above result, the router receives the ARP broadcast from PC-B, but it neither replies nor forwards it to the other network.

Now let’s enable Proxy ARP on the router and see the magic happen.

R1# conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#int fa0/0

R1(config-if)#ip proxy-arp

Once we have configured it, let’s verify whether Proxy ARP is enabled on the interface, using the command below.

R1#show ip interface fa0/0

FastEthernet0/0 is up, line protocol is up

Internet address is 192.168.1.1/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound  access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Now we can try pinging from PC-B to PC-C

PC-B# ping 192.168.2.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/246/1060 ms

PC-B#

*Mar  1 00:39:56.879: IP ARP: creating incomplete entry for IP address: 192.168.2.11 interface FastEthernet0/0

*Mar  1 00:39:56.879: IP ARP: sent req src 192.168.1.12 0012.bbbb.0012,

dst 192.168.2.11 0000.0000.0000 FastEthernet0/0

*Mar  1 00:39:56.927: IP ARP: rcvd rep src 192.168.2.11 aaaa.bbbb.0001, dst 192.168.1.12 FastEthernet0/0

PC-B#

PC-B# show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  192.168.2.11           92   aaaa.bbbb.0001  ARPA   FastEthernet0/0

Internet  192.168.1.12            –   0012.bbbb.0012  ARPA   FastEthernet0/0

This time the ARP table of PC-B has been updated: in the above output, the entry for the destination 192.168.2.11 holds the MAC address of the router.

R1#

*Mar  1 00:39:59.455: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0

*Mar  1 00:39:59.455: IP ARP: sent rep src 192.168.2.11 aaaa.bbbb.0001,

dst 192.168.1.12 0012.bbbb.0012 FastEthernet0/0

PC-C#

*Mar  1 00:41:23.343: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0

*Mar  1 00:41:23.343: IP ARP: sent req src 192.168.2.11 0011.cccc.0011,

dst 192.168.2.1 0000.0000.0000 FastEthernet0/0

*Mar  1 00:41:23.347: IP ARP throttled out the ARP Request for 192.168.2.1

*Mar  1 00:41:23.359: IP ARP: rcvd rep src 192.168.2.1 cccc.dddd.0001, dst 192.168.2.11 FastEthernet0/0

PC-C#

In the above result, we can see that this time PC-B can get across the router to PC-C. Proxy ARP is functioning and the router is replying to ARP on behalf of PC-C.
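To audit which hosts depend on Proxy ARP, the router's `debug arp` output can be scanned for replies whose source IP is not one of the router's own addresses. The following is an added Python example, not part of the original article; the sample lines are copied from R1's output on this page, and the function names are assumptions.

```python
import re

# Router-side lines copied from the R1 `debug arp` output on this page
SAMPLE = """\
*Mar  1 00:33:16.927: IP ARP: sent rep src 192.168.1.1 aaaa.bbbb.0001,
dst 192.168.1.11 0011.aaaa.0011 FastEthernet0/0
*Mar  1 00:35:36.915: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0
*Mar  1 00:39:59.455: IP ARP: rcvd req src 192.168.1.12 0012.bbbb.0012, dst 192.168.2.11 FastEthernet0/0
*Mar  1 00:39:59.455: IP ARP: sent rep src 192.168.2.11 aaaa.bbbb.0001,
dst 192.168.1.12 0012.bbbb.0012 FastEthernet0/0
"""

SENT_REP = re.compile(
    r"IP ARP: sent rep src (?P<src_ip>[\d.]+) (?P<src_mac>[0-9a-f.]+),\s*"
    r"dst (?P<dst_ip>[\d.]+) (?P<dst_mac>[0-9a-f.]+) (?P<ifname>[A-Za-z]+[\d/]+)"
)

def join_wrapped(text):
    """IOS wraps 'sent' lines before 'dst'; glue continuation lines back on."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("*") or not records:
            records.append(line)            # a timestamped line starts a new record
        else:
            records[-1] += " " + line       # continuation of the previous record
    return records

def proxy_replies(text, router_ips):
    """Replies the router sent for an IP it does not own: (requester, proxied IP, MAC, interface)."""
    found = []
    for record in join_wrapped(text):
        m = SENT_REP.search(record)
        if m and m["src_ip"] not in router_ips:
            found.append((m["dst_ip"], m["src_ip"], m["src_mac"], m["ifname"]))
    return found

if __name__ == "__main__":
    for requester, proxied, mac, ifname in proxy_replies(SAMPLE, {"192.168.1.1", "192.168.2.1"}):
        print(f"{requester} on {ifname} was told {proxied} is at {mac} (proxy reply)")
```

Each requester this reports is a host whose mask or gateway setting should be checked, since it stops reaching the proxied address as soon as `no ip proxy-arp` is applied to that interface.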

This was the basic configuration of Proxy ARP on a Cisco router. Proxy ARP can also be used with NAT on a firewall, and I will cover that in a different article.

I hope this has been informative for you.