Thursday, February 5, 2015

Proxy Arp

Experimenting with Proxy-ARP

After reading a little about proxy ARP, I wanted to experiment with it. Proxy-ARP is enabled on some routers by default. The idea is that it allows devices on 2 different subnets to talk to each other without a default gateway being configured on either host!
LAB
This lab was set up on GNS3. R1 and R3 are routers, however, we are going to emulate them as hosts by disabling ip routing. So envision this as 2 hosts (R1 & R3) connecting to 1 router (R2).

Let’s set this up ready for testing.
R1#
!
no ip routing
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
!
//notice we haven't configured a default gateway for this host
R2#
interface FastEthernet0/0
 description connections to R1
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
 description connections to R3
 ip address 10.10.10.1 255.255.255.0
!
R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1             -   cc01.0e1c.0001  ARPA   FastEthernet0/1
Internet  192.168.0.1            -   cc01.0e1c.0000  ARPA   FastEthernet0/0
R3#
no ip routing
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
!
R3#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2             -   cc02.116c.0001  ARPA   FastEthernet0/1

//notice we haven't configured a default gateway for this host
So let’s try and ping from R1 to R3 without a default gateway configured either side.
R1#ping 10.10.10.2

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              -   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
The MAC address for 10.10.10.2 is actually the MAC address of our router R2’s fa0/0 interface (as opposed to the MAC of our host R3). Let’s verify this by checking the MAC for R2’s fa0/0 interface.
R2#sh int fa0/0 | i bia
  Hardware is AmdFE, address is cc01.0e1c.0000 (bia cc01.0e1c.0000)
Cool. This means our ping from R1 to R3 was actually proxy-arp'd by our router R2 (i.e. R2 answered R1's ARP request for 10.10.10.2 with its own fa0/0 MAC and then arp'd R3 for us. He can do this because he knows the destination network is directly connected off one of his interfaces). So if we disable proxy-arp on R2, the ping from R1->R3 should be unsuccessful! At this point, I've now cleared the arp-cache by using #clear arp on each of the three devices so that we don't use any old arp entries.
R2(config)#interface FastEthernet0/1
R2(config-if)#no ip proxy-arp

R2(config)#interface FastEthernet0/0
R2(config-if)#no ip proxy-arp
R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              0   Incomplete      ARPA
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
Good. The incomplete ARP entry indicates that R1 sent an ARP request for 10.10.10.2 but never received a reply, since R3 is on another subnet and R2 is no longer answering on its behalf. Because we removed proxy-arp we now need to add a default gateway on both R1 & R3 in order for this to work!
R3(config)#ip default-gateway 10.10.10.1
R1(config)#ip default-gateway 192.168.0.1

R1#ping 10.10.10.2

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
Now we see the configuration working as it should without proxy arp. When we ping an address on another subnet, our host (R1) knows it needs to use its default gateway. It sends a broadcast ARP to find the MAC of the gateway so that it is able to pass the frame onto R2. R2 looks up his routing table to see that the 10.10.10.0/24 network is directly connected via fa0/1. He then broadcast ARPs for the MAC assigned to 10.10.10.2 and passes the frame onto R3. Because of the route-lookup, we are working at layer 3 on the router. This means we are no longer sending broadcast frames at layer 2 across different subnets.
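To make the three runs above comparable side by side, here is a small Python model of the lab, added as an example and not part of the original post. It models only R2 as an ARP responder (hosts on the receiving subnet are assumed to answer for themselves), the proxy-ARP reply rule and the host's next-hop choice are simplified assumptions, and the addresses and MACs are the ones from the lab.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Iface:
    addr: str                # CIDR address, e.g. "192.168.0.1/24"
    mac: str
    proxy_arp: bool = True   # IOS default; "no ip proxy-arp" clears it per interface

@dataclass
class Router:
    ifaces: List[Iface]
    def arp_reply(self, rx: Iface, target: str) -> Optional[str]:
        """MAC sent in reply to an ARP request for `target` heard on `rx`, or None."""
        tgt, own = ipaddress.ip_address(target), ipaddress.ip_interface(rx.addr)
        if tgt == own.ip:                # router's own address: ordinary ARP reply
            return rx.mac
        if tgt in own.network or not rx.proxy_arp:
            return None                  # on-link target (hosts answer themselves) or proxy-arp off
        # Off-subnet target: proxy-reply with the *receiving* interface's MAC, but only if
        # the router has a route to it (here, a directly connected network on another interface).
        for other in self.ifaces:
            if other is not rx and tgt in ipaddress.ip_interface(other.addr).network:
                return rx.mac
        return None

@dataclass
class Host:
    addr: str
    gateway: Optional[str] = None
    arp_cache: Dict[str, str] = field(default_factory=dict)
    def next_hop(self, dst: str) -> str:
        """ARP target: the destination itself if on-link or no gateway is set, else the gateway."""
        on_link = ipaddress.ip_address(dst) in ipaddress.ip_interface(self.addr).network
        return dst if on_link or self.gateway is None else self.gateway

    def ping(self, dst: str, router: Router, link: Iface) -> bool:
        hop = self.next_hop(dst)
        mac = router.arp_reply(link, hop)
        self.arp_cache[hop] = mac or "Incomplete"   # what "sh arp" shows on R1
        return mac is not None

def scenario(proxy_arp: bool, gateway: Optional[str]):
    """Rebuild the lab: R1 (192.168.0.2/24) pings R3 (10.10.10.2) through R2 (assumed model)."""
    fa00 = Iface("192.168.0.1/24", "cc01.0e1c.0000", proxy_arp)   # R2 fa0/0
    fa01 = Iface("10.10.10.1/24", "cc01.0e1c.0001", proxy_arp)    # R2 fa0/1
    r1 = Host("192.168.0.2/24", gateway)
    reachable = r1.ping("10.10.10.2", Router([fa00, fa01]), fa00)
    return reachable, dict(r1.arp_cache)
```

scenario(True, None) returns R2's fa0/0 MAC cc01.0e1c.0000 as the entry for 10.10.10.2, the same thing R1's ARP table showed in the first run, while scenario(False, None) leaves it Incomplete and scenario(False, "192.168.0.1") ARPs for the gateway instead. The runs also make the trade-off visible: with proxy ARP on, R1 accepts R2's answer for any off-link address, so R1's ARP table no longer tells you which hosts are actually on its own segment.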
