Proxy ARP

I have a client who has a cisco router provided by a 3rd party goverment agency. This router has proxy arp enabled on the local network interface. I've been unsuccesful in finding anyone at the agency that knows enough to disable the 'feature' on their router.

Can anyone thing of anything I can do to mitigate the effects of the proxy arp service from the switch?

The clients network is configured as 172.16.0.0/16 if any of the clients on 172.16.0.0 - 172.16.0.255 attempt to access a server with anything but a 0 in the 3rd octet or any thing in another ip range the router responds with its mac address causing a failure to communicate between two devices.

This is not as horrible as it might have been as I've been able to come up with solutions here and there to mitigate the effects however a more complete solution would be helpful as the issue is always causing some minor headache.

I've got a couple of options on the switch to connect to. It's currently connected to a Linksys managed 48port but there is also a older Cisco switch in the stack that could be leveraged if needed.
LVL 1
a3b2c1r46Asked:
Who is Participating?
 
Istvan KalmarHead of IT Security Division Commented:
Hi,

To disable the following need to you:

conf tno ip gratuitous-arps
0
 
Don JohnstonInstructorCommented:
>This router has proxy arp enabled on the local network interface

>Can anyone thing of anything I can do to mitigate the effects of the proxy arp service from the switch?

Not sure what you're looking for here.

1) Is it a router or a switch?
2) Do you want to disable proxy arp? ("no ip proxy-arp" in interface config mode)

Proxy ARP is used when devices can't be configured with a default gateway or you have a really screwy network topology (i.e. inconsistent masks).

0
 
asdlkfCommented:
i'm not sure of the answer, but i think the question is:


[cloud]----[ISP Router in question that we have no login to]----[our equipment]


ISP Router has proxy arps enabled; our equipment is getting spammed

how do we get our equipment to ignore the ISP's proxy arps...
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Don JohnstonInstructorCommented:
Wow... That would be a scary scenario. :-o

I don't think that's it though. In the original post it states

"This router has proxy arp enabled on the local network interface."

I interpret that to mean proxy arp is enabled on the LAN (or inside) interface. This would mean that ARPs created by local machines for outside networks are being replied to by the router.

But then again, without clarification by the author, we don't really know.


0
 
asdlkfCommented:
Well; Author:

either "no ip gratuitious-arps" with credit to ikalmar; or; let us know what the heck your asking :P
0
 
a3b2c1r46Author Commented:
ok; clarification on the question.

The router has proxy arp enabled and is spamming arp replies each time any of my clients does a arp broadcast.

Say client 172.16.0.5 is looking for 172.16.13.12 (MAC 00 00 00 00 01) the router will reply to the arp request with its MAC address say 00 00 00 00 99. This of course updates the hosts arp table and since there is really no 172.16.13.12 address on the 99 mac address the connection ie ping fails. Eventually if you ping or w/e to make enough connection attempts you can get the reply from the correct device into the arp table and everything works find. Of course I could add static arp mappings but this is a medium size network and that is only a minimal solution.

Like I said... I've moved stuff around enough to where it's not a huge super problem but I would like to know if there is a solution.

Again the router with proxy arp turned on is a 3rd party with an admin asleep at the helm or retired or something. Otherwise we could get into and fix the problem in two shakes with the no proxy-arp command.
0
 
a3b2c1r46Author Commented:
basically what I want to know if there is a way to block these excessive arp replies at the switch the router is connected to since I can't disable them at the origin
0
 
a3b2c1r46Author Commented:
Post ID: 26153134 from asdlkf is right on target

[random network]  -- [router out of our control]  -- [ our network]

And yea... it it wasn't for some of the other particulars of this network it would be a bad scenario. I considered disconnecting the line to force someone to get on the phone to talk with me about it but I consider that as a last resort.
0
 
Don JohnstonInstructorCommented:
What kind of switch is connected to this router?

The problem with fixing this with an ACL is that it's going to be real difficult to write it so that it blocks the proxy replies from the router and not from the legitimate devices while allowing the specific replies from the router.

I would execute your last resort measure. :-)
0
 
a3b2c1r46Author Commented:
Same end answer I started with but thanks for thinking about it with me anyway.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.