Solved

Proxy ARP

Posted on 2009-12-30
Last Modified: 2012-05-08
I have a client who has a Cisco router provided by a 3rd party government agency. This router has proxy ARP enabled on the local network interface. I've been unsuccessful in finding anyone at the agency that knows enough to disable the 'feature' on their router.

Can anyone think of anything I can do to mitigate the effects of the proxy ARP service from the switch?

The client's network is configured as 172.16.0.0/16. If any of the clients on 172.16.0.0 - 172.16.0.255 attempt to access a server with anything but a 0 in the 3rd octet, or anything in another IP range, the router responds with its MAC address, causing a failure to communicate between the two devices.

This is not as horrible as it might have been, as I've been able to come up with solutions here and there to mitigate the effects; however, a more complete solution would be helpful, as the issue is always causing some minor headache.

I've got a couple of options on the switch to connect to. It's currently connected to a Linksys managed 48-port, but there is also an older Cisco switch in the stack that could be leveraged if needed.
Question by:a3b2c1r46
10 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 668 total points
ID: 26152091
Hi,

To disable it, you need the following:

conf t
no ip gratuitous-arps
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 668 total points
ID: 26153030
>This router has proxy arp enabled on the local network interface

>Can anyone think of anything I can do to mitigate the effects of the proxy arp service from the switch?

Not sure what you're looking for here.

1) Is it a router or a switch?
2) Do you want to disable proxy arp? ("no ip proxy-arp" in interface config mode)

Proxy ARP is used when devices can't be configured with a default gateway or you have a really screwy network topology (i.e. inconsistent masks).

0
 
LVL 11

Assisted Solution

by:asdlkf
asdlkf earned 664 total points
ID: 26153134
I'm not sure of the answer, but I think the question is:


[cloud]----[ISP Router in question that we have no login to]----[our equipment]


ISP Router has proxy arps enabled; our equipment is getting spammed

how do we get our equipment to ignore the ISP's proxy arps...
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 26153157
Wow... That would be a scary scenario. :-o

I don't think that's it though. In the original post it states

"This router has proxy arp enabled on the local network interface."

I interpret that to mean proxy arp is enabled on the LAN (or inside) interface. This would mean that ARPs created by local machines for outside networks are being replied to by the router.

But then again, without clarification by the author, we don't really know.


0
 
LVL 11

Expert Comment

by:asdlkf
ID: 26153242
Well; Author:

Either "no ip gratuitous-arps", with credit to ikalmar, or let us know what the heck you're asking :P
0
 
LVL 1

Author Comment

by:a3b2c1r46
ID: 26155658
OK; clarification on the question.

The router has proxy ARP enabled and is spamming ARP replies each time any of my clients does an ARP broadcast.

Say client 172.16.0.5 is looking for 172.16.13.12 (MAC 00 00 00 00 01); the router will reply to the ARP request with its MAC address, say 00 00 00 00 99. This of course updates the host's ARP table, and since there is really no 172.16.13.12 address on the 99 MAC address, the connection, i.e. ping, fails. Eventually, if you ping or w/e to make enough connection attempts, you can get the reply from the correct device into the ARP table and everything works fine. Of course I could add static ARP mappings, but this is a medium size network and that is only a minimal solution.

Like I said... I've moved stuff around enough to where it's not a huge super problem, but I would like to know if there is a solution.

Again, the router with proxy ARP turned on is a 3rd party's, with an admin asleep at the helm or retired or something. Otherwise we could get into it and fix the problem in two shakes with the no proxy-arp command.
0
 
LVL 1

Author Comment

by:a3b2c1r46
ID: 26155665
Basically, what I want to know is if there is a way to block these excessive ARP replies at the switch the router is connected to, since I can't disable them at the origin.
0
 
LVL 1

Author Comment

by:a3b2c1r46
ID: 26155687
Post ID: 26153134 from asdlkf is right on target.

[random network]  -- [router out of our control]  -- [ our network]

And yeah... if it wasn't for some of the other particulars of this network it would be a bad scenario. I considered disconnecting the line to force someone to get on the phone to talk with me about it, but I consider that a last resort.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 26155914
What kind of switch is connected to this router?

The problem with fixing this with an ACL is that it's going to be real difficult to write it so that it blocks the proxy replies from the router and not from the legitimate devices while allowing the specific replies from the router.

I would execute your last resort measure. :-)
0
 
LVL 1

Author Closing Comment

by:a3b2c1r46
ID: 31671510
Same end answer I started with but thanks for thinking about it with me anyway.
0
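
The match condition the thread is circling, as an added example that is not part of any post above: an ARP reply is a proxy reply when the router's MAC appears as the ARP sender hardware address while the sender protocol address is anything other than the router's own IP. The router IP 172.16.0.1 and the full MAC addresses are assumptions made for illustration, and whether either switch mentioned in the thread can enforce such a rule is not established on this page.

```python
import ipaddress
import struct

# Assumed values for illustration; the thread gives no real router addresses.
ROUTER_MAC = "00:00:00:00:00:99"
ROUTER_IP = "172.16.0.1"

def build_arp_reply(sha, spa, tha, tpa):
    """Construct an Ethernet/ARP reply frame (test data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    eth = mac(tha) + mac(sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # oper 2 = reply
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = str(ipaddress.IPv4Address(frame[28:32]))
    return oper, sha, spa

def verdict(frame):
    """'drop' for a reply where the router's MAC claims an IP other than its own."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "pass"      # not ARP: out of scope for this filter
    oper, sha, spa = parsed
    if oper == 2 and sha == ROUTER_MAC and spa != ROUTER_IP:
        return "drop"      # proxy reply: router answering for another host
    return "pass"          # real hosts, and the router speaking for itself

# Constructed frames modelled on the author's example (client 172.16.0.5
# asking for 172.16.13.12); the MAC addresses are made up.
CLIENT = ("00:00:00:00:00:05", "172.16.0.5")
FRAMES = {
    "proxy": build_arp_reply(ROUTER_MAC, "172.16.13.12", *CLIENT),
    "real_host": build_arp_reply("00:00:00:00:00:01", "172.16.13.12", *CLIENT),
    "router_own": build_arp_reply(ROUTER_MAC, ROUTER_IP, *CLIENT),
}
RESULTS = {name: verdict(frame) for name, frame in FRAMES.items()}
```

Only the first constructed frame is dropped; the legitimate host's reply for 172.16.13.12 and the router's reply for its own address both pass, so clients can still resolve the gateway.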
