a3b2c1r46
Proxy ARP

I have a client who has a Cisco router provided by a 3rd-party government agency. This router has proxy ARP enabled on the local network interface. I've been unsuccessful in finding anyone at the agency who knows enough to disable the 'feature' on their router.

Can anyone think of anything I can do to mitigate the effects of the proxy ARP service from the switch?

The client's network is configured as 172.16.0.0/16. If any of the clients on 172.16.0.0 - 172.16.0.255 attempt to access a server with anything but a 0 in the 3rd octet, or anything in another IP range, the router responds with its MAC address, causing a failure to communicate between the two devices.

This is not as horrible as it might have been, as I've been able to come up with solutions here and there to mitigate the effects; however, a more complete solution would be helpful, as the issue is always causing some minor headache.

I've got a couple of options on the switch to connect to. It's currently connected to a Linksys managed 48-port, but there is also an older Cisco switch in the stack that could be leveraged if needed.
ASKER CERTIFIED SOLUTION
Istvan Kalmar

Wow... That would be a scary scenario. :-o

I don't think that's it though. In the original post it states

"This router has proxy arp enabled on the local network interface."

I interpret that to mean proxy arp is enabled on the LAN (or inside) interface. This would mean that ARPs created by local machines for outside networks are being replied to by the router.

But then again, without clarification by the author, we don't really know.


asdlkf

Well; Author:

either "no ip gratuitous-arps" with credit to ikalmar; or; let us know what the heck you're asking :P
a3b2c1r46 (ASKER)

OK; clarification on the question.

The router has proxy ARP enabled and is spamming ARP replies each time any of my clients does an ARP broadcast.

Say client 172.16.0.5 is looking for 172.16.13.12 (MAC 00 00 00 00 01); the router will reply to the ARP request with its MAC address, say 00 00 00 00 99. This of course updates the host's ARP table, and since there is really no 172.16.13.12 address on the 99 MAC address, the connection (i.e. ping) fails. Eventually, if you ping or whatever to make enough connection attempts, you can get the reply from the correct device into the ARP table and everything works fine. Of course I could add static ARP mappings, but this is a medium-size network and that is only a minimal solution.

Like I said... I've moved stuff around enough to where it's not a huge super problem but I would like to know if there is a solution.

Again, the router with proxy ARP turned on belongs to a 3rd party with an admin asleep at the helm, or retired, or something. Otherwise we could get in and fix the problem in two shakes with the no proxy-arp command.
Basically, what I want to know is whether there is a way to block these excessive ARP replies at the switch the router is connected to, since I can't disable them at the origin.
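An added detection example, not from the thread or any of its posters, for the symptom the asker describes: it parses constructed tcpdump-style ARP reply lines and reports addresses claimed by more than one MAC (the cache flip-flop) and MACs that answer for many addresses inside the local /16, which is how the router's proxy ARP looks on the wire. The router MAC, host addresses and sample lines are all made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in tcpdump-style "Reply <ip> is-at <mac>" form. The MAC
# ending in :99 stands in for the router; the hosts and MACs are made up.
SAMPLE_REPLIES = """\
ARP, Reply 172.16.13.12 is-at 00:00:00:00:00:99, length 28
ARP, Reply 172.16.13.12 is-at 00:00:00:00:00:01, length 28
ARP, Reply 172.16.20.7 is-at 00:00:00:00:00:99, length 28
ARP, Reply 172.16.20.7 is-at 00:00:00:00:00:02, length 28
ARP, Reply 172.16.0.1 is-at 00:00:00:00:00:99, length 28
ARP, Reply 172.16.0.8 is-at 00:00:00:00:00:03, length 28
ARP, Reply 172.16.44.2 is-at 00:00:00:00:00:99, length 28
"""

LOCAL_NET = ip_network("172.16.0.0/16")  # the client's network from the question
REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)


def parse_replies(text):
    """Return (ip, mac) pairs from tcpdump-style ARP reply lines."""
    return [(ip_address(m.group(1)), m.group(2).lower())
            for m in map(REPLY_RE.search, text.splitlines()) if m]


def conflicting_ips(replies):
    """IPs that more than one MAC claimed: the symptom in the question, where a
    host's ARP cache flips between the router and the real device."""
    macs_for = defaultdict(set)
    for ip, mac in replies:
        macs_for[ip].add(mac)
    return {str(ip): macs for ip, macs in macs_for.items() if len(macs) > 1}


def suspected_proxy_arp(replies, local_net=LOCAL_NET, min_ips=3):
    """MACs that answered for at least min_ips distinct addresses inside
    local_net. A host normally answers only for its own address(es), so one
    MAC covering many local IPs is the proxy-ARP signature; the threshold is
    a heuristic (a device with several secondary IPs also trips it)."""
    ips_for = defaultdict(set)
    for ip, mac in replies:
        if ip in local_net:
            ips_for[mac].add(ip)
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in ips_for.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_REPLIES)
    print("conflicting IPs:", conflicting_ips(replies))
    print("suspected proxy ARP:", suspected_proxy_arp(replies))
```

Running it against the real network means feeding it output from something like `tcpdump -n arp` on a mirror port of the switch; the MAC flagged by `suspected_proxy_arp` is the one whose replies the switch-side mitigation would have to target.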
Post ID: 26153134 from asdlkf is right on target

[random network]  -- [router out of our control]  -- [ our network]

And yeah... if it wasn't for some of the other particulars of this network it would be a bad scenario. I considered disconnecting the line to force someone to get on the phone to talk with me about it, but I consider that a last resort.
What kind of switch is connected to this router?

The problem with fixing this with an ACL is that it's going to be really difficult to write it so that it blocks the proxy replies from the router and not from the legitimate devices, while still allowing the specific replies from the router.

I would execute your last resort measure. :-)
Same end answer I started with but thanks for thinking about it with me anyway.