ARP Proxy Explained [with GNS3 Lab Configuration Example]
What is ARP Proxy
Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for routing packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.
Lab Topology
PC configurations:
PC1:
PC2:
PC3:
When PC1 wants to communicate with PC3, it first broadcasts an ARP request for the MAC address of the gateway 10.0.1.254 (since PC3 is on another subnet):
The router R1 (interface f0/0) responds to the ARP request, and PC1 is then able to communicate with PC3:
PC1 can ping PC3:
Why do we need ARP Proxy:
The previous example was normal ARP behavior. Now let's try to communicate from PC2 to PC3. As you can see in the topology, PC2 was configured with a /16 subnet mask.
So when communicating with PC3, PC2 concludes that PC3 is on the same subnet and broadcasts an ARP request for PC3's IP 10.0.2.30 (not for the gateway IP).
To see the issue, I will first disable ARP Proxy on the router R1 interface f0/0 (because ARP Proxy is usually enabled by default on Cisco routers):
R1(config)#int f0/0
R1(config-if)#no ip proxy-arp
- Now, let’s try to ping from PC2 to PC3:
As expected, PC2 sent an ARP request for 10.0.2.30 (PC3). In reality PC3 is on a different network, so the ARP request never reached PC3, and therefore there is no communication from PC2 to PC3:
ARP Proxy Configuration
Now, we will enable ARP proxy on the router interface f0/0, and check the behavior again:
R1(config)#int f0/0
R1(config-if)#ip proxy-arp
We start the ping again from PC2 to PC3:
Communication now works between PC2 and PC3, but let's see what is actually happening:
- An ARP request is broadcast by PC2 for PC3's IP (10.0.2.30).
- Router R1 (interface f0/0) responds to the ARP request with its own MAC address.
Since we have activated ARP Proxy on the interface, the router receives the ARP request for 10.0.2.30, checks its routing table, and sees that 10.0.2.30 is reachable. It therefore responds to the ARP request with the MAC address of its interface f0/0. Router R1 responds to the ARP request in place of PC3, which is why it is called ARP Proxy.
For PC2 this is transparent: it still thinks that PC3 is on the same network. We can check that in PC2's ARP table:
In the ARP table of PC2, 10.0.2.30 is associated with router R1 f0/0 MAC address.
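The three cases from this lab can be reproduced with a small model of the host's on-link decision and R1's reply logic. This is an added example, not part of the original lab: the PC1/PC2 addresses, the `f0/1` interface name, the 10.0.2.0/24 subnet and the MAC address are assumptions, and the reply rule is a simplified model limited to R1's connected networks.

```python
import ipaddress

# Constructed lab values: the page gives 10.0.1.254 (R1 f0/0) and 10.0.2.30 (PC3);
# the PC1/PC2 addresses, the f0/1 name, the subnets and the MAC are assumptions.
R1_F00_MAC = "ca:01:00:00:00:00"
R1_CONNECTED = {"f0/0": ipaddress.ip_network("10.0.1.0/24"),
                "f0/1": ipaddress.ip_network("10.0.2.0/24")}
GATEWAY = ipaddress.ip_address("10.0.1.254")
PC3 = ipaddress.ip_address("10.0.2.30")


def arp_target(host_cidr, dst, gateway=GATEWAY):
    """IP a host ARPs for: the destination if its own mask says on-link, else the gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    return dst if dst in iface.network else gateway


def r1_arp_reply(target, ingress="f0/0", proxy_arp=True):
    """Return the MAC R1 answers with on `ingress`, or None if it stays silent."""
    if ingress == "f0/0" and target == GATEWAY:
        return R1_F00_MAC                     # ordinary ARP for R1's own address
    if not proxy_arp:
        return None                           # 'no ip proxy-arp' on the interface
    for iface, net in R1_CONNECTED.items():
        # Proxy only for targets reached through a different interface.
        if target in net and iface != ingress:
            return R1_F00_MAC
    return None


def resolve(host_cidr, dst, proxy_arp):
    """Simulate one ARP exchange; returns (ip_asked_for, mac_learned_or_None)."""
    target = arp_target(host_cidr, dst)
    return target, r1_arp_reply(target, proxy_arp=proxy_arp)


def shared_mac_entries(arp_table):
    """Group ARP-table IPs by MAC; several IPs behind one MAC marks proxied entries."""
    by_mac = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("PC1 /24:", resolve("10.0.1.10/24", PC3, proxy_arp=False))
    print("PC2 /16, proxy off:", resolve("10.0.1.20/16", PC3, proxy_arp=False))
    print("PC2 /16, proxy on:", resolve("10.0.1.20/16", PC3, proxy_arp=True))
```

Running `shared_mac_entries` over a host's ARP table is a quick way to find hosts with a wrong mask that are silently relying on ARP Proxy before disabling it on an interface.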
That’s it, I hope that was helpful 😉.