Local Proxy ARP

by 
       In order to show what local proxy ARP can do for you, we will leverage the port protection configuration within one single vlan. We would be in a situation when the hosts behind the protected ports would not be able to talk to each other. But what if you really want to look at that traffic? Or what if you like to offer the connectivity and have the traffic go through an inspection device? That is where local proxy ARP comes into play. Let's take a look!
       We have the switch in the middle that has port protection enabled on Gi1/1 and Gi1/2. How can we allow the hosts to communicate? Well, the first option would be to allow the switch to do so. Kind of beats the purpose, but for the fun of it we will take a look. The second option will be for the router to accommodate the flow - this would be what we're looking for: the 3rd party inspection device. Let's see how we get R02 and R03 to talk to each other.
  • Device configuration
  • The switch allowing the flows
  • The router allowing the flows
! for R01, R02, R03

interface FastEthernet0/0
 ip address 10.0.0.[1|2|3] 255.255.255.0
end

! the switch

interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 
interface GigabitEthernet0/[2|3]
 switchport access vlan 100
 switchport mode access
 switchport protected

interface Vlan100
 ip address 10.0.0.254 255.255.255.0
 
! Validation

SW#sh int status | i 100
Gi0/1                        connected    100        a-full   auto RJ45
Gi0/2                        connected    100        a-full   auto RJ45
Gi0/3                        connected    100        a-full   auto RJ45
SW#sh ip int br | i lan
Vlan100                10.0.0.254      YES manual up                    up
SW#sh int gi0/1 switchport | i rotect
Protected: false
SW#sh int gi0/2 switchport | i rotect
Protected: true
SW#sh int gi0/3 switchport | i rotect
Protected: true
SW#
! verifying that R02 cannot ping R03

R02#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#

! making the change on the switch

SW(config)#int vlan 100
SW(config-if)#ip local-proxy-arp
SW(config-if)#end
SW#sh ip int vlan 100 | i ARP
  Proxy ARP is enabled
  Local Proxy ARP is enabled
SW#

! testing connectivity

R02#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/12/20 ms
R02#

! verifying that R02 cannot ping R03

R02#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#

! making the change on R01

R01(config)#int fa0/0
R01(config-if)#ip local-proxy-arp
R01(config-if)#end
R01#sh ip int fa0/0 | i ARP
  Proxy ARP is enabled
  Local Proxy ARP is enabled
R01#

! testing connectivity

R02#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/25/44 ms
R02#
       We have witnessed the magic that local proxy ARP can provide. We have seen it configured on a switch and on a router. The command is: 'ip local-proxy-arp'.

Leave a Comment