Proxy ARP
If a host sends an ARP Request packet to another host on the same logical subnet but a different physical network, the device that connects the two physical networks can reply to this packet. This function is called proxy ARP.
Proxy ARP is classified into the following types: routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP. Table 2-2 describes the usage scenarios.
| Proxy ARP Type | Usage Scenario |
|---|---|
| Routed proxy ARP | Hosts (without default gateway address configured) that need to communicate belong to the same network segment across different physical networks (different broadcast domains). |
| Intra-VLAN proxy ARP | Hosts that need to communicate belong to the same network segment and VLAN but port isolation is configured in the VLAN. |
| Inter-VLAN proxy ARP | Hosts that need to communicate belong to the same network segment but different VLANs. |
- Proxy ARP is deployed on the gateway without any modifications to the configurations of the hosts on a network.
- Proxy ARP can shield topologies of physical networks so that hosts on different physical networks can use the same network ID to communicate.
- Proxy ARP affects only the ARP table on hosts but does not affect the ARP table and routing table on the gateway.
Routed Proxy ARP
Routed proxy ARP enables communication among network devices on the same network segment but different physical networks.
If a host connected to the device is not configured with a default gateway address (that is, the host does not know how to reach the intermediate system of the network), the device cannot forward data packets.
As shown in Figure 2-3, the IP address of Host_1 is 172.16.1.10/16 and that of Host_2 is 172.16.2.20/16, and Host_1 and Host_2 are located on the same network segment. The Router connects to two networks through VLANIF 10 and VLANIF 20. The IP addresses of VLANIF 10 and VLANIF 20 are located on different network segments.
Because the IP addresses of Host_1 and Host_2 are on the same network segment, Host_1 broadcasts an ARP Request packet requesting the MAC address of Host_2 when it needs to communicate with Host_2. However, Host_1 and Host_2 are on different physical networks (in different broadcast domains), so Host_2 cannot receive the ARP Request packet sent from Host_1 and does not respond with an ARP Reply packet.
To resolve this problem, enable routed proxy ARP on the Router. After routed proxy ARP is enabled, the Router queries the routing table after receiving the ARP Request packet. Host_2 is directly connected to the Router, so the Router has the routing entry of Host_2. The Router then uses its MAC address to send an ARP Reply packet to Host_1. Host_1 forwards data based on the MAC address of the Router. In this case, the Router functions as the proxy of Host_2. As shown in Figure 2-3, the MAC address of VLANIF 10 on the Router matches the IP address of Host_2 in the ARP entry on Host_1.
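The routed proxy ARP decision described above can be modeled as follows. This is an added example, not vendor code: the host addresses come from the text, while the VLANIF addresses and prefixes, all MAC addresses and the second host 172.16.2.21 are constructed assumptions. It also shows the side effect an ARP monitor has to account for: on Host_1, one MAC address legitimately answers for several IP addresses.

```python
import ipaddress

# Constructed topology. VLANIF networks/addresses and MACs are assumptions.
ROUTER_IFACES = {
    "VLANIF10": {"net": ipaddress.ip_network("172.16.1.0/24"),
                 "ip": ipaddress.ip_address("172.16.1.1"),
                 "mac": "02:00:00:00:00:10"},
    "VLANIF20": {"net": ipaddress.ip_network("172.16.2.0/24"),
                 "ip": ipaddress.ip_address("172.16.2.1"),
                 "mac": "02:00:00:00:00:20"},
}

def route_lookup(target):
    """Return the interface whose directly connected route covers target."""
    for name, iface in ROUTER_IFACES.items():
        if target in iface["net"]:
            return name
    return None

def handle_arp_request(in_iface, target_ip, proxy_enabled):
    """Return the MAC the router replies with, or None if it stays silent."""
    target = ipaddress.ip_address(target_ip)
    iface = ROUTER_IFACES[in_iface]
    if target == iface["ip"]:
        return iface["mac"]      # ordinary ARP for the router's own address
    if not proxy_enabled:
        return None              # request for another host is not answered
    out_iface = route_lookup(target)
    # Proxy only when the target is routed through a different interface;
    # a target on the ingress segment can answer for itself.
    if out_iface is None or out_iface == in_iface:
        return None
    return iface["mac"]          # reply carries the ingress interface MAC

def host1_arp_table(proxy_enabled, targets=("172.16.2.20", "172.16.2.21")):
    """ARP entries Host_1 (behind VLANIF 10) learns for the given targets."""
    table = {}
    for ip in targets:
        mac = handle_arp_request("VLANIF10", ip, proxy_enabled)
        if mac:
            table[ip] = mac
    return table

def shared_macs(arp_table):
    """MACs mapped to more than one IP, as a duplicate-MAC check would see."""
    by_mac = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

A duplicate-MAC alert on such a segment should be compared against the known gateway interface MAC before being treated as ARP spoofing, since both produce the same table pattern on the host.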
Intra-VLAN Proxy ARP
If two users belong to the same VLAN with port isolation configured, intra-VLAN proxy ARP can be enabled on the interfaces associated with the VLAN to allow the hosts to communicate at Layer 3.
As shown in Figure 2-4, Host_1 and Host_2 are connected to the Router. The two interfaces connected to Host_1 and Host_2 belong to VLAN 10 on the Router.
Host_1 and Host_2 cannot communicate at Layer 2 because port isolation in a VLAN is configured on the Router.
If intra-VLAN proxy ARP is enabled on the Router's interface, Host_1 and Host_2 can communicate at Layer 3. After the Router's interface receives an ARP Request packet whose destination address is not its own address, the Router does not discard the packet but searches for the ARP entry matching the interface. If an ARP entry matches Host_2, the Router sends its own MAC address to Host_1 and forwards the packet destined for Host_2. In this case, the Router functions as the proxy of Host_2.
Inter-VLAN Proxy ARP
If two hosts belong to the same network segment but different VLANs, inter-VLAN proxy ARP can be enabled on the interfaces (for example, the VLANIF interfaces or sub-interfaces) associated with the VLANs to enable users to communicate at Layer 3.
As shown in Figure 2-5, Host_1 and Host_2 on the same network segment are connected to the Router, Host_1 belongs to VLAN 10, and Host_2 belongs to VLAN 20.
Host_1 and Host_2 belong to different sub-VLANs, so they cannot communicate at Layer 2.
After inter-VLAN proxy ARP is enabled on the Router, Host_1 and Host_2 can communicate at Layer 3. After the Router's interface receives an ARP Request packet whose destination address is not its own address, the Router does not discard the packet but searches for ARP entries (including dynamically learned ARP entries and statically configured ARP entries). If an ARP entry matches Host_2, the Router sends its own MAC address to Host_1 and forwards the packet destined for Host_2. In this case, the Router functions as the proxy of Host_2.