RE: Local Proxy ARP

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Thu Dec 09 2004 - 21:12:20 GMT-3


Tim,
        How about a design like below where R1, R2, and R3 are on the
same IP subnet and same VLAN but the CAT3550 is configured with R1 and
R2's ports as protected ports. This means that R1 and R2 cannot
communicate directly with each other. Once R3 has local proxy ARP
configured, R1 and R2 would be able to send traffic to each other via R3
since R3 will now begin to proxy ARP for the local IP addresses.

R1:
interface Ethernet0/0
 ip address 17.0.0.1 255.0.0.0

R2:
interface Ethernet0/0
 ip address 17.0.0.2 255.0.0.0

R3:
interface Ethernet0/0
 ip address 17.0.0.3 255.0.0.0
 ip local-proxy-arp

SW1:
interface FastEthernet0/1
 description R1 E0/0 Interface
 switchport access vlan 123
 switchport protected
!
interface FastEthernet0/2
 description R2 E0/0 Interface
 switchport access vlan 123
 switchport protected
!
interface FastEthernet0/3
 description R3 E0/0 Interface
 switchport access vlan 123

R1#ping 17.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1#
R1#sho arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  17.0.0.1                -   0004.c057.32c0  ARPA   Ethernet0/0
Internet  17.0.0.3                6   0050.3ee8.30e0  ARPA   Ethernet0/0
Internet  17.0.0.2                5   0050.3ee8.30e0  ARPA   Ethernet0/0
                                      ^^^^^^^^^^^^^^
R3#sho int e0/0 | in bia
  Hardware is AmdP2, address is 0050.3ee8.30e0 (bia 0050.3ee8.30e0)
R3#

As you can see, R1 has R2 and R3 listed with the same MAC address,
indicating that R3 is performing proxy ARP for R2.

        I'm going to add this "gem" to our Volume 2 R&S workbook that
I'm currently working on but I can't pay you any royalties ;-)

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
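
A defender-side check built on the ARP table in the message above, as an added example that is not part of the original post: it parses IOS `show arp` output and reports any MAC address that answers for more than one learned IP on an interface, which is the signature local proxy ARP leaves on R1. The function names and the "Incomplete" row are constructed for illustration; the other rows are the R1 output shown above.

```python
import re
from collections import defaultdict

# Constructed sample: R1's "show arp" output from the message above, plus one
# constructed "Incomplete" row to exercise the unresolved-entry case.
SAMPLE = """\
R1#sho arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  17.0.0.1                -   0004.c057.32c0  ARPA   Ethernet0/0
Internet  17.0.0.3                6   0050.3ee8.30e0  ARPA   Ethernet0/0
Internet  17.0.0.2                5   0050.3ee8.30e0  ARPA   Ethernet0/0
Internet  17.0.0.9                0   Incomplete      ARPA
"""

ENTRY = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<intf>\S+)\s*$"
)

def parse_arp(text):
    """Return resolved entries; headers, prompts and Incomplete rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            e["local"] = e["age"] == "-"  # "-" marks the router's own address
            entries.append(e)
    return entries

def shared_macs(entries):
    """Map (interface, mac) -> sorted IPs where one MAC answers for several learned IPs."""
    groups = defaultdict(set)
    for e in entries:
        if not e["local"]:  # the router's own addresses are not learned via ARP
            groups[(e["intf"], e["mac"])].add(e["ip"])
    return {k: sorted(v, key=lambda ip: tuple(map(int, ip.split("."))))
            for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (intf, mac), ips in shared_macs(parse_arp(SAMPLE)).items():
        print(f"{intf}: {mac} answers for {', '.join(ips)}")
```

On a segment where no proxy ARP is configured, a hit from this check is worth tracing back to the switch port that owns the MAC.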

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Thursday, December 09, 2004 3:37 PM
To: Brian Dennis; Group Study
Subject: Re: Local Proxy ARP

Thanks Brian,

That was a great explanation.

In what kind of scenario would I ever NEED "the router to proxy ARP for
another 172.16.1.0/24 IP address say 172.16.1.30"?

And, if I did need to enable local proxy arp would that mean that some
host was screwed up or the network was poorly designed?

thanks again, Tim

----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Thursday, December 09, 2004 6:02 PM
Subject: RE: Local Proxy ARP

Tim,
It's when you want to proxy ARP for IP addresses on the local IP
network. Example: the router's interface is addressed with
172.16.1.1/24 and you need the router to proxy ARP for another
172.16.1.0/24 IP address say 172.16.1.30. Normally the router would not
proxy ARP for 172.16.1.30 as it would assume the device with that IP
address would answer the ARP itself.

To enable it use the "ip local-proxy-arp" interface command.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com


-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
Sent: Thursday, December 09, 2004 2:29 PM
To: Group Study
Subject: Local Proxy ARP

Hi guys,

When you do a show ip int X, one of the things listed is "Local Proxy ARP
<enabled |disabled>". It's right under the line for Proxy ARP.

I know what proxy arp is but what's LOCAL proxy arp?

And, if I needed to, how would I enable it?

Also, the next line after the Local proxy arp says "Security Level is
default". What's that about?

Any insight would be appreciated.

TIA, Tim



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3