From: Anthony Pace (anthonypace@fastmail.fm)
Date: Fri Dec 10 2004 - 19:06:47 GMT-3
There is a very practical application for the proxy-ARP mechanism on the
3550. They don't do NAT, so if you want to expose a 3550 upstream VLAN
(with a virtual IP interface) to a segment where some devices expect to
find a certain public host (which is really on a private IP address
downstream of the 3550), you can't do NAT, but you can give the 3550 a
static route to the downstream host's NATted address; the 3550 will
respond to the ARPs for that address and route the packet to the device
really doing the NAT downstream.
Router=>3550=>PIX=>PrivateHost
Anthony Pace
On Thu, 9 Dec 2004 19:12:20 -0500, "Brian Dennis"
<bdennis@internetworkexpert.com> said:
> Tim,
> How about a design like below where R1, R2, and R3 are on the
> same IP subnet and same VLAN but the CAT3550 is configured with R1 and
> R2's ports as protected ports. This means that R1 and R2 cannot
> communicate directly with each other. Once R3 has local proxy ARP
> configured, R1 and R2 would be able to send traffic to each other via R3
> since R3 will now begin to proxy ARP for the local IP addresses.
>
>
> R1:
> interface Ethernet0/0
> ip address 17.0.0.1 255.0.0.0
>
> R2:
> interface Ethernet0/0
> ip address 17.0.0.2 255.0.0.0
>
> R3:
> interface Ethernet0/0
> ip address 17.0.0.3 255.0.0.0
> ip local-proxy-arp
>
> SW1:
> interface FastEthernet0/1
> description R1 E0/0 Interface
> switchport access vlan 123
> switchport protected
> !
> interface FastEthernet0/2
> description R2 E0/0 Interface
> switchport access vlan 123
> switchport protected
> !
> interface FastEthernet0/3
> description R3 E0/0 Interface
> switchport access vlan 123
>
>
> R1#ping 17.0.0.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 17.0.0.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> R1#
> R1#sho arp
> Protocol Address Age (min) Hardware Addr Type Interface
> Internet 17.0.0.1 - 0004.c057.32c0 ARPA Ethernet0/0
> Internet 17.0.0.3 6 0050.3ee8.30e0 ARPA Ethernet0/0
> Internet 17.0.0.2 5 0050.3ee8.30e0 ARPA Ethernet0/0
> ^^^^^^^^^^^^^^
> R3#sho int e0/0 | in bia
> Hardware is AmdP2, address is 0050.3ee8.30e0 (bia 0050.3ee8.30e0)
> R3#
>
> As you can see, R1 has R2 and R3 listed with the same MAC address
> indicating that R3 is performing proxy ARP for R2.
>
> I'm going to add this "gem" to our Volume 2 R&S workbook that
> I'm currently working on but I can't pay you any royalties ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Thursday, December 09, 2004 3:37 PM
> To: Brian Dennis; Group Study
> Subject: Re: Local Proxy ARP
>
> Thanks Brian,
>
> That was a great explanation.
>
> In what kind of scenario would I ever NEED "the router to proxy ARP for
> another 172.16.1.0/24 IP address, say 172.16.1.30"?
>
> And, if I did need to enable local proxy ARP, would that mean that some
> host was screwed up or the network was poorly designed?
>
> thanks again, Tim
>
> ----- Original Message -----
> From: "Brian Dennis" <bdennis@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> <ccielab@groupstudy.com>
> Sent: Thursday, December 09, 2004 6:02 PM
> Subject: RE: Local Proxy ARP
>
>
> Tim,
> It's when you want to proxy ARP for IP addresses on the local IP
> network. Example: the router's interface is addressed with
> 172.16.1.1/24 and you need the router to proxy ARP for another
> 172.16.1.0/24 IP address say 172.16.1.30. Normally the router would not
> proxy ARP for 172.16.1.30 as it would assume the device with that IP
> address would answer the ARP itself.
>
> To enable it use the "ip local-proxy-arp" interface command.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Thursday, December 09, 2004 2:29 PM
> To: Group Study
> Subject: Local Proxy ARP
>
> Hi guys,
>
> When you do a show ip int X, one of the things listed is "Local Proxy
> ARP
> <enabled |disabled>". It's right under the line for Proxy ARP.
>
> I know what proxy arp is but what's LOCAL proxy arp?
>
> And, if I needed to, how would I enable it?
>
> Also, the next line after the Local proxy arp says "Security Level is
> default". What's that about?
>
> Any insight would be appreciated.
>
> TIA, Tim
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- Anthony Pace anthonypace@fastmail.fm
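The ARP-responder behaviour discussed in this thread, as an added example that is not part of any of the posts above and not Cisco's code: a small Python model of when an IOS router replies to an ARP request (an ordinary reply for its own address, classic proxy ARP when the best route to the target leaves by a different interface, and "ip local-proxy-arp" when the target sits in the connected subnet of the receiving interface). It is run against Brian's R1/R2/R3 setup and Anthony's Router=>3550=>PIX=>PrivateHost case, and it repeats the duplicate-MAC check Brian did by eye on "show arp". The 3550 interface names and addresses (Vlan10 203.0.113.1/24 upstream, Vlan20 10.0.0.1/24 towards the PIX, public address 203.0.113.50, PIX outside address 10.0.0.2) are assumptions for illustration; the "show arp" lines are copied from Brian's post.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface      # address with mask, e.g. 17.0.0.3/8
    proxy_arp: bool = True             # IOS default: "ip proxy-arp" is on
    local_proxy_arp: bool = False      # IOS default: "ip local-proxy-arp" is off


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str                        # outgoing interface name


@dataclass
class Router:
    name: str
    interfaces: Dict[str, Interface]
    static_routes: List[Route] = field(default_factory=list)

    def lookup(self, target: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match over connected subnets plus static routes."""
        connected = [Route(i.addr.network, i.name) for i in self.interfaces.values()]
        matches = [r for r in connected + self.static_routes if target in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def answers_arp(self, in_if: str, target: str) -> bool:
        """Does this router reply to an ARP request for `target` received on `in_if`?"""
        rx = self.interfaces[in_if]
        ip = ipaddress.IPv4Address(target)
        if ip == rx.addr.ip:
            return True                # ordinary reply for the interface's own address
        if not rx.proxy_arp:
            return False               # "no ip proxy-arp" also switches off local proxy ARP
        route = self.lookup(ip)
        if route is None:
            return False               # nothing to proxy for
        if route.out_if != in_if:
            return True                # classic proxy ARP: target lives behind another interface
        return rx.local_proxy_arp      # same subnet as the asker: only with ip local-proxy-arp


def brians_r3(local_proxy_arp: bool) -> Router:
    """R3 from Brian's post: 17.0.0.3/8 on Ethernet0/0, with or without ip local-proxy-arp."""
    e0 = Interface("Ethernet0/0", ipaddress.IPv4Interface("17.0.0.3/8"),
                   local_proxy_arp=local_proxy_arp)
    return Router("R3", {e0.name: e0})


def anthonys_3550(with_static_route: bool) -> Router:
    """Anthony's Router=>3550=>PIX=>PrivateHost case. Addresses are assumed for the
    example: Vlan10 faces the upstream router (203.0.113.1/24), Vlan20 faces the PIX
    (10.0.0.1/24), and 203.0.113.50 is the public address the PIX NATs to the host."""
    v10 = Interface("Vlan10", ipaddress.IPv4Interface("203.0.113.1/24"))
    v20 = Interface("Vlan20", ipaddress.IPv4Interface("10.0.0.1/24"))
    sw = Router("3550", {v10.name: v10, v20.name: v20})
    if with_static_route:
        # ip route 203.0.113.50 255.255.255.255 10.0.0.2   (PIX outside address, assumed)
        sw.static_routes.append(Route(ipaddress.IPv4Network("203.0.113.50/32"), "Vlan20"))
    return sw


# "show arp" output copied from Brian's post (R1 after the ping to R2 through R3).
SHOW_ARP_R1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  17.0.0.1                -   0004.c057.32c0  ARPA   Ethernet0/0
Internet  17.0.0.3                6   0050.3ee8.30e0  ARPA   Ethernet0/0
Internet  17.0.0.2                5   0050.3ee8.30e0  ARPA   Ethernet0/0
"""


def shared_macs(show_arp: str) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP: proxy ARP, a hairpin, or ARP spoofing."""
    by_mac: Dict[str, List[str]] = {}
    for line in show_arp.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] == "Internet":
            by_mac.setdefault(f[3], []).append(f[1])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("R3 answers R1's ARP for 17.0.0.2:",
          brians_r3(True).answers_arp("Ethernet0/0", "17.0.0.2"))
    print("3550 answers upstream ARP for 203.0.113.50:",
          anthonys_3550(True).answers_arp("Vlan10", "203.0.113.50"))
    print("MACs claiming several IPs on R1:", shared_macs(SHOW_ARP_R1))
```

Two things worth noticing when running it: the 3550 only proxies for 203.0.113.50 on the upstream side, since on Vlan20 the /32 route leaves by the same interface the request came in on, so the PIX side is not confused; and the R1 table shows exactly the signature an ARP-spoofing detector keys on (one MAC behind several IPs), so a protected-port or DAI policy that is meant to keep R1 and R2 apart has to account for a router running local proxy ARP on the same VLAN.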
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3