From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Dec 10 2004 - 19:50:22 GMT-3
Anthony,
Thanks for your response.
I don't fully follow your example. Any chance you could expand on it using
ip addresses and packet flow?
Tim
----- Original Message -----
From: "Anthony Pace" <anthonypace@fastmail.fm>
To: "Brian Dennis" <bdennis@internetworkexpert.com>; "ccie2be"
<ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Friday, December 10, 2004 5:06 PM
Subject: RE: Local Proxy ARP
> There is a very practical application for the proxy-arp mechanism on the
> 3550. They don't do NAT, so if you want to expose a 3550 upstream VLAN
> (with a virtual IP interface) to a segment where some devices expect to
> find a certain public host (which is really on a private IP address
> downstream of the 3550) you can't do NAT, but you can give the 3550 a
> static route to the downstream host's NATted address; the 3550 will
> respond to the ARPs for that address and route the packet to the device
> really doing the NAT downstream.
>
> Router=>3550=>PIX=>PrivateHost
>
> Anthony Pace
>
>
> On Thu, 9 Dec 2004 19:12:20 -0500, "Brian Dennis"
> <bdennis@internetworkexpert.com> said:
> > Tim,
> > How about a design like below where R1, R2, and R3 are on the
> > same IP subnet and same VLAN but the CAT3550 is configured with R1 and
> > R2's ports as protected ports. This means that R1 and R2 cannot
> > communicate directly with each other. Once R3 has local proxy ARP
> > configured, R1 and R2 would be able to send traffic to each other via R3
> > since R3 will now begin to proxy ARP for the local IP addresses.
> >
> >
> > R1:
> > interface Ethernet0/0
> > ip address 17.0.0.1 255.0.0.0
> >
> > R2:
> > interface Ethernet0/0
> > ip address 17.0.0.2 255.0.0.0
> >
> > R3:
> > interface Ethernet0/0
> > ip address 17.0.0.3 255.0.0.0
> > ip local-proxy-arp
> >
> > SW1:
> > interface FastEthernet0/1
> > description R1 E0/0 Interface
> > switchport access vlan 123
> > switchport protected
> > !
> > interface FastEthernet0/2
> > description R2 E0/0 Interface
> > switchport access vlan 123
> > switchport protected
> > !
> > interface FastEthernet0/3
> > description R3 E0/0 Interface
> > switchport access vlan 123
> >
> >
> > R1#ping 17.0.0.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 17.0.0.2, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> > R1#
> > R1#sho arp
> > Protocol Address Age (min) Hardware Addr Type Interface
> > Internet 17.0.0.1 - 0004.c057.32c0 ARPA Ethernet0/0
> > Internet 17.0.0.3 6 0050.3ee8.30e0 ARPA Ethernet0/0
> > Internet 17.0.0.2 5 0050.3ee8.30e0 ARPA Ethernet0/0
> > ^^^^^^^^^^^^^^
> > R3#sho int e0/0 | in bia
> > Hardware is AmdP2, address is 0050.3ee8.30e0 (bia 0050.3ee8.30e0)
> > R3#
> >
> > As you can see, R1 has R2 and R3 listed with the same MAC address
> > indicating that R3 is performing proxy ARP for R2.
> >
> > I'm going to add this "gem" to our Volume 2 R&S workbook that
> > I'm currently working on but I can't pay you any royalties ;-)
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > -----Original Message-----
> > From: ccie2be [mailto:ccie2be@nyc.rr.com]
> > Sent: Thursday, December 09, 2004 3:37 PM
> > To: Brian Dennis; Group Study
> > Subject: Re: Local Proxy ARP
> >
> > Thanks Brian,
> >
> > That was a great explanation.
> >
> > In what kind of scenario would I ever NEED "the router to proxy ARP for
> > another 172.16.1.0/24 IP address say 172.16.1.30"?
> >
> > And, if I did need to enable local proxy arp would that mean that some
> > host was screwed up or the network was poorly designed?
> >
> > thanks again, Tim
> >
> > ----- Original Message -----
> > From: "Brian Dennis" <bdennis@internetworkexpert.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, December 09, 2004 6:02 PM
> > Subject: RE: Local Proxy ARP
> >
> >
> > Tim,
> > It's when you want to proxy ARP for IP addresses on the local IP
> > network. Example: the router's interface is addressed with
> > 172.16.1.1/24 and you need the router to proxy ARP for another
> > 172.16.1.0/24 IP address say 172.16.1.30. Normally the router would not
> > proxy ARP for 172.16.1.30 as it would assume the device with that IP
> > address would answer the ARP itself.
> >
> > To enable it use the "ip local-proxy-arp" interface command.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Thursday, December 09, 2004 2:29 PM
> > To: Group Study
> > Subject: Local Proxy ARP
> >
> > Hi guys,
> >
> > When you do a show ip int X, one of the things listed is "Local Proxy
> > ARP
> > <enabled |disabled>". It's right under the line for Proxy ARP.
> >
> > I know what proxy arp is but what's LOCAL proxy arp?
> >
> > And, if I needed to, how would I enable it?
> >
> > Also, the next line after the Local proxy arp says "Security Level is
> > default". What's that about?
> >
> > Any insight would be appreciated.
> >
> > TIA, Tim
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> --
> Anthony Pace
> anthonypace@fastmail.fm
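An added example (my own, not code from the thread) that automates the check Brian did by eye on R1's "sho arp" output: it parses the IOS ARP table, groups entries by hardware address, and reports any MAC that answers for more than one IP on an interface, which is exactly what a neighbor sees once R3 runs "ip local-proxy-arp". The sample text is constructed from the quoted output; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: R1's "show arp" from the thread, re-aligned as IOS prints it.
SHOW_ARP_R1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  17.0.0.1                -   0004.c057.32c0  ARPA   Ethernet0/0
Internet  17.0.0.3                6   0050.3ee8.30e0  ARPA   Ethernet0/0
Internet  17.0.0.2                5   0050.3ee8.30e0  ARPA   Ethernet0/0
"""

# One IOS ARP row: protocol, IP, age ('-' for the router's own address), MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return one dict per ARP entry; the header and any unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["age"] = None if entry["age"] == "-" else int(entry["age"])
            entry["mac"] = entry["mac"].lower()
            entries.append(entry)
    return entries


def shared_macs(entries):
    """Map (interface, mac) -> sorted IPs for every MAC learned for more than one IP."""
    by_mac = defaultdict(set)
    for e in entries:
        if e["age"] is None:  # age '-' is the router's own interface address, not a learned entry
            continue
        by_mac[(e["intf"], e["mac"])].add(e["ip"])
    octets = lambda ip: tuple(int(o) for o in ip.split("."))
    return {k: sorted(v, key=octets) for k, v in by_mac.items() if len(v) > 1}


def report(text):
    """Human-readable lines: which MAC is answering ARP for which neighbors on each interface."""
    lines = []
    for (intf, mac), ips in sorted(shared_macs(parse_show_arp(text)).items()):
        lines.append(f"{intf}: {mac} answers ARP for {', '.join(ips)}")
    return lines
```

On R1 this reports 0050.3ee8.30e0 (R3's BIA) for both 17.0.0.2 and 17.0.0.3, which is expected here because R3 was deliberately configured to proxy; the same shape of result on a segment where nothing is supposed to proxy is worth investigating.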
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3