Proxy ARP: An insidious default setting

Introduction to Proxy ARP

Proxy ARP is a feature that enables a host, typically a router, to answer ARP requests on behalf of other machines. This technique is used when a router needs to forward traffic across two separate network segments. It can be enabled on a network where the clients have limited routing capabilities, such as don’t support the configuration of a gateway address, or incorrect setting, such as wrong subnet mask. In this post, I’ll detail how the default activation of proxy ARP by some networking vendors can lead to unforeseen traffic patterns. These can confound network engineers who may not be aware of this preset configuration.

In the next sections, I’ll briefly explain how ARP works, introduce proxy ARP, its benefits, and things to consider during its implementation. 

What is ARP?

The Address Request Protocol (ARP) is a layer 2 network protocol that enables a host to lookup the MAC address of another host by referring to it by its IP address. The protocol works this way. The host that is doing the lookup, broadcasts on a directly connected interface a frame to all hosts with destination address 0xFFFFFF. The frame contains an ARP request asking what’s the MAC address associated with a given IP address. All the hosts on the network receive the ARP request. Only the one that is assigned the IP address contained in the request replies with its MAC address.

The following packet capture shows a decoded ARP requests from host asking for the MAC address of host

ARP, Request who-has tell, length 28
arp request

The hosts with the IP address generates an ARP reply including its MAC address:

ARP, Reply is-at 14:7d:da:1a:30:5c (oui Unknown), length 28
arp reply

If the host with IP is not on the network, the ARP requests are left unanswered. Eventually the TCP/IP stack of the sender would eventually trigger a host unreachable error.

What is Proxy ARP?

When configured for proxy ARP, a router will respond to ARP requests intended for other devices, providing its own MAC address in the replies. Consequently, the router intercepts the traffic meant for those devices and then relays it to the appropriate host. For proxy ARP to function correctly, the router must have established routes to both the source and destination networks.

Let’s take the previous example, but a slightly different case. Host is asking for the MAC address of target host Although the target host resides in a separate subnet, the source host believes it resides within the same segment due to a subnet mask mismatch (/23 vs. /24). For this reason, the source host sends an ARP request. 

arp request proxy

The router, configured with proxy ARP, processes the ARP request and sends a reply including its own MAC address.

MAC address proxy arp

Proxy ARP is a feature supported by most networking vendors, such as Cisco and Juniper, as well as operating systems like Linux and some BSD flavors. Some vendors, like Juniper, have two operating modes: restricted and unrestricted. In restricted mode, the router replies only to ARP requests for hosts that are not part of the same subnet where the source is located. In unrestricted mode, the router replies to all ARP requests for which the router has a route to destination.

Benefits and Drawbacks

As we explained in the introductory paragraph, proxy ARP has several benefits, such as enabling clients with limited routing functionalities to communicate. It also has the advantage of enabling clients without a gateway configured or incorrect subnet mask to still communicate with other hosts. Network administrators that had to support legacy devices that only accepted classful network masks had to use proxy ARP to implement classless routing. 

However, as mentioned at the beginning, it is a double edged sword. Consider the scenario where a network engineer is planning a migration from a networking vendor that enables proxy ARP by default (e.g. Cisco IOS), to one that doesn’t (e.g. Nokia SR OS). Before the cut over, all the clients, even those with incorrect subnet masks and gateway, can connect to non local hosts. However, after the migration, some clients stopped working as the new router doesn’t act as a proxy arp by default. This is one of those unexpected behaviors that can challenge a successful implementation.

Another disadvantage of proxy ARP is that it causes the ARP table of clients to grow as they will add one entry for each external host they need to reach.

Final Thoughts

The rationale behind some networking vendors’ decision to keep proxy ARP enabled by default remains ambiguous. It’s possible that they have preserved a configuration that was essential in the early days of computer networking. Today, there are relatively few scenarios that necessitate the use of proxy ARP. Network engineers who are not aware of this default setting may inadvertently encounter it in their work. I hope that this article will help some of them to be more prepared and avoid encountering this issue in the future.

Appendix: Testing for Proxy ARP with NetBeez

If you want to test this with NetBeez, you can use a WiFi sensor that is connected to both the wired and the wireless networks. In this example, we’ll test if the WLAN is configured with proxy ARP:

  1. Verify that network monitoring tests running on the wireless interface are returning results.
  2. Verify that the control wired interface is connected to the network so you won’t lose connectivity to the agent should proxy ARP not be enabled.
  3. Edit the wlan0 interface settings and remove the default gateway information.
    1. If the interface is set for DHCP, you can temporarily assign the same address the client received by the DHCP server. This may cause an IP conflict, so perform this test off hours. The problem doesn’t concern statically configured interfaces.
  4. Verify the status of the network monitoring tests:
    1. If the tests fail, then proxy ARP is not enabled.
    2. If the tests succeed, then chances are that proxy ARP is enabled on the default gateway.
decoration image

Get your free trial now

Monitor your network from the user perspective

You can share

Twitter Linkedin Facebook

Let's keep in touch

decoration image