Introduction to Proxy ARP
Proxy ARP is a feature that enables a host, typically a router, to answer ARP requests on behalf of other machines. This technique is used when a router needs to forward traffic across two separate network segments. It can be enabled on a network where the clients have limited routing capabilities, such as don’t support the configuration of a gateway address, or incorrect setting, such as wrong subnet mask. In this post, I’ll detail how the default activation of proxy ARP by some networking vendors can lead to unforeseen traffic patterns. These can confound network engineers who may not be aware of this preset configuration.
In the next sections, I’ll briefly explain how ARP works, introduce proxy ARP, its benefits, and things to consider during its implementation.
What is ARP?
The Address Request Protocol (ARP) is a layer 2 network protocol that enables a host to lookup the MAC address of another host by referring to it by its IP address. The protocol works this way. The host that is doing the lookup, broadcasts on a directly connected interface a frame to all hosts with destination address 0xFFFFFF. The frame contains an ARP request asking what’s the MAC address associated with a given IP address. All the hosts on the network receive the ARP request. Only the one that is assigned the IP address contained in the request replies with its MAC address.
The following packet capture shows a decoded ARP requests from host 192.168.0.10 asking for the MAC address of host 192.168.0.11:
ARP, Request who-has 192.168.0.11 tell 192.168.0.10, length 28
The hosts with the IP address 192.168.0.11 generates an ARP reply including its MAC address:
ARP, Reply 192.168.0.11 is-at 14:7d:da:1a:30:5c (oui Unknown), length 28
If the host with IP 192.168.0.11 is not on the network, the ARP requests are left unanswered. Eventually the TCP/IP stack of the sender would eventually trigger a host unreachable error.
What is Proxy ARP?
When configured for proxy ARP, a router will respond to ARP requests intended for other devices, providing its own MAC address in the replies. Consequently, the router intercepts the traffic meant for those devices and then relays it to the appropriate host. For proxy ARP to function correctly, the router must have established routes to both the source and destination networks.
Let’s take the previous example, but a slightly different case. Host 192.168.0.10 is asking for the MAC address of target host 192.168.1.11. Although the target host resides in a separate subnet, the source host believes it resides within the same segment due to a subnet mask mismatch (/23 vs. /24). For this reason, the source host sends an ARP request.
The router, configured with proxy ARP, processes the ARP request and sends a reply including its own MAC address.
Proxy ARP is a feature supported by most networking vendors, such as Cisco and Juniper, as well as operating systems like Linux and some BSD flavors. Some vendors, like Juniper, have two operating modes: restricted and unrestricted. In restricted mode, the router replies only to ARP requests for hosts that are not part of the same subnet where the source is located. In unrestricted mode, the router replies to all ARP requests for which the router has a route to destination.
Benefits and Drawbacks
As we explained in the introductory paragraph, proxy ARP has several benefits, such as enabling clients with limited routing functionalities to communicate. It also has the advantage of enabling clients without a gateway configured or incorrect subnet mask to still communicate with other hosts. Network administrators that had to support legacy devices that only accepted classful network masks had to use proxy ARP to implement classless routing.
However, as mentioned at the beginning, it is a double edged sword. Consider the scenario where a network engineer is planning a migration from a networking vendor that enables proxy ARP by default (e.g. Cisco IOS), to one that doesn’t (e.g. Nokia SR OS). Before the cut over, all the clients, even those with incorrect subnet masks and gateway, can connect to non local hosts. However, after the migration, some clients stopped working as the new router doesn’t act as a proxy arp by default. This is one of those unexpected behaviors that can challenge a successful implementation.
Another disadvantage of proxy ARP is that it causes the ARP table of clients to grow as they will add one entry for each external host they need to reach.
Final Thoughts
The rationale behind some networking vendors’ decision to keep proxy ARP enabled by default remains ambiguous. It’s possible that they have preserved a configuration that was essential in the early days of computer networking. Today, there are relatively few scenarios that necessitate the use of proxy ARP. Network engineers who are not aware of this default setting may inadvertently encounter it in their work. I hope that this article will help some of them to be more prepared and avoid encountering this issue in the future.
Appendix: Testing for Proxy ARP with NetBeez
If you want to test this with NetBeez, you can use a WiFi sensor that is connected to both the wired and the wireless networks. In this example, we’ll test if the WLAN is configured with proxy ARP:
- Verify that network monitoring tests running on the wireless interface are returning results.
- Verify that the control wired interface is connected to the network so you won’t lose connectivity to the agent should proxy ARP not be enabled.
- Edit the wlan0 interface settings and remove the default gateway information.
- If the interface is set for DHCP, you can temporarily assign the same address the client received by the DHCP server. This may cause an IP conflict, so perform this test off hours. The problem doesn’t concern statically configured interfaces.
- Verify the status of the network monitoring tests:
- If the tests fail, then proxy ARP is not enabled.
- If the tests succeed, then chances are that proxy ARP is enabled on the default gateway.
