Proxy ARP is a technique in which a device on a given network answers ARP requests for an IP address that is not on that network.
Table 1 describes different types of proxy ARP and their usage scenarios.
| Proxy ARP Type | Usage Scenario |
|---|---|
| Routed proxy ARP | For communication between hosts (without default gateway address configured) that belong to the same network segment across different physical networks (different broadcast domains) |
| Intra-VLAN proxy ARP | For communication between hosts that belong to the same network segment and VLAN (port isolation is configured in the VLAN) |
| Inter-VLAN proxy ARP | For communication between hosts that belong to the same network segment but different VLANs |
Routed proxy ARP enables communication among network devices on the same network segment but on different physical networks.
If a host connected to a device is not configured with a default gateway address, the host does not know how to reach the intermediate system of the network. Therefore, data forwarding cannot be performed. Routed proxy ARP resolves this problem.
In Figure 1, Host_1 and Host_2 are located on the same network segment. The Switch connects two networks through VLANIF 10 and VLANIF 20. The IP addresses of VLANIF 10 and VLANIF 20 are located on different network segments.
The IP addresses of Host_1 and Host_2 are on the same network segment. When Host_1 needs to communicate with Host_2, Host_1 broadcasts an ARP Request packet, requesting the MAC address of Host_2. However, Host_1 and Host_2 are on different physical networks (in different broadcast domains); therefore, Host_2 cannot receive the ARP Request packet sent from Host_1 and does not respond with an ARP Reply packet.
With routed proxy ARP enabled on the Switch, the Switch queries the routing table after receiving the ARP Request packet. Host_2 is directly connected to the Switch, so the Switch has the routing entry of Host_2. The Switch then uses its MAC address to send an ARP Reply packet to Host_1. Host_1 forwards data based on the MAC address of the Switch. In this case, the Switch functions as the proxy of Host_2. This is shown in Figure 1, where the MAC address mapped to Host_2's IP address in the ARP table of Host_1 is the MAC address of VLANIF 10 on the Switch.
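The routed proxy ARP decision described above, modelled as an added Python example (not Huawei code and not part of the original page). The IP addresses, masks and MAC addresses are constructed, the routing table is reduced to directly connected routes, and the rule that the Switch stays silent when the target sits behind the ingress interface is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Vlanif:
    name: str
    ip: ipaddress.IPv4Interface   # interface address with its mask
    mac: str
    routed_proxy_arp: bool = False


# Constructed topology: the hosts use a /16 mask, so Host_1 believes Host_2
# is on-link, while the two VLANIF interfaces sit on different /24 segments.
VLANIF10 = Vlanif("VLANIF10", ipaddress.ip_interface("172.16.1.1/24"),
                  "00e0-fc00-0010", routed_proxy_arp=True)
VLANIF20 = Vlanif("VLANIF20", ipaddress.ip_interface("172.16.2.1/24"),
                  "00e0-fc00-0020", routed_proxy_arp=True)
INTERFACES = [VLANIF10, VLANIF20]
HOST_2_IP = "172.16.2.20"


def arp_reply_mac(ingress, interfaces, target_ip):
    """MAC the switch places in its ARP Reply, or None if it stays silent."""
    target = ipaddress.ip_address(target_ip)
    if target == ingress.ip.ip:
        return ingress.mac            # ordinary ARP for the interface itself
    if not ingress.routed_proxy_arp:
        return None                   # feature off: request goes unanswered
    # Routing table lookup, reduced here to directly connected routes.
    for intf in interfaces:
        if target in intf.ip.network:
            if intf.name == ingress.name:
                # Assumption: target shares the ingress broadcast domain and
                # answers for itself, so the switch does not proxy.
                return None
            return ingress.mac        # proxy: reply with the switch's own MAC
    return None                       # no route to the target: no reply


def host_1_arp_table():
    """ARP entries Host_1 ends up with after resolving Host_2 and VLANIF 10."""
    table = {}
    for ip in (HOST_2_IP, "172.16.1.1"):
        mac = arp_reply_mac(VLANIF10, INTERFACES, ip)
        if mac is not None:
            table[ip] = mac
    return table


if __name__ == "__main__":
    print(host_1_arp_table())
```

In the resulting table, Host_2's IP address and the VLANIF 10 address both map to the same MAC address, which is what an operator reviewing Host_1's ARP cache should expect to see when routed proxy ARP is in use.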
If two users belong to the same VLAN (which has port isolation configured), enabling intra-VLAN proxy ARP on the VLAN-associated interfaces allows the hosts to communicate at Layer 3.
In Figure 2, Host_1 and Host_2 are connected to the Switch. The two interfaces connected to Host_1 and Host_2 belong to VLAN 10 on the Switch.
Host_1 and Host_2 cannot communicate at Layer 2 because port isolation in a VLAN is configured on the Switch.
However, with intra-VLAN proxy ARP enabled on the Switch's interface, Host_1 and Host_2 can communicate at Layer 3. After the Switch's interface receives an ARP Request packet whose destination address is not its own address, the Switch searches for the ARP entry matching the interface. If an ARP entry matches Host_2, the Switch sends its own MAC address to Host_1 and forwards the packet destined for Host_2. In this case, the Switch functions as the proxy of Host_2.
If two hosts belong to the same network segment but different VLANs, enabling inter-VLAN proxy ARP on the VLAN-associated interfaces (for example, the VLANIF interfaces or sub-interfaces) allows users to communicate at Layer 3.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support inter-VLAN proxy ARP.
In Figure 3, Host_1 and Host_2 on the same network segment are connected to the Switch, Host_1 belongs to sub-VLAN 10, and Host_2 belongs to sub-VLAN 20.
Host_1 and Host_2 belong to different sub-VLANs, so they cannot communicate at Layer 2.
However, with inter-VLAN proxy ARP enabled on the Switch, Host_1 and Host_2 can communicate at Layer 3. After the Switch's interface receives an ARP Request packet whose destination address is not its own address, the Switch searches for the ARP entry (a dynamically learned or statically configured ARP entry) matching Host_2. If an ARP entry matches Host_2, the Switch sends its own MAC address to Host_1 and forwards the packet destined for Host_2. In this case, the Switch functions as the proxy of Host_2.