Monday, April 18, 2011

Local Proxy ARP

Below shows the output of the show ip interface {intf-type intf-num} command which shows that local proxy ARP is disabled. This section discusses what Local Proxy ARP is and its usage.
Router#sh ip int fa1/0
FastEthernet1/0 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
--- output omitted ---

Local Proxy ARP is used when there is a need to perform proxy ARP for hosts in local network. Normally network devices do not perform local proxy ARP as they would assume the host with the requested IP address would answer the ARP request itself.

Sample Local Proxy ARP Network

The switchport protected interface subcommand is configured on SW1 Fa0/1 and Fa0/2.
The ip local-proxy-arp interface subcommand is configured on RT3 Fa0/0.

Below shows that RT3 is performing proxy ARP for RT2:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
RT1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet             -   1111.1111.1111  ARPA   FastEthernet0/0
Internet             6   3333.3333.3333  ARPA   FastEthernet0/0
Internet             5   3333.3333.3333  ARPA   FastEthernet0/0

The switchport protected interface subcommand configures a switch port as a protected port. Protected ports have the following characteristics:
1) A protected port does not forward any traffic (including unicast, multicast, and broadcast) to other protected ports – traffic cannot be forwarded between protected ports at Layer 2; all traffic between protected ports must be forwarded through a Layer 3 device.
2) Traffic between a protected port and a non-protected port is forwarded as usual.
Note: This feature applies upon a single switch, and cannot be extended across multiple switches.

Protected ports are being used in environments where traffic must not be forwarded between ports on the same switch so that an end system does not see the traffic from another end system. Below are some other sample usages of protected ports:
1) A hotel environment where the ports for each room should not be able to communicate with each other, but they need to communicate with the gateway.
2) A DMZ zone where the ports for each server should not be able to communicate with each other in order to prevent further damages of other servers when a server is owned.
3) A collocation environment where servers from different customers should not be able to communicate with each other.

No comments:

Post a Comment