Couldn't be any clearer than that! Thanks again!
You're very welcome. Thanks for the feedback!
Great explanation, simple and quick.
Thank you!
Helped a lot in getting things clearer. Thanks man 🙏
Glad to hear that. You’re very welcome!
Great work. Thanks for your flawless explanations, which made proxy ARP crystal clear for me.
You're welcome, and thank you for the feedback. I'm glad to hear that!
Absolutely informative and useful.
Thanks for this. I knew what proxy ARP was, but I did not understand why it existed or what it was trying to accomplish. So, it looks like it is to help with incorrectly configured hosts. I'm not sure whether that is a good thing or not. As a network admin, I think I would rather know that there was a problem rather than silently having it fixed.
Great Explanation :)
Thank you!
Great and short explanation!
I do have two questions:
1) Does the ARP proxy work only for the directly connected subnets, or can it work through other routers? Like, if we have 3 subnets 10.1.0.0, 10.2.0.0 and 10.3.0.0 and 2 routers in between.
If a router is not directly connected to 10.3.0.0, but it has a routing entry for the 10.3.0.0 subnet, would it proxy ARP?
2) Does Proxy ARP work if 2 hosts are misconfigured, and can Proxy ARP work not only between usual hosts, but between routers as well?
Thank you!
Thanks for this!
You're very welcome!
Thanks for the video. I see a lot of explanations of Proxy ARP that use the same example of the host misconfiguration. To the point that I am starting to think that the only purpose of Proxy ARP was to address such issues. Are there any other scenarios? Please don't get me wrong, I am truly curious. I just had a bizarre anomaly, and I am thinking that the Proxy ARP has something to do with it. Trying to understand a broader set of use cases involving Proxy ARP.
Hey, you're very welcome. Thanks for your question!
So, the original thought process for Proxy ARP was to help hosts with misconfigured subnet masks have communication with other networks. Now, as you were wondering - Are there any other scenarios? Well, kind of... in some cases, we can intentionally use Proxy ARP to our advantage. Same concept, it's just intentional vs unintentional.
For example, let's say that you have a device with a management interface that doesn't support routing or even configuring a default gateway, as seen on some Cisco ASAs. If you wanted to manage this device from a different subnet, you can't... technically. But you could take full advantage of Proxy ARP to create a subnetting effect.
Here's what I mean... You might be managing this device from the 10.0.10.0/24 subnet whereas the device itself is on 10.0.20.0/24, or something like that. Obviously this is arbitrary and made up for example purposes. But anyway, since that device expects everything on its management interface to be connected to a flat layer 2 network, we could trick it by changing the subnet mask to 255.255.0.0, which would be a /16.
Now, if you connect to that management interface from any network that starts with 10.0, it will think it's on the same subnet and send an ARP request. As long as Proxy ARP is enabled and the IP/subnet mask is configured correctly on your router, you can now have communication from a different subnet.
In conclusion, I know this is pretty much the same example I showed in the video, but I was just trying to demonstrate how it could be a planned/intentional thing.
If you don't mind me asking, what was the anomaly you were thinking Proxy ARP could have played a role in? I might be able to help.
Thanks a lot, Robert, for the detailed explanation. My anomaly is very close to what you described in the "intentional scenario" except that there are a few moments that don't add up to the entire picture.
I don't want to complicate, but to bring some clarity and context I'll need to explain a little bit of the background.
I use a product called Sophos. They build next gen firewalls and other cool protection solutions. Sophos firewalls have a hardware extension called RED (stands for Remote Ethernet Device). It creates VPN tunnels to your firewall on the fly from anywhere in the world as long as it can "see" the internet, no matter if it's behind another firewall. Conceptually, think of it as just another interface on the router with its own defined subnet, and a veeery long cable reaching the remote location across the globe. That other end is what you plug into when you plug your infrastructure in behind the RED box. You can have a switch and an entire infrastructure cascaded off of it on the other side of the globe. It's like a site-to-site VPN, except that you don't have a full blown firewall on the other end requiring its own rules and license. Instead, you have an unmanaged box that is linked to your firewall in HQ, where all the management of that subnet happens.
I have 2 buildings: A (HQ) and B, 100 meters away. Both buildings have their own internet. Building A has the Sophos firewall and Building B has the RED device. The internal network in building A is 10.10.10.0/24. All server infrastructure is here (DC, DNS, DHCP). The internal network in building B is 10.10.30.0/24.
Logically, it is identical to a router with 2 defined subnets: 10.10.10.0/24 and 10.10.30.0/24.
I had a laptop in building A on 10.10.10.0/24 with IP 10.10.10.149. The address is assigned by the DC/DHCP server 10.10.10.11.
A user took the laptop into building B and connected to 10.10.30.1.
This is where the fun began. I'll continue in the next post to break them down and not make the reading boring.
This Sophos RED actually sounds pretty handy. I might have to look into that in the future!
Anyway, is the mystery issue the fact that the laptop on 10.10.10.0/24 isn't supposed to be connecting to the network over at building B? I see that you mentioned that it connected to 10.10.30.1 specifically though. If this is the case, is it doing this with the same IP configuration it received from DHCP at building A? My thoughts are that there is a DHCP relay configured on the RED device and this laptop is grabbing a new lease when it roams over to building B.
As I write this I am telling myself that it's probably not that simple though and I'm probably missing or misunderstanding something.
Oh, and while I'm here, I have one more thing regarding proxy ARP that I left out in my original response. So not only does proxy ARP aid hosts with misconfigured subnet masks, but it will also allow hosts with misconfigured gateways to communicate with other networks. I just tested this by changing my default gateway to 8.8.8.8 just as a goof, and sure enough the L3 switch responds to the ARP request with its own MAC address.
Anyway, not sure if this will be helpful or not, but hopefully it is!
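The two cases Robert describes above (a host with the /16 mask on the 10.0.10.0/24 management example, and a host with 8.8.8.8 as its gateway) played out in an added Python model; this is not code from the video or from anyone in the thread. `ProxyArpRouter` and `host_arp_target` are hypothetical helpers, the interface names and MAC addresses are constructed, and the routing-table check (answer only when the target is reachable out a different interface) is the usual proxy ARP rule, not any specific vendor's implementation.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Subnets, the /16 mask and the 8.8.8.8 gateway come from the thread;
# interface names and MAC addresses are constructed for this model.

class ProxyArpRouter:
    def __init__(self, interfaces, routes, proxy_arp=True):
        self.interfaces = interfaces   # name -> (IPv4Interface, mac)
        self.routes = routes           # [(IPv4Network, out_interface_name)]
        self.proxy_arp = proxy_arp

    def arp_reply(self, ingress, target):
        """MAC the router answers with for an ARP request heard on `ingress`, or None."""
        ifc, mac = self.interfaces[ingress]
        if target == ifc.ip:
            return mac                 # ordinary ARP reply: it is our own address
        if not self.proxy_arp or target in ifc.network:
            return None                # target is local to this segment: the real host answers
        # Proxy ARP: answer with our own MAC if the target is reachable via another interface
        for net, out in self.routes:
            if target in net and out != ingress:
                return mac
        return None

def host_arp_target(host, gateway, dest):
    """Address a host ARPs for: the destination if it looks on-link, otherwise its gateway."""
    return dest if dest in host.network else gateway

R = ProxyArpRouter(
    interfaces={"a": (IPv4Interface("10.0.10.1/24"), "aa:aa:aa:00:00:01"),
                "b": (IPv4Interface("10.0.20.1/24"), "aa:aa:aa:00:00:02"),
                "wan": (IPv4Interface("198.51.100.2/30"), "aa:aa:aa:00:00:03")},
    routes=[(IPv4Network("10.0.20.0/24"), "b"), (IPv4Network("0.0.0.0/0"), "wan")],
)
DEST = IPv4Address("10.0.20.9")

def wrong_mask():
    """Host uses 255.255.0.0: 10.0.20.9 looks on-link, so it ARPs for it and the router answers."""
    target = host_arp_target(IPv4Interface("10.0.10.5/16"), IPv4Address("10.0.10.1"), DEST)
    return str(target), R.arp_reply("a", target)

def wrong_gateway():
    """Host has the right mask but 8.8.8.8 as gateway: the router answers via its default route."""
    target = host_arp_target(IPv4Interface("10.0.10.5/24"), IPv4Address("8.8.8.8"), DEST)
    return str(target), R.arp_reply("a", target)

def proxy_arp_off():
    """Same wrong-mask host with proxy ARP disabled: nobody answers, so the misconfiguration shows."""
    return ProxyArpRouter(R.interfaces, R.routes, proxy_arp=False).arp_reply("a", DEST)
```

The last function is the behaviour the earlier commenter asked for: with proxy ARP off, the misconfigured host's ARP simply times out instead of being silently fixed.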
Good 😊
Thanks 😊