Typical Behaviour

sameermunj · ‎10-05-2009

Hi

I have 4506 chassis on which users directlly connected and 4506 is connected to wan routers.vlans have been created on the 4506 and users directly connected to 4506.

for 1 vlan what we observed is even though the host gateway is not the vlan interface ip (any ip which is not at all configured on switch)still the users able to reach host on wan side.when we trace in 1st hop its reaching its own vlan interface and from their trace completing properly...

anycan can please explain the same.

sw details..cat4000-i9k91s-mz.122-25.ewa6.bin

Peter Paluch · ‎10-05-2009

Hello Sameer,

I am not sure if I understand you completely but I believe that one of the possible explanations is the ProxyARP feature. Even though the hosts in your VLAN use a gateway whose IP address is outside of the scope of that VLAN, they simply use the ARP to resolve that IP address to a MAC address. This ARP request is received by your 4506 and though the 4506 does not have the IP address in question, it knows how to reach it according to its routing table, so it responds back with its own MAC address in the ARP reply.

You can test it by issuing the command no ip proxy-arp on the VLAN SVI interface of the respective VLAN and testing the connectivity again. After the ARP cache expires on hosts in that VLAN, they should now be prevented from reaching other networks except their own.

Best regards,

Peter

Yudong Wu · ‎10-05-2009

It might be "arp proxy".

You can check arp table on user's PC to see which mac is associated to the gateway's IP. If it is the same as MAC of its vlan interface, it indicates that vlan interface is doning arp proxy.

arp proxy is enabled by default and local arp proxy is disabled by default if I remember correctly. You can check it by "show ip interface vlan xx".

Try to disable it by "no ip proxy-arp" and "no ip local-proxy-arp"