Why does this work?

fdouble08
Level 1

I have a site that is connected to my WAN. They have a 3750 switch facing our WAN router. When it was installed an assumption was made that the site's subnet would be 10.30.32.0/22 and so the IP address on the WAN router interface is set to 10.30.32.1/22. They have set up the L3 switch with VLAN interfaces that are 10.30.32.254/24, 10.30.33.254/24, 10.30.34.254/24 and 10.30.35.254/24. The WAN router only knows that 10.30.32.0/22 is on the interface, not that there is a next hop involved. I can, however, ping devices in the 10.30.34.0/24 VLAN.

I would expect that the WAN router would assume that the host address is connected to the segment attached to its interface on 10.30.32.0/22. It should send out an ARP request looking for the MAC address of the host on 10.30.34.0/24 as if it were a host on 10.32.32.0/22. Since the host in 10.30.34.0/24 is on a different VLAN, there should be no response. Obviously it is getting a response, because I can ping a device in that subnet. Can anyone explain why this works?

Jon Marshall
Hall of Fame

fdouble08 wrote:

I have a site that is connected to my WAN. They have a 3750 switch facing our WAN router. When it was installed an assumption was made that the site's subnet would be 10.30.32.0/22 and so the IP address on the WAN router interface is set to 10.30.32.1/22. They have set up the L3 switch with VLAN interfaces that are 10.30.32.254/24, 10.30.33.254/24, 10.30.34.254/24 and 10.30.35.254/24. The WAN router only knows that 10.30.32.0/22 is on the interface, not that there is a next hop involved. I can, however, ping devices in the 10.30.34.0/24 VLAN.

I would expect that the WAN router would assume that the host address is connected to the segment attached to its interface on 10.30.32.0/22. It should send out an ARP request looking for the MAC address of the host on 10.30.34.0/24 as if it were a host on 10.32.32.0/22. Since the host in 10.30.34.0/24 is on a different VLAN, there should be no response. Obviously it is getting a response, because I can ping a device in that subnet. Can anyone explain why this works?

This is probably because of proxy-arp, i.e. the 3750 is answering requests for subnets it knows about that are directly connected.

Try adding this under the L3 vlan interface on the 3750 that is the next-hop for the router -

int vlan

no ip proxy-arp

Jon

That explains it.  I didn't know that proxy-arp is enabled by default.

Does this type of configuration raise issues? For example, the WAN router considers 10.30.32.255, 10.30.33.255, and 10.30.34.255 as valid host addresses, while the 3750 expects them to be the broadcast addresses of 10.30.32.0/24, 10.30.33.0/24, and 10.30.34.0/24 respectively. Are there scenarios where that will cause a problem?

fdouble08 wrote:

That explains it.  I didn't know that proxy-arp is enabled by default.

Does this type of configuration raise issues? For example, the WAN router considers 10.30.32.255, 10.30.33.255, and 10.30.34.255 as valid host addresses, while the 3750 expects them to be the broadcast addresses of 10.30.32.0/24, 10.30.33.0/24, and 10.30.34.0/24 respectively. Are there scenarios where that will cause a problem?

I would disable it if you don't need it as it can create confusion as you have found out. It's not a good design to rely on proxy-arp and you don't need to.

The main use for it is if you have static NAT statements then you need it enabled so the router/L3 switch can answer on behalf of the NAT. However as the 3750 doesn't support NAT then you don't need it for this.

Jon
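
Added example, not part of the original thread and not Cisco code: a small Python model of the behaviour discussed above, using the thread's addresses. It shows which ARP requests from the /22 router get answered only because of proxy-arp, and which addresses the two masks disagree on. The proxy-arp rule is simplified, and treating the 10.30.32.254 SVI as the one facing the router is an assumption.

```python
import ipaddress as ip

# Addressing is taken from the thread; the proxy-ARP rule is a simplified model.
ROUTER_IF = ip.ip_interface("10.30.32.1/22")
SVIS = [ip.ip_interface(a) for a in (
    "10.30.32.254/24", "10.30.33.254/24", "10.30.34.254/24", "10.30.35.254/24")]
INGRESS = SVIS[0]  # assumption: the SVI in the same VLAN as the WAN router


def router_arps_directly(dst):
    """True when the router treats dst as on-link (inside its connected /22)."""
    return ip.ip_address(dst) in ROUTER_IF.network


def switch_answers_arp(dst, proxy_arp=True):
    """Why the switch would reply to the router's ARP request for dst, or None."""
    dst = ip.ip_address(dst)
    if dst == INGRESS.ip:
        return "own address"
    if dst in INGRESS.network:
        return None  # same segment as the router: the real host answers
    routed = any(dst in svi.network for svi in SVIS if svi is not INGRESS)
    return "proxy-arp" if proxy_arp and routed else None


def mask_conflicts():
    """Addresses the /22 side sees as hosts but a /24 SVI sees as network/broadcast."""
    wide = ROUTER_IF.network
    special = set()
    for svi in SVIS:
        special |= {svi.network.network_address, svi.network.broadcast_address}
    return sorted(a for a in special
                  if a not in (wide.network_address, wide.broadcast_address))


if __name__ == "__main__":
    # Constructed sample targets: same VLAN, another VLAN, outside the /22.
    for target in ("10.30.32.50", "10.30.34.10", "10.30.36.1"):
        print(target, router_arps_directly(target),
              switch_answers_arp(target), switch_answers_arp(target, proxy_arp=False))
    print([str(a) for a in mask_conflicts()])
```

With `proxy_arp=False` the model returns no answer for 10.30.34.10, which is the case where the WAN router needs a route to the /24s through the switch instead of a connected /22.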
