HSRP and proxy ARP

Kevin Dorrell
Level 10

Can anyone tell me how proxy ARP behaves in conjunction with HSRP?

What MAC address does the router return as a proxy ARP: its own BIA or the HSRP group address?

If it returns the BIA, then there will be no redundant failover for the proxy ARP destinations.

Also, if both active and standby routers are running proxy ARP, will they both respond by proxy?

***

Another question about HSRP, but not related to proxy ARP: if I have two switches routing between my VLANs, and the HSRP fails over on one VLAN only, can the new active router (the old standby) still deliver to the other VLAN for which it is still the standby? And in the other direction? In this case, does it mean the traffic flows from-VLANA-to-VLANB and from-VLANB-to-VLANA goes through different routers for each direction?

Kevin Dorrell

Luxembourg

12 Replies

lgijssel
Level 9

Hello Kevin,

The active router responds to the Proxy ARP with the HSRP address unless you have configured: standby use-bia.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080093f93.shtml#reqs

Your question about different paths being used is relatively easy to answer. The router that receives the packet will forward it according to its own routing tables. This may mean that the return traffic is following a different path. In fact, this is a characteristic of many ip networks that allow for redundancy. As ip is basically connectionless this should not be a problem.

Regards,

Leo

ankbhasi
Cisco Employee

Hi Kevin,

If an HSRP router is configured to support proxy ARP with HSRP, then the router MUST specify the HSRP virtual MAC address in any proxy ARP responses it generates.

If I get your second question correct I believe you will like to know if any of the vlans for which router A is active and some problem comes for that vlan on that active router then will the new active router for that vlan will become active for that vlan and stay standby for other vlans?

If this is your query then the active and standby routers are for groups and so if you have 3 vlans in one HSRP group and any problem occurs on router A for one vlan of specific group the new active router will take the role as an active for the whole group and if you have some more vlans in other group the new active router will still serve as standby for the other group.

Also you can look at this FAQ for HSRP where it has a question for use of bia address also

http://www.cisco.com/warp/public/619/3.html

HTH

Ankur

amit-singh
Level 8

Hi Kevin,

For your first question both posters are right. However for your second query I agree with leo as any router which receives the packets will forward according to its routing table. Your one router is active for only 1 vlan and standby for others but still it will be able to do the routing for the standby routes according to its routing table.

HTH,

-amit singh

Kevin Dorrell
Level 10

Thank you all three of you, Leo, Ankur, and Amit, for your responses. That gives me something to work on. I think I now have enough understanding to put it into practice. Both documents were useful.

I do have one further puzzle though. Suppose I have more than one standby group on an interface. For example (cut down to the bare bones):

interface Vlan 20

ip address 192.168.20.254 255.255.255.0

standby 10 ip 192.168.20.10

standby 20 ip 192.168.20.10

Now, this interface will be presenting three MAC addresses, something like:

- its own bia for 192.168.20.254,

- 0000.0c07.ac0a for group 10

- 0000.0c07.ac14 for group 20

So if a host ARPs in this VLAN for something that is off net, which MAC address will be used in the proxy ARP response?

Kevin Dorrell

Luxembourg

P.S. Why can I not "rate this post" for Leo?

Hi Kevin,

Router and switches are intelligent enough that if something is given wrong they will report an error message and I believe the configuration you posted will report an error message.

You cannot have same ip address for 2 different hsrp groups and if you happen to do that it will report a message as

% Address 192.168.20.10 in group 10

So now option 3 mac address is gone. Left 2 one the bia address and one 0000.0c07.ac0a for group 10 so because you have not configured HSRP group to use bia address proxy ARP will reply 0000.0c07.ac0a for group 10 mac address.

HTH

Ankur

Ankur,

Sorry, in asking my question I made a typo. I meant to have group 10 on 192.168.20.10 and group 20 on 192.168.20.20. I think the question is valid once that correction is made.

Kevin Dorrell

Luxembourg

Hi Kevin,

When we have MHSRP configured you can definitely have multiple standby ips with different group id under same subnet which will let you load balance your same subnet traffic via 2 different pair of HSRP configured routers.

But then you need to configure your machines also with different gateways. Your any machine will have only one gateway which is your standby ip address.

So as an example in the case when you have 2 machines you can configure each of them with different gateways and proxy arp reply will be from their gateway with its group mac address.

The right implementation for this kind of scenario will be to have multiple groups for same subnet but group 10 having higher priority on router A and group 20 having a higher priority at router B. So machines whose gateway is group 10 ip address will move out via router A and machines whose gateway is group 20 ip address will move out from router B and each group will reply its mac address in PROXY ARP reply to its gateway configured address.

Hope I am able to explain. Also attaching a link for above scenario

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swhsrp.htm#wp1061629

HTH

Ankur

Ankur,

Thanks, I understood all that up to the last bit where you said "each group will reply its mac address in PROXY ARP reply". The point about a proxy ARP is that it is not directed at a gateway address, but at a host behind the router. For example, consider this situation:

interface vlan 10

ip address 192.168.10.126 255.255.255.128

ip proxy-arp

Now, suppose we have a host on this network that is configured with a mask of 255.255.255.0, and that host wants to talk to 192.168.10.200. (Assume the router has a route out some other interface or VLAN to 192.168.10.128/25.) The host believes it is in the same network as 192.168.10.200, so it puts out an ARP request for 192.168.10.200 directly. The router, seeing the ARP request, will respond on behalf of 192.168.10.200, giving its own BIA address.

Now add HSRP into the mix:

standby 10 ip 192.168.10.110

standby 20 ip 192.168.10.120

When the host puts out an ARP request for 192.168.10.200 (note NOT for the gateway address), which MAC address will the router send back in its proxy ARP response?

Kevin Dorrell

Luxembourg

I just read your posting again. Are you saying that the router will send two proxy ARP replies, one for each group (assuming the router is active on both groups)?

Kevin

Hi Kevin,

Yeah that's true router will send 2 proxy replies one for each group assuming the router is active on both groups with one condition that if your clients having different gateway want to send traffic out of their network.

I mean when you configure 2 standby group on same subnet then you have 2 virtual standby ip address also. Now few clients will have gateway address for group 10 and few clients will have gateway address for group 20.

Now in a situation when clients with gateway address of group 10 and 20 both wants to send traffic out of their network then both will request for ARP and router will reply the mac address for both the groups and respective clients will use the mac address as per their gateway address but in case clients configured with gateway address of one single group wants to send traffic out of its network and will send ARP request then only that group mac address will be returned.

I hope I am able to explain.

Regards,

Ankur

*Pls rate all helpful posts

Kevin, I found a few interesting URLs on this topic:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2d21.html

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094e90.shtml

At least this confirms that an HSRP address is used in the response. I believe that the case you are putting is fairly hypothetical while a router should not normally run two HSRP groups as active unless there is a network problem. Under normal circumstances, the router checks which hsrp-group represents the best route for the given destination and replies with the corresponding hsrp-address.

I believe that in the case that you describe, the router will use one of his addresses but I do not know the criteria for making this selection.

When a network is load balanced using two routers & two hsrp groups and each router runs one group in active mode then your scenario means that both routers will respond to the proxy-arp request. It is then up to the client to determine which mac address he chooses.

Regards,

Leo

Ankur,

I am still not sure this is the same situation we are talking about. I am considering the case where the client is not ARPing for the gateway address, but for the final destination address. There are two situations where proxy ARP can happen:

1. The client has its own address configured as gateway. In this case it ARPs directly for the destination, regardless. If the router considers the destination to be on net, it does not reply. If the router considers it to be off net but it has a route to it, then it replies with its own address (or the HSRP address).

2. The client has a wider mask than the router, and the destination is one that the host considers to be on net, but the router considers to be off net, but it does have a route to it. In that case also, the host ARPs for the destination address, not the gateway.

I am setting up some experiments on this in my lab, and I shall post the results when I have them.

Kevin Dorrell

Luxembourg
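
The two proxy ARP cases listed in the post above, worked through with the addresses used in the thread, as an added example that is not part of any post. The host entries in the test are constructed, the function names are hypothetical, and the virtual MAC helper assumes the HSRP version 1 format (0000.0c07.acXX) that the thread's group addresses follow; it models only whether a proxy reply is triggered, not which MAC the router puts in it, which the thread leaves open.

```python
import ipaddress

ROUTER_IF = "192.168.10.126/25"   # interface vlan 10 from the thread, ip proxy-arp on
ROUTES = ["192.168.10.128/25"]    # reachable out another interface, as the post assumes


def hsrp_v1_mac(group: int) -> str:
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def host_arps_for(host_if: str, gateway: str, dest: str) -> str:
    """Return the IP address the host will ARP for when sending to dest."""
    iface = ipaddress.ip_interface(host_if)
    # Case 2: a mask wider than the router's makes dest look on-link to the host.
    on_link = ipaddress.ip_address(dest) in iface.network
    # Case 1: the host's gateway is its own address, so it ARPs for everything.
    gateway_is_self = ipaddress.ip_address(gateway) == iface.ip
    return dest if (on_link or gateway_is_self) else gateway


def router_proxy_replies(rx_if: str, other_routes: list, target: str,
                         proxy_arp: bool = True) -> bool:
    """True if the router answers an ARP for target that it hears on rx_if."""
    tgt = ipaddress.ip_address(target)
    if not proxy_arp or tgt in ipaddress.ip_interface(rx_if).network:
        return False  # feature off, or target is on net: the real owner answers
    # Off net from the router's point of view: reply only if it has a route.
    return any(tgt in ipaddress.ip_network(r) for r in other_routes)


def depends_on_proxy_arp(host_if: str, gateway: str, dest: str) -> bool:
    """True if this host reaches dest only because the router proxy ARPs."""
    target = host_arps_for(host_if, gateway, dest)
    return target == dest and router_proxy_replies(ROUTER_IF, ROUTES, target)


# Virtual MACs for the two standby groups configured in the thread.
CANDIDATE_MACS = {g: hsrp_v1_mac(g) for g in (10, 20)}
```

Hosts for which `depends_on_proxy_arp` returns True are the ones whose mask or gateway setting would have to be corrected before proxy ARP could be turned off on the interface.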
