Can anyone tell me how proxy ARP behaves in conjunction with HSRP?
What MAC address does the router return as a proxy ARP: its own BIA or the HSRP group address?
If it returns the BIA, then there will be no redundant failover for the proxy ARP destinations.
Also, if both active and standby routers are running proxy ARP, will they both respond by proxy?
Another question about HSRP, but not related to proxy ARP: if I have two switches routing between my VLANs, and the HSRP fails over on one VLAN only, can the new active router (the old standby) still deliver to the other VLAN for which it is still the standby? And in the other direction? In this case, does it mean the traffic flows from-VLANA-to-VLANB and from-VLANB-to-VLANA go through different routers for each direction?
The active router responds to the Proxy ARP with the HSRP address unless you have configured: standby use-bia.
Your question about different paths being used is relatively easy to answer. The router that receives the packet will forward it according to its own routing tables. This may mean that the return traffic is following a different path. In fact, this is a characteristic of many IP networks that allow for redundancy. As IP is basically connectionless, this should not be a problem.
If an HSRP router is configured to support proxy ARP with HSRP, then the router MUST specify the HSRP virtual MAC address in any proxy ARP responses it generates.
If I understand your second question correctly, I believe you would like to know: if router A is active for some VLANs and a problem occurs for one VLAN on that active router, will the new active router become active for that VLAN and stay standby for the other VLANs?
If this is your query, then the active and standby routers are per group, so if you have 3 VLANs in one HSRP group and a problem occurs on router A for one VLAN of a specific group, the new active router will take the active role for the whole group, and if you have more VLANs in another group, the new active router will still serve as standby for the other group.
Also, you can look at this FAQ for HSRP, which also has a question on the use of the BIA address.
For your first question both posters are right. However, for your second query I agree with Leo, as any router which receives the packets will forward according to its routing table. Your one router is active for only 1 VLAN and standby for the others, but it will still be able to do the routing for the standby routes according to its routing table.
Thank you all three of you, Leo, Ankur, and Amit, for your responses. That gives me something to work on. I think I now have enough understanding to put it into practice. Both documents were useful.
I do have one further puzzle though. Suppose I have more than one standby group on an interface. For example (cut down to the bare bones):
interface Vlan 20
ip address 192.168.20.254 255.255.255.0
standby 10 ip 192.168.20.10
standby 20 ip 192.168.20.10
Now, this interface will be presenting three MAC addresses, something like:
- its own bia for 192.168.20.254,
- 0000.0c07.ac0a for group 10
- 0000.0c07.ac14 for group 20
So if a host ARPs in this VLAN for something that is off net, which MAC address will be used in the proxy ARP response?
P.S. Why can I not "rate this post" for Leo?
Routers and switches are intelligent enough that if something is entered wrong they will report an error message, and I believe the configuration you posted will report an error message.
You cannot have the same IP address for 2 different HSRP groups, and if you happen to do that it will report a message such as:
% Address 192.168.20.10 in group 10
So now the third MAC address option is gone. That leaves 2: the BIA address and 0000.0c07.ac0a for group 10. Because you have not configured the HSRP group to use the BIA address, proxy ARP will reply with 0000.0c07.ac0a, the group 10 MAC address.
Sorry, in asking my question I made a typo. I meant to have group 10 on 192.168.20.10 and group 20 on 192.168.20.20. I think the question is valid once that correction is made.
When we have MHSRP configured you can definitely have multiple standby IPs with different group IDs under the same subnet, which will let you load balance your same-subnet traffic via 2 different pairs of HSRP-configured routers.
But then you also need to configure your machines with different gateways. Any machine of yours will have only one gateway, which is your standby IP address.
So as an example, in the case when you have 2 machines, you can configure each of them with a different gateway, and the proxy ARP reply will be from their gateway with its group MAC address.
The right implementation for this kind of scenario will be to have multiple groups for the same subnet, but with group 10 having a higher priority on router A and group 20 having a higher priority on router B. So machines whose gateway is the group 10 IP address will move out via router A and machines whose gateway is the group 20 IP address will move out from router B, and each group will reply with its MAC address in the PROXY ARP reply to its gateway configured address.
Hope I am able to explain. Also attaching a link for the above scenario.
Thanks, I understood all that up to the last bit where you said "each group will reply its mac address in PROXY ARP reply". The point about a proxy ARP is that it is not directed at a gateway address, but at a host behind the router. For example, consider this situation:
interface vlan 10
ip address 192.168.10.126 255.255.255.128
Now, suppose we have a host on this network that is configured with a mask of 255.255.255.0, and that host wants to talk to 192.168.10.200. (Assume the router has a route out some other interface or VLAN to 192.168.10.128/25.) The host believes it is in the same network as 192.168.10.200, so it puts out an ARP request for 192.168.10.200 directly. The router, seeing the ARP request, will respond on behalf of 192.168.10.200, giving its own BIA address.
Now add HSRP into the mix:
standby 10 ip 192.168.10.110
standby 20 ip 192.168.10.120
When the host puts out an ARP request for 192.168.10.200 (note NOT for the gateway address), which MAC address will the router send back in its proxy ARP response?
I just read your posting again. Are you saying that the router will send two proxy ARP replies, one for each group (assuming the router is active on both groups)?
Yeah, that's true: the router will send 2 proxy replies, one for each group, assuming the router is active on both groups, with one condition: that your clients having different gateways want to send traffic out of their network.
I mean, when you configure 2 standby groups on the same subnet, then you also have 2 virtual standby IP addresses. Now a few clients will have the gateway address for group 10 and a few clients will have the gateway address for group 20.
Now, in a situation when clients with the gateway addresses of group 10 and group 20 both want to send traffic out of their network, then both will send ARP requests and the router will reply with the MAC address for both groups, and the respective clients will use the MAC address as per their gateway address. But in case only clients configured with the gateway address of one single group want to send traffic out of the network and send an ARP request, then only that group's MAC address will be returned.
I hope I am able to explain.
*Pls rate all helpful posts
Kevin, I found a few interesting URLs on this topic:
At least this confirms that an HSRP address is used in the response. I believe that the case you are putting is fairly hypothetical while a router should not normally run two HSRP groups as active unless there is a network problem. Under normal circumstances, the router checks which HSRP group represents the best route for the given destination and replies with the corresponding HSRP address.
I believe that in the case that you describe, the router will use one of its addresses, but I do not know the criteria for making this selection.
When a network is load balanced using two routers and two HSRP groups, and each router runs one group in active mode, then your scenario means that both routers will respond to the proxy ARP request. It is then up to the client to determine which MAC address it chooses.
I am still not sure this is the same situation we are talking about. I am considering the case where the client is not ARPing for the gateway address, but for the final destination address. There are two situations where proxy ARP can happen:
1. The client has its own address configured as gateway. In this case it ARPs directly for the destination, regardless. If the router considers the destination to be on net, it does not reply. If the router considers it to be off net but it has a route to it, then it replies with its own address (or the HSRP address).
2. The client has a wider mask than the router, and the destination is one that the host considers to be on net, but the router considers to be off net, but it does have a route to it. In that case also, the host ARPs for the destination address, not the gateway.
I am setting up some experiments on this in my lab, and I shall post the results when I have them.
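A lab check for the open question in this thread, as an added example that is not part of any post: it parses raw Ethernet/ARP reply frames and reports whether each answer came by proxy and whether the sender MAC is an HSRP group address (the 0000.0c07.acXX form quoted above) or something else such as the BIA. The host MAC, the BIA, the host IP 192.168.10.5 and the sample frames are constructed for illustration; the subnet and target address follow the 192.168.10.126/25 scenario above.

```python
import ipaddress
import struct

HSRP_V1_PREFIX = bytes.fromhex("00000c07ac")  # 0000.0c07.acXX, XX = group number

def cisco_mac(mac: bytes) -> str:
    """Format 6 raw bytes in Cisco dotted notation, e.g. 0000.0c07.ac0a."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet/ARP reply frame (used only to construct sample input)."""
    header = target_mac + sender_mac + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
    return (header + sender_mac + ipaddress.IPv4Address(sender_ip).packed
            + target_mac + ipaddress.IPv4Address(target_ip).packed)

def classify_arp_reply(frame: bytes, router_subnet: str):
    """Return (sender_ip, sender_mac, mac_kind, is_proxy), or None if not an IPv4 ARP reply."""
    if len(frame) < 42:
        return None
    etype, htype, ptype, hlen, plen, oper = struct.unpack("!HHHBBH", frame[12:22])
    if (etype, htype, ptype, hlen, plen, oper) != (0x0806, 1, 0x0800, 6, 4, 2):
        return None
    mac, ip = frame[22:28], ipaddress.IPv4Address(frame[28:32])
    if mac[:5] == HSRP_V1_PREFIX:
        kind = f"hsrp-v1 group {mac[5]}"
    else:
        kind = "non-HSRP (BIA or host)"
    # An answer for an address outside the router's own subnet was given by proxy.
    is_proxy = ip not in ipaddress.ip_network(router_subnet)
    return str(ip), cisco_mac(mac), kind, is_proxy

HOST = bytes.fromhex("020000000001")   # constructed host MAC
BIA = bytes.fromhex("001122334455")    # constructed burned-in address
SAMPLE_FRAMES = [                      # constructed replies, one per candidate answer
    build_arp_reply(HSRP_V1_PREFIX + b"\x0a", "192.168.10.200", HOST, "192.168.10.5"),
    build_arp_reply(HSRP_V1_PREFIX + b"\x14", "192.168.10.200", HOST, "192.168.10.5"),
    build_arp_reply(BIA, "192.168.10.200", HOST, "192.168.10.5"),
    build_arp_reply(BIA, "192.168.10.126", HOST, "192.168.10.5"),
]

def run_samples():
    """Classify the constructed frames against the router's 192.168.10.0/25 subnet."""
    return [classify_arp_reply(f, "192.168.10.0/25") for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Fed frames captured on the host side of the VLAN, the same function shows how many proxy replies arrive for one request and which MAC each carries.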