Cisco Support Community

Proxy-arp issue?

Here is the issue. We have two companies currently merging together. Each has a core switch architecture consisting of a 3750 Stack. Traditionally they would have been connected via a DMZ Firewall infrastructure, like so:

Company A LAN <> 3750-A-Stack <> Firewall A <> DMZ <> Firewall B <> 3750-B-Stack <> Company B LAN

The companies have introduced a direct uplink between the Stacks on a VLAN 400. Static routes point between the stacks for connectivity for various common services.

Company A LAN <> 3750-A-Stack <> 3750-B-Stack <> Company B LAN

Both routes between Company A & B are in place and services are being migrated via static routes. Each company has its separate EIGRP domain which are not redistributed into each other. All routing between the companies is conducted via static routes.

As part of the inter-company email service integration, there was a requirement to provide connectivity between Company A's Exchange Server and Company B's Exchange Server. This connection was to be provisioned via the Firewalls/DMZ network and NOT via the direct link.

Here are some useful addresses:

Useful IPs

Company A VLAN 400 IP Address - 172.17.0.9/22

Company B VLAN 400 IP Address - 172.17.0.11/22

Company A Internal Firewall Address - 172.17.0.43/22

Company B Internal Firewall Address - 10.0.10.1/24

Company A Exchange Server - 172.17.1.30/22

Company B Exchange Server - 10.3.185.19/25

The following static route was applied on Company B's stack:

ip route 172.17.1.30 255.255.255.255 10.0.10.1

As soon as this static was introduced devices on the Company A LAN began receiving conflicting arp entries for the Company A Exchange Server.

Some were receiving the correct MAC address (i.e. AAAA.AAAA.AAAA), but some were receiving the following MAC address - f025.72b6.e145. This MAC address is the virtual MAC for VLAN400 on Company B's Switch Stack.

Vlan400 is up, line protocol is up

  Hardware is EtherSVI, address is f025.72b6.e145 (bia f025.72b6.e145)

  Description: Company A LAN

  Internet address is 172.17.0.11/22

Removing the static route resolved the issue.

I would like to know what the best way of resolving this issue is. Is this a common proxy-arp issue? If so, will turning proxy-arp off on VLAN 400 on Company B's stack fix the issue? What impact will this have on other services? VLAN 400 is the main VLAN for Company A. Company B just uses an address on VLAN 400 for interconnectivity.

What's the best way to resolve this problem? Your help would be appreciated.

Regards

Tony Riccardi
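
Added example, not part of the original post: a simplified Python model of the standard proxy ARP rule (answer an ARP request with the router's own MAC when the best route to the requested address leaves through a different interface than the one the request arrived on), applied to Company B's stack with the addresses from the post. The interface name `Vlan10` for the 10.0.10.0/24 side is an assumption, and the model ignores everything except connected and static routes.

```python
import ipaddress

# Constructed model of Company B's stack, using addresses from the post.
# "Vlan10" (the interface facing 10.0.10.1) is a hypothetical name.
CONNECTED = [
    ("172.17.0.0/22", "Vlan400"),
    ("10.0.10.0/24", "Vlan10"),
]
HOST_ROUTE = ("172.17.1.30/32", "10.0.10.1")  # the static route from the post


def build_rib(statics=()):
    """Return [(network, egress_interface)]; statics resolve via connected nets."""
    rib = [(ipaddress.ip_network(p), ifc) for p, ifc in CONNECTED]
    for prefix, next_hop in statics:
        hop = ipaddress.ip_address(next_hop)
        egress = next(ifc for net, ifc in rib if hop in net)
        rib.append((ipaddress.ip_network(prefix), egress))
    return rib


def egress_for(rib, target):
    """Longest-prefix match; None when no route covers the target."""
    addr = ipaddress.ip_address(target)
    matches = [(net.prefixlen, ifc) for net, ifc in rib if addr in net]
    return max(matches)[1] if matches else None


def proxy_arp_replies(rib, in_ifc, target, proxy_arp=True):
    """True if the router would answer the ARP request on in_ifc with its own
    MAC: proxy ARP enabled and best route to target exits another interface."""
    egress = egress_for(rib, target)
    return proxy_arp and egress is not None and egress != in_ifc


if __name__ == "__main__":
    cases = (("no static", build_rib()), ("with /32 static", build_rib([HOST_ROUTE])))
    for label, rib in cases:
        for enabled in (True, False):
            answer = proxy_arp_replies(rib, "Vlan400", "172.17.1.30", enabled)
            print(f"{label:16} proxy_arp={enabled!s:5} -> replies={answer}")
```

In this model only the combination of the /32 static and proxy ARP enabled on Vlan400 produces a reply for 172.17.1.30; other hosts in 172.17.0.0/22 still match the connected route and get no proxy reply.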
