[nsp] proxy arp and dual homed internet

Matt Bazan Mbazan at onelegal.com
Tue May 11 18:10:28 EDT 2004


Hey all,
	Got a question on dual homed internet questions and proxy arp
that I've been unable to figure out.  Here's the deal:  our company
hosts our web farm at a co-location facility that provides us with
redundant internet connectivity.  Here's how it looks:

           to sprint                to at&t
               |                       |
               |                       |
           colo router 1            colo router 2
               |                       |
               |                       |
           colo switch 1            colo switch 2
               |                       |
           128.104.221.32 /30     128.104.228.36 /30
               |                       |
               \                       /
            eth0\128.104.221.34   eth1/128.104.221.38
                  HA firewalls (active/passive cluster)

colo routers and colo switches are the data center's equipment.  HA
firewalls are my responsibility.

Our primary Internet connection is the 128.104.221.32 net.

In our case they have provided us with an additional /27 block
(128.104.224.96 /27) that I'm NAT'ing on the outside of our firewall.
What they're telling me is that in order to provide us with redundant
internet connections our HA firewall appliance needs to support proxy
arp.  Now I understand proxy arp; I cannot, however, figure out how
proxy arp is used to provide this redundancy.  Their net engineer
states:
> 'The reason for proxy arp is how we are sending you your
> netblock. We are routing to your virtual interface, or
> ethernet port (on our switch). This way if the link or port goes
> down the route will fall out of the routing table and stop routing to
> a dead link and then rerouting to the other router to your
> other connection. Routing this way sends a broadcast route on
> your connection and is asking for a reply. If your device
> does not support proxy arp then it will not answer for the
> route and traffic will not flow to your network.'

My question is:  how does proxy arp enable the above?  I don't get it.
For me, proxy arp has always been used to physically separate one
subnet... so, my guess is that the ip addressing scheme they have given us
is actually flat in some manner and their routing techniques are using
arp to determine if the primary or secondary route is to be used.  Can
someone shed some light on what may be going on here for me?  Thanks
much..

  Matt
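
Added example, not part of the original post: a small Python model of one reading of the engineer's description, assuming "routing to your ... ethernet port" means a route that names an interface instead of a next-hop address, so the colo router ARPs for each NAT address itself. The destination addresses and function names are constructed; the /27 and eth0 address are from the post.

```python
import ipaddress

NAT_BLOCK = ipaddress.ip_network("128.104.224.96/27")  # NAT block from the post
FW_ETH0 = ipaddress.ip_address("128.104.221.34")       # firewall eth0 from the post

def arp_target(dst, next_hop=None):
    """Address the upstream router sends 'who-has' for.

    next_hop=None models a route that points at an interface: the router
    treats dst as directly connected and ARPs for dst itself (assumption
    about the colo's setup, see lead-in)."""
    return ipaddress.ip_address(next_hop if next_hop else dst)

def firewall_replies(target, own_ips, proxy_nets):
    """The firewall answers ARP for its own addresses, plus any address in a
    network it is explicitly configured to proxy for (scoped proxy ARP)."""
    return target in own_ips or any(target in net for net in proxy_nets)

def delivered(dst, next_hop, proxy_nets):
    """True if the router gets an ARP reply and can forward the packet."""
    return firewall_replies(arp_target(dst, next_hop), {FW_ETH0}, proxy_nets)

if __name__ == "__main__":
    nat_ip = "128.104.224.100"   # constructed: one address inside the /27
    other = "128.104.221.37"     # constructed: address outside the /27
    cases = [
        ("interface route, no proxy ARP", nat_ip, None, []),
        ("interface route, proxy ARP for /27", nat_ip, None, [NAT_BLOCK]),
        ("next-hop route, no proxy ARP", nat_ip, str(FW_ETH0), []),
        ("interface route, address outside /27", other, None, [NAT_BLOCK]),
    ]
    for label, dst, nh, nets in cases:
        who_has = arp_target(dst, nh)
        ok = delivered(dst, nh, nets)
        print(f"{label:40} who-has {who_has!s:16} delivered={ok}")
```

Scoping the proxy list to the NAT block, as in the second case, keeps the firewall from answering ARP for addresses it does not own or translate.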


