[c-nsp] Is proxy-arp evil?
Whisper
whisper555 at gmail.com
Tue Jul 29 23:04:31 EDT 2008
Elmi
There was a big discussion on this list about proxy-arp several months ago.
Do a search for the forums that keep this in forum format to read up about
it.
I think you will find the discussions educational. :)
On Wed, Jul 30, 2008 at 4:40 AM, Elmar K. Bins <elmi at 4ever.de> wrote:
> Hi knowledgeable fellows,
>
> I think I should bounce this off the people on this list before
> I shoot myself in the foot...
>
> My setup looks like this:
>
>                                     +--- [Server]
>   [ISP]---| a.b.c.d/28 |--[Router]--+--- [Server]
>                                     +--- [Server]
>
> Access network to the ISP is a.b.c.d/28, transfer network between
> "Router" (a WS-3750G in L3 mode) and Servers is something else (think
> 192.168.1.0/24) with every server having a unique address on that
> transfer network (like .2, .3 and .4).
>
> Every server also has one address from the access network, called
> "service address" on a loopback/dummy and the router is configured
> with static routes for that service address to each of the servers'
> transfer addresses:
>
>
> 3750#show run | i relevant
> !
> interface vlan 10
>  description OUTSIDE
>  ip address a.b.c.+2 255.255.255.240
> !
> interface vlan 11
>  description INSIDE
>  ip address 192.168.1.1 255.255.255.0
> !
> ip route 0.0.0.0 0.0.0.0 a.b.c.+1
> ip route a.b.c.+3 255.255.255.255 192.168.1.2
> ip route a.b.c.+3 255.255.255.255 192.168.1.3
> ip route a.b.c.+3 255.255.255.255 192.168.1.4
> !
> ip cef
> ip cef load-sharing algorithm tunnel
>
>
> This setup does work flawlessly as long as the service address is not
> from the ISP transfer block. CEF does a pretty good balancing job to
> the inside, the forwarding on a 3750 is not bad either.
>
> As soon as the service address is from the transfer block, I need to
> make traffic happen towards the routing system to be able to push
> it further (and control the routing).
>
> The solution I do see is to use
>
> interface vlan 11
>  ip local-proxy-arp
>
> on the inside interface.
>
>
> In my lab environment this seems to work flawlessly, but maybe I am
> overlooking an obvious alternative solution (renumbering the entire
> setup and adding a transfer network is not an option in the short run).
>
> Am I being st00pid? Is that how one is supposed to do it? Is there
> a way around proxy-arp (which I frankly never liked)?
>
> Any ideas/thoughts...
> Elmi.
>
> --
>
> "Limping is not a defect of a comparison, but should be regarded as an
> essential property of comparisons." (Marius Fränzel in desd)
>
> --------------------------------------------------------------[ ELMI-RIPE ]---
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
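The question in the thread is whether proxy ARP is harmful. One concrete reason many operators dislike it is on the detection side: once a router answers ARP for addresses that are not its own, an audit of ARP replies sees exactly the pattern a spoofing host produces (one MAC claiming many IPs), and with local proxy ARP the real on-segment host and the router both answer for the same IP, so the same IP shows up with two MACs. The following Python is an added example written for this page, not code from the thread or from the poster. It parses raw Ethernet/ARP reply frames and flags both symptoms; the MAC addresses, host layout and frames are constructed for the example, and it assumes the auditor is told the legitimate gateway MAC, since that is the only way the code can separate a proxy-ARP router from a spoofer.

```python
"""Audit raw Ethernet/ARP reply frames for the symptoms proxy ARP produces.

The sample frames below are constructed for this example, not captured traffic.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP reply frame (used here only to make sample input)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4 reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None when
    the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def audit_arp_replies(frames, gateway_mac):
    """Index which MAC answered for which IP.
    Returns {"conflicts": {ip: [macs]}, "multi": {mac: (label, [ips])}}.
    An IP answered by more than one MAC is a conflict: a spoofed host, or a real
    host plus a local-proxy-arp router both replying.  A MAC answering for several
    IPs is either the gateway doing proxy ARP or a host spoofing; the only thing
    that tells them apart here is the gateway MAC the caller supplies."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa, _, _ = parsed
        ip_to_macs[spa].add(sha)
        mac_to_ips[sha].add(spa)
    conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    multi = {}
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            label = "gateway proxy-arp" if mac == gateway_mac else "possible spoofing"
            multi[mac] = (label, sorted(ips))
    return {"conflicts": conflicts, "multi": multi}


# Constructed sample: an SVI MAC for the router, one real server, one rogue host,
# and a fifth host (.5) that sent the ARP requests being answered.
GATEWAY_MAC = "00:00:0c:00:00:01"
SERVER2_MAC = "52:54:00:00:00:02"
ROGUE_MAC = "de:ad:be:ef:00:01"
ASKER_MAC = "52:54:00:00:00:04"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "192.168.1.1", ASKER_MAC, "192.168.1.5"),  # normal
    build_arp_reply(GATEWAY_MAC, "192.168.1.3", ASKER_MAC, "192.168.1.5"),  # local-proxy-arp
    build_arp_reply(SERVER2_MAC, "192.168.1.2", ASKER_MAC, "192.168.1.5"),  # real host
    build_arp_reply(GATEWAY_MAC, "192.168.1.2", ASKER_MAC, "192.168.1.5"),  # router also answers
    build_arp_reply(ROGUE_MAC, "192.168.1.4", ASKER_MAC, "192.168.1.5"),    # rogue claims .4
    build_arp_reply(ROGUE_MAC, "192.168.1.1", ASKER_MAC, "192.168.1.5"),    # rogue claims gateway
]

if __name__ == "__main__":
    for kind, detail in audit_arp_replies(SAMPLE_FRAMES, GATEWAY_MAC).items():
        print(kind, detail)
```

Run as a script it prints the two conflicting IPs (.1, claimed by the router and the rogue; .2, claimed by the real server and the router) and the two MACs that answered for several addresses. Pass a wrong gateway MAC and the router is reported as "possible spoofing", which is the practical point: on a segment with proxy ARP enabled, ARP monitoring needs an explicit allow-list for the router, and every such exception is one more place a spoofer can hide.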