[c-nsp] Proxy ARP -- To disable, or not to disable..

Stephen Fulton sf at lists.esoteric.ca
Sat Mar 22 17:06:47 EDT 2008


 > I can't think of a single reason why you'd need proxy-arp, ever.

I ran into such a reason, recently.  We were migrating a customer from a 
competitor's colo to ours, and the customer had been using a Linux-based 
L2 firewall as their router.  We needed to create a temporary IPSec 
tunnel so that the customer devices could reach the new colo, but they 
were unwilling to create such a tunnel on their Linux box, so we could 
only place a router *within* their colo LAN, behind the Linux box, using 
routable addresses.  The quickest solution was to run proxy-arp at both 
ends.  Yes, static ARPs are better, but the customer was not positive 
about which hosts needed to use the temporary tunnel.

That said, most times, particularly with junior network types, proxy-arp 
creates more problems than it solves, and I insist it be disabled by 
default.

-- Stephen

Saku Ytti wrote:
> On (2008-03-22 12:16 -0400), Julio Arruda wrote:
>  
>> I do remember one specific topology (DMS switches with EIUs and etc), 
>> where proxy-arp was used as a requirement in some configurations.
> 
> I can't think of a single reason why you'd need proxy-arp, ever.
> However, for residential connections local-proxy-arp is a commonly needed feature
> and for some cruel and unusual reason local-proxy-arp does not work without
> having proxy-arp also on (at least this was the case in 12.2SB, hopefully
> fixed since, didn't bother opening DDTS, but just as writing this, I
> checked for DDTS and found CSCds43725, no fixed IOS' so far)
> 
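As an added example (not from the thread or any poster), a small Python audit of an IOS-style running-config that flags interfaces still at the enabled proxy-ARP default and, following Saku's observation, interfaces carrying `ip local-proxy-arp` with proxy-arp turned off. The sample config is constructed; `no ip proxy-arp` and `ip local-proxy-arp` are real IOS interface commands.

```python
from typing import Dict, List

# Constructed sample of an IOS-style running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
 ip local-proxy-arp
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas


def audit_proxy_arp(config: str) -> Dict[str, List[str]]:
    """Flag interfaces where proxy ARP is left at the IOS default (enabled),
    and interfaces with local-proxy-arp but proxy-arp disabled (per the thread)."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        proxy_off = "no ip proxy-arp" in cmds
        local_proxy = "ip local-proxy-arp" in cmds
        if not proxy_off:
            issues.append("proxy-arp enabled (IOS default); add 'no ip proxy-arp'")
        if local_proxy and proxy_off:
            issues.append("local-proxy-arp with proxy-arp disabled; may not work (CSCds43725)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for intf, problems in audit_proxy_arp(SAMPLE_CONFIG).items():
        print(intf, "->", "; ".join(problems))
```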

