Proxy ARP
As part of my cert prep, I've started working my way through the Boson Netsim CCNA labs. The experience hasn't been perfect so far, but most forum threads and a couple of trusted YouTubers highly recommend it, so I'm powering through it. Anyway, the reason I mention Boson is that I had a little existential crisis during one of their labs and, according to a couple of Reddit threads I happened across, I'm not alone.
The lab topology is shown below. The bottom-right LAN, which we'll call LAN01_Clients, is 10.10.10.0/24, and the bottom-left LAN, which we'll call LAN02_Servers, is 192.0.2.0/26. Switch1 and Switch2 handle layer 2 traffic for their respective networks, and Switch3 handles layer 3 traffic between them.
The lab instructions have you configure two layer 3 interfaces on Switch3, fa0/1 for LAN01_Clients, and fa0/0 for LAN02_Servers. These two interfaces will be the default gateways for their respective subnets.
Then you configure the VLAN 1 SVI (switch virtual interface) on Switch2 with an address in the LAN01_Clients subnet.
The potentially confusing part is what comes next. They have you ping Switch3's LAN02_Servers interface (192.0.2.62) from Switch2 in LAN01_Clients. Given the fact that Switch2 still doesn't have a default gateway configured, you might expect these pings to fail. Well, the joke's on you, because the pings go through anyway.
This didn't make sense to me, and Boson's explanation (screenshot below) wasn't particularly satisfying. Switch2 doesn't just magically know how to reach remote networks because it shares a link with Switch3. Something else must be going on here.
I did some digging and found that at some point, Cisco started configuring their switches to ARP out for resources even if said resources weren't in the local subnet. So that's what Switch2 is doing. Additionally, if Switch3 has proxy ARP configured (which it does, apparently), it will reply to Switch2's ARP requests and tell it to send packets for LAN02_Servers to its LAN01_Clients interface.
We can confirm this by checking Switch2's ARP table to see which MAC address the remote IP address is mapped to.
Here's Switch2's ARP table:
And here we can confirm that the MAC address in question is for Switch3's LAN01_Clients interface.
I configured Switch1's VLAN 1 SVI with an IP address of 192.0.2.61 and was able to ping that from Switch2 as well. Again, we can see that Switch2 maps the remote IP address to Switch3's LAN01_Clients interface.
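The ARP-table check described above can be automated. The following is an added example, not part of the lab or of Boson's material: it parses `show ip arp` output and reports every address outside the local subnet that was nevertheless resolved by ARP, grouped by the MAC that answered. The MAC addresses and the 10.10.10.x host addresses in the sample are constructed; only 192.0.2.61 and 192.0.2.62 come from the lab.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `show ip arp` on Switch2. MAC addresses and the
# 10.10.10.x addresses are made up; 192.0.2.61/.62 are the lab's addresses.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              4   0c1b.aa00.0301  ARPA   Vlan1
Internet  10.10.10.2              -   0c1b.aa00.0201  ARPA   Vlan1
Internet  192.0.2.61              1   0c1b.aa00.0301  ARPA   Vlan1
Internet  192.0.2.62              2   0c1b.aa00.0301  ARPA   Vlan1
"""

def parse_arp(text):
    """Yield (ip, mac, interface) for each 'Internet' row of the table."""
    for line in text.splitlines():
        f = line.split()
        # Data rows have exactly six columns; the header row does not.
        if len(f) == 6 and f[0] == "Internet":
            yield ipaddress.ip_address(f[1]), f[3].lower(), f[5]

def find_proxied(text, local_net):
    """Return {mac: [off-subnet IPs]}: addresses that are not on the local
    subnet but still have an ARP entry, i.e. some neighbour answered for them."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(list)
    for ip, mac, _ifname in parse_arp(text):
        if ip not in net:
            hits[mac].append(str(ip))
    return dict(hits)

def answering_neighbor(text, local_net, mac):
    """On-subnet addresses that share `mac`: the device doing the answering."""
    net = ipaddress.ip_network(local_net)
    return [str(ip) for ip, m, _ in parse_arp(text) if m == mac and ip in net]

if __name__ == "__main__":
    local = "10.10.10.0/24"
    for mac, ips in find_proxied(SAMPLE_ARP, local).items():
        owner = answering_neighbor(SAMPLE_ARP, local, mac)
        print(f"{mac} (on-subnet address {owner}) answers for off-subnet {ips}")
```

One MAC answering for many addresses is also what a reviewer looks for when auditing ARP tables, so a finding here should be explainable by a known router interface. On IOS, `no ip proxy-arp` on the routed interface turns the behaviour off, and `ip default-gateway` on the layer 2 switch removes the reliance on it.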
Again, Boson's explanation for all this is pretty weak considering they made no mention of proxy ARP, but this was a good opportunity for me to fill a knowledge gap. I had heard of proxy ARP before, but it fell to the back of my brain because I hadn't considered real-world applications for it. I hope you found the information useful.
By the way, you can check out the original thread that I found to explain the behavior. I've attached a PDF copy of the page as well in case the original ever goes down.
Thanks for reading!