1 Reply Latest reply on May 7, 2013 3:05 PM by levi

    NetVanta 3450 Proxy ARP?

    mcalmes New Member

      I recently deployed a NetVanta 3450 (AOS Version R10.6.0) on a customer's network that provides routes across a secondary network. It is NOT the default gateway and no routes were yet added to the default gateway, so I was stumped as to why traffic to random IP addresses at remote sites suddenly started routing through this new router. First, some topology for background.

       

      For this particular site the network is 192.168.114.0/24. Connectivity goes:

      MPLS Network -> Telco Managed MPLS Router (192.168.114.254, this is the default gateway) -> Sonicwall in Layer-2 Bridge Mode -> Switch <- new Adtran NV350 (192.168.114.1).

       

      Traceroutes would show that packets going to, say, 192.168.200.41 would mysteriously be routed to 192.168.114.1 (not the default gateway). Traceroutes to other addresses on the same remote network (say .200.42) would route through the Telco managed router (and default gateway) as expected.

       

      After a lot of finger pointing and circular logic with the telco support, I checked the ARP table of the Sonicwall. For some reason it had dynamic ARP entries for these random addresses with the MAC address of the NV3450's LAN interface. Flushing this ARP table resolved the issue, but after a while new addresses appear.

       

      I have no idea how the Sonicwall determined that the NV3450 could route these packets (I'll likely open a ticket with them). But it feels like the NV3450 is performing Proxy-ARP, but as far as I can tell that isn't even a feature of the AOS. Does the NV3450 do any sort of ARP proxy?

       

      FWIW, I had ip helper-address entries configured on the LAN interface of the NV3450. I've disabled them for now, though I wouldn't think that would make a difference. 

        • Re: NetVanta 3450 Proxy ARP?
          levi Employee

          mcalmes:

           

          Thank you for asking this question in the support community.  It appears, as you described, that proxy ARP is the issue.  The proxy ARP feature is enabled by default on AOS devices.  In general, the principle of proxy ARP allows a router to insert its IP address in the source IP address field of a packet (if the packet is from a host on one of its subnetworks). This allows hosts to reach devices on other subnetworks without implementing routing or specifying a default gateway. If proxy ARP is enabled, AOS will respond to all ARP requests with its specified medium access control (MAC) address and forward packets accordingly.

           

          The following example disables proxy ARP on the Ethernet interface:

          (config)# interface ethernet 0/1

          (config-eth 0/1)# no ip proxy-arp

           

          I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

           

          Levi
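
A check for the symptom described in this thread, added here as an example (not code from either poster or from ADTRAN): it scans an ARP table dump for entries outside the local subnet and groups them by the MAC address that answered for them. The `arp -an`-style input, the MAC addresses, and the addresses 192.168.114.37 and 192.168.200.97 are constructed for illustration, and the function name is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed sample in "arp -an" style. MAC addresses are made up; the
# 192.168.114.37 and 192.168.200.97 entries are invented for the example.
SAMPLE_ARP_TABLE = """\
? (192.168.114.254) at 02:00:00:00:00:fe [ether] on eth0
? (192.168.114.1) at 02:00:00:00:01:01 [ether] on eth0
? (192.168.114.37) at 02:00:00:00:02:25 [ether] on eth0
? (192.168.200.41) at 02:00:00:00:01:01 [ether] on eth0
? (192.168.200.97) at 02:00:00:00:01:01 [ether] on eth0
"""


def find_proxy_arp_suspects(arp_text, local_net):
    """Map each MAC that answered for off-subnet IPs to what it claimed.

    Returns {mac: {"owner_ips": [...], "off_subnet": [...]}}. An ARP entry for
    an address outside local_net means some device replied on behalf of an
    address it does not own, which is what a proxy-ARP router does.
    """
    net = ipaddress.ip_network(local_net)
    by_mac = defaultdict(lambda: {"owner_ips": [], "off_subnet": []})
    for line in arp_text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if not (ip_m and mac_m):
            continue  # header, blank line or incomplete entry
        try:
            ip = ipaddress.ip_address(ip_m.group(1))
        except ValueError:
            continue  # looked like an address but is not a valid one
        mac = mac_m.group(1).lower().replace("-", ":")
        by_mac[mac]["owner_ips" if ip in net else "off_subnet"].append(ip)
    # Report only MACs that hold at least one off-subnet entry.
    return {
        mac: {k: [str(i) for i in sorted(v)] for k, v in seen.items()}
        for mac, seen in by_mac.items()
        if seen["off_subnet"]
    }


if __name__ == "__main__":
    hits = find_proxy_arp_suspects(SAMPLE_ARP_TABLE, "192.168.114.0/24")
    for mac, seen in hits.items():
        owner = ", ".join(seen["owner_ips"]) or "unknown"
        print(f"{mac} ({owner}) answers ARP for {seen['off_subnet']}")
```

An empty result after `no ip proxy-arp` is applied and the ARP cache is flushed indicates the router has stopped answering for remote addresses.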