Detecting Proxy ARP from SNMP

Discussion in 'Cisco' started by Max Baker, Jan 29, 2004.

  1. Max Baker

    Max Baker Guest

    Hey Gurus,

    Does anyone know of detecting Proxy ARP from SNMP? I have a fun network
    management utility (http://netdisco.org) that gets a little confused
    when pointed to a router running Proxy ARP.

    As far as I've found, there is no direct MIB that says, "hey this
    interface is running Proxy Arp!" You can of course find this out
    through the CLI on a device, but I work only in the SNMP domain. So
    I'm looking for an indirect CLUE that maybe the ARP cache for a certain
    interface/device isn't to be trusted.

    Thanks.
    Max - Author of SNMP::Info and Netdisco

    PS. Please CC this e-mail too ;-)
     
    Max Baker, Jan 29, 2004
    #1

  2. Max Baker

    shope Guest

    "Max Baker" <> wrote in message
    news:fjZRb.8336$...
    > Hey Gurus,
    >
    > Does anyone know of detecting Proxy ARP from SNMP? I have a fun network
    > management utility (http://netdisco.org) that gets a little confused
    > when pointed to a router running Proxy ARP.
    >
    > As far as I've found, there is no direct MIB that says, "hey this
    > interface is running Proxy Arp!" You can of course find this out
    > through the CLI on a device, but I work only in the SNMP domain. So
    > I'm looking for an indirect CLUE that maybe the ARP cache for a certain
    > interface/device isn't to be trusted.


    max - maybe this is down to the subnet masks for the interface and the
    routers on the same subnet?

    proxy ARP is on by default on cisco, but doesn't have any effect until a
    device tries to send an ARP for an IP off the local subnet - and it only
    does that when it has a mask for a "bigger" local subnet.

    So - proxy ARP is in place and in use on a router, when the mask for a local
    device is not consistent with the router, but the device has ARP entries in
    its table for devices outside the local subnet, and that point at the MAC
    address of the router.
    >
    > Thanks.
    > Max - Author of SNMP::Info and Netdisco
    >
    > PS. Please CC this e-mail too ;-)

    --
    Regards

    Stephen Hope - remove xx from email to reply
     
    shope, Jan 29, 2004
    #2

  3. In article <Vu5Sb.13171$>,
    shope <> wrote:
    :proxy ARP is on by default on cisco, but doesn't have any effect until a
    :device tries to send an ARP for an IP off the local subnet - and it only
    :does that when it has a mask for a "bigger" local subnet.

    That doesn't sound quite right.

    I have two Class C's, one of them internally fragmented. Call them N
    (non-fragmented) and F (fragmented).

    According to what you wrote above, if something in N is looking for
    something in F, then none of the fragments of F is bigger than N, then
    the router will never do proxy arp that way around.

    But according to what you wrote above, when sending from any fragment
    of F to N, because N will be bigger, then the proxy arp will work.

    And if I'm sending within fragments of F, then according to what you
    wrote, whether the proxy arp works or not depends on the relative
    fragment sizes, with two /26's not able to send to each other, either
    /26 able to send to a /25, and the /25 not able to proxy arp
    to either /26.
    --
    Sub-millibarn resolution bio-hyperdimensional plasmatic space
    polyimaging is just around the corner. -- Corry Lee Smith
     
    Walter Roberson, Feb 2, 2004
    #3
  4. On 2 Feb 2004 18:54:15 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <Vu5Sb.13171$>,
    >shope <> wrote:
    >:proxy ARP is on by default on cisco, but doesn't have any effect until a
    >:device tries to send an ARP for an IP off the local subnet - and it only
    >:does that when it has a mask for a "bigger" local subnet.
    >
    >That doesn't sound quite right.
    >
    >I have two Class C's, one of them internally fragmented. Call them N
    >(non-fragmented) and F (fragmented).
    >
    >According to what you wrote above, if something in N is looking for
    >something in F, then none of the fragments of F is bigger than N, then
    >the router will never do proxy arp that way around.
    >
    >But according to what you wrote above, when sending from any fragment
    >of F to N, because N will be bigger, then the proxy arp will work.
    >
    >And if I'm sending within fragments of F, then according to what you
    >wrote, whether the proxy arp works or not depends on the relative
    >fragment sizes, with two /26's not able to send to each other, either
    >/26 able to send to a /25, and the /25 not able to proxy arp
    >to either /26.


    What he was referring to is the typical example of a host being
    configured with a subnet mask that is larger than it should be; e.g., a
    host configured as 10.0.0.10/8 when the subnet it is on is really
    10.0.0.0/24. In this case, the host will ARP for everything in
    10.0.0.0/8, most of which is actually outside the host's subnet.
    Normally these ARPs would go answered, unless there's a Cisco around
    on which proxy-arp hasn't been disabled.

    This is how proxy-arp essentially allows broken networks to function,
    which is why it is ugly and should be avoided. And based on posts
    here and elsewhere it seems 95% of its usage is accidental anyway.

    -Terry
     
    Terry Baranski, Feb 3, 2004
    #4
  5. Max Baker

    Hansang Bae Guest

    In article <bvm6cn$7fj$>, -
    cnrc.gc.ca says...
    > That doesn't sound quite right.
    > I have two Class C's, one of them internally fragmented. Call them N
    > (non-fragmented) and F (fragmented).
    > According to what you wrote above, if something in N is looking for
    > something in F, then none of the fragments of F is bigger than N, then
    > the router will never do proxy arp that way around.

    [snip]

    Getting around this stub segments is another use for proxy-arp. So two
    separated IP subnets will talk to one another via proxy-arp.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Feb 3, 2004
    #5
  6. Max Baker

    shope Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bvm6cn$7fj$...
    > In article <Vu5Sb.13171$>,
    > shope <> wrote:
    > :proxy ARP is on by default on cisco, but doesn't have any effect until a
    > :device tries to send an ARP for an IP off the local subnet - and it only
    > :does that when it has a mask for a "bigger" local subnet.
    >
    > That doesn't sound quite right.
    >
    > I have two Class C's, one of them internally fragmented. Call them N
    > (non-fragmented) and F (fragmented).
    >
    > According to what you wrote above, if something in N is looking for
    > something in F, then none of the fragments of F is bigger than N, then
    > the router will never do proxy arp that way around.


    no - normal case would use a router explicitly, cos a device in N looks at
    the dest address in F, together with the local address and mask, and decides
    the network portions don't match. So, target address is out of subnet, give
    the packet to the default gateway.

    The way to see the difference is that the ARP request from N generated would
    be for the default gateway, not the target address in F.

    the other 2 posts explain some of what i was trying to say about the way
    proxy ARP is intended to work - it is a useful tool, and can make migration
    between addresses easier - but like all good tools with sharp edges
    originally designed for something else, it is easy to cut yourself.....

    >
    > But according to what you wrote above, when sending from any fragment
    > of F to N, because N will be bigger, then the proxy arp will work.
    >
    > And if I'm sending within fragments of F, then according to what you
    > wrote, whether the proxy arp works or not depends on the relative
    > fragment sizes, with two /26's not able to send to each other, either
    > /26 able to send to a /25, and the /25 not able to proxy arp
    > to either /26.


    not quite - the decision to ARP is from the original source - it sends the
    ARP to either the default gateway or the final target, depending on whether
    the target looks to be "local" - and that is based on source IP address,
    mask and target IP.
    > --
    > Sub-millibarn resolution bio-hyperdimensional plasmatic space
    > polyimaging is just around the corner. -- Corry Lee Smith

    --
    Regards

    Stephen Hope - remove xx from email to reply
     
    shope, Feb 4, 2004
    #6
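The indirect check described in posts #2 and #6, written out as an added example (not code from any poster, SNMP::Info or Netdisco): it models the host's choice of ARP target from its own mask, then flags ARP-cache rows whose IP lies outside the interface's real subnet. The rows are constructed sample data in the shape of IP-MIB's ipNetToMediaTable; the function names, MAC addresses and the subnet map (assumed to come from the router's ipAddrTable) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (ifIndex, IP, MAC) rows as polled from ipNetToMediaTable
# on a device whose interface 2 is mis-masked as 10.0.0.10/8.
ARP_ROWS = [
    (2, "10.0.0.1",   "00:00:0c:aa:bb:01"),  # router, genuinely on-link
    (2, "10.0.0.20",  "00:11:22:33:44:20"),  # neighbouring host
    (2, "10.0.5.7",   "00:00:0C:AA:BB:01"),  # off-subnet IP, router's MAC
    (2, "10.9.1.200", "00:00:0c:aa:bb:01"),  # off-subnet IP, router's MAC
]

# Real subnet per ifIndex (assumption: taken from the router's ipAddrTable).
REAL_SUBNET = {2: ipaddress.ip_network("10.0.0.0/24")}


def arp_target(src_interface, dst, gateway):
    """Address the host ARPs for: dst if its own mask says on-link, else the gateway."""
    network = ipaddress.ip_interface(src_interface).network
    return dst if ipaddress.ip_address(dst) in network else gateway


def proxy_arp_suspects(rows, real_subnet):
    """Map (ifIndex, mac) -> IPs it answered for that lie outside the real subnet."""
    suspects = defaultdict(list)
    for ifindex, ip, mac in rows:
        net = real_subnet.get(ifindex)
        if net is None:
            continue  # no mask known for this interface, cannot judge the row
        if ipaddress.ip_address(ip) not in net:
            suspects[(ifindex, mac.lower())].append(ip)
    return dict(suspects)


if __name__ == "__main__":
    for (ifindex, mac), ips in proxy_arp_suspects(ARP_ROWS, REAL_SUBNET).items():
        print(f"ifIndex {ifindex}: {mac} answers for off-subnet {ips}; ARP cache not trustworthy")
```

A MAC that collects off-subnet IPs this way is the clue that ARP data for that interface maps addresses to the proxying router rather than to the real end hosts.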