Will proxy-arp fix this incorrectly subnetted network?

I inherited a network where the subnets are setup incorrectly; in so
far as I have subnets inside a 172.16/24 network that are netmasked to
be physically local but are, in fact, served by remote routers.

E.g.:

172.16.1.0/24 is local
172.16.26.0/24 is remote

The two networks are connected by a 2610 at my local end and a 3725 at
the remote end. I would like machines at both ends of the network to be
able to talk to each other; and I would like to do this without adding
static routes, changing IP addresses or changing netmasks.

Can I do this by enabling 'proxy-arp' on the LAN ports of each router
in question? I only wish to pass regular traffic over this link, I'm
not interested in doing DHCP or anything (so no need for 'ip
helper-address'). This thread kind of spills over from here:
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/53c0f0f01e0fd63b

Suggestions? TIA and HAND!


Chris

 

On 22.05.2006 22:01 Chris wrote

This -----------------------------------^^

looks strange. You ar shure it should really read /24 and not /16?

If it is really like above then simply let all machines one
172.16.1.0/24 point to your 2610 ( @ let's say 172.16.1.254), all of
your 172.16.26.0/24 point to your 3725 ( @ let's say 172.16.26.254) and
each of your ciscos route the other network via the whatever common
interface. What do they have in between?

 

Yes! Sorry, in my haste I posted the wrong mask. Oops.

They are both /16, i.e. the netmask is 255.255.0.0 for both networks
even though they are physically distant and thus require a router 'in
between' the two.

They have some kind of a serial connection between them, I presume
something like a T1 or a leased-line. 172.16.1.194 is Ethernet0 on the
local Cisco to me, 172.16.26.194 is Ethernet0 on the remote Cisco.
10.1.2.2 is Serial0 on the local Cisco to me, and 10.1.2.1 is it's
gateway (presumably Serial0 on the remote router).

So, the problem is that the 172.16.1.0 and 172.16.26.0 machines both
have subnets of 255.255.0.0, so they do not think that they need to
talk to a router to get to each other even though they do. My question
is, will enabling proxy-arp on Eth0 on both routers fix this problem
for me? Without moving IP networks or changing subnet masks everywhere.


Chris

 

Yes. Configure the subnet masks and routes correctly on the routers,
and proxy ARP will take care of routing the traffic transparently.

 

Thanks again for all your help, Barry. When you say "correctly", do you
mean that on the routers I should use 255.255.255.0 even though the
rest of the networks are set as 255.255.0.0 (which is incorrect for my
application)?


Chris

 

Thanks again for all your help, Barry. When you say "correctly", do you
mean that on the routers I should use 255.255.255.0 even though the
rest of the networks are set as 255.255.0.0 (which is incorrect for my
application)?
[/QUOTE]

Correctly means that you have to set subnet mask and broadcast accordingly

e.g. for the C2610

!
interface FastEthernet 0/0
ip address 172.16.1.194 255.255.255.0
ip broadcast-address 172.16.255.255
!
! static route to the other network
!
ip route 172.16.26.0 255.255.255.0 10.1.2.1

 

Thanks again for all your help, Barry. When you say "correctly", do you
mean that on the routers I should use 255.255.255.0 even though the
rest of the networks are set as 255.255.0.0 (which is incorrect for my
application)?
[/QUOTE]

Correctly means that you have to set subnet mask and broadcast accordingly

e.g. for the C2610

!
interface FastEthernet 0/0
ip address 172.16.1.194 255.255.255.0
ip broadcast-address 172.16.255.255
!
! static route to the other network
!
ip route 172.16.26.0 255.255.255.0 10.1.2.1

 

So, the problem is that the 172.16.1.0 and 172.16.26.0 machines both

So, you're asking whether proxy-arp will solve your problems with the
incorrect configuration? The short answer is no. Proxy arp isn't
going to do anything for you. Both routers think that 172.16.0.0/16 is
connected to their ethernet interface, and they have no reason to route
it.

It's possible that you could make it work with more specific static
routes (on your routers and all hosts), but do you really want to? It
seems really short-sighted. Don't work around an incorrect
configuration. Fix it the right way, or you'll have to fix it again
later.

 

Perhaps I don't want a solution, as much as I desire a temporary
work-around.

The problem is that I inherited this recently, and it was built long
ago. Some of the sites are geographically quite distant, and they have
many (100+ hosts); not all of which are using DHCP. So, to change all
the addressing at a big site far away (with no real tech there to help
me) isn't going to be the easiest thing to do in a hurry :-|

 

I've reread this thread, what Arnold and Barry wrote, and then also
refreshed my memory on proxy arp from Cisco's website, and I need to
retract my statement. I can now confidently say "I don't know" to your
original question.

Reading the proxy arp doc (
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml
), it sounds like it should work for your purposes, until you get to
the last bullet point toward the end: "It does not generalize to all
network topologies (for example, more than one router connecting two
physical networks)."

So, ... let us know?

Fred

 

Yes. The point is that the routers need to know the *true* organization
of the subnets. The router at each site needs to know that its LAN does
not contain the entire /16, but just a /24. Its routing table will tell
it that the rest of the /16 is reached via the WAN, and it will use
proxy ARP to route this transparently to the client machines that have
their masks set incorrectly.

 

Okay great, thanks Barry -- that clears it up. I was just wondering if
the routers were 'smart' enough to see that the subnet masking I was
using was, in fact, incorrect and that the mere presence of proxy-arp
would fix the issue. I doubted that would be the case, though, and
wanted to make sure that I'd need to change the subnet masks to be
'correct' in terms of how they would be setup in an ideal environment.


Chris

 

You know that proxy-arp is on by default, don't you? So if it's not
already doing what you want, it obviously isn't smart enough to figure
it out automatically.

 

Yep, I do, but unless it runs (even by default) without appearing in
the system's running-config, it's not running on these routers in
question.

(snipped)

interface Ethernet0/0
ip address 172.16.1.194 255.255.0.0
no ip mroute-cache
no mop enabled
!
interface Serial0/0
ip address 10.1.2.2 255.0.0.0
no ip mroute-cache
no fair-queue
!
interface Serial0/1
no ip address
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial0/2
no ip address
no ip mroute-cache
shutdown
!
no ip classless
ip route 172.16.25.0 255.255.255.0 10.1.2.1
ip route 172.16.26.0 255.255.255.0 10.1.2.1
ip route 172.16.27.0 255.255.255.0 10.1.2.1
ip route 172.16.28.0 255.255.255.0 10.1.2.1


Chris

 

Yep, I do, but unless it runs (even by default) without appearing in
the system's running-config, it's not running on these routers in
question.

(snipped)

interface Ethernet0/0
ip address 172.16.1.194 255.255.0.0[/QUOTE]

Imho this should read

interface Ethernet 0/0
ip address 172.16.1.194 255.255.255.0
ip broadcast-address 172.16.255.255

 

Most default settings don't appear in "show running-config". Use "show
ip interface ethernet0/0" and you'll probably see it.

 

Ah, you're right:

aug-br0#show ip interface ethernet0/0
Ethernet0/0 is up, line protocol is up
Internet address is 172.16.1.194/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled

I guess, then, that the only thing I can do is change the IP address
and netmask to be 'correct' and hope for the best?


Chris

 

Ah, you're right:

aug-br0#show ip interface ethernet0/0
Ethernet0/0 is up, line protocol is up
Internet address is 172.16.1.194/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled

I guess, then, that the only thing I can do is change the IP address
and netmask to be 'correct' and hope for the best?
[/QUOTE]

You have to set the broadcast address to 172.16.255.255 as well.

 

You have to set the broadcast address to 172.16.255.255 as well.[/QUOTE]

Not that it really matters. Unless he's running something like RIP on
the LAN, the router rarely needs to send broadcasts.

 

I'm still having problems with all of this, however I can now post some
clearer information on the exact problems...

Our local network is made up of three subnets: 172.16.1.0/16,
172.16.10.0/16, 172.16.11.0/16. The *majority* of clients live in
172.16.10.0 and 172.16.11.0.

A local router (172.16.1.194/16) connects through a directly-connected
T1 to a remote router (172.16.26.1/24) for access to a remote network
consisting of 172.16.26.0/24 and 172.16.27.0/24.

Clients that exist locally in 172.16.1.0/16 *can* ping the local router
(172.16.1.194/16) and *can* ping the remote router (172.16.26.1/24) via
the T1. Clients that exist locally in 172.16.10.0/16 can ping the local
router but *CANNOT* ping the remote router, or any other host across
the T1.

A traceroute from a machine in the 172.16.10.0/16 network stops at the
local router (172.16.1.194/16), so it is clear that it is a routing or
addressing issue:

([email protected])$ traceroute -n 172.16.26.1
traceroute to 172.16.26.1 from 172.16.10.20, 64 hops max, 40 byte
packets
1 172.16.1.194 3.858 ms 1.200 ms 1.059 ms
2 * * *

Please note that 172.16.1.0, 172.16.10.0 and 172.16.11.0 have a subnet
mask of /16 as they are all directly-connected through a Layer-2
switch. No dynamic routing is used in the network. And as has been
covered in this thread, the subnet masks are 'incorrect' in terms of
172.16.26 really being remote, and not local.

Local router config:

version 11.3
!
interface Ethernet0/0
ip address 172.16.1.194 255.255.0.0
no ip mroute-cache
no mop enabled
!
interface Serial0/0
ip address 10.1.2.2 255.0.0.0
no ip mroute-cache
no fair-queue
!
no ip classless
ip route 172.16.25.0 255.255.255.0 10.1.2.1
ip route 172.16.26.0 255.255.255.0 10.1.2.1
ip route 172.16.27.0 255.255.255.0 10.1.2.1
ip route 172.16.28.0 255.255.255.0 10.1.2.1

Remote router config:

version 12.2
!
ip subnet-zero
!
interface FastEthernet0/0
ip address 172.16.26.1 255.255.255.0
duplex auto
speed auto
appletalk cable-range 20000-20000 20000.18
appletalk zone Augusta
no cdp enable
!
interface Serial0/0
description t1 to irrelevant remote office
ip address 10.1.0.1 255.255.255.252
encapsulation ppp
!
interface FastEthernet0/1
ip address 172.16.27.1 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
description t1 to local router (i.e. the important one)
ip address 10.1.2.1 255.255.255.252
no cdp enable
!
interface Serial0/2
description t1 to another irrelevant office
ip address 10.1.1.1 255.255.255.252
appletalk cable-range 10000-10000 10000.7
appletalk zone WAN
no cdp enable
!
ip classless
ip route 172.16.1.0 255.255.255.0 10.1.2.2
ip route 172.16.3.0 255.255.255.0 10.1.2.2
ip route 172.16.25.0 255.255.255.0 10.1.1.2
ip route 172.16.28.0 255.255.255.0 10.1.0.2
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom

As you can see, the remote router happens to have a couple of extra T1s
that hang off it connecting to other sites; but those aren't relevant
to the discussion here.

As always, thanks for your help guys!


Chris
I'm not a routing expert, but I play one on T.V.