Sometimes strange things happen: a computer can communicate with another computer although, according to IP addressing and the routing table, this should not be possible. This is where Proxy ARP comes into play …
Proxy ARP
A router with Proxy ARP enabled can present itself as another host. By default, Proxy ARP is enabled on most (Cisco) routers.
Now let's take a closer look at this feature and its impact on computer networks in the form of a simple scenario.
Scenario
Computer B sends a ping to computer C.
1. Computer B compares its own IP address and subnet mask with the IP address of computer C.
2. Computer B concludes that computer C is in the same subnet (10.10.10.0/8 = 10.x.x.x, which contains 10.20.10.50). This conclusion is correct given B's subnet mask, but wrong given the topology: computer C is actually located in a different subnet, 10.20.10.0/24.
3. Based on (2), computer B does not contact its gateway but sends an ARP broadcast on its own link. Normally neither the router nor computer A responds with an ARP reply, because neither device is configured with the IP address 10.20.10.50.
4. Now Proxy ARP comes into play: the router sees the ARP broadcast and recognizes that the request is addressed to the network 10.20.10.0/24, which is reachable via the router itself. The router could help out here, and that is exactly what it does.
5. The router sends an ARP reply containing the MAC address of its own interface, presenting itself as computer C on behalf of computer B.
6. Computer B receives the MAC address of the router's interface. From then on, all packets addressed to computer C are sent to the router, which transparently forwards traffic between computer B and computer C.
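The decision logic of steps 1 to 6, as an added example that is not part of the original post: computer B's "is the target local?" check and the router's ARP handling with Proxy ARP on and off. The addresses of computer B (misconfigured with a /8 mask), the router interfaces and the router MAC are constructed assumptions; only 10.20.10.50 and 10.20.10.0/24 come from the scenario.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed topology (assumptions, except computer C and its /24 subnet).
COMPUTER_B = IPv4Interface("10.10.10.20/8")   # wrong mask: should be /24
COMPUTER_C = IPv4Address("10.20.10.50")
ROUTER_MAC = "00:11:22:33:44:01"
ROUTER_INTERFACES = {
    "Gi0/0": IPv4Interface("10.10.10.1/24"),  # link shared with computers A and B
    "Gi0/1": IPv4Interface("10.20.10.1/24"),  # link to computer C
}


def host_thinks_local(host: IPv4Interface, target: IPv4Address) -> bool:
    """Steps 1-2: the host compares its own IP/mask with the target address."""
    return target in host.network


def router_arp_reply(router, proxy_arp_enabled, ingress_if, target):
    """Steps 3-5: what the router answers to an ARP request seen on ingress_if.

    Returns the MAC to put in the ARP reply, or None for no reply.
    """
    # Plain ARP: the router answers only for its own addresses.
    if any(iface.ip == target for iface in router.values()):
        return ROUTER_MAC
    if not proxy_arp_enabled:
        return None
    # Proxy ARP: answer for a target that sits on another connected interface.
    for ifname, iface in router.items():
        if ifname != ingress_if and target in iface.network:
            return ROUTER_MAC
    return None


def resolve_next_hop(proxy_arp_enabled: bool) -> str:
    """Step 6: who computer B ends up sending its frames to computer C to."""
    if not host_thinks_local(COMPUTER_B, COMPUTER_C):
        return "default gateway"  # a correctly configured host would do this
    reply = router_arp_reply(ROUTER_INTERFACES, proxy_arp_enabled, "Gi0/0", COMPUTER_C)
    # With Proxy ARP the router's MAC silently masks B's misconfiguration;
    # without it the ping fails, which makes the wrong mask visible.
    return reply if reply else "no ARP reply: computer C unreachable"
```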
Categories: Cisco