What is Proxy ARP and why should I care?

Network without a default gateway

Proxy ARP can be used in a network where clients on different physical networks are configured as if they were all on the same subnet. It creates a subnetting effect without changing the network configuration of the devices. A router or switch with Proxy ARP enabled answers ARP requests for hosts it can reach with its own MAC address. Traffic from clients to devices outside the local network is therefore sent to the router or switch, which then forwards it.

In this day and age there is no reason to have Proxy ARP enabled unless you know exactly what you're doing.


Potential security risk

If more than one router or switch connects the two physical networks, traffic may not flow as expected, and failover between the routers or switches will probably not work. Devices on your LAN also do not know the physical layout of the network: any device appears reachable by sending an ARP request, which may increase the amount of ARP traffic on your network.

Furthermore, it makes ARP spoofing harder to detect, since an attacker can easily hide behind the MAC address of the router or switch: all traffic from a victim device to hosts outside the local network already goes to that one destination MAC address (Proxy ARP makes the router or switch answer with its own MAC address).

On large networks it may also force the router or switch to needlessly spend memory and processing on a larger ARP table.
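The two symptoms described above can be checked from a packet capture: one MAC address answering ARP requests for many addresses outside the local subnet is the Proxy ARP signature, and one IP address seen with several MAC addresses is a spoofing indicator. The script below is an added example, not Panorama9 code; it parses ARP reply lines in the format tcpdump -n prints them and works on a constructed sample capture.

```python
import ipaddress
import re
from collections import defaultdict

# Matches ARP reply lines as printed by tcpdump -n, e.g.
#   12:00:00.000001 ARP, Reply 10.0.5.7 is-at 00:11:22:33:44:01, length 28
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture from a 192.168.1.0/24 segment (not data from the article).
SAMPLE_LINES = [
    "12:00:00.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",   # the router
    "12:00:00.000002 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28",
    "12:00:00.000003 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28",
    "12:00:00.000004 ARP, Reply 10.0.5.7 is-at 00:11:22:33:44:01, length 28",      # off-subnet, router MAC
    "12:00:00.000005 ARP, Reply 10.0.5.8 is-at 00:11:22:33:44:01, length 28",      # off-subnet, router MAC
    "12:00:00.000006 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:99, length 28",  # second MAC for one IP
    "12:00:00.000007 ARP, Request who-has 192.168.1.30 tell 192.168.1.10, length 28",  # not a reply
]

def parse_arp_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for any other line."""
    m = ARP_REPLY_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None

def analyse_arp(lines, local_subnet):
    """Return (proxy_suspects, conflicts).
    proxy_suspects: MAC -> sorted off-subnet IPs that MAC claimed to own
                    (one MAC answering for many off-subnet IPs is the Proxy ARP signature).
    conflicts:      IP -> sorted distinct MACs seen for it (possible ARP spoofing)."""
    net = ipaddress.ip_network(local_subnet, strict=False)
    macs_by_ip = defaultdict(set)
    offsubnet_by_mac = defaultdict(set)
    for line in lines:
        reply = parse_arp_reply(line)
        if reply is None:
            continue
        ip, mac = reply
        macs_by_ip[ip].add(mac)
        if ipaddress.ip_address(ip) not in net:
            offsubnet_by_mac[mac].add(ip)
    proxy_suspects = {mac: sorted(ips) for mac, ips in offsubnet_by_mac.items()}
    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return proxy_suspects, conflicts

if __name__ == "__main__":
    proxy, conflicts = analyse_arp(SAMPLE_LINES, "192.168.1.0/24")
    for mac, ips in proxy.items():
        print(f"Proxy ARP suspect {mac} answered for off-subnet hosts: {', '.join(ips)}")
    for ip, macs in conflicts.items():
        print(f"IP {ip} seen with several MACs: {', '.join(macs)}")
```

On a live segment, feed it the output of tcpdump -n -l arp instead of SAMPLE_LINES and pass your own subnet.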


Impact on the Panorama9 system

The Panorama9 system may have issues discovering peripheral devices (e.g. printers and switches) if Proxy ARP is enabled. Devices with the Panorama9 agent installed are not able to "see" beyond their own physical network. So unless there is an active Panorama9 agent in each subnet, you risk not getting the full picture, since the router or switch is impersonating everything outside the subnet.

If you have Proxy ARP enabled, the Panorama9 system generates a network vulnerability issue that can be viewed when logged into the Panorama9 Dashboard.


How to disable Proxy ARP

Proxy ARP is enabled by default on Cisco IOS interfaces. Enter configuration mode (configure terminal), select each LAN interface and disable it there (GigabitEthernet0/0 below is an example interface name):

Router(config)# interface GigabitEthernet0/0
Router(config-if)# no ip proxy-arp

The same command can be used to disable Proxy ARP on Hewlett Packard devices, where it is not enabled by default.


About us

Panorama9 instantly gives you the full picture of your IT environment and provides you with the tools needed to quickly respond when issues are detected. Patch management, remote control and network discovery, all built into one beautiful and easy-to-use solution.
