ip proxy-arp

ipproxy-arpHowDoesProxyARPWork?ProxyARP是如何工作的？BelowisanexampleofhowproxyARPworks:下面这个例子说明了ProxyARP是如何工作的NetworkDiagram图表TheHostA(172.16.10.100)onSubnetAneedstosendpacketstoHostD(172.16.20.200)onSubnetB.Asshowninthediagramabove,HostAhasa/16subnetmask.WhatthismeansisthatHostAbelievesthatitisdirectlyconnectedtoallofnetwork172.16.0.0.WhenHostAneedstocommunicatewithanydevicesitbelievesaredirectlyconnected,itwillsendanARPrequesttothedestination.Therefore,whenHostAneedstosendapackettoHostD,HostAbelievesthatHostDisdirectlyconnected,soitsendsanARPrequesttoHostD.这个主机A要发送数据包到主机D。图表显示主机A使用的是16位掩码。（注意这一点！）主机A相信目的网段是直接连接在172.16.0.0上的。于是主机A直接发送一个ARP请求给目的站点。ToreachHostD(172.16.20.200),HostAneedstheMACaddressofHostD.Therefore,HostAbroadcastsanARPrequestonSubnetA,asbelow:主机A需要得到主机D的MAC地址，所以主机A广播ARP请求：Sender'sMACAddressSender'sIPAddressTargetMACAddressTargetIPAddress00-00-0c-94-36-aa172.16.10.10000-00-00-00-00-00172.16.20.200InaboveARPrequest,HostA(172.16.10.100)isrequestingthatHostD(172.16.20.200)senditsMACaddress.TheaboveARPrequestpacketisthenencapsulatedinanEthernetframewithHostA'sMACaddressasthesourceaddressandabroadcast(FFFF.FFFF.FFFF)asthedestinationaddress.SincetheARPrequestisabroadcast,itreachesallthenodesintheSubnetA,includingtherouter'se0interface,butdoesnotreachHostD.ThebroadcastwillnotreachHostDbecauserouters,bydefault,donotforwardbroadcasts.ARP请求里主机A将自己的MAC地址作为源地址FFFF.FFFF.FFFF做为目的地址进行广播。但是路由器的E0口默认不支持转发广播。所以主机D不能响应这个ARP请求。Sincetherouterknowsthatthetargetaddress(172.16.20.200)isonanothersubnetandcanreachHostD,itwillreplywithitsownMACaddresstoHostA.路由器知道主机D在其他子网，于是用自己的MAC地址来应答ASender'sMACAddressSender'sIPAddressTargetMACAddressTargetIPAddress00-00-0c-94-36-ab172.16.20.20000-00-0c-94-36-aa172.16.10.100AboveistheProxyARPreplythattheroutersendstoHostA.TheproxyARPreplypacketisencapsulatedinanEthernetframewithrouter'sMACaddressasthesourceaddressandHostA'sMACaddressasthedestinationaddress.TheARPrepliesarealwaysunicasttotheoriginalrequester.路由器用自己接口的MAC地址作为源地址回复ARP应答给主机A。这个ARP应答总是利用单播来回复。OnreceivingthisARPreply,HostAupdatesitsARPtableasbelow:主机A收到ARP请求后更新自己的MAC地址表IPAddressMACAddress172.16.20.20000-00-0c-94-36-abFromnowonHostAwillforwardallthepacketsthatitwantstoreach172.16.20.200(HostD)totheMACaddress00-00-0c-94-36-ab(router).SincetherouterknowshowtoreachHostD,therouterforwardsthepackettoHostD.TheARPcacheonthehostsinSubnetAispopulatedwiththeMACaddressoftherouterforallthehostsonSubnetB.Hence,allpacketsdestinedtoSubnetBaresenttotherouter.TherouterforwardsthosepacketstothehostsinSubnetB.现在主机A如果发送数据包给主机D就将数据发送给MAC00-00-0c-94-36-ab.由路由器转发给主机D。所以目的地址为子网B的数据都发送给路由器。子网A内所有主机ARP地址表显示去往子网B主机的MAC地址全是路由器接口的MAC地址。这个路由器转发其他数据包到子网B。TheARPcacheofHostAisgivenbelow:这个主机A的ARP地址表IPAddressMACAddress172.16.20.20000-00-0c-94-36-ab172.16.20.10000-00-0c-94-36-ab172.16.10.9900-00-0c-94-36-ab172.16.10.20000-00-0c-94-36-bbNote:MultipleIPaddressesaremappedtoasingleMACaddress(therouter'sMACaddress),indicatingthatproxyARPisinuse.多个IP地址被映射到一个MAC地址。标志这在路由器上使用了proxy-arp。(查看主机的arp表就清楚）TheCiscorouter'sinterfaceshouldbeconfiguredtoacceptandrespondtoproxyARP.Thisisenabledbydefault.ProxyARPcanbedisabledonaperinterfacebasiswiththeinterfaceconfigurationcommandnoipproxy-arp,asshownbelow:cisco交换机应该配置为能够支持proxyarp。而且它默认是被开启的。如果需要关闭可以使用noipproxy-arp在接口模式下关闭。Router#configureterminalEnterconfigurationcommands,oneperline.EndwithCNTL/Z.Router(config)#interfaceethernet0Router(config-if)#noipproxy-arpRouter(config-if)#^ZRouter#ToenableproxyARPonaninterface,usetheipproxy-arpinterfaceconfigurationcommand.在接口上使用ipproxy-arp命令启用proxy-arp补充：摘自CCNA学习指南：为什么要用代理ARP呢？这是因为网络中的主机是不允许设置多个默认网关的。如果某个默认网关出现问题，使用代理ARP可以自动帮助那些在某个子网中的主机，在不重新配置路由甚至默认网关的情况下，发送数据到远程主机。使用代理ARP的一个优点是，可以在网络中单独地增加一台路由器而不扰乱同在一个网络上的其他路由器的路由组成。使用代理ARP一个严重缺点是：会明显增加网络分段中的传输业务量，并且网络中的主机也将会保存比正常时大许多的ARP表。（这点我们在上面翻译中已经可以看到，主机还保存了其他子网的主机的mac地址）