Advanced ARP: reply-only, proxy-arp, local-proxy-arp

Рет қаралды 13,286

Күн бұрын

Пікірлер: 25

@RobertRidleyE Жыл бұрын

local-proxy-arp is useful when you have some old IP cameras with broken IP stacks(reolink). On a reboot the cameras work for a few hours/days but will eventually not reply to arp on the same broadcast domain. Setting local-proxy-arp on the router vlan interface for that subnet allows for it to always work.

@excession1293 Жыл бұрын

Finally understand the difference between proxy-arp and local-proxy-arp, thank you!

@CCL13CN Жыл бұрын

I like the "prnt" at 4:40. Very realistic.

@ussul6524 Жыл бұрын

most interesting arp trickery. IDK if I ever use it, but it is nice to learn. Thank you.

@wildorb1209 Жыл бұрын

Since the bootcamp in Riga, I have really understood the functions. 🙂

@stephanszarafinski9001 Жыл бұрын

Thanks for putting your time and effort into this video, it was not a waste of time!

@mikrotik Жыл бұрын

Glad it was helpful!

@alexandrcifer76 4 ай бұрын

Thanks ALOT for your effort, sure made it MUCH easier to troubleshoot badly configured setups for me

@mondy-chan Жыл бұрын

time well spent mate, thx for the explanation!

@stuartloberg4840 Жыл бұрын

I loved the depth of this video :)

@drumaddict89 Жыл бұрын

thanks. some clearance to ARP trickery on rOS looking forward to new VLAN videos

@Problembaer4 Жыл бұрын

I got in my mind that way: proxy-arp works not between devices in the same l2-segment, but needs a entry in the routing table to work. local-proxy-arp works like a proxy in the l2-segment. every arp-request is answered by the router (regardless of the routing table entries). the combination with horizon is new to me.

@RB01-lite Жыл бұрын

If what you mean by l2-segment is the broadcast domain then you got it correct that proxy-arp is not the same broadcast domain, but there is no entry in the routing table needed. Same in the local-proxy case, devices are not in the same broadcast domain - they cannot send layer2 frames directly to each other, they can only do layer3 communication.

@TGeersing Жыл бұрын

Time well spent!

@ВиталийБойко-з5й Жыл бұрын

Why is it useful to have network (bridged) members not sharing a broadcast domain?

@RB01-lite Жыл бұрын

Good question. Can't say from experience, but I imagine if some hosts like to spam a lot of broadcast messages or you are worried about a potential layer2 attack, you could solve it that way.

@ВиталийБойко-з5й Жыл бұрын

@@RB01-lite like in unicast mode? gotta research this one

@aidangillett5396 Жыл бұрын

When you want to isolate users from each other, but you don't want or need the additional overhead and complexity of individual routed or VLAN segment. I.e. a student campus network. You don't want a student plugging in the LAN port of a router into the wall socket and flooding DHCP everywhere, or a printer/TV/whatever and having it visible to all other rooms. If there are 500 rooms, you would then need to create 500 VLAN's. Or you can simply use horizon (or port isolation) to prevent any cross talk between rooms and get away with a single VLAN and subnet. A heck of a lot cleaner and simpler

@ВиталийБойко-з5й Жыл бұрын

@@aidangillett5396 makes sense, like a campus network where clients shouldn't be communicating with one another

@rycius-hy1jw Жыл бұрын

Mikrotik, i still can't understand why do think that arp reply and learning modes shuold be combined in one place ... they must by separate as all big players do. Because there are cases then you don't want to dynamically learn arp, but want to proxy it.

@mikrotik Жыл бұрын

Could you please elaborate on the use case for arp-proxy without ARP learning? ARP proxy is very rarely used as it is already, this seems like even more niche requirement that can already be satisfied using other RouterOS features.

@rycius-hy1jw Жыл бұрын

@@mikrotik Access network with Split horizon bridging/Private VLAN/Client Isolation (call it as you want) and DHCP Server with "Add arp for leases" combination requires disabled ARP learning and enabled local-proxy-arp (to keep communication between devices in same bridge domain). This problem was posted many times in your forum. Today it's possible to solve this problem only with bridge filtering (requires wasting extra resources), but it only work's when vlan's are not involved, because if you implement bridge with vlan support, you can't filter packets by parameters witch are VLAN tagged.

@unhuman42 Жыл бұрын

Прикольно. Выглядит довольно олдскульно, как артефакты ушедшей цивилизации :) Сейчас стандартный путь - роутинг, маршрутизаторы, BGP и вот это вот всё.