[c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches

Masood Ahmad Shah masood at nexlinx.net.pk
Tue May 8 10:10:26 EDT 2007


Before the local proxy ARP feature can be used, the IP proxy ARP feature 
must be enabled :)

Well, there is another problem. In network configurations that have the 
DHCP server and DHCP clients in different network segments, the 
"ip-helper" feature enables forwarding the DHCP requests to the server.
However, if the "local-proxy-arp" feature is configured on that same IP 
interface, the clients will have problems obtaining an IP address from 
the DHCP server, mistakenly thinking there is an IP address duplication 
on the network.
This happens because the DHCP client OS TCP/IP stack implementation 
sends a gratuitous ARP to the network with its assigned address, in 
order to verify that there is no IP address conflict.
The router's proxy-arp function responds to that request with the 
address stored in its ARP table during DHCP negotiation, causing the 
client to display an error message warning about another station using 
the same address it was assigned.

Workaround: disable ip local-proxy-arp.

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>   
>> Alan,
>>
>> Did you try to disable ICMP redirects? (no ip redirects on the VLAN
>> interface)?
>>     
>
> ip local-proxy-arp seems to be the beast. can anyone dissuade? with
> this, coupled with DAI and a better L3 ACL on the VLAN you should
> be able to block any nefarious L3 attacks whilst reporting them etc.
>
> oh. a word of warning to those implementing this...by default if
> there are a dozen or so ARP spoofs in a short space of time, then
> it'll trigger a port error - arpspoof - which can be auto reset with
> an errdisable recovery - or you can avoid by setting no limit on the
> arpspoof count. this could bite if the interface was a trunk feed
> from a whole building/subnet/campus ;-)
>
> alan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>   

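Added example (written for this page, not the poster's or Cisco's code): a small Python model of the DHCP/gratuitous-ARP interaction Masood describes above, so the failure can be reproduced offline. The class names, the addresses and the assumption that the relaying interface holds the lease in its ARP table are constructed for illustration.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ArpPacket:
    """Minimal ARP frame; a gratuitous ARP is a request whose sender and target IP match."""
    sender_mac: str
    sender_ip: str
    target_ip: str
    is_reply: bool = False


@dataclass
class RouterInterface:
    """Hypothetical model of one SVI running ip helper and, optionally, ip local-proxy-arp."""
    ip: str
    mac: str
    network: str                                   # e.g. "10.1.1.0/24"
    local_proxy_arp: bool = False
    arp_table: dict = field(default_factory=dict)  # ip -> mac known on this segment

    def relay_dhcp_ack(self, client_mac: str, assigned_ip: str) -> None:
        # Assumption taken from the post: the relay ends up with the lease in its ARP table.
        self.arp_table[assigned_ip] = client_mac

    def handle_arp_request(self, req: ArpPacket):
        """Return the reply the router would send on this interface, or None if it stays silent."""
        if req.target_ip == self.ip:  # the router's own address is always answered
            return ArpPacket(self.mac, self.ip, req.sender_ip, is_reply=True)
        in_subnet = ipaddress.ip_address(req.target_ip) in ipaddress.ip_network(self.network)
        # Local proxy ARP answers for other hosts in the *same* subnet with the router's MAC.
        if self.local_proxy_arp and in_subnet and req.target_ip in self.arp_table:
            return ArpPacket(self.mac, req.target_ip, req.sender_ip, is_reply=True)
        return None  # plain ARP: only the real owner of the address would answer


def client_detects_conflict(iface: RouterInterface, client_mac: str, assigned_ip: str) -> bool:
    """The DHCP client probes its new lease with a gratuitous ARP; a foreign answer means 'duplicate'."""
    probe = ArpPacket(client_mac, assigned_ip, assigned_ip)
    reply = iface.handle_arp_request(probe)
    return reply is not None and reply.sender_ip == assigned_ip and reply.sender_mac != client_mac


def run_scenario(local_proxy_arp: bool) -> bool:
    """Constructed sample: client 00:11:22:33:44:55 leases 10.1.1.50 through the helper on 10.1.1.1."""
    svi = RouterInterface("10.1.1.1", "00:00:0c:aa:bb:cc", "10.1.1.0/24", local_proxy_arp)
    svi.relay_dhcp_ack("00:11:22:33:44:55", "10.1.1.50")
    return client_detects_conflict(svi, "00:11:22:33:44:55", "10.1.1.50")


if __name__ == "__main__":
    print("ip local-proxy-arp    -> conflict:", run_scenario(True))   # True
    print("no ip local-proxy-arp -> conflict:", run_scenario(False))  # False
```

The same model shows why the feature gets enabled in the first place: with it on, an ARP request for another known host in the subnet is answered by the router, which is the behaviour wanted on isolated-port designs but exactly what the DHCP client's duplicate-address probe trips over.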