[c-nsp] unwanted "arp reply" traffic at IX

Gert Doering gert at greenie.muc.de
Sat Nov 17 19:06:33 EST 2007


Hi,

On Sat, Nov 17, 2007 at 10:52:34PM +0100, Enno Rey wrote:
> > On Fri, Nov 16, 2007 at 04:50:00PM +0100, Gert Doering wrote:
> > > Have them configure "no ip gratuitous-arps".
> 
> hmm... I've always been of the (possibly wrong) opinion that "no
> ip gratuitous-arps" was only relevant in PPP scenarios and subsequently
> has no effect in (most) ethernet environments (which is the reason
> why I took it off my L2 hardening templates).

Well, the original poster said their customers (IXP members) are doing
L2TP termination on the same router that's connected to the IXP.

... which is serious PPP stuff...

(What this misfeature does is to send out a gratuitous ARP every time a
PPP user connects, to let "the neighbourhood know" where a given IP address
can now be reached.  Which might come in handy for environments where
the concept of "routing" is completely misunderstood, and everything is
proxy-ARPed.  But even then, it's a bad idea, because "normal" proxy-arp
would handle this just fine.  Whoever coded this, and whoever made it
on-by-default needs serious enlightenment...)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
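An added example, not part of Gert's post and not Cisco's code: a small Python audit that parses raw Ethernet/ARP frames captured on a peering LAN, flags gratuitous ARPs (sender and target IP equal, whatever the opcode) and separates the harmless case, a peer announcing its own LAN address once, from a router announcing off-LAN addresses for every PPP session it terminates, which is the behaviour "no ip gratuitous-arps" switches off. The sample frames, MACs and prefixes (192.0.2.0/24 for the peering LAN, 198.51.100.0/24 for a member's PPP pool) are constructed here; the threshold and prefix check are assumptions about what an IX operator would consider noisy.

```python
"""Spot gratuitous ARP frames on a peering LAN from raw Ethernet/ARP bytes."""
import ipaddress
import socket
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP frame; used here only to construct sample input."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + socket.inet_aton(spa)
           + mac_bytes(tha) + socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "src_mac": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]),
        "tpa": socket.inet_ntoa(frame[38:42]),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender and target IP are equal."""
    return arp["spa"] == arp["tpa"]


def audit(frames, peering_prefix, threshold=2):
    """Count gratuitous ARPs per source MAC and collect announced IPs outside the peering LAN."""
    prefix = ipaddress.ip_network(peering_prefix)
    per_sender = Counter()
    off_prefix = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        per_sender[arp["src_mac"]] += 1
        if ipaddress.ip_address(arp["spa"]) not in prefix:
            off_prefix.add((arp["src_mac"], arp["spa"]))
    noisy = {mac: n for mac, n in per_sender.items() if n >= threshold}
    return noisy, sorted(off_prefix)


# Constructed sample: 192.0.2.0/24 stands in for the peering LAN, 198.51.100.0/24
# for a member's PPP pool. The MACs are made-up locally administered addresses.
PEER_A, PEER_B, PEER_C = "02:00:00:00:00:10", "02:00:00:00:00:20", "02:00:00:00:00:30"
SAMPLE_FRAMES = [
    # ordinary resolution on the peering LAN: request + reply
    build_arp_frame(PEER_B, BROADCAST, ARP_REQUEST, PEER_B, "192.0.2.20", "00:00:00:00:00:00", "192.0.2.30"),
    build_arp_frame(PEER_C, PEER_B, ARP_REPLY, PEER_C, "192.0.2.30", PEER_B, "192.0.2.20"),
    # peer A announcing each PPP subscriber that just connected, as unsolicited replies
    build_arp_frame(PEER_A, BROADCAST, ARP_REPLY, PEER_A, "198.51.100.7", BROADCAST, "198.51.100.7"),
    build_arp_frame(PEER_A, BROADCAST, ARP_REPLY, PEER_A, "198.51.100.8", BROADCAST, "198.51.100.8"),
    build_arp_frame(PEER_A, BROADCAST, ARP_REPLY, PEER_A, "198.51.100.7", BROADCAST, "198.51.100.7"),
    # one gratuitous ARP for a peer's own LAN address (e.g. after an interface bounce) is normal
    build_arp_frame(PEER_C, BROADCAST, ARP_REQUEST, PEER_C, "192.0.2.30", "00:00:00:00:00:00", "192.0.2.30"),
    # something that is not ARP at all (IPv4 ethertype, padded payload)
    mac_bytes(BROADCAST) + mac_bytes(PEER_B) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27,
]

if __name__ == "__main__":
    noisy, off_prefix = audit(SAMPLE_FRAMES, "192.0.2.0/24")
    print("noisy senders:", noisy)
    print("off-prefix announcements:", off_prefix)
```

Run against real frames (for example, bytes pulled from a pcap of the IX port), the two outputs point at the same thing from different angles: a source MAC that repeats gratuitous ARPs is the candidate router, and announced addresses outside the peering prefix are the PPP subscriber IPs its L2TP termination is leaking onto the exchange. Either is enough to ask that member to apply "no ip gratuitous-arps".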