[c-nsp] Proxy ARP -- To disable, or not to disable..
Gert Doering
gert at greenie.muc.de
Fri Mar 21 17:28:35 EDT 2008
Hi,
On Fri, Mar 21, 2008 at 12:12:45PM -0700, Eric Cables wrote:
> A recent network audit has discovered that Proxy ARP is enabled on pretty
> much every L3 interface in the network. As a Cisco default, this isn't
> surprising, since no template configs have it disabled.
>
> The question is: whether or not I should go back and disable it, or just
> leave it be, since it doesn't appear to be causing any problems.
Disable it, but expect surprises.
Proxy arp is a wonderful way to hide network misconfigurations - like
"machines configured with a wrong subnet mask" *usually* will "just work"
(thanks to proxy ARP), but all of a sudden fail due to a seemingly
unrelated network change. So if you turn it off, it might uncover existing
issues that have been masked.
Which is why I think that having proxy ARP on-by-default is a massively
stupid idea - it might seem like a nice and helpful feature, but as it
hides *other* problems, in the end, the issues are always going to be
*more* nasty than without proxy ARP.
(Selectively enabled, it can be a nice and very useful tool. But not
on-by-default).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
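The "wrong subnet mask masked by proxy ARP" failure Gert describes can be checked for before turning the feature off. The following is an added example, not code from the thread: given the real prefix of a router interface and the IP/mask each host actually has configured (constructed sample values here), it flags hosts whose mask disagrees with the interface and shows which destinations they would wrongly ARP for directly, i.e. which flows currently depend on the router's proxy ARP reply.

```python
"""Find hosts whose subnet mask only 'works' because of proxy ARP.

Added example (not from the cisco-nsp thread). Sample subnet, host
configurations and destinations below are constructed for illustration.
"""
from ipaddress import IPv4Interface, IPv4Network, ip_address

# Constructed sample: the router interface is 10.1.1.0/24, but two hosts
# were configured with masks that are too wide.
REAL_SUBNET = "10.1.1.0/24"
HOST_CONFIGS = ["10.1.1.10/24", "10.1.1.20/16", "10.1.1.30/8"]
SAMPLE_DESTINATIONS = ["10.1.1.50", "10.1.2.5", "10.2.0.5", "192.0.2.9"]


def misconfigured_hosts(real_subnet, host_configs):
    """Return {host_ip: network_the_host_believes_in} for every host whose
    configured prefix differs from the router interface's real prefix."""
    truth = IPv4Network(real_subnet)
    bad = {}
    for cfg in host_configs:
        iface = IPv4Interface(cfg)
        if iface.network != truth:
            bad[str(iface.ip)] = iface.network
    return bad


def hidden_by_proxy_arp(host_config, real_subnet, destination):
    """True when the host thinks `destination` is on-link (and so ARPs for it
    directly) although it is outside the real subnet. Such traffic is only
    delivered because the router answers the ARP via proxy ARP."""
    iface = IPv4Interface(host_config)
    truth = IPv4Network(real_subnet)
    dst = ip_address(destination)
    return dst in iface.network and dst not in truth


def proxy_arp_dependencies(real_subnet, host_configs, destinations):
    """Map each misconfigured host to the destinations that will break
    once proxy ARP is disabled on the interface."""
    deps = {}
    for cfg in host_configs:
        broken = [d for d in destinations
                  if hidden_by_proxy_arp(cfg, real_subnet, d)]
        if broken:
            deps[str(IPv4Interface(cfg).ip)] = broken
    return deps


if __name__ == "__main__":
    for host, net in misconfigured_hosts(REAL_SUBNET, HOST_CONFIGS).items():
        print(f"{host}: configured in {net}, real subnet is {REAL_SUBNET}")
    for host, dsts in proxy_arp_dependencies(
            REAL_SUBNET, HOST_CONFIGS, SAMPLE_DESTINATIONS).items():
        print(f"{host} reaches {dsts} only via proxy ARP")
```

Run it against the real interface prefix and an inventory of host IP/mask pairs (from DHCP leases or host configs) to get the list of hosts to fix before adding `no ip proxy-arp`.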