[c-nsp] Proxy ARP -- To disable, or not to disable..

Fred Reimer freimer at ctiusa.com
Fri Mar 21 20:47:18 EDT 2008


I believe it is on by default because it has to be.  Even Cisco best
practices say to turn it off.  IP source routing is on by default also...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Friday, March 21, 2008 5:29 PM
To: Eric Cables
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

Hi,

On Fri, Mar 21, 2008 at 12:12:45PM -0700, Eric Cables wrote:
> A recent network audit has discovered that Proxy ARP is enabled on pretty
> much every L3 interface in the network.  As a Cisco default, this isn't
> surprising, since no template configs have it disabled.
> 
> The question is: whether or not I should go back and disable it, or just
> leave it be, since it doesn't appear to be causing any problems.

Disable it, but expect surprises.

Proxy arp is a wonderful way to hide network misconfigurations - like
"machines configured with a wrong subnet mask" *usually* will "just work"
(thanks to proxy ARP), but all of a sudden fail due to a seemingly 
unrelated network change.  So if you turn it off, it might uncover existing
issues that have been masked.

Which is why I think that having proxy ARP on-by-default is a massively
stupid idea - it might seem like a nice and helpful feature, but as it
hides *other* problems, in the end, the issues are always going to be
*more* nasty than without proxy ARP.

(Selectively enabled, it can be a nice and very useful tool.  But not
on-by-default).

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
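As an added illustration of the masking Gert describes (not code from the thread), this Python check uses a constructed host inventory to flag hosts whose configured mask is wider than the real prefix, and models which off-link destinations stop working for them once the router no longer answers their ARP requests:

```python
import ipaddress

# Constructed inventory (assumed values, not from the thread): the prefix the
# router interface actually serves and the address/mask each host has configured.
REAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")
HOSTS = {
    "srv-a": "10.1.1.10/24",   # correct mask
    "srv-b": "10.1.1.20/16",   # mask too wide: believes all of 10.1.0.0/16 is on-link
    "srv-c": "10.1.1.30/25",   # mask too narrow: uses the gateway for 10.1.1.128-255
}

def host_arps_for(host_cidr, dst):
    """True if a host with this address/mask treats dst as on-link and ARPs for it."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_cidr).network

def delivered(host_cidr, dst, proxy_arp):
    """Does a packet from the host reach dst?
    A destination inside the real prefix is answered by its owner.  An off-link
    destination works if the host sends it to its gateway; if the host wrongly
    ARPs for it instead, only the router's proxy reply (proxy ARP on) saves it."""
    if ipaddress.ip_address(dst) in REAL_SUBNET:
        return True
    if not host_arps_for(host_cidr, dst):
        return True
    return proxy_arp

def masked_by_proxy_arp(hosts, real_subnet):
    """Names of hosts whose configured network strictly contains the real prefix:
    they 'just work' today only because the router proxies their ARP requests."""
    hits = []
    for name, cidr in hosts.items():
        net = ipaddress.ip_interface(cidr).network
        if net != real_subnet and net.supernet_of(real_subnet):
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for name in masked_by_proxy_arp(HOSTS, REAL_SUBNET):
        print(f"{name}: depends on proxy ARP, reachability of 10.1.5.5 without it =",
              delivered(HOSTS[name], "10.1.5.5", proxy_arp=False))
```

Running the audit before flipping `no ip proxy-arp` on an interface turns Gert's "expect surprises" into a known list of hosts to fix first.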