[c-nsp] Proxy ARP -- To disable, or not to disable..

Fred Reimer freimer at ctiusa.com
Sun Mar 23 21:03:19 EDT 2008


I think there may be a misunderstanding as to whether I think proxy-ARP is a
good thing, or should be left on everywhere.  I don't; I believe it should
be turned off wherever possible.  However, I can at the same time understand
Cisco's reasoning for leaving it on by default.  As others have stated, if
the default were changed now it would break networks.  Not likely networks
that the vast majority of cisco-nsp users manage, but nonetheless a
significant number of networks.

So, Cisco could change the default and even put a big fat warning in the
release notes, which most of their customers won't read anyway.  And it will
cause problems.  And people with a clue will manage, but those without will
blame Cisco.

Or, Cisco could go with the status quo, which is to have proxy-ARP enabled
by default.  Those without a clue will continue to install new networks with
proxy-ARP enabled.  It will cause some inefficiencies and is unfortunate.
However, existing networks that may require proxy-ARP will continue to
function.  And, those with a clue will continue to install new networks with
it disabled and remove it from those networks where it is enabled when
possible.

Some people would obviously prefer the prize behind door #1.  I'd prefer to
choose door #2.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
Sent: Saturday, March 22, 2008 12:36 PM
To: Fred Reimer
Cc: gert at greenie.muc.de; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

> "brainwashed crap"  Are you trolling?

It's quite clear that proxy ARP doesn't *have* to be turned on (proof by
example: Juniper M series routers).

> If you read the RFCs for gateway requirements it does not say that
> gateways MUST or SHOULD use proxy ARP.  However, it is strongly suggestive
> that most gateways DO use proxy ARP, and makes references to other RFCs
> which state plainly that it is in common use.  "Because it has to be"
> refers to the need for it in most clueless networks where the network
> administrators don't understand octet boundary subnetting, let alone
> subnet boundaries on any bit position or, God help them, variable subnet
> masks.

And the opinion of lots of people (myself included) is that leaving proxy
ARP on here is likely to create many more problems than it solves.

The Cisco default *may* have been sensible many years ago. In 2008 it's
an extremely bad default.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no