[c-nsp] why disable ip cache and direct broadcast in switch
Steve Bertrand
steve at ibctech.ca
Wed Feb 25 19:34:03 EST 2009
ann kok wrote:
> Hi
>
> I see there is setting in switch
>
> why disable?
>
> no ip directed-broadcast
Because this allows the switch to broadcast packets to a specific VLAN
(more specifically, to an IP subnet) from hosts outside of the VLAN.
Enabling this provides a nice vector for a specific denial-of-service
attack.
> no ip route-cache
...which disables fast-forwarding, due to the fact that CEF is enabled (or
should be).
> What is good for this configuration?
no ip directed-broadcast: mitigate denial of service
no ip route-cache: use cef (AFAIK, this is only cosmetic)
Steve
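As an added example (not part of the original post or of Cisco's own tooling), the following Python script audits an IOS running-config for interfaces that still forward IP directed broadcasts, the setting the reply above recommends disabling. The config text is constructed for the example, and the script assumes IOS 12.0 or later, where the default is already `no ip directed-broadcast` and only an explicit `ip directed-broadcast` line (optionally followed by an ACL) re-enables it.

```python
"""Audit a Cisco IOS running-config for interfaces that forward directed
broadcasts.  Added example; the sample config is constructed, not from a
real device."""
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
!
hostname core-sw1
!
ip cef
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip directed-broadcast
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 no ip route-cache
!
interface Vlan40
 no ip address
 ip directed-broadcast 101
!
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for each 'interface' stanza.

    IOS indents sub-commands with a single space; a '!' line or any
    unindented global command ends the stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def directed_broadcast_enabled(subcommands: List[str]) -> bool:
    """True when the interface explicitly enables directed broadcasts.

    Assumes IOS 12.0+ (default off).  The last matching command wins, and
    'ip directed-broadcast <acl>' still counts as enabled because traffic
    permitted by the ACL is forwarded."""
    enabled = False
    for cmd in subcommands:
        if re.match(r"^no ip directed-broadcast\b", cmd):
            enabled = False
        elif re.match(r"^ip directed-broadcast\b", cmd):
            enabled = True
    return enabled


def audit_directed_broadcast(config: str) -> List[str]:
    """Sorted names of interfaces that still forward directed broadcasts."""
    return sorted(
        name
        for name, cmds in parse_interfaces(config).items()
        if directed_broadcast_enabled(cmds)
    )


def remediation(config: str) -> str:
    """IOS config snippet that disables directed broadcast on flagged interfaces."""
    lines: List[str] = []
    for name in audit_directed_broadcast(config):
        lines.append(f"interface {name}")
        lines.append(" no ip directed-broadcast")
    return "\n".join(lines)


if __name__ == "__main__":
    print("forwarding directed broadcasts:", audit_directed_broadcast(SAMPLE_CONFIG))
    print(remediation(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents); an empty list from `audit_directed_broadcast` means no interface will forward subnet-directed broadcasts from outside the VLAN. `no ip route-cache` is deliberately not flagged, since the reply above treats it as cosmetic once CEF is enabled.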