What design reasons are there to not use the following commands (see post)?
FrankGuthrie
Member Posts: 245
in CCNP
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
Can anyone tell me why to turn these 4 features off or why to keep them on. Is this done for security purposes?
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
Can anyone tell me why to turn these 4 features off or why to keep them on. Is this done for security purposes?
Comments
-
subnet.ninja Member Posts: 6 ■□□□□□□□□□Most of them are from security reasons redirects,icmp unreacble and arp are traffic that punt to the CPU so the best practices is to disable them you can learn more in the following link:
Cisco Guide to Harden Cisco IOS Devices - Cisco -
Legacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□That link gives the break down of everything.
A quick tid bit to add because I seen it from a production side of things. The original reason IP Proxy-Arp was used on devices when there were older network devices <specialized vendor equipment,etc> that did not have an option to configure the default gateway or subnet mask. So what IP Proxy-arp does on the router or L3 switch would be to basically act like the default gateway for that device, "filling in the gaps" for it to forward traffic arp traffic to find the destination. This can generate ALOT of unnecessary additional traffic which could bog down everything cpu, link utilization.
Many times after upgrading EOL network equipment that had the ip proxy-arp enabled we commonly would get tickets for devices that don't have internet connection and its because those devices did not have the default gateway and/or subnet mask ever configured so only reason they previously worked was because of the IP proxy-arp command.