09-28-2006 07:23 AM - edited 03-03-2019 05:17 AM
Hi,
As part of a company-wide security hardening, I was asked to implement the following commands on my switch and router IP interfaces:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
However, once I had done this we started getting problems with printing, terminal services and Exchange, which only went away when I backed out the changes.
I realise that I haven't gone into much detail, but I was just wondering if anyone knew about the implications of the commands? I was of the understanding that these basically didn't do much and should be turned off to reduce the risk from hackers.
Any help would be much appreciated,
Thanks in advance
J2026
09-28-2006 07:38 AM
Roughly:
no ip redirects - this stops the default gateway sending out redirects to clients (or servers/whatever) if the best route to a given destination is via another gateway on the same subnet. It might mean that the default gateway or another router has excessive traffic going to it that would previously have been 'redirected'.
no ip directed-broadcast - this is a standard command in newer IOS versions... stops clients on one subnet sending broadcasts to another subnet, which is a security risk. This shouldn't cause you a problem of the type you described.
no ip proxy-arp - this feature allows the router to reply for ARP requests that clients put out for destinations the router has a route to. If a device doesn't have a correct default gateway it may be relying on proxy-arp to reach other subnets.
If you are using a lot of redirects or are relying on proxy arp, you can do a :
route print
on a windows server or client. If you see lots of routes to subnets or hosts that are not local with a destination of a router then you will be using redirects or proxy-arp.
I'd apply the no ip directed-broadcast first... then see if you have a problem.
Aaron
Please rate helpful posts...
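The check Aaron describes (look in "route print" for routes to non-local subnets or hosts that point at a router) can be automated. The following is an added example, not code from the thread or from Cisco: it parses constructed Windows "route print" output, works out which subnets are directly connected (on-link), and flags every remaining non-default route that goes via a router. All addresses are invented for the example. Such routes are what a host is left with after accepting ICMP redirects, but a static route added by an administrator looks the same, so each flagged entry still needs checking against the host's configuration.

```python
import ipaddress
import re

# Constructed sample of Windows "route print" IPv4 output; the addresses are
# invented for this example and are not from the thread.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.25     20
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    306
     192.168.10.0    255.255.255.0          On-link   192.168.10.25    276
    192.168.10.25  255.255.255.255          On-link   192.168.10.25    276
       10.20.30.0    255.255.255.0     192.168.10.1   192.168.10.25     21
      10.40.50.17  255.255.255.255     192.168.10.1   192.168.10.25     21
   192.168.10.255  255.255.255.255          On-link   192.168.10.25    276
        224.0.0.0        240.0.0.0          On-link   192.168.10.25    276
===========================================================================
"""

# One route line: destination, netmask, gateway (IP or "On-link"), interface, metric.
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return one dict per IPv4 route line found in route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
            # Newer Windows prints "On-link" for directly connected routes;
            # older versions print the interface address in the Gateway column.
            on_link = gateway == "On-link" or gateway == iface
            gw = None if on_link else ipaddress.IPv4Address(gateway)
        except ValueError:
            continue  # header or separator line that happened to match
        routes.append({"network": network, "gateway": gw,
                       "interface": interface, "metric": int(metric)})
    return routes


def local_subnets(routes):
    """Directly connected subnets: on-link routes that are real networks,
    excluding the loopback, multicast range and single-host entries."""
    return [r["network"] for r in routes
            if r["gateway"] is None
            and r["network"].prefixlen < 32
            and not r["network"].is_loopback
            and not r["network"].is_multicast]


def non_local_via_router(routes):
    """Non-default routes that leave the local subnets through a router.
    Returns (network, gateway) string pairs; these are the candidates for
    redirect-learned routes (or static routes) that Aaron's check asks for."""
    connected = local_subnets(routes)
    flagged = []
    for r in routes:
        if r["gateway"] is None or r["network"].prefixlen == 0:
            continue
        if any(r["network"].subnet_of(net) for net in connected):
            continue
        flagged.append((str(r["network"]), str(r["gateway"])))
    return flagged


if __name__ == "__main__":
    for net, gw in non_local_via_router(parse_routes(SAMPLE_ROUTE_PRINT)):
        print(f"non-local route {net} via {gw}")
```

On the sample this reports the 10.20.30.0/24 subnet route and the 10.40.50.17 host route, both pointing at 192.168.10.1; the default route and the connected, loopback and multicast entries are ignored.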
09-28-2006 07:56 AM
Many thanks for your reply.
I've tried a route print on a host (the exchange server) and there are 2 remote subnets listed...these happen to be the subnets which were experiencing difficulties printing and with TS. Does this mean that the router is using redirects? Or proxy-arps? Or would this be considered normal? Apologies for my ignorance!
Thanks,
J2026
Forgot to add: the gateway that is listed in route print is the same as the host's configured default-gateway, and that there's only one gateway router on the subnet.
09-28-2006 10:27 AM
J2026
I do not think that no ip directed broadcast or no ip redirects would cause the symptoms that you describe. I think it is likely that the issue is related to no ip proxy-arp. I suggest that you apply the first two commands and see if the problem starts (and I think that it will not).
I have seen situations where problems emerged when proxy arp was stopped. There were network devices that were technically misconfigured and with proxy arp enabled the problem was avoided and with proxy arp disabled the problem was evident. Frequently the problem is a mismatch between the address and subnet mask on the end station and of the router.
An end station should arp for destinations that it believes are on the local subnet and should forward to its default gateway for all others. With an address mismatch or a subnet mask mismatch the end station may believe that things are local that the router believes are remote. With proxy arp the router will answer the arp anyway and the packet can be forwarded to its destination. With proxy arp disabled the router will not answer the incorrect arp and the packet can not be delivered.
I suggest that you check on some of the end stations on some of the segments that are experiencing problems and verify whether they have correct address, subnet mask, and default gateway configured.
HTH
Rick
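Rick's explanation of why disabling proxy ARP exposes an address or subnet-mask mismatch can be turned into a configuration audit. The following is an added example, not code from the thread or from Cisco: given a router interface's address and mask and each end station's address, mask and default gateway (all constructed values), it reports the mismatches Rick lists and, for a set of remote destinations such as a print server or terminal server, works out which station would only reach them with proxy ARP enabled. The rule it applies is the one in Rick's post: a station ARPs for whatever it thinks is local (the destination itself, or else its gateway), and if that ARP target is not on the router's subnet, only a proxy-ARP reply from the router makes the packet deliverable. Names such as depends_on_proxy_arp and audit are this example's own.

```python
import ipaddress

# Constructed example: one router interface and three end stations on the same
# wire. Addresses are invented for illustration.
ROUTER = {"ip": "10.1.0.1", "mask": "255.255.255.0"}
STATIONS = {
    "ok-station":    {"ip": "10.1.0.50", "mask": "255.255.255.0", "gw": "10.1.0.1"},
    "wide-mask":     {"ip": "10.1.0.60", "mask": "255.255.0.0",   "gw": "10.1.0.1"},
    "wrong-gateway": {"ip": "10.1.0.70", "mask": "255.255.255.0", "gw": "10.1.9.1"},
}
# Remote servers of the kind the thread's symptoms involve (a print server and a
# terminal server on another subnet); constructed addresses.
REMOTE_DESTINATIONS = ["10.1.5.10", "10.1.6.20"]


def subnet_of(ip, mask):
    """Network a device believes it sits on, from its own address and mask."""
    return ipaddress.IPv4Network((ip, mask), strict=False)


def config_findings(router, station):
    """Mismatches between a station's IP settings and the router interface."""
    router_net = subnet_of(router["ip"], router["mask"])
    station_net = subnet_of(station["ip"], station["mask"])
    findings = []
    if ipaddress.IPv4Address(station["ip"]) not in router_net:
        findings.append("address outside router subnet")
    if station_net.netmask != router_net.netmask:
        findings.append("subnet mask differs from router")
    if ipaddress.IPv4Address(station["gw"]) not in station_net:
        findings.append("default gateway not in station's own subnet")
    return findings


def depends_on_proxy_arp(router, station, dest):
    """True when the address the station will ARP for (dest if the station
    thinks it is local, otherwise its default gateway) is not on the router's
    subnet. With proxy ARP enabled the router answers that ARP and the packet
    gets through; with it disabled the ARP goes unanswered."""
    dest_ip = ipaddress.IPv4Address(dest)
    station_net = subnet_of(station["ip"], station["mask"])
    router_net = subnet_of(router["ip"], router["mask"])
    arp_target = dest_ip if dest_ip in station_net else ipaddress.IPv4Address(station["gw"])
    return arp_target not in router_net


def audit(router, stations, destinations):
    """Per station: config findings plus destinations reachable only via proxy ARP."""
    report = {}
    for name, st in stations.items():
        report[name] = {
            "findings": config_findings(router, st),
            "proxy_arp_dependent": [d for d in destinations
                                    if depends_on_proxy_arp(router, st, d)],
        }
    return report


if __name__ == "__main__":
    for name, result in audit(ROUTER, STATIONS, REMOTE_DESTINATIONS).items():
        print(name, result)
```

In the sample, "wide-mask" has a /16 mask against the router's /24, so it believes the two remote servers are local and ARPs for them directly; "wrong-gateway" has a default gateway outside its own subnet and ARPs for that. Both work only while the router proxies ARP, which is exactly the situation that the hardening change exposes; "ok-station" is unaffected.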
09-28-2006 11:31 PM
Hi
Just to confirm Rick's comments - ip redirects wouldn't seem to be the issue (as the routes point to the same gateway traffic will have been sent to in the first instance).
proxy-arp would seem to be the problem, but you may experience some issues when you turn them off.
You'll need to examine the devices that have problems and correct any IP config errors there.
Regards
Aaron
Please rate helpful posts...
09-29-2006 12:39 AM
Many thanks guys for your replies, much appreciated. I will investigate proxy-arp and check the configs of the problem devices.
Regards,
J2026