2405 Views, 10 Helpful, 5 Replies

No ip redirect issues

jigsaw2026
Level 1

Hi,

As part of a company-wide security hardening, I was asked to implement the following commands on my switch and routers' IP interfaces:

no ip redirects

no ip directed-broadcast

no ip proxy-arp

However, once I had done this we started getting problems with printing, terminal services and Exchange, which only went away when I backed out the changes.

I realise that I haven't gone into much detail, but I was just wondering if anyone knew about the implications of the commands? I was of the understanding that these basically didn't do much and should be turned off to reduce the risk from hackers.

Any help would be much appreciated,

Thanks in advance

J2026

5 Replies

Aaron Harrison
VIP Alumni

Roughly:

no ip redirects - this stops the default gateway sending out redirects to clients (or servers/whatever) if the best route to a given destination is via another gateway on the same subnet. It might mean that the default gateway or another router has excessive traffic going to it that would previously have been 'redirected'.

no ip directed-broadcast - this is a standard command in newer IOS versions... stops clients on one subnet sending broadcasts to another subnet, which is a security risk. This shouldn't cause you a problem of the type you described.

no ip proxy-arp - this feature allows the router to reply for ARP requests that clients put out for destinations the router has a route to. If a device doesn't have a correct default gateway it may be relying on proxy-arp to reach other subnets.

If you are using a lot of redirects or are relying on proxy arp, you can do a:

route print

on a windows server or client. If you see lots of routes to subnets or hosts that are not local with a destination of a router then you will be using redirects or proxy-arp.

I'd apply the no ip directed-broadcast first... then see if you have a problem.

Aaron

Please rate helpful posts...

Many thanks for your reply.

I've tried a route print on a host (the exchange server) and there are 2 remote subnets listed...these happen to be the subnets which were experiencing difficulties printing and with TS. Does this mean that the router is using redirects? Or proxy-arps? Or would this be considered normal? Apologies for my ignorance!

Thanks,

J2026

Forgot to add: the gateway that is listed in route print is the same as the host's configured default-gateway, and there's only one gateway router on the subnet.

J2026

I do not think that no ip directed broadcast or no ip redirects would cause the symptoms that you describe. I think it is likely that the issue is related to no ip proxy-arp. I suggest that you apply the first two commands and see if the problem starts (and I think that it will not).

I have seen situations where problems emerged when proxy arp was stopped. There were network devices that were technically misconfigured and with proxy arp enabled the problem was avoided and with proxy arp disabled the problem was evident. Frequently the problem is a mismatch between the address and subnet mask on the end station and of the router.

An end station should arp for destinations that it believes are on the local subnet and should forward to its default gateway for all others. With an address mismatch or a subnet mask mismatch the end station may believe that things are local that the router believes are remote. With proxy arp the router will answer the arp anyway and the packet can be forwarded to its destination. With proxy arp disabled the router will not answer the incorrect arp and the packet can not be delivered.

I suggest that you check on some of the end stations on some of the segments that are experiencing problems and verify whether they have correct address, subnet mask, and default gateway configured.

HTH

Rick
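The two checks suggested in this thread (Aaron's: look at `route print` for off-subnet routes that point at a router; Rick's: compare the end station's address/mask against the router's interface prefix to see whether it only works because of proxy-arp) can be scripted. The following Python is an added example, not code from any poster; the `route print` table and the host/router addresses in it are constructed sample values, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample of a Windows `route print` IPv4 table (not the poster's real output).
# 10.2.2.0/24 points at the default gateway; 10.3.3.25/32 points at a second router on
# the same LAN, which is the footprint an ICMP redirect leaves on a Windows host.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1      10.1.1.50     10
         10.1.1.0    255.255.255.0         On-link       10.1.1.50    266
        10.1.1.50  255.255.255.255         On-link       10.1.1.50    266
         10.2.2.0    255.255.255.0         10.1.1.1      10.1.1.50     11
        10.3.3.25  255.255.255.255         10.1.1.2      10.1.1.50     11
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
===========================================================================
"""

# One data row: destination, netmask, gateway (IP or "On-link"), interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Parse the IPv4 rows of `route print` into (network, gateway, interface, metric).
    gateway is None for 'On-link' rows (directly connected: the host ARPs for the target)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw.lower() == "on-link" else ipaddress.ip_address(gw)
        routes.append((network, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def off_subnet_routes(routes):
    """Aaron's check: non-default routes to networks or hosts that are not on-link but
    go to a router. 'redirect-learned' means the next hop differs from the default
    gateway (what an ICMP redirect installs); 'same-as-default' means the route only
    duplicates where the traffic would have gone anyway, so redirects are not in play."""
    default_gw = next((gw for net, gw, _, _ in routes if net.prefixlen == 0 and gw), None)
    on_link = [net for net, gw, _, _ in routes if gw is None and not net.is_loopback]
    findings = []
    for net, gw, _, _ in routes:
        if gw is None or net.prefixlen == 0:
            continue
        if any(net.subnet_of(local) for local in on_link):
            continue
        tag = "same-as-default" if gw == default_gw else "redirect-learned"
        findings.append((str(net), str(gw), tag))
    return findings


def reachability_without_proxy_arp(host_ip, host_mask, router_interface, dst):
    """Rick's check: compare what the end station believes is local (its own address and
    mask) with what the router believes (its interface prefix).
    'local'           both agree, a plain ARP reaches the destination
    'via-gateway'     the host hands the packet to its default gateway
    'needs-proxy-arp' the host ARPs directly for an address the router considers remote;
                      only proxy-arp on the router makes that work."""
    host_net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    router_net = ipaddress.ip_network(router_interface, strict=False)
    target = ipaddress.ip_address(dst)
    host_local = target in host_net
    router_local = target in router_net
    if host_local and router_local:
        return "local"
    if not host_local:
        return "via-gateway"
    return "needs-proxy-arp"


if __name__ == "__main__":
    for finding in off_subnet_routes(parse_route_print(SAMPLE_ROUTE_PRINT)):
        print(finding)
    # Constructed misconfigured end station: a /16 mask typed where the router interface is a /24.
    print(reachability_without_proxy_arp("10.1.1.50", "255.255.0.0", "10.1.1.0/24", "10.1.7.20"))
```

In the sample table the 10.2.2.0/24 entry is tagged same-as-default, which is the poster's situation and matches Aaron's later remark that such routes do not indicate redirects, while the /32 via 10.1.1.2 is the kind of entry redirects leave behind. The second function reproduces the mask-mismatch case Rick describes: with a /16 on the host and a /24 on the router, 10.1.7.20 is reachable only while proxy-arp is enabled.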

Hi

Just to confirm Rick's comments - ip redirects wouldn't seem to be the issue (as the routes point to the same gateway traffic will have been sent to in the first instance).

proxy-arp would seem to be the problem, but you may experience some issues when you turn them off.

You'll need to examine the devices that have problems and correct any IP config errors there.

Regards

Aaron

Please rate helpful posts...

Many thanks guys for your replies, much appreciated. I will investigate proxy-arp and check the configs of the problem devices.

Regards,

J2026