From: koury@london.com
Date: Wed Dec 20 2006 - 20:53:54 ART
Hi, Tim!
I understood everything about the behavior of the g-arp packets.
My doubt is why the command "no ip gratuitous-arp" is indicated as a security best practice if it doesn't prevent a router from accepting a fake g-arp packet from a host?
Thanks!!!
Koury
"Koury,
You're confusing apples and oranges.
The router command "no ip gratuitous-arp" doesn't prevent a host on a
subnet from sending out grat-arp's, it only stops the router from sending
grat-arp's on behalf of another host that's connected to the router via ppp.
See
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tip1r/ip1_l1gt.htm#wp1110181
A router's interface behaves like a host - it sends out arp requests when it
needs to send traffic to a host connected to that interface when it doesn't
have that host's mac address in its own cache.
So, the router's arp cache can still be poisoned if it receives a grat-arp
from an imposter.
HTH, Tim"
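To make Tim's last point concrete, here is an added example (not part of this thread or of Cisco's code): a small ARP parser that replays captured frames against a known IP-to-MAC table and reports a gratuitous ARP that contradicts an existing binding, which is the kind of frame a router's cache would absorb regardless of "no ip gratuitous-arp". The frames, MAC and IP addresses are constructed test vectors.

```python
import struct
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
# opcode 1 = request, 2 = reply
Arp = namedtuple("Arp", "opcode sender_mac sender_ip target_mac target_ip")

def parse_arp(frame: bytes) -> Optional[Arp]:
    """Parse an Ethernet II frame; return its ARP body, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    mac = lambda x: ":".join(f"{o:02x}" for o in x)
    ip = lambda x: ".".join(str(o) for o in x)
    return Arp(op, mac(b[0:6]), ip(b[6:10]), mac(b[10:16]), ip(b[16:20]))

def is_gratuitous(a: Arp) -> bool:
    # A gratuitous ARP announces the sender's own binding: sender IP equals target IP.
    return a.sender_ip == a.target_ip

def audit(frames: List[bytes], table: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Replay frames against a known IP->MAC table. A gratuitous ARP that contradicts an
    existing binding is what would overwrite a router's ARP cache, so it is reported as
    (ip, known_mac, claimed_mac) rather than learned."""
    alerts = []
    for f in frames:
        a = parse_arp(f)
        if a is None or not is_gratuitous(a):
            continue
        known = table.get(a.sender_ip)
        if known is None:
            table[a.sender_ip] = a.sender_mac  # first sighting: learn the binding
        elif known != a.sender_mac:
            alerts.append((a.sender_ip, known, a.sender_mac))
    return alerts

# Constructed sample frames (hex; spaces separate header fields), not real captures.
SAMPLE_FRAMES = [
    # 00:11:22:33:44:55 announces 10.0.0.5 with a broadcast gratuitous ARP reply
    bytes.fromhex("ffffffffffff 001122334455 0806 0001 0800 06 04 0002 001122334455 0a000005 001122334455 0a000005"),
    # ordinary request from the same host for 10.0.0.1: not gratuitous, ignored
    bytes.fromhex("ffffffffffff 001122334455 0806 0001 0800 06 04 0001 001122334455 0a000005 000000000000 0a000001"),
    # a second MAC, de:ad:be:ef:00:01, announces the same 10.0.0.5: conflicting binding
    bytes.fromhex("ffffffffffff deadbeef0001 0806 0001 0800 06 04 0002 deadbeef0001 0a000005 deadbeef0001 0a000005"),
]
```

Calling `audit(SAMPLE_FRAMES, {})` learns the first binding, skips the plain request, and returns one alert for 10.0.0.5 naming the original and the conflicting MAC.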
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART