From: Tim (ccie2be@nyc.rr.com)
Date: Wed Dec 20 2006 - 21:39:32 ART
What's the source of that assertion?
...one of the best practice...
I'm not disputing that it might be a good idea to use that command but I
don't know enough about the scenario where this command would be used to
have an opinion one way or the other.
Maybe Brian or Scott can offer better insight than I can.
Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
koury@london.com
Sent: Wednesday, December 20, 2006 6:54 PM
To: ccielab@groupstudy.com
Subject: Re: RE: RE: Re: no ip gratuitous-arp
Hi, Tim!
I understood everything about the behavior of the g-arp packets.
My doubt is why the command "no ip gratuitous-arp" is indicated as a security
best practice if it doesn't prevent a router from accepting a fake
g-arp packet from a host?
Thanks!!!
Koury
"Koury,
You're confusing apples and oranges.
The router command "no ip gratuitous-arp" doesn't prevent a host on a
subnet from sending out grat-arps, it only stops the router from sending
grat-arps on behalf of another host that's connected to the router via ppp.
See
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tip1r/ip1_l1gt.htm#wp1110181
A router's interface behaves like a host - it sends out arp requests when it
needs to send traffic to a host connected to that interface when it doesn't
have that host's mac address in its own cache.
So, the router's arp cache can still be poisoned if it receives a grat-arp
from an imposter.
HTH, Tim"
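To make the distinction in the thread concrete, here is an added example (not from the list or from Cisco) of a host-style ARP cache, which is what the router's interface behaves like on the receiving side regardless of "no ip gratuitous-arp": it learns from every ARP it sees, so an unsolicited gratuitous reply for an address it already knows silently overwrites the entry, and a monitor watching for such "IP moved" events is the detection a defender would add. All packets, addresses and MACs below are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body (28 bytes, no Ethernet header)

@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # Gratuitous ARP: the sender announces its own address (sender IP == target IP)
        return self.sender_ip == self.target_ip

def parse_arp(raw: bytes) -> Arp:
    """Decode an Ethernet/IPv4 ARP body; rejects other hardware/protocol types."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(sha), ip(spa), mac(tha), ip(tpa))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode a constructed ARP body (used only to feed the demo below)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

class ArpCache:
    """Host-style cache: learns from any ARP, including unsolicited gratuitous replies."""
    def __init__(self):
        self.table = {}   # ip -> mac, as the router's own cache would hold it
        self.alerts = []  # "IP moved" events, the signal an ARP monitor would log

    def learn(self, pkt: Arp) -> None:
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            kind = "gratuitous" if pkt.gratuitous else "reply"
            self.alerts.append(f"{pkt.sender_ip}: {old} -> {pkt.sender_mac} via {kind} ARP")
        self.table[pkt.sender_ip] = pkt.sender_mac  # entry is overwritten either way

def demo() -> ArpCache:
    cache = ArpCache()
    # Constructed: the gateway 10.0.0.1 answers normally, then an imposter sends a GARP for 10.0.0.1
    cache.learn(parse_arp(build_arp(ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.2")))
    cache.learn(parse_arp(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1")))
    return cache
```

After `demo()` the cache maps 10.0.0.1 to the imposter's MAC and one alert records the change; "no ip gratuitous-arp" would not have altered this receive-side behavior, which is why the thread treats the command as a sending-side setting rather than a poisoning defense.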
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART