Hi,

On Fri, Mar 21, 2008 at 12:12:45PM -0700, Eric Cables wrote:
> A recent network audit has discovered that Proxy ARP is enabled on pretty
> much every L3 interface in the network. As a Cisco default, this isn't
> surprising, since no template configs have it disabled.
>
> The question is: whether or not I should go back and disable it, or just
> leave it be, since it doesn't appear to be causing any problems.
Disable it, but expect surprises.
Proxy ARP is a wonderful way to hide network misconfigurations - like
"machines configured with a wrong subnet mask" *usually* will "just work"
(thanks to proxy ARP), but all of a sudden fail due to a seemingly
unrelated network change. So if you turn it off, it might uncover existing
issues that have been masked.

Which is why I think that having proxy ARP on-by-default is a massively
stupid idea - it might seem like a nice and helpful feature, but as it
hides *other* problems, in the end, the issues are always going to be
*more* nasty than without proxy ARP.
(Selectively enabled, it can be a nice and very useful tool. But not
on-by-default).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
_______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
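The failure mode Gert describes (a host with a wrong subnet mask that "just works" only because the router's proxy ARP answers on its behalf) is easy to reason about with a small model. The following is an added example, not code from the thread or from Cisco: it models IOS proxy ARP as "answer an ARP request for any target reachable via a different interface than the one the request arrived on", and all addresses, interface names and host names are constructed for illustration.

```python
"""Model of why proxy ARP masks a wrong subnet mask.

Added example, not from the original cisco-nsp thread. Addresses,
interface names and host names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    prefixlen: int      # mask the host is *configured* with (may be wrong)
    gateway: str

    def arp_target(self, dst: str) -> str:
        """IP the host will ARP for when sending to dst.

        If dst falls inside the host's own idea of the local subnet, the
        host ARPs for dst directly instead of for its default gateway.
        """
        local = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)
        return dst if ipaddress.ip_address(dst) in local else self.gateway


@dataclass
class Router:
    # interface name -> (router's own address on it, connected prefix)
    interfaces: dict
    proxy_arp: bool = True   # Cisco IOS default: enabled on every L3 interface

    def interface_for(self, ip: str):
        """Interface whose connected prefix contains ip, or None."""
        for name, (_, prefix) in self.interfaces.items():
            if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
                return name
        return None

    def answers_arp(self, ingress: str, target: str) -> bool:
        """Does the router reply to an ARP request for target seen on ingress?

        It always answers for its own address on that interface. With proxy
        ARP enabled it also answers for any target it can reach through a
        *different* interface, which is how IOS proxy ARP behaves.
        """
        own_ip, _ = self.interfaces[ingress]
        if target == own_ip:
            return True
        if not self.proxy_arp:
            return False
        egress = self.interface_for(target)
        return egress is not None and egress != ingress


def can_reach(host: Host, router: Router, segment: str, dst: str,
              on_link: set) -> bool:
    """True if the host's first-hop ARP for dst gets answered on segment.

    on_link: addresses of the other hosts really attached to the segment.
    """
    target = host.arp_target(dst)
    if target in on_link:
        return True                      # a real neighbour answers
    return router.answers_arp(segment, target)


def scenario(proxy_arp: bool) -> dict:
    """Reachability of a correctly and a wrongly masked host on 10.1.1.0/24."""
    router = Router(
        interfaces={
            "Gi0/1": ("10.1.1.1", "10.1.1.0/24"),
            "Gi0/2": ("10.1.2.1", "10.1.2.0/24"),
        },
        proxy_arp=proxy_arp,
    )
    good = Host("good", "10.1.1.10", 24, "10.1.1.1")   # correct mask
    bad = Host("bad", "10.1.1.20", 16, "10.1.1.1")     # wrong mask: /16
    on_link = {"10.1.1.10", "10.1.1.20", "10.1.1.30"}  # hosts on Gi0/1
    dsts = {
        "same_subnet": "10.1.1.30",   # really on-link
        "next_subnet": "10.1.2.50",   # behind the router, inside bad's /16
        "far_away": "192.0.2.5",      # outside even the wrong /16
    }
    return {
        h.name: {k: can_reach(h, router, "Gi0/1", d, on_link - {h.ip})
                 for k, d in dsts.items()}
        for h in (good, bad)
    }


if __name__ == "__main__":
    for state in (True, False):
        print(f"proxy ARP {'on ' if state else 'off'}: {scenario(state)}")
```

With proxy ARP on, the /16 host reaches 10.1.2.50 only because the router answers an ARP request it should never have seen; with proxy ARP off, that single destination set silently breaks while everything else keeps working, which is exactly the "seemingly unrelated change" symptom. On IOS the per-interface knob is `no ip proxy-arp`, and `show ip interface` reports "Proxy ARP is enabled/disabled" per interface, so an audit can confirm the state before and after the change.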
