I believe it is on by default because it has to be. Even Cisco best practices say to turn it off. IP source routing is on by default also...
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Friday, March 21, 2008 5:29 PM
To: Eric Cables
Cc: [email protected]
Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

Hi,

On Fri, Mar 21, 2008 at 12:12:45PM -0700, Eric Cables wrote:
> A recent network audit has discovered that Proxy ARP is enabled on pretty
> much every L3 interface in the network. As a Cisco default, this isn't
> surprising, since no template configs have it disabled.
>
> The question is: whether or not I should go back and disable it, or just
> leave it be, since it doesn't appear to be causing any problems.

Disable it, but expect surprises.

Proxy ARP is a wonderful way to hide network misconfigurations - like "machines configured with a wrong subnet mask" *usually* will "just work" (thanks to proxy ARP), but all of a sudden fail due to a seemingly unrelated network change. So if you turn it off, it might uncover existing issues that have been masked.

Which is why I think that having proxy ARP on-by-default is a massively stupid idea - it might seem like a nice and helpful feature, but as it hides *other* problems, in the end, the issues are always going to be *more* nasty than without proxy ARP.

(Selectively enabled, it can be a nice and very useful tool. But not on-by-default).

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   [EMAIL PROTECTED]
fax: +49-89-35655025   [EMAIL PROTECTED]
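As an added illustration, not taken from the thread or from any Cisco document, here is the kind of L3 interface template both posters are talking about: first the IOS default, in which proxy ARP (per interface) and IP source routing (global) are on but appear nowhere in the running config, then a hardened version that states both explicitly. The interface name and addressing are assumed for the example.

```ios
! --- As found by the audit: the config says nothing about proxy ARP or
! --- source routing, so IOS silently runs with both enabled.
interface Vlan10
 description Users (hypothetical interface and addressing)
 ip address 192.0.2.1 255.255.255.0
!
! --- Hardened template: make the setting explicit so the config itself
! --- documents the decision and a diff against the template catches drift.
no ip source-route
!
interface Vlan10
 description Users (hypothetical interface and addressing)
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
! --- Verification from exec mode; the line to look for is
! --- "Proxy ARP is disabled" (default output reads "Proxy ARP is enabled").
! show ip interface Vlan10 | include Proxy ARP
```

Before flipping the setting on a busy segment, it is worth finding the hosts that proxy ARP is currently rescuing. A host configured as 192.0.2.10 255.255.0.0 on this /24 treats the whole of 192.0.0.0/16 as on-link and ARPs for, say, 192.0.7.5 instead of sending it to the gateway; today the router answers that request on the host's behalf, after `no ip proxy-arp` the host simply gets no reply. Briefly watching ARP requests on the interface (for example with `debug arp`, which is noisy and should be used with care and for a short window) shows requests for targets outside 192.0.2.0/24, and their sources are the mis-masked hosts to fix first.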
_______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
