When to enable / disable proxy-arp

Cooky · Aug 15, 2007

So the definition I've seen is basically the router would answer the arp requests on behalf of a remote host on different subnet.

Exactly what are the pros & cons if you have it enabled?
I'm told it's better to have it disabled due to security & performance...is that true?
When would you want to have it enabled?

spidey07 · Aug 15, 2007

There's no need in this day and age to have it enabled. It is a security risk.

It was used for hosts that didn't understand the concept of a default gateway. Not needed these days.

p0lar · Aug 15, 2007

Originally posted by: Cooky
So the definition I've seen is basically the router would answer the arp requests on behalf of a remote host on different subnet.

Exactly what are the pros & cons if you have it enabled?
I'm told it's better to have it disabled due to security & performance...is that true?
When would you want to have it enabled?

+1 disable in all circumstances unless you have an explicit need and no other options. My last such occurrence was earlier this year for an ethernet-managed PRI->GSM channel bank manufactured by 2N (Ateus Stargate) that relied on proxy-arp to be accessible. Such occurrences are rare.

spidey07 · Aug 15, 2007

Then there's the story of a linksys router taking down a data center because of proxy arp.

p0lar · Aug 15, 2007

Originally posted by: spidey07
Then there's the story of a linksys router taking down a data center because of proxy arp.

Ugh.. <shudder>

Heads would ROLL..

Cooky · Aug 15, 2007

Why does Cisco have proxy-arp enabled by default on their routers, if it's not desirable to have it on?

cmetz · Aug 15, 2007

Many things in cisco land are done that way because that's always they way they did it, and they don't want to confuse you by changing the defaults. They have done just that a few times, though, when there's a security reason and not much downside to changing. But there are enough brain-damaged networks that depend on proxy ARP without really knowing it that they can't flip this default easily.

Proxy ARP is evil and should be disabled unless you know exactly what you're doing.

spidey07 · Aug 15, 2007

Originally posted by: Cooky
Why does Cisco have proxy-arp enabled by default on their routers, if it's not desirable to have it on?

It's still a standard AFAIK.

When to enable / disable proxy-arp

Cooky

Golden Member

spidey07

No Lifer

p0lar

Senior member

spidey07

No Lifer

p0lar

Senior member

Cooky

Golden Member

cmetz

Platinum Member

spidey07

No Lifer

TRENDING THREADS