As part of a company-wide security hardening, I was asked to implement the following commands on my switch and router IP interfaces:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
However, once I had done this we started getting problems with printing, terminal services and Exchange, which only went away when I backed out the changes.
I realise that I haven't gone into much detail, but I was just wondering if anyone knew about the implications of the commands? I was of the understanding that these basically didn't do much and should be turned off to reduce the risk from hackers.
no ip redirects - this stops the default gateway sending out redirects to clients (or servers/whatever) if the best route to a given destination is via another gateway on the same subnet. It might mean that the default gateway or another router has excessive traffic going to it that would previously have been 'redirected'.
no ip directed-broadcast - this is a standard command in newer IOS versions... stops clients on one subnet sending broadcasts to another subnet, which is a security risk. This shouldn't cause you a problem of the type you described.
no ip proxy-arp - this feature allows the router to reply for ARP requests that clients put out for destinations the router has a route to. If a device doesn't have a correct default gateway it may be relying on proxy-arp to reach other subnets.
If you are using a lot of redirects or are relying on proxy arp, you can do a route print on a Windows server or client. If you see lots of routes to subnets or hosts that are not local with a destination of a router then you will be using redirects or proxy-arp.
I'd apply the no ip directed-broadcast first... then see if you have a problem.
I've tried a route print on a host (the exchange server) and there are 2 remote subnets listed...these happen to be the subnets which were experiencing difficulties printing and with TS. Does this mean that the router is using redirects? Or proxy-arps? Or would this be considered normal? Apologies for my ignorance!
Forgot to add: the gateway that is listed in route print is the same as the host's configured default gateway, and there's only one gateway router on the subnet.
I do not think that no ip directed broadcast or no ip redirects would cause the symptoms that you describe. I think it is likely that the issue is related to no ip proxy-arp. I suggest that you apply the first two commands and see if the problem starts (and I think that it will not).
I have seen situations where problems emerged when proxy arp was stopped. There were network devices that were technically misconfigured and with proxy arp enabled the problem was avoided and with proxy arp disabled the problem was evident. Frequently the problem is a mismatch between the address and subnet mask on the end station and of the router.
An end station should arp for destinations that it believes are on the local subnet and should forward to its default gateway for all others. With an address mismatch or a subnet mask mismatch the end station may believe that things are local that the router believes are remote. With proxy arp the router will answer the arp anyway and the packet can be forwarded to its destination. With proxy arp disabled the router will not answer the incorrect arp and the packet can not be delivered.
I suggest that you check on some of the end stations on some of the segments that are experiencing problems and verify whether they have correct address, subnet mask, and default gateway configured.
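The mask-mismatch reasoning above can be checked mechanically. The following is an added example, not code from this thread or from Cisco: given an end station's address, mask and default gateway and the router interface's address and mask (all values below are constructed), it reports the mismatches the reply describes and lists the address ranges the station would ARP for directly while the router considers them remote, i.e. the destinations that only work while proxy-arp is enabled.

```python
import ipaddress


def check_end_station(station_ip, station_mask, station_gw, router_ip, router_mask):
    """Compare an end station's IP configuration with its router's interface.

    Masks may be dotted (255.255.0.0) or prefix lengths (16). Returns a dict:
      mask_mismatch        - station and router disagree on the subnet size
      gateway_off_subnet   - the station's default gateway is not on its subnet
      gateway_is_router    - the configured gateway is the router interface
      proxy_arp_dependent  - ranges the station believes are local but the
                             router does not; traffic to these is delivered
                             only while the router answers ARP on their behalf
    """
    station_net = ipaddress.ip_interface(f"{station_ip}/{station_mask}").network
    router_net = ipaddress.ip_interface(f"{router_ip}/{router_mask}").network
    gateway = ipaddress.ip_address(station_gw)

    findings = {
        "mask_mismatch": station_net.prefixlen != router_net.prefixlen,
        "gateway_off_subnet": gateway not in station_net,
        "gateway_is_router": gateway == ipaddress.ip_address(router_ip),
        "proxy_arp_dependent": [],
    }
    # Only when the router's subnet is strictly inside the station's subnet does
    # the station ARP for addresses the router would route. If the station's
    # view is narrower, it already forwards those destinations to its gateway.
    if router_net.subnet_of(station_net) and router_net != station_net:
        findings["proxy_arp_dependent"] = [
            str(net) for net in sorted(station_net.address_exclude(router_net))
        ]
    return findings


def needs_proxy_arp(findings, destination):
    """True if a destination falls in a range the station wrongly treats as local."""
    dest = ipaddress.ip_address(destination)
    return any(dest in ipaddress.ip_network(n) for n in findings["proxy_arp_dependent"])


if __name__ == "__main__":
    # Constructed example: station configured with a /16 on a /24 router segment.
    bad = check_end_station("10.1.0.50", "255.255.0.0", "10.1.0.1", "10.1.0.1", "255.255.255.0")
    print(bad)
    # A print server on a neighbouring /24 is reachable only via proxy-arp here.
    print("10.1.5.20 relies on proxy-arp:", needs_proxy_arp(bad, "10.1.5.20"))
```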