Chapter 1 Cisco SDM Express
Supplementary Help
enabled, Cisco SDM Express will recommend that IP Cisco Express Forwarding be enabled and will enable it if the recommendation is approved. If IP
Cisco Express Forwarding is not enabled, by Cisco SDM Express or otherwise, unicast RPF will not be enabled.
To enable unicast RPF, the following configuration will be delivered to the router for each interface that connects outside of the private network, replacing <outside interface> with the interface identifier:
interface <outside interface>
ip verify unicast
Disable IP Gratuitous ARPs
Cisco SDM Express disables IP gratuitous Address Resolution Protocol (ARP) requests whenever possible. A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used primarily by a host to inform the network about its IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.
To disable gratuitous ARPs, the following configuration will be delivered to the router:
no ip
You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.
Disable IP Redirects
Cisco SDM Express disables Internet Message Control Protocol (ICMP) redirect messages whenever possible. ICMP supports IP traffic by relaying information about paths, routes, and network conditions. ICMP redirect messages instruct an end node to use a specific router as its path to a particular destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one network hop. However, an attacker may violate these
|
| Cisco SDM Express |
|
|
|
|
| ||
|
|
| ||
|
|
|