Disable IP Gratuitous ARPs | 321 Studios OL-7141-04 specs

Chapter 1 Cisco SDM Express

Supplementary Help

enabled, Cisco SDM Express will recommend that IP Cisco Express Forwarding be enabled and will enable it if the recommendation is approved. If IP

Cisco Express Forwarding is not enabled, by Cisco SDM Express or otherwise, unicast RPF will not be enabled.

To enable unicast RPF, the following configuration will be delivered to the router for each interface that connects outside of the private network, replacing <outside interface> with the interface identifier:

interface <outside interface>

ip verify unicast reverse-path

Disable IP Gratuitous ARPs

Cisco SDM Express disables IP gratuitous Address Resolution Protocol (ARP) requests whenever possible. A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used primarily by a host to inform the network about its IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.

To disable gratuitous ARPs, the following configuration will be delivered to the router:

no ip gratuitous-arps

You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.

Disable IP Redirects

Cisco SDM Express disables Internet Message Control Protocol (ICMP) redirect messages whenever possible. ICMP supports IP traffic by relaying information about paths, routes, and network conditions. ICMP redirect messages instruct an end node to use a specific router as its path to a particular destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one network hop. However, an attacker may violate these

		Cisco SDM Express
		Cisco SDM Express
	OL-7141-04			1-37
	OL-7141-04			1-37

Image 43

321 Studios OL-7141-04 manual Disable IP Gratuitous ARPs, Disable IP Redirects

Contents

Cisco SDM Express User’s Guide Cisco SDM Express User’s Guide N T E N T S Contents Cisco SDM Express Edit Mode Contents A P T E R Welcome Domain Name Field Basic ConfigurationUsername and Password Fields Hostname Field Router Provisioning Enable Secret Password FieldSDM Express CNS Server Provision From USB TokenUSB Token or USB Flash Secure Device Provisioning Provision From USB Flash File Selection Size Wireless Interface ConfigurationLAN Interface Configuration Name Subnet Mask Field Wireless Parameters FieldsInterface/Bridge-to-Interface List IP Address Field Starting IP Address Field Dhcp Server ConfigurationEnable Dhcp server on the LAN interface Check Box Refresh, Apply Changes, Discard Changes Buttons Primary Domain Name Server Field Ending IP Address FieldSecondary Domain Name Server Field Address Type List Enable PPPoE Check BoxInternet WAN Ethernet Interface Use these DNS values for Dhcp clients Check Box Username Field Authentication Type Check BoxPassword Field Confirm Password Field Internet WAN Autodetect Encapsulation Status Icon and Enable or Disable ButtonInternet WAN User Specified Encapsulation Virtual Path Identifier Field Encapsulation ListVirtual Circuit Identifier Field IP Address for Remote Connection in Central Office Field WAN Interface Selection Enable or Disable ButtonAdd Connection, Edit, Delete Buttons Interface List Serial ConnectionRefresh Button IP Address and Subnet Mask Fields Frame Relay Configuration Settings Link Use Ietf Frame Relay Encapsulation Check Box Frame Relay Configuration SettingsDlci Field LMI Type Field CNS Server Information Internet WAN Advanced Options Primary DNS Field Firewall ConfigurationSecondary DNS Field Security Settings Disable Services that Involve Security Risks Check Box Disable Snmp Services on Your Router Check Box Encrypt Passwords Check Box Enhance Security on Router Access Check BoxSummary Supplementary Help Cisco Network ServicesCisco Router and Security Device Manager Disable Snmp Security Settings Disable PAD Service Disable Finger Service Disable TCP Small Servers Service Disable IP Bootp Server Service Disable UDP Small Servers Service Disable CDP Disable IP Identification Service Enable Password Encryption Service Disable IP Source Route Enable TCP Keepalives for Inbound Telnet Sessions Enable Netflow Switching Enable Sequence Numbers and Time Stamps on Debugs Enable TCP Keepalives for Outbound Telnet SessionsEnable IP CEF Set Scheduler Allocate Set Scheduler Interval Set TCP Synwait Time Enable Unicast RPF on Outside Interfaces Enable Logging Disable IP Redirects Disable IP Gratuitous ARPs Disable IP Directed Broadcast Disable IP Proxy ARP Disable IP Unreachables Disable MOP Service Set Minimum Password Length to Less Than 6 Characters Disable IP Mask Reply Set Banner Set Authentication Failure Rate to Less Than 3 Retries Enable SSH for Access to the Router Enable Telnet Settings Help Button Cisco SDM Express ButtonsAbout Button Discard Changes Button Reconnecting to the Router After Initial ConfigurationExit Button Apply Changes Button Testing Your WAN Internet Connection Troubleshooting Tips SDP Troubleshooting Tips Icons OverviewLAN Fields Firewall Fields Internet WAN Fields Edit/Delete Buttons Username/Login Password/Password is Encrypted Fields Refresh/Apply Changes/Discard Changes Buttons Encrypt password using MD5 hash algorithm CheckboxBridge/Do not bridge LAN interface with wireless Checkbox Edit a Username No WAN Available WirelessWAN-Unable to Configure WAN Interface LAN interface configuration Fields Delete Connection Enable Firewall/Disable Firewall ButtonsFirewall Unable to Configure NAT Unable to configure Firewall Window Add or Edit Address Translation Rule Routing Select All Recommended by Cisco Checkbox Disable Services that Involve Security Risks Checkbox Synchronize with my local PC clock Checkbox Encrypt Passwords Checkbox Ping Tools Destination Field Update SDM from Cisco.comTo clear the output of the ping command Source Field Update SDM from CD Update SDM from Local PCCCO Login Synchronize Checkbox Date and Time PropertiesEdit Date and Time Fields Apply Button Reset to Factory DefaultsSave Running Config to PC Write down these steps and then reset the router Reconfiguring Your PC with a Static or a Dynamic IP Address Microsoft Windows NT Feature Not Available Cisco SDM Express Edit Mode Feature Not Available D E IN-2