User's Guide
1-37
Cisco SDM Express 2.4 User’s Guide
OL-7141-05
Chapter 1 Cisco SDM Express
Supplementary Help
Disable IP Gratuitous ARPs
Cisco SDM Express disables IP gratuitous Address Resolution Protocol (ARP)
requests whenever possible. A gratuitous ARP is an ARP broadcast in which the
sender and target IP addresses are the same: the host announces its own
IP-to-MAC mapping rather than asking for someone else's. It is used primarily by
a host to inform the network about its IP address. Because hosts commonly update
their ARP caches from such a message without any further check, a spoofed
gratuitous ARP message can cause IP-to-MAC mapping information to be stored
incorrectly, causing traffic to be dropped or delivered to the wrong station and
the network to malfunction.
To disable gratuitous ARPs, the following global configuration command will be
delivered to the router:
no ip gratuitous-arps
Note that this command controls gratuitous ARPs that the router itself sends; it
does not filter gratuitous ARPs sent by other hosts on the LAN.
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable IP Redirects
Cisco SDM Express disables Internet Control Message Protocol (ICMP) redirect
messages whenever possible. ICMP supports IP traffic by relaying information
about paths, routes, and network conditions. ICMP redirect messages instruct an
end node to use a specific router as its path to a particular destination. In a
properly functioning IP network, a router will send redirects only to hosts on its
own local subnets, no end node will ever send a redirect, and no redirect will ever
be traversed more than one network hop. An attacker can violate these rules, for
example by forging redirects that steer a host's traffic through a machine the
attacker controls; some attacks are based on this. Disabling ICMP redirects has
no meaningful operational impact: a host that would have been redirected simply
keeps sending through this router, which forwards the traffic normally. It
eliminates this possible method of attack.
The following interface configuration command will be delivered to the router on
each interface to disable ICMP redirect messages:
no ip redirects
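As an added example, not code from the Cisco SDM Express guide, the following Python script audits the text of an IOS running configuration for the two settings above: the global `no ip gratuitous-arps` command and `no ip redirects` on every interface that carries an IP address. It goes one step beyond this page by also checking for the interface command `no ip proxy-arp`, the standard IOS command for the proxy ARP setting introduced in the next section; that command does not appear on this page and is an assumption of the example. The sample configuration is constructed for the example. The script relies on the fact that IOS does not show default-enabled settings in the running configuration, so the absence of a `no ip ...` line means the feature is still enabled.

```python
"""Audit an IOS running-config for the SDM Express ARP/ICMP hardening settings."""
from typing import Dict, List

# Constructed sample running-config excerpt (not captured from a real device).
# IOS omits default-enabled settings, so "ip gratuitous-arps" and "ip redirects"
# never appear; only their "no ..." forms show up once the feature is disabled.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
!
end
"""

# Interface-level commands checked for each IP interface. "no ip proxy-arp" is
# assumed here for the proxy ARP item (standard IOS syntax, not shown on the page).
INTERFACE_HARDENING = ("no ip redirects", "no ip proxy-arp")
GLOBAL_HARDENING = "no ip gratuitous-arps"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped sub-commands]} for each interface stanza.

    A stanza is an "interface ..." line followed by indented lines; any
    non-indented line (including the "!" separator) ends it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def gratuitous_arp_disabled(config: str) -> bool:
    """True only if the global "no ip gratuitous-arps" line is present."""
    return any(line.strip() == GLOBAL_HARDENING for line in config.splitlines())


def audit(config: str) -> Dict[str, List[str]]:
    """Report every missing hardening command, grouped by scope."""
    findings: Dict[str, List[str]] = {"global": [], "interfaces": []}
    if not gratuitous_arp_disabled(config):
        findings["global"].append(f"missing '{GLOBAL_HARDENING}'")
    for name, lines in parse_interfaces(config).items():
        # Only interfaces with an IP address send redirects or answer ARP.
        if not any(line.startswith("ip address ") for line in lines):
            continue
        for cmd in INTERFACE_HARDENING:
            if cmd not in lines:
                findings["interfaces"].append(f"{name}: missing '{cmd}'")
    return findings


def remediation(config: str) -> List[str]:
    """Build the IOS configuration lines that would close every finding."""
    cmds: List[str] = []
    if not gratuitous_arp_disabled(config):
        cmds.append(GLOBAL_HARDENING)
    for name, lines in parse_interfaces(config).items():
        if not any(line.startswith("ip address ") for line in lines):
            continue
        missing = [cmd for cmd in INTERFACE_HARDENING if cmd not in lines]
        if missing:
            cmds.append(f"interface {name}")
            cmds.extend(f" {cmd}" for cmd in missing)
    return cmds


if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(f"[{scope}] {item}")
    print("--- remediation ---")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run it against the saved output of `show running-config`; the remediation list is in the order the commands are entered in configuration mode. After applying the changes, confirm on the device with `show ip interface`, which reports per interface whether ICMP redirects are sent and whether proxy ARP is enabled.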
Disable IP Proxy ARP
Cisco SDM Express disables proxy Address Resolution Protocol (ARP)
whenever possible. ARP is used by the network to convert IP addresses into MAC
addresses. Normally ARP is confined to a single LAN, but a router can act as a