Table of Contents
Advertisement
Chapter 6
Edit Interface/Connection
IP Proxy ARP
IP Route Cache-Flow
Note
IP Redirects
OL-4015-12
replies to the falsified source. By sending a continuous stream of such requests,
the attacker can create a much larger reply stream, which can completely inundate
the host whose address is being falsified.
Disabling IP directed broadcasts drops directed broadcasts that would otherwise
be "exploded" into link-layer broadcasts at that interface.
ARP is used by the network to convert IP addresses into MAC addresses.
Normally ARP is confined to a single LAN, and a router can act as a proxy for
ARP requests, making ARP queries available across multiple LAN segments.
Because it breaks the LAN security barrier, proxy ARP should be used only
between two LANs with an equal security level, and only when necessary.
This option enables the Cisco IOS Netflow feature. Using Netflow, you can
determine packet distribution, protocol distribution, and current flows of data on
the router. This information is useful for certain tasks, such as searching for the
source of a spoofed IP address attack.
The IP Route Cache-Flow option enables Netflow on both inbound and outbound
traffic. To enable Netflow on either inbound traffic or outbound traffic, use the
Netflow options available on the Application Service tab.
ICMP redirect messages instruct an end node to use a specific router as a part of
its path to a particular destination. In a properly functioning IP network, a router
sends redirects only to hosts on its own local subnets, no end node will ever send
a redirect, and no redirect will ever traverse more than one network hop. However,
an attacker may violate these rules. Disabling ICMP redirects has no negative
impact on the network and can eliminate redirect attacks.
Cisco Router and Security Device Manager 2.5 User's Guide
General
6-15
Advertisement
Table of Contents
Troubleshooting
