Details

PROXY ARP should be used in networks where the host is not configured with default gateway or there is no routing policy.

PROXY ARP has negative effects:

1. ARP traffic on one network segment is increased

2. The host needs a larger ARP table to process the mapping from IP address to MAC address

3. Security problems are available, such as ARP spoofing (spoofing)

4. Does not work for a network that does not use ARP to parse addresses

5. Network topology cannot be summarized and promoted

Solution

Disable the functions related to Proxy ARP:

ZXR10 (config)#arp
ZXR10 (config-arp)#interface fei-0/1/1/13
ZXR10 (config-arp-if)#no proxy
ZXR10 (config-arp-if)#no inter-vlan-proxy
ZXR10 (config-arp-if)#no proxy local
ZXR10 (config-arp-if)#no local-proxy-arp

Supportive Information

The following resource is also helpful.

• https://support.zte.com.cn/support/doccenter/DocumentProductHandBookDetail.aspx?sid=102&id=30768582&type=docfeedbackhttps://support.zte.com.cn/support/doccenter/DocumentProductHandBookDetail.aspx?sid=102&id=30768582&type=docfeedback

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system ZTE_ROSNG.

References

• 800-53|CM-7b.

Source

• Tenable.com/audits