3.2.3 Disable Proxy ARP on all Layer 3 Interfaces

Information

Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine on a different network segment (VLAN or subnet). By faking its identity, the router accepts responsibility for routing packets to the real destination.

Rationale:

Solution

Proxy ARP is disabled on all interfaces by default, and that configuration does not appear in the running or saved configuration. Proxy ARP only appears in the configuration if it is enabled (which is not desired in most cases).
To disable this on an interface if it is enabled:

switch(config-if)# no ip proxy-arp

For instance:

switch(config)# int vlan 9
switch(config-if)# no ip proxy-arp
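
The check below is an added example, not part of the benchmark or the Cisco plugin: because Proxy ARP only appears in the configuration when it is enabled, it scans a saved running configuration for interface blocks containing ip proxy-arp and builds the remediation commands from the Solution text. The sample configuration, interface names and function names are constructed for illustration.

```python
import re

# Constructed sample running configuration (not from a real device).
# Vlan10 carries the negated form to show that it is not flagged.
SAMPLE_CONFIG = """\
interface Vlan9
  description users
  ip address 10.9.0.1/24
  ip proxy-arp

interface Vlan10
  ip address 10.10.0.1/24
  no ip proxy-arp

interface Ethernet1/1
  no switchport
  ip address 192.0.2.1/30
"""

def proxy_arp_interfaces(config_text):
    """Return the interfaces whose config block contains 'ip proxy-arp'."""
    findings = []
    current = None
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():
            # A non-indented line starts a new top-level block.
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
            continue
        # Match the enabling form only; 'no ip proxy-arp' is the desired state.
        if current and raw.strip().lower() == "ip proxy-arp" and current not in findings:
            findings.append(current)
    return findings

def remediation(interfaces):
    """Build the commands from the Solution text for each flagged interface."""
    lines = []
    for name in interfaces:
        lines += [f"interface {name}", "  no ip proxy-arp"]
    return lines

if __name__ == "__main__":
    flagged = proxy_arp_interfaces(SAMPLE_CONFIG)
    print("Proxy ARP enabled on:", flagged or "none")
    print("\n".join(remediation(flagged)))
```

An empty result means the configuration matches the desired default state described under Default Value.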

Default Value:

By default the Proxy ARP feature is disabled on all IP interfaces. This desired default setting does not appear in the running or saved configurations.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: a05a4580b5e4e3ed66cfc91c9d157c2be62ecf0b21e7d48998571f00f50a139c