Cisco IOS features that you should disable or restrict

This topic is to discuss the following lesson:

https://networklessons.com/uncategorized/cisco-ios-features-that-you-should-disable-or-restrict/

Greetings Rene,
Firstly, thanks for the info… truly useful.
I do have a suggestion: how about “ip domain-lookup”? We could disable it to prevent some domain-server translations (for time-saving purposes)…

Hi Reza,

“no ip domain-lookup” is a nice feature since it can be very annoying when your router tries to do a DNS lookup when you mistype a command. The list above is mostly security-related features however. “Logging synchronous” is also a nice command that most people like to use.

Rene

You have to be very careful with ip unreachables - the same issue applies to blanket blocking of ICMP because it’s “best practice”.

The issue is CERTAIN types of “unreachables” do leak information, but other ICMP “types” (thinking Type 4 “packet to big”) need to be allowed to avoid running into nasty MTU issues.

I’m still fuzzy on the details of how all the commands interact, but the way we got around this was outbound (and inbound) extended ACLs, overtly filtering “good” ICMP from bad.

Works really well, but one step away from Hayes AT codes in terms of black art voodoo.

Any chance you’d write a post on pulling all this together for us “hands on” guys?

Hi Rob,

I agree, just blocking ICMP isn’t a good idea because of MTU path discovery. Thanks for sharing :)

I’ll see if I can write up a post with some debugs and before and after configurations.

Rene
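As an added illustration of the ICMP exchange above (this is example configuration written for this discussion, not configuration from the lesson, from Rob or from Rene; the interface name GigabitEthernet0/0 and the ACL name ICMP-FROM-OUTSIDE are assumptions), the following permits only the ICMP that Path MTU Discovery and troubleshooting depend on, and throttles unreachables instead of switching them off. The "packet too big" message is ICMP type 3 code 4 (Destination Unreachable, fragmentation needed and DF set), which is why "no ip unreachables" on a transit interface silently breaks PMTUD: the router then never tells the sender that its DF packet was dropped.

```cisco
! Inbound ACL for the untrusted interface. IOS matches ICMP by
! message-type keyword, so only the useful types are permitted and
! everything else (echo, redirect, timestamp, mask-request, ...) is
! logged and dropped. Non-ICMP traffic falls through to "permit ip".
ip access-list extended ICMP-FROM-OUTSIDE
 remark PMTUD: Destination Unreachable, code 4 (fragmentation needed, DF set)
 permit icmp any any packet-too-big
 remark traceroute replies and TTL expiry (type 11)
 permit icmp any any time-exceeded
 remark replies to pings originated on the inside (type 0)
 permit icmp any any echo-reply
 remark all other ICMP, logged so the audit trail shows what was dropped
 deny icmp any any log
 permit ip any any
!
interface GigabitEthernet0/0
 description untrusted side (assumed interface name)
 ip access-group ICMP-FROM-OUTSIDE in
 ! Keep unreachables ON here: "no ip unreachables" also suppresses the
 ! type 3 code 4 this router must send when it drops an oversized DF
 ! packet, which breaks PMTUD for traffic passing through. Redirects
 ! and mask replies leak topology and are safe to turn off.
 ip unreachables
 no ip redirects
 no ip mask-reply
!
! Instead of disabling unreachables, throttle them (global command).
! The default is one unreachable per 500 ms. The DF-related ones
! (packet-too-big) get their own, more generous budget so PMTUD keeps
! working even while someone is scanning for closed ports.
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable df 10
```

To check the result, "show ip interface GigabitEthernet0/0 | include unreachables|redirects" should report that unreachables are still sent and redirects are never sent, "show ip access-lists ICMP-FROM-OUTSIDE" shows per-entry hit counters, and an extended ping from the inside with "size 1500 df-bit" against a host behind a smaller-MTU link is the quickest way to confirm that PMTUD still works through the filter.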

I prefer to disable DTP.

DTP is a good one to disable yes :)

Hi Rene,

First, thank you for sharing your knowledge. I learnt a lot from networklessons and gns3vault. Those sites are awesome.

Second, I have a question: How do you exit the telnet session:

R1#telnet 6.6.6.6 19 ?

The usual break sequence does not work (CTRL SHIFT 6 X) and I can’t find it easily on the web.

Thanks a lot.
Kind regards,

Romain

Hi Romain,

Normally CTRL SHIFT 6, X should do the job. If that doesn’t work… try CTRL SHIFT 6, 6 and then X.

Otherwise you can also kill the TCP session like this:

Switch#show tcp brief
TCB       Local Address               Foreign Address             (state)
0DC15ED0  192.168.1.2.23             192.168.1.1.44565           ESTAB
0B511A08  192.168.1.2.23             192.168.1.1.31365           CLOSED
0C9FB040  192.168.1.2.23             192.168.1.1.51828           TIMEWAIT
Switch#clear tcp tcb 0DC15ED0
[confirm]
 [OK]

That will always work :)

Rene

Thanks a lot

Hi Rene,

How we can disable IP directed broadcasts?

Hi Deepak,

If you want to remove a command from the config then putting “no” in front of it will do the job. This can also be used to disable certain features so in this case “no ip directed-broadcast” will do the job.

Rene

Thanks Rene!

Hi Rene,

I have 2 questions about shutting down services.
1.- Which command will allow me to see all the services running on routers and switches?
2.- I have configured ip source-route and ip cef on point-to-point routers. Should I disable it, and why?

Please advise

Hello Alfredo

Unfortunately, there is no way to list all of these services in a similar way that you would on a PC. However, you can see what processes are running on a Cisco device and how much CPU and memory they are using with the following command: show processes and its related command keywords.

This command, however, is not useful for the purpose of viewing the processes that should be disabled or restricted. You just have to know what they are and view them with their own individual show commands.

As for the ip source-route command, it can be dangerous to use as it can be taken advantage of by malicious users. It is a rarely used option that allows the originator of a packet to decide which routers the packet should go through to get to the destination by supplying the full path of routers on the options header of the IP packet. Unless you have a very specific reason for this configuration, don’t enable it.

The ip cef command does not have any security risks related to it, however, it is designed for a very specific purpose. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP backbone switching. If you are not implementing something like this, there is no need to enable it. Essentially, it won’t make any difference if you do.

I hope this has been helpful!

Laz

Cisco Smart Install
A legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design.
This feature will show up in a security audit of your network as a potential risk.
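Pulling together the three items raised later in the thread (Alfredo's source-route question, Deepak's directed-broadcast question and the Smart Install note above), here is an added example of the corresponding configuration together with the individual show commands that verify each item, since there is no single command that lists all such services. It is written for this discussion and is not taken from the lesson or from any poster; GigabitEthernet0/1 is an assumed interface name, and which default applies depends on the IOS release and platform.

```cisco
! --- Global: IP source routing -----------------------------------------
! Enabled by default. With "no ip source-route" the router discards packets
! carrying a loose or strict source-route option instead of honouring it.
no ip source-route
! Stricter variant: drop every packet that carries any IP option at all.
! Caveat: this also drops Router Alert (option 148), which IGMP and RSVP
! use, so do not enable it where multicast signalling or RSVP is needed.
ip options drop
!
! --- Per interface: directed broadcasts --------------------------------
! Off by default since IOS 12.0, so it does not appear in "show run"
! unless someone enabled it. Set it explicitly anyway so inherited or
! templated configs cannot reintroduce it (smurf amplification is the
! classic abuse of a directed broadcast).
interface GigabitEthernet0/1
 no ip directed-broadcast
!
! --- Global: Smart Install (vstack) ------------------------------------
! The Smart Install client is enabled by default on many Catalyst access
! switches and has no authentication; "no vstack" disables it.
no vstack
!
! --- Verification (exec mode, one show command per feature) ------------
! Global toggles that are on by default show up only in their "no" form:
!   show running-config | include ^no ip source-route|^ip options|^no vstack
! Per-interface state is reported in words, not as config lines:
!   show ip interface GigabitEthernet0/1 | include Directed broadcast
!   expect: Directed broadcast forwarding is disabled
! Smart Install has its own status command; expect "SmartInstall disabled":
!   show vstack config
```

The pattern is the one Laz describes: the running configuration only records deviations from the defaults, so for each feature you need to know both its default state and its own show command. A feature that is on by default and absent from "show run" is still on.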
