This topic is to discuss the following lesson:
Firstly, thanks for the info… truly useful.
I do have a suggestion: how about “ip domain-lookup”? We could disable it to prevent some domain-server translations (for time-saving purposes)…
“no ip domain-lookup” is a nice feature since it can be very annoying when your router tries to do a DNS lookup when you mistype a command. The list above is mostly security-related features, however. “Logging synchronous” is also a nice command that most people like to use.
You have to be very careful with ip unreachables - the same issue applies to blanket blocking of ICMP because it’s “best practice”.
The issue is CERTAIN types of “unreachables” do leak information, but other ICMP “types” (thinking Type 4 “packet too big”) need to be allowed to avoid running into nasty MTU issues.
I’m still fuzzy on the details of how all the commands interact, but the way we got around this was outbound (and inbound) extended ACLs areas overly filtering “good” icmp from bad.
Works really well, but one step away from Hayes AT codes in terms of black art voodoo.
Any chance you’d write a post on pulling all this together for us “hands on” guys?
I agree, just blocking ICMP isn’t a good idea because of MTU path discovery. Thanks for sharing.
I’ll see if I can write up a post with some debugs and before and after configurations.
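To make the point of this exchange concrete (let ICMP through selectively rather than blocking it wholesale), here is an added example that is not part of the thread or of the lesson: it parses a raw ICMPv4 message, verifies its checksum, and returns the verdict an edge ACL should apply. The type and code values are the standard ones (type 3 code 4 is the "fragmentation needed and DF set" message that Path MTU Discovery relies on); the permit/rate-limit/drop policy and the sample messages are constructed for illustration.

```python
import struct

# ICMPv4 types/codes used below (RFC 792, RFC 1191). Standard values, not taken from the thread.
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4        # type 3 / code 4: "fragmentation needed and DF set" (PMTUD)
CODE_ADMIN_PROHIBITED = 13  # type 3 / code 13: what an ACL deny typically produces


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a sample ICMPv4 message with a valid checksum (constructed test input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Return type, code, checksum verdict and (for type 3 code 4) the advertised next-hop MTU."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # Summing a message that already carries its checksum must come out as zero.
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(packet) == 0}
    if icmp_type == DEST_UNREACHABLE and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]  # RFC 1191 field
    return info


def edge_icmp_verdict(info: dict) -> str:
    """What an edge ACL should do with one ICMPv4 message: permit, rate-limit or drop.

    Encodes the thread's point: type 3 code 4 has to pass or Path MTU Discovery silently
    breaks; most other unreachables can be dropped, since what they mainly reveal is the
    filtering policy behind the edge.
    """
    if not info["checksum_ok"]:
        return "drop"                         # corrupt or forged; never act on it
    t, c = info["type"], info["code"]
    if t == DEST_UNREACHABLE and c == CODE_FRAG_NEEDED:
        return "permit"                       # required for PMTUD
    if t in (ECHO_REPLY, TIME_EXCEEDED):
        return "permit"                       # our own ping replies, traceroute TTL expiry
    if t == ECHO_REQUEST:
        return "rate-limit"                   # keep ping working, but cap it
    return "drop"                             # remaining unreachables, redirects, etc.


if __name__ == "__main__":
    # Constructed samples: a "fragmentation needed" advertising a 1400-byte MTU,
    # an "administratively prohibited" unreachable, and an echo request.
    frag = build_icmp(DEST_UNREACHABLE, CODE_FRAG_NEEDED, b"\x00\x00\x05\x78", b"\x45" * 28)
    for pkt in (frag, build_icmp(DEST_UNREACHABLE, CODE_ADMIN_PROHIBITED), build_icmp(ECHO_REQUEST, 0)):
        info = parse_icmp(pkt)
        print(info, "->", edge_icmp_verdict(info))
```

The checksum check matters because the policy acts on a message's type and code; a message that fails the RFC 1071 sum is discarded before it can influence anything, which is the same order of operations a real filter should use.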
I prefer to disable DTP.
DTP is a good one to disable, yes.
First, thank you for sharing your knowledge. I learnt a lot with networkslessons and gns3vault. Those sites are awesome.
Second, I have a question: How do you exit the telnet session:
R1#telnet 184.108.40.206 19 ?
The usual break sequence does not work (CTRL SHIFT 6 X) and I can’t find it easily on the web.
Thanks a lot.
Normally CTRL SHIFT 6, X should do the job. If that doesn’t work…try CTRL SHIFT 6, 6 and then X.
Otherwise you can also kill the TCP session like this:
Switch#show tcp brief
TCB       Local Address           Foreign Address        (state)
0DC15ED0  192.168.1.2.23          192.168.1.1.44565      ESTAB
0B511A08  192.168.1.2.23          192.168.1.1.31365      CLOSED
0C9FB040  192.168.1.2.23          192.168.1.1.51828      TIMEWAIT
Switch#clear tcp tcb 0DC15ED0
[confirm]
[OK]
That will always work.
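As an added example (not code from the thread or the lesson), here is a small parser for the "show tcp brief" layout shown above, plus a selector that picks the sessions to tear down and renders the matching "clear tcp tcb" commands. The sample output is constructed in the same layout as the thread's, and the selection criteria (local port, state, peer address) are assumed to be what an operator would filter on when clearing stale sessions.

```python
import re

# Constructed sample in the layout of IOS "show tcp brief" (same sessions as the thread above).
SAMPLE_SHOW_TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
0DC15ED0  192.168.1.2.23          192.168.1.1.44565      ESTAB
0B511A08  192.168.1.2.23          192.168.1.1.31365      CLOSED
0C9FB040  192.168.1.2.23          192.168.1.1.51828      TIMEWAIT
"""

# TCB handle, "addr.port" twice, state. The port is the last dotted component,
# so an IPv6 literal (with colons) in the address column still splits correctly.
SESSION_RE = re.compile(
    r"^\s*(?P<tcb>[0-9A-F]+)\s+(?P<laddr>\S+)\.(?P<lport>\d+)"
    r"\s+(?P<faddr>\S+)\.(?P<fport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_show_tcp_brief(text: str) -> list:
    """Turn the show output into a list of session dicts; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        s = m.groupdict()
        s["lport"], s["fport"] = int(s["lport"]), int(s["fport"])
        sessions.append(s)
    return sessions


def select_sessions(sessions, local_port=None, states=("ESTAB",), foreign_addr=None):
    """Pick the sessions an operator wants to tear down, e.g. every ESTAB session on port 23."""
    out = []
    for s in sessions:
        if local_port is not None and s["lport"] != local_port:
            continue
        if states and s["state"] not in states:
            continue
        if foreign_addr is not None and s["faddr"] != foreign_addr:
            continue
        out.append(s)
    return out


def clear_commands(sessions) -> list:
    """Render the exec command from the thread, one per selected TCB."""
    return ["clear tcp tcb %s" % s["tcb"] for s in sessions]


if __name__ == "__main__":
    sessions = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    for cmd in clear_commands(select_sessions(sessions, local_port=23)):
        print(cmd)
```

Only ESTAB sessions are selected by default; CLOSED and TIMEWAIT entries are already on their way out and clearing them gains nothing.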
Thanks a lot
How can we disable IP directed broadcasts?
If you want to remove a command from the config then putting “no” in front of it will do the job. This can also be used to disable certain features so in this case “no ip directed-broadcast” will do the job.
I have 2 questions in shutting down services.
1.- Which command will allow me to see all the services running on routers and switches?
2.- I have configured ip source-route and ip cef on point-to-point routers. Should I disable them and why?
Unfortunately, there is no way to list all of these services in a similar way that you would on a PC. However, you can see what processes are running on a Cisco device and how much CPU and memory they are using with the following command:
show processes and its related command keywords.
This command however is not useful for the purpose of viewing these processes that should be disabled or restricted. You just have to know what they are and view them with their own individual show commands.
As for the ip source-route command, it can be dangerous to use as it can be taken advantage of by malicious users. It is a rarely used option that allows the originator of a packet to decide which routers the packet should go through to get to the destination by supplying the full path of routers on the options header of the IP packet. Unless you have a very specific reason for this configuration, don’t enable it.
The ip cef command does not have any security risks related to it; however, it is designed for a very specific purpose. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP backbone switching. If you are not implementing something like this, there is no need to enable it. Essentially, it won’t make any difference if you do.
I hope this has been helpful!
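The answer above describes source routing as a path list carried in the IP options header. As an added example (not code from the thread or the lesson), the following parses the IPv4 options field, reports whether a packet carries a loose or strict source route option and which hops it lists, and models the effect of "no ip source-route": the router discards datagrams carrying a source-route option instead of honouring it. The option type values are the standard RFC 791 ones; the sample packets are constructed, with the header checksum left at zero since it is not needed for option parsing.

```python
import struct
import ipaddress

# RFC 791 option type octets (standard values, not taken from the thread).
IPOPT_EOOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137       # loose / strict source route


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(option_type, option_data)] for an IPv4 header; reject malformed encodings."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options, i = [], 20
    while i < ihl:
        opt = packet[i]
        if opt == IPOPT_EOOL:
            break
        if opt == IPOPT_NOP:          # single-octet padding option, no length byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option truncated")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append((opt, packet[i + 2:i + length]))
        i += length
    return options


def source_route(packet: bytes):
    """Return ('loose'|'strict', [hops]) if the packet carries LSRR/SSRR, else None."""
    for opt, data in parse_ipv4_options(packet):
        if opt in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the pointer octet; the remainder is the list of 4-byte hop addresses.
            hops = [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(1, len(data) - 3, 4)]
            return ("loose" if opt == IPOPT_LSRR else "strict", hops)
    return None


def forwarding_verdict(packet: bytes, ip_source_route: bool = False) -> str:
    """Model 'ip source-route' vs 'no ip source-route': with it disabled, source-routed
    packets are discarded; everything else is forwarded normally."""
    if source_route(packet) is not None and not ip_source_route:
        return "drop"
    return "forward"


# --- constructed sample packets (not captured traffic) --------------------------

def lsrr_option(hops) -> bytes:
    """Build an LSRR option whose pointer (4) points at the first listed hop."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (no payload, header checksum left at zero) with padded options."""
    options += b"\x00" * (-len(options) % 4)          # pad with EOOL to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(options),
                         0, 0, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


if __name__ == "__main__":
    plain = build_ipv4("192.0.2.10", "198.51.100.5")
    routed = build_ipv4("192.0.2.10", "198.51.100.5", lsrr_option(["10.0.0.1", "10.0.0.2"]))
    print(source_route(routed), forwarding_verdict(routed), forwarding_verdict(plain))
```

The length checks in the option walker are deliberate: an option whose declared length runs past the header is the kind of malformed input a forwarding path must reject rather than read out of bounds.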
Cisco Smart Install
A legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design.
This feature will show up in a security audit of your network as a potential risk.