UNCLASSIFIED    Implementing Security on Cisco Routers    Version 1.0g

4.2.2. How to Disable Unneeded Features and Services

Each sub-section below describes how to disable or restrict particular services and features under Cisco IOS 11.3 and 12.0.

CDP

The Cisco Discovery Protocol is a proprietary protocol that Cisco routers use to identify each other on a LAN segment. It is useful only in specialized situations, and is considered deleterious to security. To turn off CDP entirely, use the commands shown below in global configuration mode.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# no cdp run
    Central(config)# exit
    Central# show cdp
    % CDP is not enabled

In the unlikely event that CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP use the cdp run command in global configuration mode, and then disable it on each interface where it is not needed using the no cdp enable command in interface configuration mode.

TCP and UDP Small Servers

The TCP and UDP protocol standards include a recommended list of simple services that hosts should provide. In virtually all cases, it is not necessary for routers to support these services, and they should be disabled. The example below shows how to test whether the TCP small servers are running, and how to disable the TCP and UDP small servers.

    Central# ! if connect success, then tcp-small-servers are running
    Central# connect 14.2.9.250 daytime
    Trying 14.2.9.250, 13 ... Open
    Monday, April 3, 2000 11:48:39-EDT
    [Connection to 14.2.9.250 closed by foreign host]
    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# no service tcp-small-servers
    Central(config)# no service udp-small-servers
    Central(config)# exit
    Central# connect 14.2.9.250 daytime
    Trying 14.2.9.250, 13 ... % Connection refused by remote host
    Central#
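
As an added illustration (not part of the original guide), the Python script below audits a saved running-config for the CDP and small-server settings covered in this section. The sample configuration and interface names are constructed, and the script assumes CDP is running unless no cdp run appears, which is the IOS default.

```python
# Added example: offline audit of a saved IOS running-config for the
# CDP and small-server settings discussed above.

# Constructed sample config (not taken from the guide).
SAMPLE_CONFIG = """\
hostname Central
service tcp-small-servers
!
interface Ethernet0
 no cdp enable
!
interface Ethernet1
 description constructed example interface
!
"""

def audit(config_text):
    """Return a list of findings for CDP and TCP/UDP small servers."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())   # interface sub-command
        else:
            current = None                          # back at global level
            global_cmds.add(line.strip())

    findings = []
    # Only explicit enabling is flagged. If neither form of the command is
    # present, the release default applies; confirm with the connect test.
    for proto in ("tcp", "udp"):
        if f"service {proto}-small-servers" in global_cmds:
            findings.append(f"{proto.upper()} small servers enabled: "
                            f"add 'no service {proto}-small-servers'")
    # Assumption: CDP runs globally unless 'no cdp run' is configured.
    if "no cdp run" not in global_cmds:
        for name, cmds in interfaces.items():
            if "no cdp enable" not in cmds:
                findings.append(f"CDP active on {name}: add 'no cdp enable' "
                                "or disable globally with 'no cdp run'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An interface reported as CDP-active is not necessarily misconfigured; the report lists where CDP remains on so each case can be checked against an actual need.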