UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
4.2.2. How to Disable Unneeded Features and Services
Each sub-section below describes how to disable or restrict particular services and
features under Cisco IOS 11.3 and 12.0.
CDP
The Cisco Discovery Protocol is a proprietary protocol that Cisco routers use to
identify each other on a LAN segment. It is useful only in specialized situations, and
is considered deleterious to security. To turn off CDP entirely, use the commands
shown below in global configuration mode.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no cdp run
Central(config)# exit
Central# show cdp
% CDP is not enabled
In the unlikely event that CDP is needed for part of a network, it can be enabled and
disabled for each interface. To enable CDP use the cdp run command in global
configuration mode, and then disable it on each interface where it is not needed using
the no cdp enable command in interface configuration mode.
TCP and UDP Small Servers
The TCP and UDP protocol standards include a recommended list of simple services
that hosts should provide. In virtually all cases, it is not necessary for routers to
support these services, and they should be disabled. The example below shows how
to test whether the TCP small servers are running, and how to disable the TCP and
UDP small servers.
Central# ! if connect success, then tcp-small-servers are running
Central# connect 14.2.9.250 daytime
Trying 14.2.9.250, 13 ... Open
Monday, April 3, 2000 11:48:39-EDT
[Connection to 14.2.9.250 closed by foreign host]
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no service tcp-small-servers
Central(config)# no service udp-small-servers
Central(config)# exit
Central# connect 14.2.9.250 daytime
Trying 14.2.9.250, 13 ...
% Connection refused by remote host
Central#
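The CDP and small-server settings above can also be checked offline against a saved `show running-config`. The following audit script is an added example, not part of this guide; the sample configuration and its IP addresses are constructed, and the handling of IOS defaults (CDP on by default, small-server default left for the reader to verify) is an assumption made by the example rather than something the guide states.

```python
# Constructed sample config; the addresses and interface names are placeholders.
SAMPLE_CONFIG = """\
no service udp-small-servers
interface Ethernet0
 ip address 14.2.9.250 255.255.255.0
 no cdp enable
interface Serial0
 ip address 14.1.1.20 255.255.255.0
"""

# feature -> (enabling line, disabling line).  IOS omits default settings
# from 'show running-config', so absence of both lines means the default.
FEATURES = {
    "cdp": ("cdp run", "no cdp run"),
    "tcp-small-servers": ("service tcp-small-servers", "no service tcp-small-servers"),
    "udp-small-servers": ("service udp-small-servers", "no service udp-small-servers"),
}
# Assumption: CDP defaults to on; the small-server default is release
# dependent, so it is reported as 'default (verify)' rather than guessed.
DEFAULT_ON = {"cdp"}

def parse_interfaces(config):
    """Return {interface name: [its indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = None  # back at the global level
    return interfaces

def audit(config):
    """Map each feature to 'disabled', 'enabled' or 'default (verify)'."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = {}
    for feature, (on_cmd, off_cmd) in FEATURES.items():
        if off_cmd in global_lines:
            findings[feature] = "disabled"
        elif on_cmd in global_lines or feature in DEFAULT_ON:
            findings[feature] = "enabled"
        else:
            findings[feature] = "default (verify)"
    # When CDP runs globally, every interface lacking 'no cdp enable' still
    # advertises; list those so each can be disabled or justified.
    if findings["cdp"] == "enabled":
        for name, subs in parse_interfaces(config).items():
            if "no cdp enable" not in subs:
                findings["cdp on " + name] = "enabled"
    return findings
```

A 'default (verify)' result for the small servers is exactly the case the `connect ... daytime` test above settles: a successful connection to port 13 means they are running.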