Disable Topology Discovery Tools
Tools such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can hand out unnecessary information about your device to neighbours outside of your control. Disable these services on such interfaces with the interface commands no cdp enable, no lldp transmit, and no lldp receive.
Disable TCP and UDP Small Services
The global commands service tcp-keepalives-in and service tcp-keepalives-out make the device send TCP keepalives on inbound and outbound TCP sessions. This verifies that the device at the remote end of the session is still reachable, and that half-open or orphaned connections are torn down on the device.
Disable IP Redirect Services
An ICMP redirect is used to inform a device of a better path to a destination network. An IOS device will send an ICMP redirect when it detects traffic hairpinning, that is, a packet leaving on the same interface it arrived on. This can be disabled with the interface command no ip redirects.
Disable proxy Address Resolution Protocol (ARP)
Proxy ARP allows a router to answer ARP requests on behalf of devices on another network that it is responsible for. The router impersonates those devices, replying to the ARP request with its own MAC address so that the traffic is forwarded through it. Disable proxy ARP on the interface with the command no ip proxy-arp.
Disable service configuration
Cisco devices support loading their configuration automatically from a remote device over TFTP and other methods. This can be disabled with the global command no service config.
Disable the Maintenance Operation Protocol (MOP) Service
The MOP service is not needed and should be disabled globally with the command no mop enabled
Disable the packet assembler/disassembler (PAD) Service
The PAD service is used for X.25 and is not required. It can be disabled with the command no service pad.
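The items above are easy to miss on a device with many interfaces, so here is an added example (not part of the original post) that audits a saved running-config for the commands this post lists. It parses the text into a global section and per-interface sections and reports which hardening commands each scope lacks; the sample config is constructed, not taken from a real device.

```python
import re

# Constructed sample running-config (not from a real device): Gi0/0 is
# hardened as the post describes; Gi0/1 and the global section are not.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
!
interface GigabitEthernet0/0
 no cdp enable
 no lldp transmit
 no lldp receive
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
interface GigabitEthernet0/1
 no ip redirects
!
"""
GLOBAL_CHECKS = ["service tcp-keepalives-in", "service tcp-keepalives-out",
                 "no service config", "no service pad"]
INTERFACE_CHECKS = ["no cdp enable", "no lldp transmit", "no lldp receive",
                    "no ip redirects", "no ip proxy-arp", "no mop enabled"]

def parse_config(text):
    """Split an IOS config into global lines and per-interface line sets."""
    global_lines, interfaces, current = set(), {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            current = None  # '!' terminates a configuration section
        elif (m := re.match(r"interface (\S+)$", line)):
            current = m.group(1)
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces

def audit(text):
    """Map each non-compliant scope to the hardening commands it lacks."""
    global_lines, interfaces = parse_config(text)
    scopes = {"global": (global_lines, GLOBAL_CHECKS)}
    scopes.update((n, (cfg, INTERFACE_CHECKS)) for n, cfg in interfaces.items())
    report = {n: [c for c in checks if c not in lines]
              for n, (lines, checks) in scopes.items()}
    return {n: missing for n, missing in report.items() if missing}
```

Because show running-config omits settings that are at their default, a reported gap means the line is not explicitly configured, so confirm it against show running-config all before changing the device.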