Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Turning Off and Configuring Network Services

129

Turning Off the X.25 PAD Service

Packet assembler/disassembler (PAD) connects asynchronous devices such as terminals, IC-card readers, and computers to public/private X.25 networks. Since every computer in the world is pretty much IP savvy, and X.25 has gone the way of the dodo bird, there is no reason to leave this service running. Use the following command to disable the PAD service:

Lab_B(config)#no service pad

Enabling the Nagle TCP Congestion Algorithm

The Nagle TCP congestion algorithm is useful for small-packet congestion, but if you’re using a higher setting than the default MTU of 1500 bytes, it can create an above-average traffic load. To enable this service, use the following command:

Lab_B(config)#service nagle

It is important to understand that the Nagle congestion service can break X Window connections to an X server, so don’t use it if you’re using X Window.

Logging Every Event

If you use the Cisco ACS server as a syslog server, the router can send its events there for you to verify later. Use the logging trap debugging command and the logging ip_address command to turn this feature on:

Lab_B(config)#logging trap debugging

Lab_B(config)#logging 192.168.254.251

Lab_B(config)#exit

Lab_B#sh logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Console logging: level debugging, 15 messages logged

Monitor logging: level debugging, 0 messages logged

Buffer logging: disabled

Trap logging: level debugging, 19 message lines logged

Logging to 192.168.254.251, 1 message lines logged

The show logging command provides you with statistics of the log on the router.

Disabling Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) does just that—it’s a Cisco proprietary protocol that discovers Cisco devices on the network. But because it’s a Data Link–layer protocol, it can’t find Cisco devices on the other side of a router. Plus, by default, Cisco switches don’t forward CDP packets, so you can’t see Cisco devices attached to any other port on a switch.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

130 Chapter 4 Cisco Perimeter Router Problems and Solutions

When you are bringing up your network for the first time, CDP can be a really helpful protocol for verifying your network. But because you’re going to be thorough and document your network, you don’t need CDP after that. And because CDP lets anyone on the network discover your Cisco routers and switches, you should disable it. You do that in global configuration mode, which turns off CDP completely for your router or switch:

Lab_B(config)#no cdp run

Or you can turn off CDP on each individual interface using the following command:

Lab_B(config-if)#no cdp enable

Disabling the Default Forwarded UDP Protocols

When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers:

Lab_B(config)#interface f0/0

Lab_B(config-if)#ip helper-address 192.168.254.251

You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server request), it forwards seven other ports as well. To disable the unused ports, use the following commands:

Lab_B(config)#no ip forward-protocol udp 69

Lab_B(config)#no ip forward-protocol udp 53

Lab_B(config)#no ip forward-protocol udp 37

Lab_B(config)#no ip forward-protocol udp 137

Lab_B(config)#no ip forward-protocol udp 138

Lab_B(config)#no ip forward-protocol udp 68

Lab_B(config)#no ip forward-protocol udp 49

Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port, say TACACS+, use the following command:

Lab_B(config)#ip forward-protocol udp 49

Here’s a list of available ports that you can opt to forward from the router, as well as the ports that are forwarded by default if you use the ip helper-address command:

Port or Protocol   Meaning                                                            On by Default

<0–65535>          Port number (create your own)
biff               Biff (mail notification, comsat, 512)
bootpc             Bootstrap Protocol (BOOTP) client (68)                             X
bootps             Bootstrap Protocol (BOOTP) server (67)                             X
discard            Discard (9)
dnsix              DNSIX security protocol auditing (195)
domain             Domain Name Service (DNS) (53)                                     X
echo               Echo (7)
isakmp             Internet Security Association and Key Management Protocol (500)
mobile-ip          Mobile IP registration (434)
nameserver         IEN116 name service (obsolete, 42)
netbios-dgm        NetBios datagram service (138)                                     X
netbios-ns         NetBios name service (137)                                         X
netbios-ss         NetBios session service (139)
ntp                Network Time Protocol (123)
pim-auto-rp        PIM Auto-RP (496)
rip                Routing Information Protocol (router, in.routed, 520)
snmp               Simple Network Management Protocol (SNMP) (161)
snmptrap           SNMP traps (162)
sunrpc             Sun Remote Procedure Call (111)
syslog             System Logger (514)
tacacs             TAC access control system (49)                                     X
talk               Talk (517)
tftp               Trivial File Transfer Protocol (TFTP) (69)                         X
time               Time (37)                                                          X
who                Who service (rwho, 513)
xdmcp              X Display Manager Control Protocol (177)
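As an added example (not from the book), here is a small Python audit that reads an IOS running-config excerpt and reports which of this section's hardening items are missing: the PAD service, a global no cdp run, syslog trap logging to a host, and which UDP ports an ip helper-address would still relay once the no ip forward-protocol lines are applied. The sample config, interface name and addresses are constructed.

```python
import re

# Constructed running-config excerpt (not from the book); addresses are placeholders.
SAMPLE_CONFIG = """\
service pad
no service nagle
logging trap debugging
logging 192.168.254.251
!
interface FastEthernet0/0
 ip helper-address 192.168.254.251
!
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
ip forward-protocol udp 49
"""

# UDP ports IOS relays by default once ip helper-address is configured
# (the "On by Default" rows of the table above).
DEFAULT_FORWARDED = {67: "bootps", 68: "bootpc", 53: "domain", 137: "netbios-ns",
                     138: "netbios-dgm", 49: "tacacs", 69: "tftp", 37: "time"}


def forwarded_udp_ports(config):
    """Ports the router would relay: the defaults, adjusted by every
    'ip forward-protocol udp N' / 'no ip forward-protocol udp N' line."""
    ports = set(DEFAULT_FORWARDED)
    for m in re.finditer(r"^(no )?ip forward-protocol udp (\d+)\s*$", config, re.M):
        port = int(m.group(2))
        ports.discard(port) if m.group(1) else ports.add(port)
    return ports


def audit_config(config):
    """Return one finding string per hardening item from this section that is missing."""
    findings = []
    if re.search(r"^service pad\s*$", config, re.M):
        findings.append("X.25 PAD service enabled: add 'no service pad'")
    if not re.search(r"^no cdp run\s*$", config, re.M):
        findings.append("CDP not disabled globally: add 'no cdp run'")
    if not (re.search(r"^logging trap ", config, re.M)
            and re.search(r"^logging (host )?\d+\.\d+\.\d+\.\d+", config, re.M)):
        findings.append("syslog trap logging to a host is not configured")
    if re.search(r"^ ip helper-address ", config, re.M):
        extra = forwarded_udp_ports(config) - {67}  # 67 is the DHCP/BOOTP server port we want
        if extra:
            names = ", ".join(f"{p}/{DEFAULT_FORWARDED.get(p, 'custom')}" for p in sorted(extra))
            findings.append(f"ip helper-address also relays UDP {names}; "
                            "restrict with 'no ip forward-protocol udp <port>'")
    return findings
```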
