Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

140 Chapter 4 Cisco Perimeter Router Problems and Solutions

Hands-On Lab

The lab in this section will have you secure the perimeter router in your network using Cisco IOS. You will need at least a 2600 router or RouterSim software to complete this lab.

Lab 4.1: Controlling TCP/IP Services

This lab will have you control TCP/IP services on the perimeter router. This lab protects exposed services with Cisco IOS software commands.

1. Log in to your perimeter router.

2. Go to global configuration mode, then to interface configuration mode for every interface (one at a time, of course!).

3. On each interface, enter the following command:

Lab_B(config-if)#no ip proxy-arp

This command disables proxy ARP on an interface. Typically, you need to do this only on a LAN interface, not on a serial interface.

4. Enter the no ip redirects command on each interface:

Lab_B(config-if)#no ip redirects

This command disables the sending of redirect messages if the router is forced to resend a packet through the same interface on which it was received.

5. Now, on each interface, use the no ip route-cache command:

Lab_B(config-if)#no ip route-cache

This command disables the use of a high-speed switching cache for IP routing and the use of autonomous switching.

6. Enter the no ip unreachables command on each interface as follows:

Lab_B(config-if)#no ip unreachables

This command disables the generation of ICMP unreachable messages on a specified interface.

7. Turn off the TCP small servers:

Lab_B(config-if)#no service tcp-small-servers

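This command disables the rarely used TCP diagnostic services. It is a global configuration command: IOS accepts it from the interface prompt shown here, but it applies to the whole router rather than to one interface.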

8. Turn off the UDP small servers:

Lab_B(config-if)#no service udp-small-servers

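This command disables the rarely used UDP diagnostic services. Like the TCP command in step 7, it is a global configuration command and applies to the whole router.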

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

9. Turn off the multicast route cache on each interface:

Lab_B(config-if)#no ip mroute-cache

10. Turn off the Finger service. This is done in global configuration mode, not at the interface level:

Lab_B(config)#no service finger

This command disallows Finger protocol requests made to the network server.

11. Set the no ip source-route command from global configuration mode:

Lab_B(config)#no ip source-route

This command causes the system to discard any IP datagram containing a source-route option.

12. From global configuration mode, turn off the BOOTP server service:

Lab_B(config)#no ip bootp server

13. Verify your configuration with the show running-config command.
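The verification in step 13 can be automated against saved show running-config output. The script below is an added example, not part of the book: it checks every interface stanza and the global section for the commands from this lab. The sample configuration and the names parse_config and audit are constructed for illustration, and the check assumes each disabling line appears verbatim in the output; a line reported as not found may be hidden because that service is already off by default on the IOS release in use, so treat it as something to confirm by hand.

```python
# Hardening lines from Lab 4.1, grouped by where IOS stores them.
PER_INTERFACE = ["no ip proxy-arp", "no ip redirects", "no ip route-cache",
                 "no ip unreachables", "no ip mroute-cache"]
GLOBAL = ["no service tcp-small-servers", "no service udp-small-servers",
          "no service finger", "no ip source-route", "no ip bootp server"]

# Constructed "show running-config" excerpt (not taken from the book).
SAMPLE = """\
no service finger
no ip source-route
no ip bootp server
!
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
!
interface Serial0/0
 no ip redirects
 no ip unreachables
!
line vty 0 4
 login
"""

def parse_config(text):
    """Split a running-config into top-level lines and per-interface stanzas."""
    top, ifaces, current = set(), {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or "!" separator
        if not line.startswith(" "):      # top-level command opens a new scope
            current = line.split()[1] if line.startswith("interface ") else None
            top.add(line.strip())
            if current:
                ifaces[current] = set()
        elif current:                     # indented sub-command of an interface
            ifaces[current].add(line.strip())
    return top, ifaces

def audit(text):
    """Return {scope: [lab commands not found]} for every scope with gaps."""
    top, ifaces = parse_config(text)
    gaps = {"global": [c for c in GLOBAL if c not in top]}
    for name, lines in ifaces.items():
        gaps[name] = [c for c in PER_INTERFACE if c not in lines]
    return {scope: missing for scope, missing in gaps.items() if missing}
```

Calling audit(SAMPLE) reports the two small-server commands as not found globally and three per-interface commands as not found on Serial0/0, while FastEthernet0/0 passes.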
