Cisco Router Global Commands

Here is some follow-up to my previous post on interface-level commands. Here are some commands to consider for global configuration mode.

  1. no ip source-route – Source routing allows a packet to specify how it should be routed through a network instead of following the routers designated by the internal network’s routing protocols.
  2. no service tcp-small-servers – These services include the echo, discard, daytime, and chargen services. These services rarely serve any purpose on a modern network and should be disabled on all routers.
  3. no service udp-small-servers – These services include the echo, discard, daytime, and chargen services. These are old-school services that are rarely of any use on a modern network.
  4. no ip finger – The finger service can allow remote users to find out who is logged into the router. Usernames are not something you want to easily give away.
  5. service password-encryption – This ensures passwords are not saved in the configuration unencrypted.
  6. security passwords min-length 10 [Starting IOS 12.3(1)] – This requires local passwords to be minimum ten characters in length.
  7. no service password-recovery – This option should only be used for network equipment in sites where there is not a high level of physical security or on-site IT staff. Secondary warehouses, sales offices or remote distribution sites are examples of such locations. It prevents any manual password bypass of network hardware without wiping the existing configuration.
  8. security authentication failure rate 5 log – This causes a 15-second authentication delay after 5 failed attempts and sends a syslog alert message.
  9. login delay 15 [Starting IOS 12.3(4)T] – This causes a 15-second delay between successive login attempts. This reduces the effectiveness of dictionary login attacks.
  10. login block-for 120 attempts 10 [Starting IOS 12.3(4)T] – This will block the next login attempt for 120 seconds if 10 failed attempts occur consecutively. This reduces the effectiveness of dictionary login attacks.
  11. banner motd – A login warning banner should be in use on all network devices that support it. It may be customized to be acceptable for a given country.
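As an added example (not part of the original post), here is a small Python audit that checks a saved running-config for the global settings listed above and flags values that fall below the thresholds the list uses as weak. It assumes the config was captured as plain text from `show running-config`; a line that is absent may simply be an IOS default that the command does not display, so `missing` means verify on the device rather than assume the feature is enabled.

```python
import re

# Global-config hardening lines from the post. Each entry is a name, a regex
# matched against one config line, and an optional threshold test applied to
# the numbers captured by the regex (constructed for this example).
CHECKS = [
    ("no ip source-route", r"^no ip source-route$", None),
    ("no service tcp-small-servers", r"^no service tcp-small-servers$", None),
    ("no service udp-small-servers", r"^no service udp-small-servers$", None),
    ("no ip finger", r"^no ip finger$", None),
    ("service password-encryption", r"^service password-encryption$", None),
    ("security passwords min-length", r"^security passwords min-length (\d+)$",
     lambda n: int(n[0]) >= 10),
    ("no service password-recovery", r"^no service password-recovery$", None),
    ("security authentication failure rate",
     r"^security authentication failure rate (\d+) log$",
     lambda n: int(n[0]) <= 5),
    ("login delay", r"^login delay (\d+)$", lambda n: int(n[0]) >= 15),
    ("login block-for", r"^login block-for (\d+) attempts (\d+)",
     lambda n: int(n[0]) >= 120 and int(n[1]) <= 10),
    ("banner motd", r"^banner motd ", None),
]


def audit_config(config_text):
    """Return {check_name: 'ok' | 'weak' | 'missing'} for a running-config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    results = {}
    for name, pattern, threshold in CHECKS:
        status = "missing"  # not shown: may be a default, so verify on the box
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                status = "ok" if threshold is None or threshold(m.groups()) else "weak"
                break
        results[name] = status
    return results


# Constructed sample running-config for the demo (not from a real device).
SAMPLE_CONFIG = """\
!
service password-encryption
no ip source-route
no ip finger
security passwords min-length 6
login block-for 60 attempts 20 within 60
banner motd ^C Authorized access only ^C
!
"""

if __name__ == "__main__":
    for check, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{status:8} {check}")
```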