NTP Service
Cisco routers and other hosts use the Network Time Protocol (NTP) to keep their
time-of-day clocks accurate and synchronized. If possible, configure all routers
as part of an NTP hierarchy. If an NTP hierarchy is not available on the
network, then disable NTP as shown in Figure .
Disabling NTP on an interface will not prevent NTP messages from traversing the
router. To reject all NTP messages at a particular interface, use an access
list.
SNMP Services
The Simple Network Management Protocol (SNMP) is
the standard Internet protocol for automated remote monitoring and
administration. There are several different versions of SNMP with different
security properties. If a network has an SNMP infrastructure in place for
administration, then all routers on that network should be configured to
securely participate in it. In the absence of a deployed SNMP scheme, all SNMP
facilities on all routers should be disabled using the following steps:
- Erase existing community strings, and set a hard-to-guess, read-only
community string.
- Apply a simple IP access list to SNMP denying all traffic.
- Disable SNMP system shutdown and trap features.
Disable SNMP
Figure shows how to disable SNMP. It starts with listing the current
configuration to find the SNMP community strings. The configuration listing is
often quite long, but there is no other mechanism in Cisco IOS for viewing the
configured SNMP community strings. The command no snmp-server shuts down all
SNMP processing on the router. When SNMP processing is shut down, SNMP
configuration will not appear in any listing of the running configuration, but
it may still be there.
Router Name and DNS Name Resolution
Cisco IOS supports looking up host names with the Domain Name System (DNS). DNS
provides the mapping between names, such as central.mydomain.com, and IP
addresses, such as 14.2.9.250. Unfortunately, the basic DNS protocol offers no
authentication or integrity assurance. By default, name queries are sent to the
broadcast address 255.255.255.255. If one or more name servers are available on
the network, and it is desirable to use names in IOS commands, then explicitly
set the name server addresses using the global configuration command ip
name-server addresses. Otherwise, turn off DNS name resolution with the command
no ip domain-lookup. It is also a good idea to give the router a name, using the
command hostname. The name given to the router will appear in the prompt.
Figure shows how to set the router name, and set up a main and backup DNS
server address.
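The checks in the NTP, SNMP and DNS sections above can be run against a saved
running-config listing. The following audit script is an added example, not
part of the guide; the sample configuration it contains is constructed, and the
set of guessable community strings is an assumption, not something the guide
lists.

```python
import re
# Constructed sample running-config, not taken from the guide: NTP points at
# a server, but the SNMP and DNS weaknesses described above are all present.
WEAK_CONFIG = """\
hostname Router
ntp server 192.0.2.10
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps
snmp-server system-shutdown
"""
GUESSABLE = {"public", "private"}  # assumed well-known default strings

def audit_ios_config(config):
    """Return finding codes for the NTP, SNMP, DNS and hostname items above."""
    # Work from the running-config listing: it is the only place IOS shows the
    # community strings, and 'no snmp-server' / 'no ip domain-lookup' show up
    # in it only once applied, so their absence means the default behaviour.
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # NTP: part of a hierarchy (server/peer) or disabled on the interfaces.
    if not any(re.match(r"ntp (server|peer) ", ln) for ln in lines) \
            and "ntp disable" not in lines:
        findings.append("NTP_UNCONFIGURED")
    # SNMP: RW, guessable or ACL-less strings, plus trap/shutdown features.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(.*)", ln)
        if not m:
            continue
        string, options = m.group(1), m.group(2).split()
        if "RW" in options:
            findings.append("SNMP_RW_COMMUNITY:" + string)
        if string.lower() in GUESSABLE:
            findings.append("SNMP_GUESSABLE_COMMUNITY:" + string)
        if not any(tok.isdigit() for tok in options):  # no numbered ACL
            findings.append("SNMP_COMMUNITY_WITHOUT_ACL:" + string)
    if any(ln.startswith("snmp-server enable traps") for ln in lines):
        findings.append("SNMP_TRAPS_ENABLED")
    if "snmp-server system-shutdown" in lines:
        findings.append("SNMP_SHUTDOWN_ENABLED")
    # DNS: on by default and broadcast unless servers are set or lookup is off.
    if "no ip domain-lookup" not in lines and not any(
            ln.startswith("ip name-server ") for ln in lines):
        findings.append("DNS_LOOKUP_BROADCAST")
    # Hostname: the prompt should identify the router, not the default name.
    host = next((ln.split()[1] for ln in lines if ln.startswith("hostname ")), "")
    if host in ("", "Router"):
        findings.append("DEFAULT_HOSTNAME")
    return findings
```

Feed it the output of show running-config; an empty list means every item in
the three sections above is either configured as recommended or disabled.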