no ipv6 multicast

Patrick McHenry (Level 3)

Hi,

I'm wondering if it is possible to get rid of "ipv6 multicast rpf use-bgp" and "ipv6 multicast vrf mgmt-intf rpf use-bgp" on my ASR1002X router? The security team was saying they would like to get rid of it since we are not using IPv6. Is there a way to get rid of this part of the config?

I tried with "no" in front of the command, but no luck.

Thank you, Pat.


Accepted Solution

Hello Patrick,

This is an extremely tough question, considering the vast variability of IOSes, their features and versions. There is no simple answer.

I suggest getting acquainted with the Cisco SAFE Blueprint:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_safe.html

That is a set of Cisco Validated Designs that actually covers security in a broader context than just Cisco device hardening, but it is definitely worth reading. Do not expect these documents to actually contain an enumerative list of things to shut down or deconfigure; rather, expect them to give more general guidance around the things to watch out for.

More specific and step-by-step information can be found in this document called Cisco Guide to Harden Cisco IOS Devices:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

And finally, while I never thought I would recommend this, have a look at the Auto Secure function usually available on ISR and ISR G2 routers. I would not personally recommend using it to harden a Cisco router, but it is worth running on a standalone clean router and seeing what commands it adds/removes to make the box arguably more hardened.

Auto Secure is run using "auto secure full" from the privileged EXEC mode (not the configuration mode), and interactively asks you about features to activate/deactivate.

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_autosecure.html

Perhaps this will help you out. I know this is hardly a quick cookbook - then again, security never worked well with cookbooks.

Best regards,

Peter


3 Replies

Peter Paluch (Cisco Employee)

Patrick,

If the "no" form of these commands did not allow you to remove them, then most probably they cannot currently be removed and simply represent functionality that cannot be deactivated. Still, if you are not using IPv6, then these commands have no effect. Your security team may be worried about unused functionality, but to increase their paranoia, they should be aware that there are many features of IOS that are active by default and yet have no explicit line in the configuration. So seeing or not seeing a configuration line in the running-config alone is not enough.

Best regards,

Peter
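Peter's last point, that features can be active by default with no line in the running-config, can be checked on the device by comparing the output of "show running-config" with "show running-config all", which also lists default settings. The script below is added here as an example and is not part of the original thread; it diffs two such captures and flags hidden defaults matching a watch list. The two sample configs, the watch list and the hostname are constructed for illustration and make no claim about which lines are actually defaults on an ASR1002-X; capture real output from your own router and check each flagged line against the hardening guide for your platform.

```python
"""Surface IOS features that are active by default but never appear in the
ordinary running-config, by diffing 'show running-config' against
'show running-config all'.

Added example, not from the original thread. Assumes both outputs have
been captured to text (copy/paste or a terminal log).
"""
from __future__ import annotations

# Display chrome that is not configuration and must be ignored in the diff.
_NOISE_PREFIXES = ("Building configuration", "Current configuration", "!")

# Constructed watch list of prefixes worth a second look; extend it from the
# Cisco hardening guide for your platform.
WATCH_PREFIXES = ("ipv6", "ip http", "cdp", "service ", "ip source-route", "ip finger")

# Constructed sample of 'show running-config' (not from a real device).
RUNNING = """\
Building configuration...

Current configuration : 1024 bytes
!
hostname edge-rtr
!
ipv6 multicast rpf use-bgp
ipv6 multicast vrf mgmt-intf rpf use-bgp
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Constructed sample of 'show running-config all' for the same device.
# Which of these lines are really defaults varies by platform and release.
RUNNING_ALL = """\
Building configuration...

Current configuration : 4096 bytes
!
hostname edge-rtr
!
service pad
ip source-route
ip finger
ip http server
cdp run
ipv6 multicast rpf use-bgp
ipv6 multicast vrf mgmt-intf rpf use-bgp
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 cdp enable
!
end
"""


def normalize(config_text: str) -> set[str]:
    """Return the meaningful config lines, whitespace-collapsed.

    Indented sub-commands are prefixed with their parent line so that
    'cdp enable' under an interface is not confused with a global command.
    """
    lines: set[str] = set()
    parent = ""
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] == " "
        line = " ".join(raw.split())
        if line.startswith(_NOISE_PREFIXES) or line == "end":
            continue
        if indented:
            line = f"{parent} > {line}"
        else:
            parent = line
        lines.add(line)
    return lines


def hidden_defaults(running: str, running_all: str) -> list[str]:
    """Lines that only 'show running-config all' shows: settings the device
    applies without ever listing them in the ordinary running-config."""
    return sorted(normalize(running_all) - normalize(running))


def flag_watched(hidden: list[str]) -> list[str]:
    """Subset of hidden defaults matching the watch list, including
    sub-commands (matched after the ' > ' parent separator)."""
    return [
        line for line in hidden
        if any(line.startswith(p) or f"> {p}" in line for p in WATCH_PREFIXES)
    ]


if __name__ == "__main__":
    hidden = hidden_defaults(RUNNING, RUNNING_ALL)
    print("Active by default, absent from running-config:")
    for line in hidden:
        marker = "  <-- review" if line in flag_watched(hidden) else ""
        print(f"  {line}{marker}")
```

Note that the two "ipv6 multicast ... rpf use-bgp" lines from the question are present in both captures, so they do not show up as hidden: they are the visible part of the picture. The point of the diff is the lines that never reach the ordinary running-config at all.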

Thanks Peter,

Do you have a list of things that don't show up in the config that should be disabled?

Thank you.

