New Member

no ipv6 multicast

Hi,

I'm wondering if it is possible to get rid of "ipv6 multicast rpf use-bgp" and "ipv6 multicast vrf mgmt-intf rpf use-bgp" on my ASR1002X router? The security team was saying they would like to get rid of it since we are not using IPv6. Is there a way to get rid of this part of the config?

I tried with the no in front of the command, but no luck.

Thank you, Pat.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

no ipv6 multicast

Hello Patrick,

This is an extremely tough question, considering the vast variability of IOSes, their features and versions. There is no simple answer.

I suggest getting acquainted with the Cisco SAFE Blueprint:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_safe.html

That is a set of Cisco Validated Designs that actually covers security in a broader context than just Cisco device hardening, but it is definitely worth reading. Do not expect these documents to actually contain an enumerative list of things to shut down or deconfigure; rather, expect them to give more general guidance around the things to watch out for.

More specific and step-by-step information can be found in this document called Cisco Guide to Harden Cisco IOS Devices:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

And finally, while I never thought I would recommend this, have a look at the Auto Secure function usually available on ISR and ISR G2 routers. I would not personally recommend using it to harden a Cisco router, but it is worth running on a standalone clean router and seeing what commands it adds/removes to make the box arguably more hardened.

Auto Secure is run using auto secure full from privileged EXEC mode (not the configuration mode), and interactively asks you about features to activate/deactivate.

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_autosecure.html

Perhaps this will help you out. I know this is hardly a quick cookbook - then again, security never worked well with cookbooks.

Best regards,

Peter

3 REPLIES
Cisco Employee

no ipv6 multicast

Patrick,

If the no form of these commands did not allow you to remove them, then most probably they cannot currently be removed and simply represent functionality that cannot be deactivated. Still, if you are not using IPv6, then these commands have no effect. Your security team may be worried about unused functionality, but to increase their paranoia, they should be aware that there are many features of IOS that are active by default and yet have no explicit line in the configuration. So seeing or not seeing a configuration line in the running-config alone is not enough.

Best regards,

Peter
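One practical way to surface the default-on features Peter refers to is to compare the normal `show running-config` output with `show running-config all`, which on IOS and IOS-XE also prints settings that are at their default value and therefore hidden from the usual running-config. The script below is an added example, not code from this thread or from Cisco: it parses both outputs into (context, command) pairs, reports the lines that exist only in the "all" output (the implicit defaults), and flags those that match a review checklist. Both configuration samples and the `REVIEW_DEFAULTS` checklist are constructed for the example; the checklist is a short list of default-on services that hardening guidance commonly asks you to review, not a quotation from any Cisco document, and should be adapted to your own baseline.

```python
"""Compare explicit IOS running-config with `show running-config all`.

Added example (not from the thread). Lines present only in the
`show running-config all` output are settings at their default value,
i.e. features that are active without any explicit configuration line.
All device output below is a constructed sample, not a real capture.
"""

# Constructed sample of `show running-config` (explicit configuration only).
SHOW_RUN = """\
!
hostname edge-rtr
!
ipv6 multicast rpf use-bgp
ipv6 multicast vrf mgmt-intf rpf use-bgp
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Constructed sample of `show running-config all` (explicit + default values).
SHOW_RUN_ALL = """\
!
hostname edge-rtr
!
ip source-route
ip finger
no ip bootp server
service pad
cdp run
ipv6 multicast rpf use-bgp
ipv6 multicast vrf mgmt-intf rpf use-bgp
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 ip redirects
 ip proxy-arp
 cdp enable
!
end
"""

# Constructed review checklist (assumption for the example): default-on
# services a hardening review typically wants to look at explicitly.
REVIEW_DEFAULTS = {
    "ip source-route", "ip finger", "service pad", "cdp run",
    "ip bootp server", "ip http server", "ip redirects",
    "ip proxy-arp", "cdp enable",
}


def parse_config(text):
    """Return an ordered, de-duplicated list of (context, command) pairs.

    context is "global" for top-level commands, or the block header
    (e.g. "interface GigabitEthernet0/0/0") for indented sub-commands.
    A "!" separator or "end" closes the current block.
    """
    entries = {}
    block = "global"
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            block = "global"
            continue
        if raw.startswith(" "):
            # Indented line: a sub-command of the most recent block header.
            entries.setdefault((block, stripped), None)
        else:
            entries.setdefault(("global", stripped), None)
            block = stripped  # may be a block header; children follow indented
    return list(entries)


def implicit_defaults(show_run, show_run_all):
    """Commands visible only with `show running-config all`, in output order."""
    explicit = set(parse_config(show_run))
    return [entry for entry in parse_config(show_run_all) if entry not in explicit]


def flag_enabled_defaults(defaults, checklist=REVIEW_DEFAULTS):
    """Return 'context: command' strings for enabled defaults on the checklist.

    A default that is already negated ("no ip bootp server") is disabled and
    needs no review, so it is skipped.
    """
    flagged = []
    for ctx, cmd in defaults:
        if cmd.startswith("no "):
            continue
        if cmd in checklist:
            flagged.append(f"{ctx}: {cmd}")
    return flagged


if __name__ == "__main__":
    hidden = implicit_defaults(SHOW_RUN, SHOW_RUN_ALL)
    print(f"{len(hidden)} settings present only in 'show running-config all':")
    for ctx, cmd in hidden:
        print(f"  [{ctx}] {cmd}")
    print("Enabled defaults worth an explicit decision:")
    for item in flag_enabled_defaults(hidden):
        print(f"  {item}")
```

On a real device you would paste the two captured outputs in place of the constructed samples; the point of the exercise is that none of the flagged lines appear in the ordinary running-config, which is exactly why inspecting it alone says little about what is actually active.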

New Member

no ipv6 multicast

Thanks Peter,

Do you have a list of things that don't show up in the config that should be disabled?

Thank you.

