Cisco SDM Express 2.4 User’s Guide
OL-7141-05
Chapter 1 Cisco SDM Express
Supplementary Help
Disable MOP Service
Cisco SDM Express will disable the Maintenance Operations Protocol (MOP) on
all Ethernet interfaces whenever possible. MOP is used to provide configuration
information to the router when communicating with DECnet networks. MOP is
vulnerable to various attacks.
The configuration that will be delivered to the router to disable the MOP service
on Ethernet interfaces is as follows:
no mop enabled
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable IP Unreachables
Cisco SDM Express disables Internet Control Message Protocol (ICMP) host
unreachable messages whenever possible. ICMP supports IP traffic by relaying
information about paths, routes, and network conditions. ICMP host unreachable
messages are sent out if a router receives a nonbroadcast packet that uses an
unknown protocol, or if the router receives a packet that it is unable to deliver to
the ultimate destination because it knows of no route to the destination address.
These messages can be used by an attacker to gain network mapping information.
The configuration that will be delivered to the router to disable ICMP host
unreachable messages is as follows:
int <all-interfaces>
 no ip unreachables
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
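To confirm that both fixes above are present on a router, a saved running configuration can be checked offline. The following script is an added example, not part of Cisco SDM Express or of this guide. It assumes the configuration lists "no mop enabled" and "no ip unreachables" explicitly under each interface, as delivered above, so a release whose defaults omit those lines would be reported as missing. The sample configuration, the interface name pattern, and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip unreachables
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
!
"""

# Assumption: interface names starting with these words are Ethernet ports.
ETHERNET = re.compile(r"^(Ethernet|FastEthernet|GigabitEthernet|TenGigabitEthernet)", re.I)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the interface block
    return interfaces

def audit(config):
    """List (interface, missing command) pairs for the two fixes above."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "no ip unreachables" not in cmds:  # expected on every interface
            findings.append((name, "no ip unreachables"))
        if ETHERNET.match(name) and "no mop enabled" not in cmds:  # Ethernet only
            findings.append((name, "no mop enabled"))
    return findings

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG):
        print(f"{name}: missing '{missing}'")
```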
Disable IP Mask Reply
Cisco SDM Express disables Internet Control Message Protocol (ICMP) mask
reply messages whenever possible. ICMP supports IP traffic by relaying
information about paths, routes, and network conditions. ICMP mask reply
messages are sent when a network device must know the subnet mask for a