The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram will take toward its ultimate destination, and generally the route that any reply will take. These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it may be possible to crash machines running these implementations by sending them datagrams with source routing options.
A Cisco router with no ip source-route set will never forward an IP packet, which carries a source routing option. You should use this command unless you know that your network needs source routing.
It is strongly recommended to disable the IP source routing option in ST MPLS network.
ICMP Redirects
An ICMP redirect message instructs an end node to use a specific router as its path to a particular
destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one
network hop. However, an attacker may violate these rules; some attacks are based on this. It is a good idea to filter out incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains, and it is not unreasonable for any access list that is applied on the input side of a Cisco router interface to filter out all ICMP redirects. This will cause no operational impact in a correctly configured network.
Note that this filtering prevents only redirect attacks launched by remote attackers. It's still possible for attackers to cause significant trouble using redirects if their host is directly connected to the same segment as a host that's under attack.
CDP
Cisco Discovery Protocol (CDP) is used for some network management functions, but is dangerous in that it allows any system on a directly connected segment to learn that the router is a Cisco device, and to determine the model number and the Cisco IOS software version being run. This information may in turn be used to design attacks against the router. CDP information is accessible only to directly connected systems. The CDP protocol may be disabled with the global configuration command no cdp running. CDP may be disabled on a particular interface with no cdp enable.
NTP
The Network Time Protocol (NTP) is a protocol used to time-synchronize network devices. NTP runs over UDP and is documented in RFC 1305. An NTP stratum 1 server should get its time from an authoritative time source, such as a GPS system or an atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is a very sophisticated and efficient protocol, which only needs one packet per minute to synchronize two machines to within a millisecond of one another.
NTP uses the concept of a "stratum" to describe how many NTP "hops" away a machine is from an authoritative time source. A "stratum 1" time source has a reference clock such as a GPS or atomic clock directly attached, a "stratum 2" time source receives its time from a "stratum 1" time source, and so on. This “hop” count isn’t related to the IP hops between two NTP time sources. A device running NTP automatically chooses the lowest stratum timeserver as its time source. It only talks and listens to servers, which it has a configuration entry for.
To avoid synchronization problems NTP has two methods to determine the validity of the time source. NTP will never synchronize to a device, which is not synchronized itself. It will also not synchronize to a source; whichs time is significantly different than all the other time sources.
The NTP configuration is usually static. Every device has a list of IP addresses with which it will exchange NTP messages. These communication agreements are called associations. On LAN segments NTP can use IP broadcast messages as well.
With Cisco two mechanisms are available to secure the communication: an access list-based restriction scheme and an encrypted authentication mechanism. A limitation of Cisco’s implementation is that it doesn’t support stratum 1 service, which means a reference clock such as a GPS or atomic clock cannot be connected directly to the Cisco box.
NTP is a very valuable tool for reporting and troubleshooting, because cause and effect of problems can be clearly correlated. Care must be taken, where the time information comes from, especially if additional time sources from the Internet are used as a reference. Confusing the time system can render system log files completely useless.
The Network Time Protocol (NTP) will be used to synchronize router clocks. NTP authentication will used to have secure NTP associations. The loopback0 address is used to form NTP associations.
ntp authentication-key 1 md5 *&^^&*_(_ 7 ntp authenticate
ntp trusted-key 1 ntp source Loopback0 ntp update-calendar
ntp server <P1 loopback> key 1 ntp server <P2 loopback> key 1
P1 and P2 shall synchronise with an external timeserver. P1 and P2 routers synchronise among themselves as NTP peers to increase the stability. Any other device in ST network becomes a NTP client of P1 and P2.
ntp peer <P1 loopback>
ntp server <ST public NTP server> ntp master 5
ntp update-calendar
The PE routers synchronise with the P routers. ntp server <Primary P>