So here is my short list of Cisco configuration items that should go into every router. I hope you find it handy, too.
| Configuration item | What it does |
|---|---|
| `no service udp-small-servers` | Disables the UDP echo, chargen, etc. small servers. |
| `no service tcp-small-servers` | Disables the TCP echo, chargen, etc. small servers. |
| `ip classless` | Almost always necessary; this lets your router handle routes whose netmasks are not exactly class A, B, or C. |
| `ip subnet-zero` | Lets your router use the top and bottom subnets. For instance, if you have 222.111.1.0/24 broken into 16 /28 subnets, you could not use 222.111.1.0/28 and 222.111.1.240/28 without this configuration item. |
| `no ip source-route` | Don't allow the sender to specify the path that your router will use. Long ago this seemed like a useful option, but today it is a security issue. |
| `no ip directed-broadcast` | Don't allow attackers to use your router as a bandwidth amplifier. The classic example is a "smurf" attack. |
| `no cdp enable` | This is optional. If you have a low-bandwidth connection on this interface, your customer may ask you to track down some strange traffic on the line. You will eventually find out it is Cisco Discovery Protocol, and then disable it to get your customer to stop complaining about the 1 bit per fortnight of bandwidth "lost" to CDP. It's easier just to disable it from the start. |
| `enable secret PASSWORD` | Sets your enable password to PASSWORD in encrypted form. Since the encryption is one-way, nobody can reasonably recover your password, even if they have the encrypted version from your config. Don't use `enable password`, as it is not secure. |
| `line vty 0 4`, then `password PASSWORD` | Sets your telnet password to PASSWORD. You do not need it if you are only going to use a serial connection. If you do not set this password, you will not be able to connect to your router over the network (this is a security feature). |
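As an added example (not part of the original post), here is a small audit script that reads the text of `show running-config` and reports which of the checklist items above are missing. It assumes the global items appear at top level, `no ip directed-broadcast` and `no cdp enable` appear under each `interface`, and the vty password appears under `line vty`; the sample config is constructed. Note that items which are the IOS default are not printed in a running-config, so on newer IOS releases a "missing" finding can mean "default" and should be read against the platform's defaults.

```python
GLOBAL_REQUIRED = ("no service udp-small-servers", "no service tcp-small-servers",
                   "ip classless", "ip subnet-zero", "no ip source-route")

def _sections(config):
    """Split running-config text into (header, [child lines]); every top-level line is a header."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):          # skip blanks and comment separators
            continue
        if line.startswith(" ") and sections:         # indented: belongs to the previous header
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def audit_ios_config(config):
    """Return a list of findings for the checklist items; an empty list means all are present."""
    sections = _sections(config)
    headers = {h for h, _ in sections}
    findings = [f"global: missing '{item}'" for item in GLOBAL_REQUIRED if item not in headers]
    if not any(h.startswith("enable secret ") for h in headers):
        findings.append("global: 'enable secret' not set")
    if any(h.startswith("enable password ") for h in headers):
        findings.append("global: 'enable password' is set (not secure); use 'enable secret'")
    for header, children in sections:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "no ip directed-broadcast" not in children:
                findings.append(f"{name}: missing 'no ip directed-broadcast' (smurf amplification)")
            if "no cdp enable" not in children:                    # optional per the checklist
                findings.append(f"{name}: optional 'no cdp enable' not set")
        elif header.startswith("line vty") and not any(c.startswith("password ") for c in children):
            findings.append(f"{header}: no password set, network login will be refused")
    return findings

# Constructed sample config: deliberately missing several items so the audit has something to report.
SAMPLE_CONFIG = """\
service tcp-small-servers
enable password cisco
ip classless
no ip source-route
!
interface Ethernet0
 ip address 222.111.1.1 255.255.255.240
 no ip directed-broadcast
!
interface Serial0
 ip address 222.111.1.17 255.255.255.240
 no cdp enable
!
line vty 0 4
 login
"""
```

Running `audit_ios_config(SAMPLE_CONFIG)` lists the missing small-server and subnet-zero lines, the `enable password` problem, the unprotected Serial0 interface and the passwordless vty lines.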