Goal: Secure management, control plane, routing, and services
🔐 1. Identity, Passwords & AAA
hostname R1
service password-encryption
security passwords min-length 10
enable secret Str0ngEnable@123
username admin privilege 15 secret Adm1n@123
aaa new-model
aaa authentication login default local
aaa authorization exec default local
🔑 2. Secure Management Access (SSH only)
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line con 0
exec-timeout 10 0
logging synchronous
line vty 0 4
transport input ssh
! with aaa new-model enabled, "login local" is not accepted on a line; the default AAA login list applies
login authentication default
exec-timeout 10 0
🎯 3. Restrict Management Access (VTY ACL)
ip access-list standard MGMT-ACL
permit 192.168.10.0 0.0.0.255
deny any log
line vty 0 4
access-class MGMT-ACL in
🚫 4. Disable Insecure & Unused Services
no ip http server
no ip http secure-server
no service pad
no ip source-route
no ip bootp server
no cdp run
🧠 5. Control Plane Protection (CoPP – Basic)
! CoPP class-maps only support match access-group (plus dscp/precedence/arp), not NBAR "match protocol";
! classify management traffic to the control plane with an ACL instead
ip access-list extended MGMT-TRAFFIC-ACL
permit tcp 192.168.10.0 0.0.0.255 any eq 22
permit udp 192.168.10.0 0.0.0.255 any eq snmp
permit udp 192.168.10.0 0.0.0.255 any eq ntp
class-map match-any MGMT-TRAFFIC
match access-group name MGMT-TRAFFIC-ACL
policy-map CONTROL-PLANE-POLICY
class MGMT-TRAFFIC
police 64000 conform-action transmit exceed-action drop
control-plane
service-policy input CONTROL-PLANE-POLICY
📡 6. Interface Hardening
interface range g0/2 - 4
shutdown
description UNUSED
interface g0/0
no ip redirects
no ip proxy-arp
🧾 7. Logging & Time Sync
logging buffered 64000
logging host 192.168.10.50
logging trap warnings
ntp authenticate
ntp authentication-key 1 md5 NTPkey
ntp trusted-key 1
ntp server 192.168.10.1 key 1
📊 8. SNMP (Secure Only)
snmp-server group SECURE v3 priv
snmp-server user snmpadmin SECURE v3 auth sha Auth@123 priv aes 256 Priv@123
💾 9. Configuration Protection
archive
path flash:config-backup
write-memory
🔥 10. (Optional) Disable Password Recovery
no service password-recovery
⚠️ Enable only if physical access to the device is controlled: with this set, a lost password can only be recovered by erasing the startup configuration
✅ Final Deployment Checklist
✔ SSH v2 only
✔ CoPP enabled
✔ ACL-restricted VTY
✔ SNMPv3
✔ Logging + NTP
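As an added example (not part of the original checklist), a Python audit script that checks an exported IOS running-config against the five checklist items above; the sample config is constructed and deliberately omits the VTY access-class so that one check fails.

```python
"""Audit an exported Cisco IOS running-config against the checklist above."""
import re
from collections import defaultdict

# Constructed sample (not from a real device); it omits the VTY access-class on purpose.
SAMPLE_CONFIG = """\
hostname R1
ip ssh version 2
logging host 192.168.10.50
ntp server 192.168.10.1 key 1
snmp-server group SECURE v3 priv
control-plane
 service-policy input CONTROL-PLANE-POLICY
line vty 0 4
 transport input ssh
 login authentication default
"""

def parse_blocks(config):
    """Map each top-level line to its sub-commands (IOS indents children with a space)."""
    blocks, current = defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" comments
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])  # register parents with no children too
    return blocks

def audit(config):
    """Return {checklist item: passed?} for the five final-checklist items."""
    blocks = parse_blocks(config)
    top = list(blocks)
    vty = [kids for parent, kids in blocks.items() if parent.startswith("line vty")]
    cp = blocks.get("control-plane", [])
    return {
        "SSH v2 only": "ip ssh version 2" in top and bool(vty)
            and all("transport input ssh" in k for k in vty),
        "CoPP enabled": any(c.startswith("service-policy input ") for c in cp),
        "ACL-restricted VTY": bool(vty)
            and all(any(re.fullmatch(r"access-class \S+ in", c) for c in k) for k in vty),
        "SNMPv3": any(re.match(r"snmp-server group \S+ v3 priv", t) for t in top)
            and not any(t.startswith("snmp-server community") for t in top),
        "Logging + NTP": any(t.startswith("logging host ") for t in top)
            and any(re.match(r"ntp server \S+ key \d+", t) for t in top),
    }

print(audit(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` saved to a file to audit a real device.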