πŸ” Cisco Device Hardening & Security Best Practices

(Routers, Switches, IOS / IOS-XE / NX-OS – CCNA / CCNP / Real-World)

Device hardening reduces the attack surface and protects your Cisco infrastructure from unauthorized access, misconfiguration, and exploits.


1️⃣ Secure Device Access (Management Plane)

🔹 Use Strong Authentication (AAA)

  • Prefer AAA with TACACS+ / RADIUS
  • Fallback to local user if AAA fails

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local


🔹 Use Local User Accounts (Minimum)

username admin privilege 15 secret Str0ngP@ssw0rd

❌ Avoid:

enable password cisco

✔ Use:

enable secret En@bleS3cret


🔹 Secure VTY Access (SSH Only)

ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2

line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0

❌ Telnet is disabled: transport input ssh accepts SSH only, so no Telnet listener remains on the VTY lines


2️⃣ Management Access Control (ACLs)

Allow only trusted IPs to access the device.

ip access-list standard MGMT-ACL
 permit 192.168.10.0 0.0.0.255

line vty 0 4
 access-class MGMT-ACL in


3️⃣ Disable Unused & Insecure Services

no ip http server
no ip http secure-server
no service pad
no ip source-route
no ip bootp server

✔ Keep the device minimal


4️⃣ Password & Session Security

service password-encryption
security passwords min-length 10

line con 0
 exec-timeout 10 0

line vty 0 4
 exec-timeout 10 0


5️⃣ SNMP Hardening

❌ Avoid SNMP v1/v2c (community strings)

✔ Use SNMPv3

snmp-server group SECURE v3 priv
snmp-server user snmpadmin SECURE v3 auth sha AuthP@ss priv aes 256 PrivP@ss


6️⃣ Control Plane Protection (CoPP)

Protect the route processor CPU from traffic aimed at the control plane (DoS floods, scanning, routing-protocol floods) by rate-limiting what reaches it.

class-map match-any MGMT-TRAFFIC
 match protocol ssh
 match protocol snmp

policy-map CONTROL-PLANE-POLICY
 class MGMT-TRAFFIC
  police 64000

control-plane
 service-policy input CONTROL-PLANE-POLICY


7️⃣ Interface Hardening

🔹 Shut Unused Interfaces

interface range g0/2 - 4
 shutdown


🔹 Disable CDP on Untrusted Interfaces

no cdp enable


🔹 Enable Port Security (Switch)

interface g1/0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky


8️⃣ Layer-2 Security (Switches)

! DHCP snooping builds the binding table that Dynamic ARP Inspection validates against,
! so enable snooping on the VLAN before turning on DAI
ip dhcp snooping
ip dhcp snooping vlan 10

ip arp inspection vlan 10
spanning-tree portfast default
spanning-tree portfast bpduguard default


9️⃣ Routing Protocol Security

🔹 OSPF Authentication

interface g0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPFkey

🔹 BGP Security

  • Use TTL security
  • Use MD5 authentication
  • Prefix filtering

🔟 Logging, Time & Monitoring

🔹 Enable Logging

logging buffered 64000
logging host 192.168.10.50


🔹 Use NTP with Authentication

ntp authenticate
ntp authentication-key 1 md5 NTPkey
ntp trusted-key 1
ntp server 192.168.10.1 key 1


1️⃣1️⃣ IOS & Configuration Protection

🔹 Secure Configuration Files

! The archive feature keeps a local copy of the config every time it is saved;
! "service config" is not part of this, since it makes the device fetch its
! configuration from a network server at boot and does not protect anything.
archive
 path flash:backup
 write-memory


🔹 Disable Password Recovery (Physical Security)

no service password-recovery

⚠️ Use carefully (lab vs production): once set, a lost password can only be recovered by resetting the device to factory defaults, which erases the configuration


1️⃣2️⃣ Firmware & Patch Management

✔ Keep IOS updated
✔ Remove unused images
✔ Verify image integrity (MD5/SHA)

verify /md5 flash:image.bin


1️⃣3️⃣ Best Practice Summary Checklist

✅ SSH v2 only
✅ AAA + TACACS+/RADIUS
✅ Strong passwords & secrets
✅ ACL-restricted management
✅ SNMPv3 only
✅ Disable unused services
✅ Interface & L2 security
✅ Logging + NTP
✅ Regular backups
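A quick way to turn this checklist into something repeatable is to audit a saved running-config against it. The script below is an added example, not part of the original page: it checks a handful of the global commands above and, for every VTY range (not only vty 0 4), confirms SSH-only transport and an access-class. The sample config, including the weak community string and the forgotten vty 5 15 range, is constructed for illustration.

```python
import re
# Global checks: (finding name, regex on one config line, should_exist)
GLOBAL_CHECKS = [
    ("aaa new-model", r"^aaa new-model$", True),
    ("ip ssh version 2", r"^ip ssh version 2$", True),
    ("enable secret", r"^enable secret ", True),
    ("enable password (reversible)", r"^enable password ", False),
    ("snmp-server community (v1/v2c)", r"^snmp-server community ", False),
]
def line_blocks(config: str, prefix: str) -> list[tuple[str, list[str]]]:
    # Group each 'line ...' header with its indented child commands
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(prefix):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks
def audit_config(config: str) -> list[str]:
    # Returns findings; an empty list means every check passed
    findings = []
    for name, pattern, should_exist in GLOBAL_CHECKS:
        present = re.search(pattern, config, re.M) is not None
        if should_exist and not present:
            findings.append(f"MISSING: {name}")
        elif present and not should_exist:
            findings.append(f"INSECURE: {name}")
    # Every VTY range, not only 0-4, must be SSH-only and ACL-restricted
    for header, children in line_blocks(config, "line vty"):
        if "transport input ssh" not in children:
            findings.append(f"{header}: transport input is not SSH-only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{header}: no access-class applied")
    return findings

# Constructed sample: vty 0 4 hardened as on this page, vty 5 15 forgotten
SAMPLE_CONFIG = """\
aaa new-model
enable secret En@bleS3cret
ip ssh version 2
snmp-server community public RO
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
line vty 5 15
 transport input ssh telnet
"""
```

Run audit_config() over the output of show running-config; a switch with 16 VTY lines is the classic case where only the first five are hardened.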


🧠 CCNA / CCNP / Interview Focus

  • Difference between Control Plane / Data Plane / Management Plane
  • Why CoPP is important
  • SSH vs Telnet risks
  • SNMPv3 vs v2c
