Important note: The guide below explains how to harden a Cisco router or switch. Not every command will work on every device series (router/switch) or on every IOS version. It is highly recommended to test each setting in a lab before applying changes to production systems.
Hardening phase

Configure AAA service:
  aaa new-model

Configure AAA Authentication for Login:
  aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
  aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
  line console 0
  login authentication default
  exit

Configure AAA Authentication for VTY Lines:
  line vty 0 4
  login authentication default
  exit
  line vty 5 15
  login authentication default
  exit

Set and secure passwords:
  service password-encryption
  enable secret 0 <password>

Configure Local User and Encrypted Password:
  username <username> password <password>
Note: For IOS versions after 12.0(18)S, 12.1(8a)E and 12.2(8)T use the following syntax instead; it stores a hash of the password rather than the reversible type 7 encryption:
  username <username> secret <password>

Configure SSH:
  hostname <device_hostname>
  ip domain-name <domain-name>
  crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access:
  ip ssh timeout 60
  ip ssh authentication-retries 3

Configure VTY Transport SSH:
  line console 0
  transport input ssh
  exit
  line vty 0 4
  transport input ssh
  exit
  line vty 5 15
  transport input ssh
  exit

Configure Timeout for Login Sessions:
  line vty 0 4
  exec-timeout 5 0
  exit
  line vty 5 15
  exec-timeout 5 0
  exit

Disable Auxiliary Port:
  line aux 0
  no exec
  exec-timeout 0 10
  transport input none
  exit
Disable SNMP server (if not in use):
  no snmp-server

Disable SNMP Community Strings private and public:
  no snmp-server community private
  no snmp-server community public

Configure Clock Timezone - GMT:
  clock timezone GMT <hours>

Disable Router Name and DNS Name Resolution (if not in use):
  no ip domain-lookup

Disable CDP Run Globally:
  no cdp run

Disable PAD service (if not in use):
  no service pad

Disable Finger Service:
  no service finger

Disable Maintenance Operations Protocol (MOP):
  interface <interface-id>
  no mop enabled
  exit

Disable DHCP server (if not in use):
  no service dhcp

Disable IP BOOTP server (if not in use):
  no ip bootp server

Disable Identification Service:
  no ip identd

Disable IP HTTP Server (if not in use):
  no ip http server

Disable Remote Startup Configuration:
  no boot network
  no service config

Configure TCP keepalives Services:
  service tcp-keepalives-in
  service tcp-keepalives-out

Disable small-servers:
  no service tcp-small-servers
  no service udp-small-servers

Disable TFTP Server:
  no tftp-server
Configure Logging:
  logging on
  logging buffered 16000
  logging console critical

Configure Service Timestamps for Debug and Log Messages:
  service timestamps debug datetime msec show-timezone localtime
  service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
  no ip source-route

Disable Directed Broadcast:
  interface <interface-id>
  no ip directed-broadcast
  exit

Configure Unicast Reverse-Path Forwarding:
  interface <interface-id>
  ip verify unicast reverse-path
  exit

Disable IP Proxy ARP:
  interface <interface-id>
  no ip proxy-arp
  exit

Disable Gratuitous ARPs:
  no ip gratuitous-arps

Configure switch port-security (on each access port; the port must be in static access mode, port-security is not accepted on dynamic ports):
  interface <interface-id>
  switchport mode access
  switchport port-security
  switchport port-security violation shutdown
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  exit

Save the changes to the startup configuration (wr is the abbreviation of write memory):
  wr
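As an added example that is not part of the original guide, the following Python script audits a saved "show running-config" dump against the global and VTY-line settings from the steps above and lists what is missing. The embedded sample configuration is constructed for the example, and the command list covers only settings that the running-config prints verbatim.

```python
# Constructed sample of a partially hardened running-config (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
no ip source-route
no ip http server
no cdp run
line vty 0 4
 exec-timeout 0 0
 login authentication default
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 login authentication default
 transport input telnet ssh
"""
# Global commands from the guide, as "show running-config" prints them. Caveat: a setting
# that is already the IOS default is not printed, so treat a hit as "verify", not "fail".
REQUIRED_GLOBAL = [
    "aaa new-model", "service password-encryption", "no ip source-route",
    "no cdp run", "no ip http server", "no ip bootp server",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
]
REQUIRED_VTY = ["transport input ssh", "login authentication default"]
MAX_EXEC_TIMEOUT_SEC = 5 * 60  # "exec-timeout 5 0" from the guide

def parse_sections(config):
    """Map "" -> top-level commands and each block header -> its indented children; skips '!' lines."""
    sections, current = {"": []}, ""
    for raw in (ln for ln in config.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw.startswith(" "):  # IOS indents children of line/interface blocks by one space
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections[""].append(current)
    return sections

def audit(config):
    """Return findings as strings; an empty list means every checked item is present."""
    sections = parse_sections(config)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in sections[""]]
    for name in (s for s in sections[""] if s.startswith("line vty")):
        children = sections.get(name, [])
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_VTY if c not in children]
        timeout = next((c.split() for c in children if c.startswith("exec-timeout")),
                       ["exec-timeout", "10", "0"])  # absent means the IOS default of 10 min
        secs = int(timeout[1]) * 60 + (int(timeout[2]) if len(timeout) > 2 else 0)
        if secs == 0 or secs > MAX_EXEC_TIMEOUT_SEC:  # "0 0" disables the timeout entirely
            findings.append(f"{name}: exec-timeout {' '.join(timeout[1:])} is disabled or too long")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the three missing global commands, the disabled timeout on vty 0-4 and the telnet-capable transport on vty 5-15.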
