Below is a comprehensive set of general practices for hardening router and switch configurations. The commands use Cisco IOS syntax.
- Disable Unused Services and Interfaces
- Disable unnecessary services such as the HTTP/HTTPS management server and SNMP. Remove SNMP entirely only if nothing monitors the device; if it is needed, keep it and move it to SNMPv3 (see Secure Management Protocols below). Note that IOS has no "no ip telnet server" or "no ip ftp server" command: Telnet is disabled by restricting the VTY lines to SSH (see Secure Management Access), and IOS acts as an FTP client, not a server, unless the optional FTP server feature has been explicitly enabled. Other legacy services that are commonly disabled are finger, BOOTP and CDP (keep CDP or LLDP only where IP phones or management tools rely on it).
no ip http server
no ip http secure-server
no snmp-server
no service finger
no ip bootp server
no cdp run
- Shut down unused interfaces and switch ports
interface <interface>
shutdown
- Enable Secure Management Access
- Configure SSH for remote management. Generating the RSA key requires a hostname and a domain name; pin SSH to version 2 (version 1 has known weaknesses), allow only SSH on the VTY lines (which also disables Telnet), and time out idle sessions
hostname <hostname>
ip domain-name <domain-name>
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
transport input ssh
exec-timeout 10 0
- Implement strong passwords. Use enable secret (stored as a hash) rather than enable password, and authenticate console and VTY users against local username/secret entries instead of a per-line password: line passwords are stored in cleartext or, with service password-encryption, in the reversible type 7 encoding
enable secret <password>
username <admin-user> privilege 15 secret <password>
line console 0
login local
exec-timeout 10 0
line vty 0 15
login local
- Implement Access Control
- Configure Access Control Lists (ACLs) to restrict traffic. A standard numbered ACL (1-99) matches on source address only, so it takes a source network and a wildcard mask, not a destination; use an extended ACL (100-199 or a named ACL) when you need to match on destination, protocol or port. Every ACL ends with an implicit deny, so list everything that must be allowed
access-list 10 permit <source-network> <wildcard-mask>
interface <interface>
ip access-group 10 in
- Restrict which hosts may reach the management plane by applying an ACL of permitted management stations to the VTY lines
line vty 0 15
access-class 10 in
- Enable port security on switches. Port security is only accepted on ports statically configured as access or trunk, so set the mode first. Violation mode shutdown (the default) err-disables the port on a violation, so pair it with errdisable recovery or a documented shut/no shut procedure so a single violation does not become a permanent outage
interface <interface>
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
errdisable recovery cause psecure-violation
- Configure Logging and Monitoring
- Set up logging to a remote syslog server and keep a local buffer (the command is logging buffered; logs kept only in the buffer are lost on reload, and logs sent only to syslog are lost if the server is unreachable)
logging host <syslog-server-ip>
logging trap <severity-level>
logging buffered <buffer-size>
- Enable service timestamps and synchronise the clock with NTP; without an accurate clock the timestamps cannot be correlated with other systems during an investigation
ntp server <ntp-server-ip>
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
- Secure Routing and Switching Protocols
- Enable Unicast Reverse-Path Forwarding on edge interfaces to drop packets whose source address is not reachable back through the interface they arrived on (strict mode; requires CEF). The older form "ip verify unicast reverse-path" is equivalent to strict mode. Where routing is asymmetric, strict mode drops legitimate traffic, so use loose mode (reachable-via any) there instead
interface <interface>
ip verify unicast source reachable-via rx
- Disable IP source routing (lets a sender dictate the path and bypass ACLs) and directed broadcasts (used for amplification attacks). Directed broadcasts have been off by default since IOS 12.0, but setting it explicitly documents the intent
no ip source-route
interface <interface>
no ip directed-broadcast
- Implement VLAN Security
- Separate network segments using VLANs, keep user ports out of VLAN 1, and disable DTP on access ports so an attacker cannot negotiate a trunk and hop between VLANs
vlan <vlan-id>
name <vlan-name>
interface <interface>
switchport mode access
switchport access vlan <vlan-id>
switchport nonegotiate
- On trunks, prune the allowed VLANs to those actually needed and use an otherwise unused VLAN as the native VLAN, so untagged frames cannot land in a user VLAN
interface <trunk-interface>
switchport mode trunk
switchport trunk native vlan <unused-vlan-id>
switchport trunk allowed vlan <vlan-list>
switchport nonegotiate
- Configure Authentication, Authorization, and Accounting (AAA)
- Set up AAA. Create a local username/secret before enabling aaa new-model: once it is on, the console and VTY lines use the default login list and the per-line "login local" commands are superseded, so a device with no local user locks you out. Apply this from the console and keep that session open until a fresh login has been verified. local-case makes local usernames case-sensitive. In production the default list usually points at a TACACS+ or RADIUS server group first, with the local database as fallback
username <admin-user> privilege 15 secret <password>
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authorization exec default local
- Secure Management Protocols
- Configure SNMPv3 with authentication and encryption (authPriv), restrict it to the monitoring hosts with an ACL, and remove any v1/v2c community strings, which are sent in cleartext
no snmp-server community <community-string>
snmp-server group <group-name> v3 priv access <snmp-acl>
snmp-server user <username> <group-name> v3 auth sha <auth-password> priv aes 128 <priv-password>
- Implement Additional Security Features
- Enable DHCP snooping. The global command alone enforces nothing: it must also be enabled on the VLANs to protect, and only the port toward the legitimate DHCP server is marked trusted; every other port stays untrusted so rogue DHCP offers are dropped
ip dhcp snooping
ip dhcp snooping vlan <vlan-list>
interface <uplink-interface>
ip dhcp snooping trust
- Configure STP protection. BPDU Guard err-disables an edge port that receives a BPDU, which is what a rogue switch or an attacker trying to take over the spanning-tree topology would send. The global bpduguard default form only applies to ports running PortFast, so enable PortFast globally on edge ports too (on newer IOS the keyword is "portfast edge"). Put Root Guard on downstream ports that must never become the root bridge
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface <downstream-interface>
spanning-tree guard root
- Regular Maintenance
- Keep the IOS image up to date and verify downloaded images against Cisco's published hashes before installing them
- Regularly review the running configuration against this checklist and update it as the network changes
Remember to test these configurations in a lab environment before applying them to production systems.
Adapt the commands to your specific network requirements and device configurations.
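The checklist above is easy to apply once and then drift from. The script below is an added example, not part of the original article and not a Cisco tool: it parses the text of "show running-config" and reports which checklist items are missing. The config it runs against is a constructed sample, not a capture from a real device, and it deliberately mixes correct and weak settings so the audit shows both passes and failures. Feed it a real running-config (for example via Netmiko or a saved file) to audit your own devices.

```python
"""Audit a Cisco IOS running-config against the hardening checklist above."""

# Constructed sample running-config (not captured from a real device): mostly
# weak, with a few items done right so the audit produces passes and failures.
SAMPLE_CONFIG = """\
ip http server
!
aaa new-model
aaa authentication login default local-case
ip ssh version 1
!
no ip source-route
ip dhcp snooping
snmp-server community public RO
logging host 192.0.2.10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""


def parse_ios_config(text):
    """Split a config into flush-left global lines and indented sections.
    IOS prints section headers (interface ..., line ...) flush-left and their
    sub-commands indented by one space; '!' lines separate blocks."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
            continue
        global_lines.append(stripped)
        current = stripped
        sections.setdefault(current, [])
    return global_lines, sections


def audit_ios_config(text):
    """Return one human-readable finding per checklist item that fails."""
    glob, sections = parse_ios_config(text)
    present = set(glob)
    findings = []

    def has_prefix(prefix):
        return any(line.startswith(prefix) for line in glob)

    # Global checks: each maps a checklist item to the line that satisfies it.
    if "ip http server" in present:
        findings.append("HTTP management enabled: add 'no ip http server'")
    if "aaa new-model" not in present:
        findings.append("AAA disabled: add 'aaa new-model' and authentication lists")
    if "ip ssh version 2" not in present:
        findings.append("SSH not pinned to v2: add 'ip ssh version 2'")
    if not has_prefix("logging buffered"):
        findings.append("No local log buffer: add 'logging buffered <size>'")
    if not has_prefix("logging host"):
        findings.append("No syslog destination: add 'logging host <ip>'")
    if not has_prefix("service timestamps log datetime"):
        findings.append("Logs untimestamped: add 'service timestamps log datetime msec'")
    if "no ip source-route" not in present:
        findings.append("Source routing allowed: add 'no ip source-route'")
    for line in glob:
        if line.startswith("snmp-server community"):
            findings.append(f"SNMPv1/v2c community present ('{line}'): replace with SNMPv3 auth/priv")
    if "ip dhcp snooping" in present and not has_prefix("ip dhcp snooping vlan"):
        findings.append("DHCP snooping enabled on no VLAN: add 'ip dhcp snooping vlan <list>'")

    # Per-section checks: VTY transport, line passwords, access-port security.
    for header, body in sections.items():
        if header.startswith("line "):
            transports = [b.split()[2:] for b in body if b.startswith("transport input")]
            if header.startswith("line vty") and (not transports or any(t != ["ssh"] for t in transports)):
                findings.append(f"{header}: restrict remote access with 'transport input ssh'")
            if any(b.startswith("password ") for b in body):
                findings.append(f"{header}: line password in use; prefer 'login local' with 'username <user> secret'")
        elif header.startswith("interface ") and "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{header}: access port without 'switchport port-security'")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Running it on the sample prints nine findings (HTTP server, SSH version, log buffer, timestamps, the v2c community, DHCP snooping with no VLAN, the console line password, Telnet on vty 0 4, and the unprotected access port Gi0/2), while the correctly configured items (AAA, syslog host, source-route, vty 5 15, Gi0/1) produce nothing. The checks are intentionally literal string matches against the hardening lines listed above, so extending the audit is a matter of adding one line per new checklist item.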
Jiwan is an accomplished IT Security Engineer and Trainer with 15 years of expertise, focusing on certifications such as CCIE and CEH. Beyond his technical skills, he is a dedicated vlogger, mindfulness guide, and active social worker. Jiwan advocates for life skills, independence, and critical thinking in his teachings, empowering IT professionals, learners, and spiritual seekers alike. His holistic approach integrates technical mastery with personal development, aiming to cultivate balanced lives where both professional success and personal fulfillment thrive.