Summary: Common security hardening configurations for Cisco IOS-XE devices, covering access control, AAA, SSH, SNMP, CoPP, and Layer 2 protections.
Securing access to the device itself is paramount.
line con 0
password <YOUR_PASSWORD>
login local
transport input none
exec-timeout 10 0
logging synchronous
password <YOUR_PASSWORD>: Sets a password for console access.
login local: Uses the local username/password database for authentication.
transport input none: Prevents any incoming connections on the console.
exec-timeout 10 0: Sets the console timeout to 10 minutes.
logging synchronous: Prevents console messages from interrupting command input.
Securing remote (VTY) access.
line vty 0 15
password <YOUR_PASSWORD>
login local
transport input ssh
exec-timeout 10 0
logging synchronous
transport input ssh: Disables insecure Telnet and enables SSH for remote access.
login local: Uses the local username/password database for authentication.
Creating local user accounts with strong passwords.
username <YOUR_USERNAME> privilege 15 secret <YOUR_STRONG_PASSWORD>
privilege 15: Grants full administrative access. Adjust the privilege level as needed for different users.
secret: Stores the password as a hash (MD5 or SHA-256, depending on the IOS-XE version) rather than in plain text.
Securing privileged EXEC mode access.
enable secret <YOUR_STRONG_ENABLE_PASSWORD>
enable secret: Stores the privileged EXEC password as a hash; use it instead of the plaintext enable password.
Detailed configuration for secure shell access.
ip domain-name <YOUR_DOMAIN_NAME>
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh timeout 60
ip domain-name: Required for RSA key generation.
crypto key generate rsa modulus 2048: Generates the RSA key pair used by SSH; a 2048-bit modulus is the recommended minimum.
ip ssh version 2: Enforces SSHv2, which is more secure than SSHv1.
ip ssh authentication-retries: Limits the number of authentication attempts per session.
ip ssh timeout: Sets the SSH negotiation timeout, in seconds.
Integrating with external AAA servers (e.g., TACACS+ or RADIUS) for centralised authentication.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host <TACACS_SERVER_IP> key <TACACS_KEY>
aaa new-model: Enables the AAA framework.
aaa authentication login default group tacacs+ local: Authenticates logins against TACACS+ first, falling back to the local database.
aaa authorization exec default group tacacs+ local: Authorises EXEC (shell) access via TACACS+ first, then the local database.
aaa accounting exec default start-stop group tacacs+: Enables accounting for EXEC sessions.
aaa accounting commands 15 default start-stop group tacacs+: Sends an accounting record for every privilege-15 command to TACACS+.
tacacs-server host: Defines the TACACS+ server and shared key.
Securing Network Time Protocol to prevent time synchronisation attacks.
ntp authentication-key 1 md5 <YOUR_NTP_KEY>
ntp authenticate
ntp server <NTP_SERVER_IP> key 1
ntp authentication-key: Defines an authentication key.
ntp authenticate: Enables NTP authentication globally.
ntp server <NTP_SERVER_IP> key 1: Configures the NTP server with the specified key.
Securing Simple Network Management Protocol access.
snmp-server group <GROUP_NAME> v3 auth priv read <VIEW_NAME> write <VIEW_NAME>
snmp-server user <USER_NAME> <GROUP_NAME> v3 auth md5 <AUTH_PASSWORD> priv des <PRIV_PASSWORD>
snmp-server view <VIEW_NAME> iso included
snmp-server community <READ_ONLY_COMMUNITY> RO
snmp-server community <READ_WRITE_COMMUNITY> RW
snmp-server host <NMS_IP> community <READ_ONLY_COMMUNITY>
⚠️ SNMPv2c Community Strings
SNMPv2c community strings are sent in plain text. Use strong, non-default strings and restrict access with ACLs. For SNMPv3 users, prefer sha for authentication and aes 128 for privacy over md5 and des where the platform supports them.
Protecting the device's control plane from excessive traffic.
access-list 100 permit ip any any
class-map match-all CoPP_MANAGEMENT
match access-group 100
!
policy-map CoPP_POLICY
class CoPP_MANAGEMENT
police rate 8000 conform-action transmit exceed-action drop
!
control-plane
service-policy input CoPP_POLICY
Preventing DHCP and ARP-related attacks on switches.
ip dhcp snooping
ip dhcp snooping vlan <VLAN_ID>
ip dhcp snooping database flash:dhcp_snooping.db
ip dhcp snooping trust interface <TRUSTED_INTERFACE>
ip dhcp snooping trust: Marks interfaces connected to legitimate DHCP servers as trusted.
ip arp inspection vlan <VLAN_ID>
ip arp inspection trust interface <TRUSTED_INTERFACE>
Limiting the number of MAC addresses on an access port.
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security maximum: Limits the number of MAC addresses allowed on the port.
switchport port-security violation restrict: Drops packets from unauthorised MAC addresses and generates a syslog message.
switchport port-security mac-address sticky: Dynamically learns MAC addresses and adds them to the running configuration.
Shutting down unused physical interfaces.
interface GigabitEthernet0/2
shutdown
description *** UNUSED PORT ***
Configuring logging to a syslog server for security auditing.
logging host <SYSLOG_SERVER_IP>
logging trap informational
service timestamps debug datetime msec
service timestamps log datetime msec
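The port-security, DHCP snooping/DAI and syslog sections above only pay off if someone reads the messages they generate. The following added example (not from the original page or from Cisco) parses the syslog lines those features emit and counts events per MAC address so a repeat offender stands out; the sample log lines, hostnames, MACs, ports and addresses are constructed for the example.

```python
import re
from collections import Counter
# Constructed syslog lines in the shape IOS-XE emits for the Layer 2 protections
# above; hostnames, MACs, ports and addresses are made up.
SAMPLE_SYSLOG = """\
Jan  1 12:00:01 sw1 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.
Jan  1 12:00:02 sw1 124: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan  1 12:00:03 sw1 125: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/3, vlan 10.([0011.2233.4455/10.0.0.5/0000.0000.0000/10.0.0.1/12:00:03 UTC Mon Jan 1 2024])
Jan  1 12:00:04 sw1 126: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.
Jan  1 12:00:05 sw1 127: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def parse_event(line):
    """Map one syslog line to a Layer 2 security event, or None if unrelated."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mnemonic, text = m.group("mnemonic"), m.group("text")
    if mnemonic == "PSECURE_VIOLATION":
        d = re.search(rf"MAC address ({MAC}) on port ([\w/]+)", text)
        return {"kind": "port-security", "mac": d.group(1), "port": d.group(2)}
    if mnemonic == "DHCP_SNOOPING_UNTRUSTED_PORT":
        d = re.search(rf"message type: (\w+), MAC sa: ({MAC})", text)
        # A server-side message (OFFER/ACK) arriving on an untrusted port points at a rogue DHCP server.
        kind = "rogue-dhcp" if d.group(1) in ("DHCPOFFER", "DHCPACK") else "dhcp-drop"
        return {"kind": kind, "mac": d.group(2), "port": None}
    if m.group("facility") == "SW_DAI":
        d = re.search(rf"on ([\w/]+), vlan (\d+)\.\(\[({MAC})/([\d.]+)/", text)
        return {"kind": "arp-spoof", "mac": d.group(3), "port": d.group(1),
                "vlan": int(d.group(2)), "ip": d.group(4)}
    return None

def triage(log):
    """Return the parsed events plus a per-MAC count so repeat offenders stand out."""
    events = [e for e in map(parse_event, log.splitlines()) if e]
    return events, Counter(e["mac"] for e in events)
```

Feed it the output of the syslog server configured above; the per-MAC counter is what you would alert on when one station trips several of these protections in a short window.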
Restricting access to management interfaces and critical services.
ip access-list standard SSH_MANAGEMENT
permit <MANAGEMENT_NETWORK> 0.0.0.255
deny any
!
line vty 0 15
access-class SSH_MANAGEMENT in
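To check that a device actually carries the access-control, enable-secret, SSH, SNMP and VTY settings described above, the following added example (not from the original page or from Cisco) audits a saved running-config against those checks. The config excerpt is constructed for the example and deliberately leaves a few gaps so the audit has something to report.

```python
# Constructed running-config excerpt (not from a real device), with a few
# deliberate gaps so the audit has something to report.
SAMPLE_CONFIG = """\
enable password cisco123
aaa new-model
ip ssh version 2
snmp-server community public RO
line con 0
 exec-timeout 10 0
line vty 0 15
 transport input telnet ssh
 login local
"""
def parse_sections(config):
    """Group an IOS-style config into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            sections.append((raw.strip(), []))
    return sections
def audit_config(config):
    """Return hardening findings, mirroring the checks in the sections above."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings = []
    if "aaa new-model" not in top:
        findings.append("AAA framework not enabled (aaa new-model)")
    if not any(c.startswith("enable secret") for c in top):
        findings.append("no enable secret configured")
    if any(c.startswith("enable password") for c in top):
        findings.append("plaintext enable password present; replace with enable secret")
    if "ip ssh version 2" not in top:
        findings.append("SSHv2 not enforced (ip ssh version 2)")
    for cmd in top:
        words = cmd.split()
        if cmd.startswith("snmp-server community ") and words[2].lower() in ("public", "private"):
            findings.append(f"default SNMP community string '{words[2]}'")
    for cmd, subs in sections:
        if not cmd.startswith("line vty"):
            continue
        transport = [s for s in subs if s.startswith("transport input")]
        if not transport or any(t != "transport input ssh" for t in transport):
            findings.append(f"{cmd}: Telnet not disabled (want transport input ssh)")
        if not any(s.startswith("access-class") for s in subs):
            findings.append(f"{cmd}: no access-class restricting management sources")
        if not any(s.startswith("exec-timeout") for s in subs):
            findings.append(f"{cmd}: no exec-timeout")
    return findings
```

Run it over the output of show running-config; an empty list means every check on this page that the script knows about is satisfied, and the console's exec-timeout does not mask a missing one on the VTY lines because each line section is checked separately.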