Implement essential security hardening on Cisco routers and switches to protect the network infrastructure from unauthorized access, mitigate basic attacks, and adhere to CIS Benchmark recommendations.
Topology
IP Addressing

| Device  | Interface | IP Address   | Subnet Mask   |
|---------|-----------|--------------|---------------|
| Router1 | Fa0/0     | 192.168.1.1  | 255.255.255.0 |
| Switch1 | VLAN1     | 192.168.1.2  | 255.255.255.0 |
| PC1     | NIC       | 192.168.1.10 | 255.255.255.0 |
| PC2     | NIC       | 192.168.1.11 | 255.255.255.0 |
| PC3     | NIC       | 192.168.1.20 | 255.255.255.0 |
| PC4     | NIC       | 192.168.1.21 | 255.255.255.0 |
Practical Scenario
You are a network administrator tasked to secure a small branch office network. You must implement security best practices on the router and switch to prevent unauthorized access, ensure safe management, and mitigate attacks like ARP spoofing and IP spoofing.
The goal is to:
Secure device access (console, VTY, and enable passwords).
Disable unused services and interfaces.
Protect against common Layer 2 attacks.
Log all security-related events.
Apply Cisco CIS Benchmark recommendations for basic hardening.
Step 1: Secure Device Access
Router1
Secure console access
Secure VTY access
Set the enable secret for privileged EXEC mode. `enable secret` stores a salted hash rather than a reversible password, so use it instead of the legacy `enable password`.
Obscure the remaining plaintext passwords in the configuration with `service password-encryption`. This is Type 7 encoding, which is trivially reversible; it only stops casual reading of `show running-config` and is no substitute for hashed secrets.
Set the domain name for the router, required for generating RSA keys for SSH
Generate RSA key for SSH
Create a local user account with full administrative privileges (level 15) and store the password as a hashed secret for secure SSH authentication
Apply SSH version 2
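The Step 1 bullets brought together as one complete configuration. This is an added example, not the page's own transcript. It assumes the domain name nerd-cafe.local (the key name in the page's RSA output is Router1.nerd-cafe.local), the `admin` account and password used elsewhere on this page, placeholder console and enable passwords that must be replaced, and that management logins should only come from the 192.168.1.0/24 LAN. The login block-for, exec-timeout, access-class and SSH retry/timeout lines go a little beyond the bullets above but are standard CIS Benchmark items in the same area.

```cisco
! Minimum password length applies to line, user and enable passwords/secrets.
! 8 keeps the page's Admin123! valid; raise it to your policy value.
Router1(config)# security passwords min-length 8
Router1(config)# service password-encryption
Router1(config)# enable secret Enable123!
!
! Console: line password, 5-minute idle timeout, log output does not break typed commands
Router1(config)# line console 0
Router1(config-line)# password Console123!
Router1(config-line)# login
Router1(config-line)# exec-timeout 5 0
Router1(config-line)# logging synchronous
Router1(config-line)# exit
!
! SSH prerequisites: domain name, then an RSA host key (2048 bits, no prompt needed)
Router1(config)# ip domain-name nerd-cafe.local
Router1(config)# crypto key generate rsa modulus 2048
Router1(config)# username admin privilege 15 secret Admin123!
Router1(config)# ip ssh version 2
Router1(config)# ip ssh time-out 60
Router1(config)# ip ssh authentication-retries 3
!
! Brute-force protection: 3 failures within 60 s blocks logins for 120 s;
! login block-for must exist before the other login commands are accepted
Router1(config)# login block-for 120 attempts 3 within 60
Router1(config)# login on-failure log
Router1(config)# login on-success log
!
! Only the LAN may reach the VTYs (assumed management network)
Router1(config)# ip access-list standard MGMT-HOSTS
Router1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router1(config-std-nacl)# deny any log
Router1(config-std-nacl)# exit
!
! VTY: local user database, SSH only, same idle timeout
Router1(config)# line vty 0 4
Router1(config-line)# access-class MGMT-HOSTS in
Router1(config-line)# login local
Router1(config-line)# transport input ssh
Router1(config-line)# exec-timeout 5 0
Router1(config-line)# logging synchronous
Router1(config-line)# end
!
! Verify: version 2 only, and the lockout policy is active
Router1# show ip ssh
Router1# show login
```

Two caveats. Platforms with 16 VTY lines need `line vty 0 15`; configuring only 0-4 leaves lines 5-15 with default settings. The default `enable secret` and `username ... secret` hash is Type 5 (MD5); on IOS 15.3(3)M and later prefer `enable algorithm-type scrypt secret ...` and `username admin privilege 15 algorithm-type scrypt secret ...` (Type 9).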
Step 3: Disable Unused Services and Interfaces
Disable unused router services
Shutdown unused router interfaces
Shutdown unused switch interfaces
CIS Benchmark: Disable unnecessary services to reduce attack surface.
Step 4: Implement Layer 2 Security on Switch
Disable unused ports and assign them to an unused VLAN
Enable port security
Disable DTP to prevent VLAN hopping
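Step 4 as one configuration on Switch1. This is an added example, not from the page. It assumes VLAN 999 is an otherwise unused VLAN ID, that Fa0/1 is the uplink to Router1 and Fa0/2-5 are the PC ports (the page only states that Fa0/6-24 are unused), and it adds PortFast with BPDU Guard on the PC ports, which is beyond the three bullets above but part of the same Layer 2 hardening.

```cisco
! Dead-end VLAN for unused ports (VLAN 999 is an assumed, otherwise unused ID)
Switch1(config)# vlan 999
Switch1(config-vlan)# name UNUSED
Switch1(config-vlan)# exit
!
! Unused ports: fixed access mode, parked in VLAN 999, DTP off, shut down
Switch1(config)# interface range fastEthernet 0/6-24
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 999
Switch1(config-if-range)# switchport nonegotiate
Switch1(config-if-range)# shutdown
Switch1(config-if-range)# exit
!
! PC ports (assumed Fa0/2-5). "switchport mode access" must come first:
! port security is rejected on a port that is still in dynamic (DTP) mode.
Switch1(config)# interface range fastEthernet 0/2-5
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport nonegotiate
Switch1(config-if-range)# switchport port-security
Switch1(config-if-range)# switchport port-security maximum 1
Switch1(config-if-range)# switchport port-security mac-address sticky
! restrict = drop offending frames and log/count them without err-disabling the port
Switch1(config-if-range)# switchport port-security violation restrict
! Host ports should never take part in STP; a BPDU here is a rogue switch
Switch1(config-if-range)# spanning-tree portfast
Switch1(config-if-range)# spanning-tree bpduguard enable
Switch1(config-if-range)# exit
!
! Uplink to Router1 (assumed Fa0/1): a router port, so fixed access mode and no DTP
Switch1(config)# interface fastEthernet 0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport nonegotiate
Switch1(config-if)# end
!
! Verify: one sticky MAC learned, violation mode restrict, "Negotiation of Trunking: Off"
Switch1# show port-security interface fastEthernet 0/2
Switch1# show interfaces fastEthernet 0/2 switchport
```

Port security with a maximum of one sticky address stops a PC port from being used to spoof additional MAC addresses, but it does not by itself stop ARP spoofing from the legitimate address; that needs Dynamic ARP Inspection, which in turn needs DHCP snooping or ARP ACLs, neither of which fits the static-IP topology shown here.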
Step 5: Enable Logging and Monitoring
Enable local logging and store log messages in the device buffer (4 KB size)
The "informational" level keeps severity 6 and everything more critical (0–6); only "debugging" (7) is excluded
Add date, time, and millisecond precision timestamps to log messages
Improves forensic analysis and troubleshooting accuracy
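Step 5 as commands on Router1; the same lines apply unchanged to Switch1. This is an added example, not the page's transcript. It adds `logging console critical`, which is not in the bullets above but keeps the console from being flooded by the same messages the buffer records.

```cisco
! Local buffered logging: 4096 bytes, severity 0-6 (everything except debugging)
Router1(config)# logging buffered 4096 informational
!
! Date, time and millisecond timestamps on log and debug output
Router1(config)# service timestamps log datetime msec
Router1(config)# service timestamps debug datetime msec
!
! Only critical and worse goes to the console; the buffer is the record
Router1(config)# logging console critical
Router1(config)# end
!
! Verify: "Buffer logging: level informational" and the stored messages
Router1# show logging
!
! On Switch1 the same configuration will capture port-security violations
! (with violation mode restrict) and port shutdown/no shutdown events.
```

Timestamps are only as trustworthy as the device clock, so set it (`clock set ...` or NTP, which is not part of this topology) and consider `service timestamps log datetime msec localtime show-timezone` once a time zone is configured. A 4 KB buffer wraps after a few dozen messages; for anything beyond troubleshooting, forward the same events to a syslog server with `logging host`.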
Step 6: Configure Router ACLs for Basic Protection
Prevent packets with private (RFC 1918) source addresses from entering from the Internet
Block the internal LAN prefix (192.168.1.0/24) when it appears as a source address on the WAN side
Block other RFC1918 ranges
Permit all other traffic
Apply it inbound on the WAN-facing interface:
CIS Benchmark: Use ACLs to prevent spoofed traffic.
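The Step 6 ACL written out as an added example (not the page's own code). The page's topology shows only the LAN link, so the ISP-facing interface is assumed to be Fa0/1 here; substitute your own WAN interface, and note that if Fa0/1 really is unused and shut down as in Step 3, there is nothing to apply this to. The loopback and 0.0.0.0/8 entries go beyond the RFC 1918 list above; they are sources that are never valid on the wire.

```cisco
Router1(config)# ip access-list extended WAN-IN
Router1(config-ext-nacl)# remark -- Anti-spoofing: our own LAN prefix must never arrive from the WAN
Router1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 any log
Router1(config-ext-nacl)# remark -- Remaining RFC 1918 space
Router1(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
Router1(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
Router1(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
Router1(config-ext-nacl)# remark -- Beyond the page's list: loopback and unspecified sources
Router1(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
Router1(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
Router1(config-ext-nacl)# remark -- Everything else, as the page specifies
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)# exit
!
! Assumed WAN interface; apply inbound, i.e. to traffic arriving from the ISP
Router1(config)# interface fastEthernet 0/1
Router1(config-if)# ip access-group WAN-IN in
Router1(config-if)# end
!
! Verify: per-entry hit counters show which spoofed ranges are actually being seen
Router1# show access-lists WAN-IN
```

The 192.168.1.0/24 entry is already covered by the 192.168.0.0/16 entry below it; it is kept first so spoofing of the local prefix gets its own hit counter and log line. The `log` keyword sends matches to the CPU and is rate-limited, so it is useful while validating the policy but can be dropped from the high-volume entries afterwards. On routers running CEF, `ip verify unicast source reachable-via rx` on the WAN interface provides the same anti-spoofing check without maintaining a prefix list.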
Step 7: Save Configuration
Session transcripts for Steps 1 and 3 (the `!` lines are orientation comments):

```cisco
! Step 1: SSH host key, local admin account and SSH version 2 on Router1
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.nerd-cafe.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

! Level-15 local user with a hashed secret, used by "login local" on the VTYs
Router1(config)#username admin privilege 15 secret Admin123!
! "SSH 1.99" means the server still accepts both protocol versions;
! the next command restricts it to version 2 only
*Mar 1 0:23:25.687: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router1(config)#ip ssh version 2
```

```cisco
! Step 3: disable unused router services (CIS: reduce the attack surface)
Router1(config)#no ip http server
Router1(config)#no ip http secure-server
Router1(config)#no cdp run
Router1(config)#no ip bootp server
Router1(config)#no service finger
Router1(config)#no service tcp-small-servers
Router1(config)#no service udp-small-servers
```

```cisco
! Step 3: identify and shut down unused router interfaces
Router1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down
Router1#configure terminal
Router1(config)#interface fastEthernet 0/1
Router1(config-if)#shutdown
```

```cisco
! Step 3: shut down the unused switch ports Fa0/6-24 on Switch1
Switch1(config)#interface range fastEthernet 0/6-24
Switch1(config-if-range)#shutdown
```