Cisco IOS hardening is the process of configuring a Cisco router or switch to reduce its attack surface — disabling unused services, restricting management access, enforcing strong authentication, and applying control-plane protections. A hardened IOS baseline typically aligns to the CIS Cisco IOS Benchmark and NCSC network device security guidance.
Most Cisco IOS deployments ship with factory defaults that were designed for ease of setup, not security. CDP broadcasting device details to every connected segment, Telnet enabled on VTY lines, HTTP management open, IP source routing active — none of these belong on a production network edge.
This guide covers the 15 most impactful hardening changes, with the config commands, the reason behind each, and the edge cases to watch for in production. A downloadable hardened template is available in the template catalog.
Disable CDP on external interfaces, HTTP/HTTPS server, finger, small TCP/UDP servers, and IP source routing. These are exploited in reconnaissance and amplification attacks.
Restrict VTY lines to SSH only. Apply an ACL limiting SSH to your management subnet. Set exec-timeout 5 0 on all VTY and console lines. Disable Telnet completely.
Use enable secret type 9 (scrypt) — never enable password. Enable service password-encryption for stored credentials. Configure security passwords min-length 12.
Replace local auth with centralised AAA using TACACS+ or RADIUS. Configure aaa new-model, aaa authentication login default group tacacs+ local, and command accounting for privileged exec.
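A complete AAA configuration for the commands named above, as an added example rather than the page's downloadable template. The server address, shared key, group name and local account are placeholders; `local` at the end of each method list is the fallback used when no TACACS+ server answers.

```cisco
! Added example, not the page's template. Server address 10.10.10.52,
! the shared key and the admin account are placeholders; "local" at the
! end of each method list is the fallback when TACACS+ is unreachable.
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 10.10.10.52
 key TACACS-KEY-PLACEHOLDER
 timeout 5
!
aaa group server tacacs+ TAC-GROUP
 server name TAC-PRIMARY
!
! Login, enable, exec and privilege-15 command authorization via TACACS+
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
! Command accounting for privileged exec: every level-15 command is logged
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Console keeps a local-only method so a TACACS+ outage cannot lock you out
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
 exec-timeout 5 0
!
! Local fallback account, stored as a type 9 (scrypt) secret
username admin privilege 15 algorithm-type scrypt secret ADMIN-PASSWORD-PLACEHOLDER
```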
CoPP protects the router CPU from flood attacks. Define class-maps for ICMP, SSH, BGP, OSPF, and SNMP. Police each to appropriate rates. Critical on internet-facing routers.
```cisco
! Global: unused services that serve reconnaissance or amplification
no service tcp-small-servers
no service udp-small-servers
no service finger
no service pad
no ip http server
no ip http secure-server
no ip source-route
no cdp run
! Per-interface: ip proxy-arp and ip directed-broadcast are interface
! commands, so enter them under each LAN/WAN interface, not globally
interface <interface-name>
 no ip proxy-arp
 no ip directed-broadcast
```
Why: Small servers (echo, chargen, daytime) are used in amplification attacks. Source routing allows packet-path manipulation. CDP leaks platform, IOS version, and IP address details to any device on the segment. Note that no cdp run disables CDP globally; where CDP is still needed on internal links, leave it running and use no cdp enable on each external interface instead.
```cisco
! Define the management ACL first, then apply it to the VTY lines
ip access-list standard VTY-ACL
 permit 10.10.10.0 0.0.0.255
 deny any log
!
! login authentication default requires aaa new-model (see the AAA step)
line vty 0 15
 transport input ssh
 exec-timeout 5 0
 login authentication default
 access-class VTY-ACL in
```
Why: Telnet sends credentials in cleartext. An ACL prevents brute-force attempts from outside the management network. The exec-timeout prevents orphaned sessions.
```cisco
! Type 9 (scrypt) enable secret; the password shown is the page's placeholder
enable algorithm-type scrypt secret $tR0ngP@ss
! Obfuscates remaining cleartext passwords in the config (type 7, reversible)
service password-encryption
security passwords min-length 12
security authentication failure rate 3 log
```
Why: Type 9 (scrypt) is the strongest algorithm available in IOS. Type 5 (MD5) is no longer considered secure. The failure rate setting logs brute-force attempts.
```cisco
! Generate the host key first (requires hostname and ip domain-name to be set)
crypto key generate rsa modulus 4096
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface Loopback0
```
Why: SSH v1 has known vulnerabilities. A 4096-bit RSA key meets current NCSC guidance. Binding SSH to a loopback prevents management traffic from taking unexpected paths.
```cisco
! Logging: millisecond timestamps, local buffer, and a syslog collector
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging trap informational
logging source-interface Loopback0
logging host 10.10.10.50
! Authenticated NTP; the key string and server address are the page's example values
ntp authenticate
ntp authentication-key 1 md5 NTPkey1
ntp trusted-key 1
ntp server 10.10.10.51 key 1
```
Why: Accurate timestamps are essential for incident response correlation. NTP authentication prevents rogue time sources shifting log timestamps.
| Setting | Default (Insecure) | Hardened |
|---|---|---|
| VTY transport | Telnet + SSH | SSH only, ACL restricted |
| Enable credential | enable password (type 7) | enable secret type 9 (scrypt) |
| SSH version | v1 + v2 | v2 only, 4096-bit RSA |
| CDP | Global + all interfaces | Disabled on external interfaces |
| HTTP server | Enabled | Disabled |
| IP source routing | Enabled | Disabled |
| Authentication | Local only | AAA (TACACS+/RADIUS) + local fallback |
| Control plane | Unprotected | CoPP applied |
Apply exec-timeout 5 0 on the console line too.

Disable: CDP on external interfaces, HTTP/HTTPS server (unless needed), Telnet on all VTY lines, finger, small TCP/UDP servers, IP source routing, IP directed broadcast, IP proxy ARP on LAN interfaces, and BOOTP server. These services are either exploited directly or leak information useful to attackers.
The enable password command uses reversible type 7 encoding that can be decoded in seconds. The enable secret command uses a one-way hash — type 5 (MD5, now considered weak) or type 9 (scrypt, recommended). Always use enable secret with algorithm-type scrypt on IOS 15.3(3)M2 and later.
Yes. All templates are MIT licensed — free for commercial and non-commercial use. The hardened Cisco IOS WAN router template, access switch template, and ASA firewall baseline are all in the template catalog, no signup required.
Correctly applied hardening does not break BGP or OSPF. The main risk is CoPP — an overly aggressive policy can throttle BGP keepalives or OSPF hellos. Start CoPP in log-only mode, measure the rates, then set police rates 3–5x the observed baseline. Test in a lab environment before production deployment.
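A CoPP policy with the five classes named in the CoPP step above, staged the way this answer describes, as an added example rather than the page's template. It assumes the 10.10.10.0/24 management subnet used elsewhere on the page; the police rates are starting placeholders, and what the answer calls log-only mode is implemented here as exceed-action transmit, which counts exceeding traffic without dropping it.

```cisco
! Added example, not the page's downloadable template. Assumes the
! 10.10.10.0/24 management subnet used elsewhere on this page; the
! police rates are placeholders to be replaced with 3-5x the rates
! measured from "show policy-map control-plane" during the baseline.
ip access-list extended ACL-COPP-BGP
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended ACL-COPP-OSPF
 permit ospf any any
ip access-list extended ACL-COPP-SSH
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
ip access-list extended ACL-COPP-SNMP
 permit udp 10.10.10.0 0.0.0.255 any eq snmp
ip access-list extended ACL-COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-BGP
 match access-group name ACL-COPP-BGP
class-map match-all COPP-OSPF
 match access-group name ACL-COPP-OSPF
class-map match-all COPP-SSH
 match access-group name ACL-COPP-SSH
class-map match-all COPP-SNMP
 match access-group name ACL-COPP-SNMP
class-map match-all COPP-ICMP
 match access-group name ACL-COPP-ICMP
!
! Measurement phase: exceed-action transmit counts but does not drop.
! Once baselined, change exceed-action to drop for each class.
policy-map COPP-POLICY
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-OSPF
  police 512000 conform-action transmit exceed-action transmit
 class COPP-SSH
  police 256000 conform-action transmit exceed-action transmit
 class COPP-SNMP
  police 128000 conform-action transmit exceed-action transmit
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action transmit
 class class-default
  police 128000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input COPP-POLICY
```

Watch the exceeded counters for COPP-BGP and COPP-OSPF in particular before switching to exceed-action drop, since those are the classes where an undersized rate throttles keepalives and hellos.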