Cisco IOS XE Device Hardening: The Complete Enterprise Security Guide
Network devices are the skeleton of your enterprise infrastructure — and like any skeleton, they need to be hardened against impact. A misconfigured Cisco router or switch sitting at the edge of your network is not merely a vulnerability; it is an open door. The good news? Cisco IOS XE ships with an exhaustive suite of hardening controls. The bad news? They are almost entirely off by default.
This guide distills the Cisco PSIRT Device Hardening Guide into actionable, prioritized steps that network engineers, security architects, and NOC teams can apply in real production environments. We cover all four security planes — Management, AAA, Control, and Data — with exact IOS XE commands, priority ratings, and a field-tested 40-point sign-off checklist.
1. Management Plane Hardening
The management plane governs how administrators access and control the device. It is the highest-value attack surface — and the most commonly under-hardened.
1.1 Password Management — Use Type-8, Never Type-5
Cisco IOS XE stores local credentials with several hash or obfuscation types. Type-5 is salted MD5-crypt: cheap to compute, so a GPU cracking rig tests billions of guesses against it and weak or reused passwords fall quickly. Type-7 is not a hash at all but a reversible XOR against a fixed, long-published key (service password-encryption produces nothing stronger), so anyone who can read the configuration has the password. Neither belongs on a production device.
The modern standard is Type-8 (PBKDF2-SHA-256); Type-9 (scrypt, algorithm-type scrypt) is equally acceptable. Configure the enable secret and every local user account with the algorithm-type sha256 flag, and re-enter any credential that still shows as secret 5 or password 7 in the running-config: existing hashes are never upgraded in place, because the device no longer has the plaintext.
! CRITICAL — Set privileged exec password with PBKDF2 (Type-8)
enable algorithm-type sha256 secret Str0ng@Pass!
! CRITICAL — Create local admin with Type-8 password
username admin privilege 15 algorithm-type sha256 secret Str0ng@Pass!
! Remove the legacy enable password if it exists
no enable password
! Enable AES encryption for Type-6 credentials (OSPF, NTP keys)
key config-key password-encrypt MyAESMasterKey123!
password encryption aes
⚠ Key Point: Protocol shared secrets (OSPF, NTP, TACACS+ and RADIUS keys) cannot be one-way hashed, because the device must present the plaintext to its peer. Protect them with Type-6 AES as configured above; fall back to Type-7 only where a feature does not support Type-6, and never use Type-7 for human-facing credentials. Keep the config-key master key in your password vault: a configuration restored onto a device without that key cannot decrypt its Type-6 strings.
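As an added example (not code from the guide or from Cisco), the script below audits the credential lines of a running-config the way an assessor does: it classifies each enable and username line by hash type and, for every Type-7 value, returns the recovered plaintext using the fixed XOR key Cisco has used for decades. The config text and the hash bodies are constructed for the example; the two Type-7 strings are real encodings.

```python
"""Audit local credential lines in an IOS XE running-config.

Added example for this guide (not Cisco code).  It flags Type-0/5/7
credentials and decodes any Type-7 string to show that "encrypted"
Type-7 values are recoverable by anyone who can read the config.
"""
import re

# Cisco's fixed Type-7 XOR key; it has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Verdict per hash type as it appears in running-config.
_VERDICT = {
    "0": "CLEARTEXT",
    "5": "weak: Type-5 MD5-crypt, re-enter with algorithm-type sha256",
    "7": "BROKEN: Type-7 is reversible",
    "8": "ok: PBKDF2-SHA-256",
    "9": "ok: scrypt",
}

_CRED_RE = re.compile(
    r"^(?P<ctx>enable|username \S+(?: privilege \d+)?)\s+"
    r"(?P<kind>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)$"
)


def decode_type7(enc: str) -> str:
    """Reverse a Type-7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def audit_credentials(config: str) -> list[dict]:
    """Return one finding per 'enable' / 'username' credential line."""
    findings = []
    for raw in config.splitlines():
        m = _CRED_RE.match(raw.strip())
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type digit means plaintext
        finding = {
            "context": m.group("ctx"),
            "kind": m.group("kind"),
            "type": ptype,
            "verdict": _VERDICT.get(ptype, "unknown type " + ptype),
        }
        if ptype == "7":
            finding["recovered"] = decode_type7(m.group("val"))
        if m.group("ctx") == "enable" and m.group("kind") == "password":
            # 'enable password' is ignored when 'enable secret' exists; it only leaks a credential.
            finding["verdict"] += "; remove with 'no enable password'"
        findings.append(finding)
    return findings


# Constructed sample: the hash bodies are dummies, the Type-7 strings are real encodings.
SAMPLE_CONFIG = """\
enable secret 8 $8$cbV1nKMs8gDdm6$lNM8Q3sMGxqzhZ1XqVBr9Z5uGt1Mo9YcVx6oDqkWmGg
enable password 7 0822455D0A16
username admin privilege 15 secret 5 $1$Q6P5$hnb3r9i1gV7G9.Fqxz9Vv1
username netops privilege 15 secret 9 $9$5kQ8bVJtEEYyHk$0pN2VJ0bRxGk9HkQvTxzeF1fC4xG3HqXvU6dS7eN7Ic
username backup password 7 0215015819031B
"""

if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real show running-config dump and every "recovered" field is a password you now treat as compromised; rotate it after re-entering the account with algorithm-type sha256.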
1.2 Login Security & Lockout
Without login rate-limiting, your VTY interfaces are exposed to brute-force attacks 24/7. The login block-for command is your first line of defense: once the failure threshold is hit, the device enters a quiet period during which SSH, Telnet and HTTP logins are refused except from sources permitted by the quiet-mode ACL (the console is not affected). Make sure ACL-MGMT permits your jump hosts, or a noisy scanner can lock you out of your own devices. The per-account lockout from aaa local authentication attempts max-fail is separate and persistent: a locked local user stays locked until an administrator runs clear aaa local user lockout username <name>. Check state with show login and show aaa local user lockout.
! Enable AAA. Warning: aaa new-model immediately requires a local username for VTY login, so create the local admin from section 1.1 first or you lock yourself out of remote access
aaa new-model
! Lock a local account after 5 failed attempts (persists until cleared by an administrator)
aaa local authentication attempts max-fail 5
! Block VTY logins for 120s after 5 failed attempts in 60s
login block-for 120 attempts 5 within 60
! Allow only management ACL during quiet mode
login quiet-mode access-class ACL-MGMT
! Log both failed and successful logins
login on-failure log
login on-success log
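The on-failure and on-success log lines above are only useful if something watches them. As an added example (not from the guide or from Cisco), this script runs the detection logic a SOC would want over %SEC_LOGIN syslog lines: a per-source sliding window for brute force, a success from a source that was recently failing, and the quiet-mode event that tells you login block-for fired. The log lines, the addresses and the assumed year 2024 are all constructed for the example; the message layout follows the format IOS XE emits for these events.

```python
"""Detect SSH brute force and suspicious successes in IOS XE SEC_LOGIN syslog.

Added example for this guide (not Cisco code).  Sample lines are
constructed to follow the %SEC_LOGIN message format produced by
'login on-failure log' / 'login on-success log'; the year is assumed
because syslog timestamps omit it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

_LOGIN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\S* \w+: "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS|QUIET_MODE_ON):"
    r".*?\[user: (?P<user>[^\]]*)\].*?\[Source: (?P<src>[^\]]+)\]"
)
ASSUMED_YEAR = 2024  # assumption: syslog lines carry no year


def _parse_ts(ts: str) -> datetime:
    # Collapse the padding space before single-digit days, then parse.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def analyze(lines, threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Return alerts: brute_force (threshold failures from one source inside the
    window), success_after_failures, and quiet_mode (login block-for fired)."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = _LOGIN_RE.search(line)
        if not m:
            continue
        ts, src, user, event = _parse_ts(m.group("ts")), m.group("src"), m.group("user"), m.group("event")
        if event == "LOGIN_FAILED":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # expire old failures
                q.popleft()
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"alert": "brute_force", "src": src, "user": user, "failures": len(q)})
        elif event == "LOGIN_SUCCESS":
            if recent.get(src):  # success from a source that was failing: possible guessed password
                alerts.append({"alert": "success_after_failures", "src": src, "user": user, "failures": len(recent[src])})
        else:  # QUIET_MODE_ON
            alerts.append({"alert": "quiet_mode", "src": src, "user": user, "failures": None})
    return alerts


# Constructed sample: one scanner (203.0.113.7) guessing, one legitimate admin (10.0.0.50).
SAMPLE_LOG = """\
Jan 12 10:00:01.101 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Fri Jan 12 2024
Jan 12 10:00:03.221 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:03 UTC Fri Jan 12 2024
Jan 12 10:00:05.330 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Fri Jan 12 2024
Jan 12 10:00:06.002 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.50] [localport: 22] at 10:00:06 UTC Fri Jan 12 2024
Jan 12 10:00:07.418 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:07 UTC Fri Jan 12 2024
Jan 12 10:00:09.512 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Fri Jan 12 2024
Jan 12 10:00:09.513 UTC: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 51 secs, [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: ACL-MGMT] at 10:00:09 UTC Fri Jan 12 2024
Jan 12 10:02:15.700 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 10:02:15 UTC Fri Jan 12 2024
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The last line of the sample is the one that matters: a login success from the scanning source after the quiet period ends is the signature of a guessed password, and it should page someone even though each individual event looks benign.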
1.3 SSH Hardening — Kill Telnet Permanently
Telnet transmits credentials in cleartext. Full stop. If your production devices still accept Telnet in 2024, that is a critical finding in any security audit. The fix is simple: force SSHv2 exclusively, generate a strong RSA key, restrict the cipher, MAC and key-exchange algorithms the server offers, and lock down the VTY lines with a source-IP ACL. Cover every VTY the platform has (show line lists them; the count differs between ISR, ASR and Catalyst models), because a VTY left outside the configured range is the one an attacker finds.
! Generate 4096-bit RSA key (2048 minimum)
ip domain-name corp.example.com
crypto key generate rsa modulus 4096
! Force SSHv2 only
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh dh min size 2048
! Drop the weak 3DES-CBC cipher by listing only the ciphers you accept, and enforce SHA-2 MACs
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
! On releases that support it, also pin the key exchange: ip ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
! Lock down every VTY line; the number of VTYs is platform specific (show line), and a VTY outside this range is not covered by this lockdown
line vty 0 15
transport input ssh
transport output none
exec-timeout 10 0
access-class ACL-MGMT in vrf-also
logging synchronous
1.4 Disable Unused Services — The Attack Surface Reduction Checklist
Every running service is a potential entry point. IOS XE enables several legacy services by default that have no place in modern production networks. The most dangerous is Cisco Smart Install (vstack), which listens on TCP/4786 without authentication and has been exploited in the wild for remote code execution (CVE-2018-0171) and for mass configuration exfiltration through plain protocol abuse that needs no vulnerability at all.
! CRITICAL — Disable Smart Install (exploited in the wild)
no vstack
! Disable cleartext services
no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
! CDP and LLDP are disabled globally here. If you need them inside the network (IP phones, topology tools), keep them on globally and disable them per interface on every external or untrusted port instead: no cdp enable, plus no lldp transmit and no lldp receive
no cdp run
no lldp run
! Disable IP source routing and prevent config TFTP load
no ip source-route
no service config
no ip domain-lookup
🚨 Critical Warning: no vstack must be applied immediately on all switches; confirm with show vstack config. Exploits for Smart Install (TCP/4786) are trivially scriptable and have been used in mass-compromise campaigns. If the web UI is not needed, also run no ip http secure-server; if it is, restrict it with ip http access-class and keep it reachable only from the management network.
1.5 Session Timeouts & AUX Port Lockdown
Idle sessions left open on a device are a pivot point for physical or logical intruders. Configure short EXEC timeouts everywhere, and effectively disable the AUX port — it serves no function in modern networks and is often forgotten in hardening reviews.
line con 0
exec-timeout 10 0
logging synchronous
! Effectively disable AUX port
line aux 0
exec-timeout 0 1
no exec
transport input none
! Remove orphaned TCP sessions
service tcp-keepalives-in
service tcp-keepalives-out
1.6 Legal Banners — What Not to Say
Banners are legally significant: a "Welcome" greeting is widely read as implying consent and weakens an unauthorized-access case. Never use welcome language. State that access is restricted to authorized users, that activity is monitored and logged, and that unauthorized use is prohibited. Put the text in banner login, which is displayed before the credential prompt (the point of the exercise), rather than only in banner exec, which appears after a successful login. Consult your legal team for exact wording.
1.7 Management Plane Protection (MPP)
MPP restricts which interfaces accept management-plane traffic (SSH, Telnet, SNMP, HTTP/HTTPS, FTP, TFTP and similar). On a multi-homed device, this means your in-band data-plane interfaces cannot be used to reach the management plane, even if an attacker can route packets to them. Three caveats: MPP applies only to in-band interfaces and does nothing for the console; it does not replace the VTY access-class or CoPP, which still decide which sources may talk once a packet arrives on the permitted interface; and it blocks management protocols on every interface you do not list, so list the OOB port correctly before you commit. Verify with show management-interface.
! Only Gi0/0 (OOB management) will accept SSH/SNMP/HTTPS
control-plane host
management-interface GigabitEthernet0/0 allow ssh snmp https
1.8 NTP Authentication
Unauthenticated NTP allows an attacker to manipulate system time, breaking log correlation, invalidating certificates, and potentially triggering time-based access control windows. Always authenticate your NTP sources and restrict which hosts can talk NTP to the device. Note that configuring any ntp access-group denies every source not matched by some group, so with only a peer group the device stops answering NTP from anyone else, which is the right posture for a router that is not meant to serve time. The key below uses MD5, the most widely interoperable choice; newer IOS XE releases also offer stronger ntp authentication-key algorithms, so check the ? help on your release and use them when your time source supports them. Verify with show ntp associations detail, which must report the server as authenticated.
ntp authenticate
ntp authentication-key 10 md5 NTP-SECRET-KEY
ntp trusted-key 10
ntp server 10.0.0.1 key 10 prefer
ntp access-group peer ACL-NTP-PEERS
clock timezone UTC 0 0
ntp source Loopback0
1.9 SNMP Hardening — Upgrade to v3 authPriv
SNMPv1 and v2c transmit community strings in cleartext. Anyone sniffing network traffic can capture your community string and read, or with a RW community even write, the full device configuration. SNMPv3 with authPriv (authentication + encryption) is the only acceptable configuration for production. Two practical caveats: AES-256 in SNMPv3 is a vendor extension that some NMS products cannot negotiate, so if polling fails fall back to priv aes 128 rather than to v2c; and snmp-server user entries do not appear in the running-config (they are stored against the local engineID), so audit them with show snmp user and re-create them if the engineID ever changes.
! Remove default communities immediately
no snmp-server community public
no snmp-server community private
! Configure SNMPv3 with AES-256 encryption
snmp-server view READONLY-VIEW iso included
snmp-server group ADMINS v3 priv read READONLY-VIEW
snmp-server user SNMPUSER ADMINS v3 auth sha AuthPass123! priv aes 256 PrivPass456!
snmp-server host 10.0.0.5 version 3 priv SNMPUSER
snmp-server enable traps snmp authentication
2. AAA — Authentication, Authorization & Accounting
The AAA framework is the backbone of centralized access control. For device administration, TACACS+ is preferred over RADIUS: it obfuscates the entire packet body (RADIUS hides only the password attribute), supports granular per-command authorization, and separates authentication from authorization and accounting. That obfuscation is an MD5-based XOR, not modern encryption, so keep the AAA path on a protected management network.
2.1 TACACS+ Configuration
! Define TACACS+ servers
tacacs server TACACS-PRIMARY
address ipv4 10.0.0.100
key 7 <encrypted-key>
timeout 5
tacacs server TACACS-SECONDARY
address ipv4 10.0.0.101
key 7 <encrypted-key>
aaa group server tacacs+ TACACS-GROUP
server name TACACS-PRIMARY
server name TACACS-SECONDARY
ip tacacs source-interface Loopback0
! Authentication: VTYs use TACACS+ with local fallback
aaa authentication login CON-AUTH local
aaa authentication login VTY-AUTH group TACACS-GROUP local
aaa authentication enable default group TACACS-GROUP enable
! Authorization: per-command at privilege levels 1 and 15
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
! Accounting: full audit trail
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
! Console uses LOCAL only (break-glass access)
line con 0
login authentication CON-AUTH
line vty 0 15
login authentication VTY-AUTH
✔ Best Practice: Console authentication must always use LOCAL credentials as a break-glass mechanism. Never configure the console to depend on a TACACS+ server — if your AAA server is unreachable, you must be able to recover via console.
3. Control Plane Hardening
The control plane is the brain of your routing device. CPU-exhaustion attacks — by flooding the route processor with crafted packets — can bring down an entire network segment. This section shows you how to protect it.
3.1 Control Plane Policing (CoPP)
CoPP is the single most impactful control-plane protection available on IOS XE. It classifies all traffic destined for the device CPU and applies a policer per traffic class. BGP and IGP traffic gets a generous rate; undesirable traffic (spoofed packets, scanning noise) is dropped outright. Two details trip people up. The match ACLs are classifiers, so a permit entry means "put this packet in the class": ACL-COPP-DENY must permit the traffic you want dropped. And class-default catches everything the named classes miss, including protocols you forgot to classify, so its counters deserve as much attention as the others.
Always deploy CoPP in monitoring mode first: configure the legitimate classes with exceed-action transmit, run show policy-map control-plane over at least one full business cycle to baseline normal rates, and switch exceed-action to drop only once no legitimate class reports exceeded packets. The policy below shows the enforcement values.
! Step 1: Define traffic classes
class-map match-any CoPP-CRITICAL
match access-group name ACL-COPP-BGPIGP
class-map match-any CoPP-IMPORTANT
match access-group name ACL-COPP-MGMT
class-map match-any CoPP-NORMAL
match access-group name ACL-COPP-ICMP
class-map match-any CoPP-UNDESIRABLE
match access-group name ACL-COPP-DENY
! Step 2: Apply rate-limiting policy
policy-map COPP-POLICY
class CoPP-CRITICAL
police rate 4000 pps conform-action transmit exceed-action drop
class CoPP-IMPORTANT
police rate 1000 pps conform-action transmit exceed-action drop
class CoPP-NORMAL
police rate 500 pps conform-action transmit exceed-action drop
class CoPP-UNDESIRABLE
police rate 10 pps conform-action drop exceed-action drop
class class-default
police rate 200 pps conform-action transmit exceed-action drop
! Step 3: Apply to control plane
control-plane
service-policy input COPP-POLICY
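To make the baselining step concrete, here is an added example (not Cisco code) that parses show policy-map control-plane output and reports which classes can safely move from exceed-action transmit to drop. SAMPLE_OUTPUT is constructed to mirror the IOS XE layout, the class names are the ones from the policy above, and the 1.5x headroom factor is an assumption to tune for your network. A single snapshot is one sample: collect several across a business cycle before trusting the suggested rates.

```python
"""Baseline a CoPP policy from 'show policy-map control-plane' output.

Added example for this guide (not Cisco code).  With legitimate classes
running exceed-action transmit, any class that shows exceeded packets
would lose real control-plane traffic once switched to drop; this script
flags those classes and proposes a rate with headroom.
"""
import math
import re

_CLASS_RE = re.compile(r"^\s*Class-map: (\S+)")
_RATE_RE = re.compile(r"^\s*rate (\d+) pps")
_PKTS_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets")
_PPS_RE = re.compile(r"^\s*conformed (\d+) pps, exceeded (\d+) pps")


def parse_copp(text: str) -> dict[str, dict]:
    """Map class name -> {rate, conformed, exceeded, conformed_pps, exceeded_pps}."""
    stats, cur = {}, None
    for line in text.splitlines():
        if m := _CLASS_RE.match(line):
            cur = stats.setdefault(m.group(1), {"rate": 0, "conformed": 0, "exceeded": 0,
                                                "conformed_pps": 0, "exceeded_pps": 0})
        elif cur is None:
            continue
        elif m := _RATE_RE.match(line):
            cur["rate"] = int(m.group(1))
        elif m := _PKTS_RE.match(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := _PPS_RE.match(line):
            cur["conformed_pps"], cur["exceeded_pps"] = int(m.group(1)), int(m.group(2))
    return stats


def assess(stats: dict, drop_classes=frozenset({"CoPP-UNDESIRABLE"}), headroom: float = 1.5) -> list[dict]:
    """One verdict per class.  drop_classes are expected to exceed; headroom is an assumed factor."""
    out = []
    for name, s in stats.items():
        observed = s["conformed_pps"] + s["exceeded_pps"]  # what the CPU actually received
        if name in drop_classes:
            verdict = "ok: drops are expected in this class"
        elif s["exceeded"] == 0:
            verdict = "ok: no exceeded packets, safe to enforce"
        else:
            suggested = math.ceil(observed * headroom)
            verdict = f"raise rate to at least {suggested} pps before switching exceed-action to drop"
        out.append({"class": name, "rate": s["rate"], "observed_pps": observed,
                    "exceeded": s["exceeded"], "verdict": verdict})
    return out


# Constructed sample in the IOS XE show layout; counters are invented.
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: COPP-POLICY

    Class-map: CoPP-CRITICAL (match-any)
      184220 packets, 14737600 bytes
      5 minute offered rate 198000 bps, drop rate 0000 bps
      Match: access-group name ACL-COPP-BGPIGP
      police:
          rate 4000 pps, burst 1000 packets
        conformed 184220 packets, 14737600 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 310 pps, exceeded 0 pps

    Class-map: CoPP-IMPORTANT (match-any)
      61300 packets, 4904000 bytes
      5 minute offered rate 650000 bps, drop rate 0000 bps
      Match: access-group name ACL-COPP-MGMT
      police:
          rate 1000 pps, burst 250 packets
        conformed 58420 packets, 4673600 bytes; actions:
          transmit
        exceeded 2880 packets, 230400 bytes; actions:
          transmit
        conformed 980 pps, exceeded 45 pps

    Class-map: CoPP-UNDESIRABLE (match-any)
      12044 packets, 963520 bytes
      5 minute offered rate 77000 bps, drop rate 77000 bps
      Match: access-group name ACL-COPP-DENY
      police:
          rate 10 pps, burst 2 packets
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 12044 packets, 963520 bytes; actions:
          drop
        conformed 0 pps, exceeded 120 pps

    Class-map: class-default (match-any)
      30110 packets, 2408800 bytes
      5 minute offered rate 26000 bps, drop rate 0000 bps
      Match: any
      police:
          rate 200 pps, burst 50 packets
        conformed 30110 packets, 2408800 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 40 pps, exceeded 0 pps
"""

if __name__ == "__main__":
    for row in assess(parse_copp(SAMPLE_OUTPUT)):
        print(row)
```

In the sample, CoPP-IMPORTANT is the class that would have bitten you: it already exceeds its 1000 pps policer during normal management traffic, so enforcing as configured would start dropping SSH and SNMP to the device.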
3.2 Infrastructure ACLs (iACL)
iACLs are applied inbound on external-facing interfaces to protect your infrastructure address space. They deny fragments, packets with IP options and low-TTL packets up front, permit exactly the protocols your peers and management hosts need, deny everything else destined to infrastructure addresses, and end with an explicit permit ip any any so transit traffic is unaffected. Order matters: the infrastructure deny must sit above that final permit. Two caveats: the low-TTL entry silently drops traceroute probes that would expire on or just beyond this device, so expect traceroute gaps; and during rollout watch the hit counters (show access-lists) so you notice legitimate traffic being caught by a deny.
! Key iACL structure
ip access-list extended ACL-INFRASTRUCTURE-IN
remark === DENY IP FRAGMENTS (prevent frag attack) ===
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
remark === DENY IP OPTIONS ===
deny ip any any option any-options
remark === DENY LOW TTL (anti-TTL expiry attack) ===
deny ip any any ttl lt 6
remark === PERMIT EBGP FROM KNOWN PEER ===
permit tcp host <EBGP-PEER> host <LOCAL-IP> eq 179
remark === PERMIT MANAGEMENT (SSH, SNMP, NTP) ===
permit tcp <MGMT-SUBNET> <WILDCARD> any eq 22
permit udp <NMS-SERVER> host <LOOPBACK> eq 161
remark === DENY ALL TO INFRASTRUCTURE, PERMIT TRANSIT ===
deny ip any <INFRA-SUBNET> <WILDCARD>
permit ip any any
3.3 BGP Security
BGP is the routing protocol of the internet and a common target for prefix hijacking, session reset attacks, and route leaks. Four controls are non-negotiable for eBGP: MD5 authentication, GTSM (TTL security), maximum-prefix limits, and inbound prefix filtering. Size the maximum-prefix limit to the feed: the full IPv4 table is well over 900,000 routes in 2024, so the 500,000 in the table below would tear down a full-feed session; add the warning-only keyword while tuning. GTSM must be configured on both ends of the session and cannot be combined with ebgp-multihop on the same neighbor.
| Command | Purpose | Priority |
|---|---|---|
| neighbor x.x.x.x password <key> | MD5 authentication for BGP session | HIGH |
| neighbor x.x.x.x ttl-security hops 1 | GTSM: accept BGP only from directly connected peer | HIGH |
| neighbor x.x.x.x maximum-prefix 500000 80 | Warn at 80% of the limit, tear down the session at 500k prefixes; size the limit to the expected feed | CRITICAL |
| neighbor x.x.x.x prefix-list PL-INGRESS in | Filter inbound prefixes to prevent route leaks | CRITICAL |
3.4 IGP Authentication (OSPF with HMAC-SHA-256)
Unauthenticated OSPF allows an adversary on the segment to inject fake LSAs, redirect traffic, or cause routing loops. Use key chains with HMAC-SHA-256. Additionally, passive-interface default is arguably the most important OSPF security command — it prevents OSPF hellos from being sent on user-facing ports, blocking rogue adjacency formation.
key chain OSPF-KEYS
key 1
key-string OSPF-SECRET
cryptographic-algorithm hmac-sha-256
interface GigabitEthernet0/1
ip ospf authentication key-chain OSPF-KEYS
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/1
4. Data Plane Hardening
The data plane carries your actual network traffic. Hardening here prevents spoofing attacks, VLAN hopping, ARP poisoning, and Layer 2 exploitation.
4.1 Anti-Spoofing Controls
Unicast Reverse Path Forwarding (uRPF) drops packets whose source address has no matching return path in the routing table, blocking IP address spoofing at the ingress point. Use strict mode (reachable-via rx) on single-homed edge interfaces and loose mode (reachable-via any) on multi-homed or transit interfaces where asymmetric routing is expected. Strict mode ignores the default route unless you add the allow-default keyword, so on an interface whose return path is the default route it drops everything; test in a maintenance window and watch the verification drop counter in show ip interface. DHCP snooping and DAI below need ip dhcp snooping trust (and ip arp inspection trust) on uplinks and server-facing ports, or clients stop getting leases. Disabling ICMP unreachables on every interface also breaks Path MTU Discovery for hosts behind the device, so prefer ip icmp rate-limit unreachable on internal interfaces and disable them only on external ones.
! Strict uRPF on single-homed edge
interface GigabitEthernet0/0
ip verify unicast source reachable-via rx
! DHCP Snooping + DAI on the access layer (mark uplinks and DHCP-server ports with ip dhcp snooping trust and ip arp inspection trust first)
ip dhcp snooping
ip dhcp snooping vlan 10-100
ip arp inspection vlan 10-100
! Disable ICMP redirects, proxy ARP and directed broadcast on every interface; see the Path MTU caveat above before disabling unreachables on internal interfaces
interface range GigabitEthernet0/0 - 24
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
4.2 VLAN & Layer 2 Security
VLAN hopping attacks exploit dynamic trunking (DTP) to gain access to VLANs other than the one the attacker is assigned to. The defense is simple: disable DTP on all ports, move the native VLAN on trunks to an unused VLAN and tag it, and enable BPDU Guard on every PortFast-enabled access port. Note that spanning-tree portfast bpduguard default only acts on ports that are actually in PortFast state, so the access ports need spanning-tree portfast for it to do anything. Loop Guard is the global command shown below; Root Guard (spanning-tree guard root) is applied per interface on distribution uplinks.
! Disable DTP and force explicit access mode (interface names are platform specific; adjust to yours)
interface range GigabitEthernet1/0/1 - 48
switchport mode access
switchport access vlan 20
switchport nonegotiate
spanning-tree portfast
! Per-port broadcast storm limit (storm-control is an interface command)
storm-control broadcast level 10.00
! Tag the native VLAN on all trunks; also set it to an unused VLAN with switchport trunk native vlan on each trunk
vlan dot1q tag native
! BPDU Guard on all PortFast ports and Loop Guard globally
spanning-tree portfast bpduguard default
spanning-tree loopguard default
5. Testing & Validation
Hardening without verification is theater. After every change, validate from your jump host:
| Test | Command | Expected Result |
|---|---|---|
| SSHv2 only, strong algorithms | show ip ssh on the device; nmap -p 22 --script ssh2-enum-algos <device> from the jump host | "SSH Enabled - version 2.0"; no 3des-cbc cipher or hmac-sha1 MAC offered |
| Telnet blocked | telnet <device> 23 | Connection refused |
| SNMPv1/v2c blocked | snmpget -v2c -c public <device> sysName.0 | Timeout (no response) |
| SNMPv3 works | snmpget -v3 -l authPriv -u SNMPUSER -a SHA -A ... -x AES -X ... <device> sysName.0 | Returns sysName value |
| Smart Install disabled | nmap -p 4786 <device>; show vstack config on the device | Port closed or filtered; device reports Smart Install disabled |
Always verify your IOS XE software version against the Cisco PSIRT Software Checker at sec.cloudapps.cisco.com before deployment. Subscribe to Cisco Security Advisories and review monthly.
6. Production Hardening Quick Checklist (40 Items)
Use this as your pre-deployment sign-off. Each item maps to the sections above.
| # | Hardening Item | Plane |
|---|---|---|
| 1 | Type-8 passwords for all local users and enable secret | MGMT |
| 2 | AAA new-model with TACACS+/RADIUS configured | MGMT |
| 3 | Login lockout (login block-for / max-fail) configured | MGMT |
| 4 | SSHv2 only; Telnet disabled on all VTYs | MGMT |
| 5 | RSA key ≥ 2048 bits (4096 recommended) | MGMT |
| 6 | VTY access-class restricting management sources | MGMT |
| 7 | EXEC timeout ≤ 10 minutes on VTY and console | MGMT |
| 8 | AUX port disabled or timeout 0 1 | MGMT |
| 9 | Legal warning banner deployed (no welcome language) | MGMT |
| 10 | Management Plane Protection (MPP) on mgmt interface | MGMT |
| 11 | SNMP upgraded to v3 authPriv; v1/v2c disabled | MGMT |
| 12 | Default SNMP communities (public/private) removed | MGMT |
| 13 | Syslog to central SIEM with timestamps | MGMT |
| 14 | NTP authenticated with trusted server; UTC timezone | MGMT |
| 15 | Config change notification/archive logging enabled | MGMT |
| 16 | Smart Install (vstack) disabled | MGMT |
| 17 | CDP/LLDP disabled on external/untrusted interfaces | MGMT |
| 18 | HTTP server disabled; HTTPS disabled if not used | MGMT |
| 19 | ip source-route disabled | DATA |
| 20 | Infrastructure ACL (iACL) applied on all external interfaces | CTRL |
| 21 | IP fragments filtered at top of iACL | CTRL |
| 22 | IP options packets denied in iACL | CTRL |
| 23 | Low TTL packets (< 6) denied in iACL | CTRL |
| 24 | Control Plane Policing (CoPP) deployed and enforcing | CTRL |
| 25 | BGP MD5 authentication on all BGP peers | CTRL |
| 26 | BGP GTSM (ttl-security) on eBGP peers | CTRL |
| 27 | BGP maximum-prefix limits configured on all peers | CTRL |
| 28 | IGP authentication (HMAC-SHA-256) on routing interfaces | CTRL |
| 29 | passive-interface default for IGP routing processes | CTRL |
| 30 | uRPF enabled on edge interfaces (strict/loose) | DATA |
| 31 | DHCP snooping and Dynamic ARP Inspection on access layer | DATA |
| 32 | ip directed-broadcast disabled on all interfaces | DATA |
| 33 | ip redirects disabled on all interfaces | DATA |
| 34 | ip unreachables rate-limited or disabled on external interfaces | DATA |
| 35 | Proxy ARP disabled on all interfaces | DATA |
| 36 | Port security / BPDU Guard on access switch ports | DATA |
| 37 | DTP disabled (switchport nonegotiate) on all ports | DATA |
| 38 | Memory and CPU threshold notifications configured | MGMT |
| 39 | IOS XE version checked against Cisco Software Checker | OPS |
| 40 | Configuration backup tested and archived offline | OPS |
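Sign-off is easier to trust when the checklist is evaluated by a script rather than by eye. As an added example (not from the guide or from Cisco), the audit below parses a show running-config dump into global lines and indented blocks and checks a subset of the items above by number; credential hash types (item 1) are out of scope here. SAMPLE_CONFIG is constructed and deliberately fails several items.

```python
"""Checklist audit over a 'show running-config' dump.

Added example for this guide (not Cisco code).  Item numbers refer to the
40-item table; only a subset is implemented.  Absence of exec-timeout is
treated as the 10-minute default, while '0 0' (never) fails.
"""
import re


def parse_config(text: str):
    """Return (global_lines, blocks): blocks maps a header such as 'line vty 0 4'
    to its indented child lines."""
    glob, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            glob.append(current)
            blocks[current] = []
    return glob, blocks


def _lines(blocks: dict, prefix: str) -> list[list[str]]:
    return [body for hdr, body in blocks.items() if hdr.startswith(prefix)]


def _timeout_ok(body: list[str], max_minutes: int = 10) -> bool:
    for line in body:
        if m := re.match(r"exec-timeout (\d+) (\d+)", line):
            return 0 < int(m.group(1)) * 60 + int(m.group(2)) <= max_minutes * 60
    return True  # not configured: platform default of 10 minutes applies


# (item number, description, check(global_lines, blocks) -> bool)
RULES = [
    (2, "aaa new-model", lambda g, b: "aaa new-model" in g),
    (3, "login block-for", lambda g, b: any(l.startswith("login block-for") for l in g)),
    (4, "SSH-only transport on VTYs", lambda g, b: all("transport input ssh" in v for v in _lines(b, "line vty"))),
    (6, "access-class on VTYs", lambda g, b: all(any(l.startswith("access-class ") for l in v) for v in _lines(b, "line vty"))),
    (7, "exec-timeout <= 10 min on every line", lambda g, b: all(_timeout_ok(v) for v in _lines(b, "line "))),
    (11, "SNMPv3 priv group", lambda g, b: any(re.match(r"snmp-server group \S+ v3 priv", l) for l in g)),
    (12, "no v1/v2c communities", lambda g, b: not any(l.startswith("snmp-server community") for l in g)),
    (13, "syslog host", lambda g, b: any(l.startswith("logging host") for l in g)),
    (14, "NTP authentication", lambda g, b: "ntp authenticate" in g and any(l.startswith("ntp trusted-key") for l in g)),
    (16, "Smart Install disabled", lambda g, b: "no vstack" in g),
    (18, "HTTP/HTTPS server off", lambda g, b: "ip http server" not in g and "ip http secure-server" not in g),
    (19, "no ip source-route", lambda g, b: "no ip source-route" in g),
    (24, "CoPP service-policy", lambda g, b: any(l.startswith("service-policy input") for l in b.get("control-plane", []))),
]


def audit(text: str) -> dict[int, bool]:
    """Item number -> pass/fail."""
    g, b = parse_config(text)
    return {item: bool(check(g, b)) for item, _, check in RULES}


def failed_items(text: str) -> list[int]:
    return sorted(item for item, ok in audit(text).items() if not ok)


# Constructed sample: a second VTY range was forgotten, HTTPS and a v2c community are still on.
SAMPLE_CONFIG = """\
version 17.9
aaa new-model
no vstack
no ip source-route
no ip http server
ip http secure-server
logging host 10.0.0.20
snmp-server community public RO
snmp-server group ADMINS v3 priv read READONLY-VIEW
ntp authenticate
ntp trusted-key 10
control-plane
 service-policy input COPP-POLICY
line con 0
 exec-timeout 10 0
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 access-class ACL-MGMT in vrf-also
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("failed items:", failed_items(SAMPLE_CONFIG))
```

The forgotten VTY range in the sample (item 4, 6 and 7 all fail on line vty 5 15) is exactly the kind of gap that survives a manual review, because the first range looks correct.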
Final Thoughts
Cisco IOS XE device hardening is not a one-time event — it is an ongoing operational discipline. The 40-item checklist above covers the essentials, but the real security posture of your network depends on the consistency with which these controls are maintained, monitored, and audited over time.
Every change you make to a production device should go through a change-control sequence: back up the configuration, test AAA fallback locally, verify reachability from the jump host, apply controls in monitoring mode first, then enforce. Never skip the lab. Never skip the rollback plan.
For current vulnerability information, check Cisco Security Advisories and the PSIRT Software Checker; for configuration guidance, use the Cisco IOS XE Software Hardening Guide.
Based on the Cisco PSIRT IOS XE Device Hardening Guide. Always validate changes in a lab before production deployment. Consult your organization's security policy for compliance requirements.