Cisco IOS Devices Best Practices

This checklist is a collection of all the hardening steps that are presented in this guide. Administrators can use it as a reminder of all the hardening features used and considered for a Cisco IOS device, even if a feature was not implemented because it did not apply. Administrators are advised to evaluate each option for its potential risk before they implement the option.

Management Plane

  • Passwords
    • Enable MD5 hashing (secret option) for enable and local user passwords
    • Configure the password retry lockout
    • Disable password recovery (consider risk)
  • Disable unused services
  • Configure TCP keepalives for management sessions
  • Set memory and CPU threshold notifications
  • Configure
    • Memory and CPU threshold notifications
    • Reserve memory for console access
    • Memory leak detector
    • Buffer overflow detection
    • Enhanced crashinfo collection
  • Use iACLs to restrict management access
  • Filter (consider risk)
    • ICMP packets
    • IP fragments
    • IP options
    • TTL value in packets
  • Control Plane Protection
    • Configure port filtering
    • Configure queue thresholds
  • Management access
    • Use Management Plane Protection to restrict management interfaces
    • Set exec timeout
    • Use an encrypted transport protocol (such as SSH) for CLI access
    • Control transport for vty and tty lines (access class option)
    • Warn using banners
  • AAA
    • Use AAA for authentication and fallback
    • Use AAA (TACACS+) for command authorization
    • Use AAA for accounting
    • Use redundant AAA servers
  • SNMP
    • Configure SNMPv2 communities and apply ACLs
    • Configure SNMPv3
  • Logging
    • Configure centralized logging
    • Set logging levels for all relevant components
    • Set logging source-interface
    • Configure logging timestamp granularity
  • Configuration Management
    • Replace and rollback
    • Exclusive Configuration Change Access
    • Software resilience configuration
    • Configuration change notifications

Control Plane

  • Disable (consider risk)
    • ICMP redirects
    • ICMP unreachables
    • Proxy ARP
  • Configure NTP authentication if NTP is being used
  • Configure Control Plane Policing/Protection (port filtering, queue thresholds)
  • Secure routing protocols
    • BGP (TTL, MD5, maximum prefixes, prefix lists, system path ACLs)
    • IGP (MD5, passive interface, route filtering, resource consumption)
  • Configure hardware rate limiters
  • Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)

Data Plane

  • Configure IP Options Selective Drop
  • Disable (consider risk)
    • IP source routing
    • IP Directed Broadcasts
    • ICMP redirects
  • Limit IP Directed Broadcasts
  • Configure tACLs (consider risk)
    • Filter ICMP
    • Filter IP fragments
    • Filter IP options
    • Filter TTL values
  • Configure required anti-spoofing protections
    • ACLs
    • IP Source Guard
    • Dynamic ARP Inspection
    • Unicast RPF
    • Port security
  • Control Plane Protection (control-plane cef-exception)
  • Configure NetFlow and classification ACLs for traffic identification
  • Configure required access control ACLs (VLAN maps, PACLs, MAC)
  • Configure Private VLANs
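The checklist above lends itself to an automated check. The following Python sketch is an added example, not part of the original guide or any Cisco tool: it parses a saved configuration and reports deviations from a subset of the commands shown on this page. It assumes a command counts as applied only when it appears literally in the text (platform defaults that are not printed are not modelled); the function names and the sample configuration are constructed for illustration.

```python
import re

# Commands from this page that the audit expects verbatim at global level.
REQUIRED_GLOBAL = [
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no service pad",
    "no ip source-route",
    "no ip http server",
    "ip ssh version 2",
    "no logging console",
]

SNMP_COMMUNITY = re.compile(
    r"^snmp-server community \S+(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
WEAK_USER = re.compile(r"^username (?P<name>\S+) (?:privilege \d+ )?password ")


def parse_blocks(text):
    """Return (global_lines, blocks); blocks maps a header line to its indented children."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment/separator lines
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line
            global_lines.append(line)
            blocks[current] = []
    return global_lines, blocks


def audit(text):
    """Return a sorted list of findings for one configuration text."""
    global_lines, blocks = parse_blocks(text)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    if not any(line.startswith("enable secret ") for line in global_lines):
        findings.append("missing: enable secret")
    for line in global_lines:
        if line.startswith("enable password "):
            findings.append("weak: enable password is set (use enable secret)")
        user = WEAK_USER.match(line)
        if user:
            findings.append(f"weak: username {user['name']} uses password, not secret")
        snmp = SNMP_COMMUNITY.match(line)
        if snmp and snmp["acl"] is None:
            # The community string itself is deliberately left out of the finding.
            findings.append(f"snmp: {snmp['mode'].upper()} community has no ACL")
    for header, children in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in children:
            findings.append(f"{header}: transport input is not restricted to ssh")
        for child in children:
            parts = child.split()
            if parts[0] == "exec-timeout" and len(parts) > 1 and all(p == "0" for p in parts[1:]):
                findings.append(f"{header}: exec-timeout is disabled")
    return sorted(findings)


# Constructed sample configuration; every value here is invented for the example.
SAMPLE_CONFIG = """\
hostname lab-rtr
service tcp-keepalives-in
service tcp-keepalives-out
enable password 7 0000000000
username admin secret 5 $1$constructed$hash
username ops password 7 0000000000
no ip source-route
no ip http server
ip ssh version 2
!
snmp-server community READONLY RO 98
snmp-server community READWRITE RW
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```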

---

The three functional planes of a network – the management plane, control plane, and data plane – each provide different functionality that needs to be protected.

  • Management Plane – The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as Secure Shell (SSH) and Simple Network Management Protocol (SNMP).
  • Control Plane – The control plane of a network device processes the traffic that is paramount to maintain the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
  • Data Plane – The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

Management Plane

This list of protocols is used by the management plane:

  • Simple Network Management Protocol
  • Telnet
  • Secure Shell Protocol
  • File Transfer Protocol
  • Trivial File Transfer Protocol
  • Secure Copy Protocol
  • TACACS+
  • RADIUS
  • NetFlow
  • Network Time Protocol
  • Syslog

Password Management
The enable secret command must be used, rather than the older enable password command.
The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords,
Enhanced Password Security
With the Username secret command

Login Password Retry Lockout
aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
username <name> secret <password>

No Service Password-Recovery
The No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.
no service password-recovery

Disable Unused Services
As a security best practice, any unnecessary service must be disabled.
no ip finger
no ip bootp server
ip dhcp bootp ignore ( disable BOOTP )
no service dhcp
no mop enabled ( disable the Maintenance Operation Protocol (MOP) service )
no ip domain-lookup
no service pad ( Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks. )
no ip http server
no ip http secure-server
no cdp enable ( interface ) or no cdp run ( global )
no lldp transmit and no lldp receive ( interface ) or no lldp run ( global )

EXEC Timeout
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]

Keepalives for TCP Sessions
service tcp-keepalives-in
service tcp-keepalives-out

Management Interface Use
One of the most common interfaces that is used for in-band access to a device is the logical loopback interface. Loopback interfaces are always up, whereas physical interfaces can change state, and the interface can potentially not be accessible. It is recommended to add a loopback interface to each device as a management interface and that it be used exclusively for the management plane.
Once the loopback interface is configured on a device, it can be used by management plane protocols, such as SSH, SNMP, and syslog, in order to send and receive traffic.
interface Loopback0
 ip address 192.168.1.1 255.255.255.0

Memory Threshold Notifications
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
memory reserve critical <value>

CPU Thresholding Notification
snmp-server enable traps cpu threshold
snmp-server host <host-address> <community-string> cpu
process cpu threshold type <type> rising <percentage> interval <seconds>
     [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]

Reserve Memory for Console Access
memory reserve console 4096

Memory Leak Detector
show memory debug leaks 

Buffer Overflow: Detection and Correction of Redzone Corruption
exception memory ignore overflow io
exception memory ignore overflow processor
Once configured, the show memory overflow command

Network Time Protocol
NTP Time Zone
NTP Authentication

Limit Access to the Network with Infrastructure ACLs
An iACL is constructed and applied in order to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted. Example:
ip access-list extended ACL-INFRASTRUCTURE-IN
! Permit required connections for routing protocols and
! network management
permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179
permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address>
permit tcp host <trusted-management-stations> any eq 22
permit udp host <trusted-netmgmt-servers> any eq 161
! Deny all other IP traffic to any network device
deny ip any <infrastructure-address-space> <mask>
! Permit transit traffic
permit ip any any

ICMP Packet Filtering
ip access-list extended ACL-INFRASTRUCTURE-IN
! Permit ICMP Echo (ping) from trusted management stations and servers
permit icmp host <trusted-management-stations> any echo
permit icmp host <trusted-netmgmt-servers> any echo
! Deny all other IP traffic to any network device
deny ip any <infrastructure-address-space> <mask>
! Permit transit traffic
permit ip any any

Filter IP Fragments
ip access-list extended ACL-FRAGMENT-EXAMPLE
 permit tcp any host 192.168.1.1 eq 80
 deny tcp any host 192.168.1.1 eq 22

ip access-list extended ACL-INFRASTRUCTURE-IN
!Deny IP fragments using protocol-specific ACEs to aid in
 !classification of attack traffic
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
! Deny all other IP traffic to any network device
 deny ip any <infrastructure-address-space> <mask>
! Permit transit traffic
permit ip any any

ACL Support to Filter on TTL Value

The generation and transmission of these messages is an exception process. Routers can perform this function when the number of IP packets that are due to expire is low, but if the number of packets due to expire is high, generation and transmission of these messages can consume all available CPU resources. This presents a DoS attack vector. It is for this reason that devices need to be hardened against DoS attacks that utilize a high rate of IP packets that are due to expire.

It is recommended that organizations filter IP packets with low TTL values at the edge of the network. Completely filtering packets with TTL values insufficient to traverse the network mitigates the threat of TTL-based attacks.

This example ACL filters packets with TTL values less than six. This provides protection against TTL expiry attacks for networks up to five hops in width.

ip access-list extended ACL-INFRASTRUCTURE-IN
!--- Deny IP packets with TTL values insufficient to traverse the network
deny ip any any ttl lt 6
!--- Deny all other IP traffic to any network device
deny ip any <infrastructure-address-space> <mask>
!--- Permit transit traffic
permit ip any any
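
Why the protocol-specific fragment ACEs under "Filter IP Fragments" and the TTL ACE above matter is easier to see when the ACLs are evaluated against packets. The Python model below is an added example, not code from the original page or from Cisco; it assumes Cisco's documented rule that an ACE carrying Layer 4 information and no fragments keyword treats a non-initial fragment on Layer 3 alone (a permit matches, a deny falls through), and the Ace, Packet and evaluate names and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"
    dst: ipaddress.IPv4Network = ANY   # source is "any" in every ACE used here
    dport: Optional[int] = None        # "eq <port>", a Layer 4 match
    fragments: bool = False            # "fragments" keyword
    ttl_lt: Optional[int] = None       # "ttl lt <n>"


@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None        # absent on non-initial fragments
    noninitial: bool = False           # True for a non-initial IP fragment
    ttl: int = 64


def evaluate(acl, pkt):
    """First-match evaluation. Returns (action, ace_index); index None = implicit deny."""
    for index, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.ttl_lt is not None and pkt.ttl >= ace.ttl_lt:
            continue
        if ace.fragments:
            if pkt.noninitial:          # keyword matches non-initial fragments only
                return ace.action, index
            continue
        if ace.dport is not None:
            if pkt.noninitial:
                # No Layer 4 header to compare: a permit ACE matches on Layer 3
                # alone, a deny ACE is skipped and the next ACE is tried.
                if ace.action == "permit":
                    return ace.action, index
                continue
            if pkt.dport != ace.dport:
                continue
        return ace.action, index
    return "deny", None


HOST = ipaddress.ip_network("192.168.1.1/32")

# ACL-FRAGMENT-EXAMPLE from the page.
ACL_FRAGMENT_EXAMPLE = [
    Ace("permit", "tcp", HOST, dport=80),
    Ace("deny", "tcp", HOST, dport=22),
]

# The same ACEs preceded by the page's protocol-specific fragment denies.
ACL_WITH_FRAGMENT_DENIES = [
    Ace("deny", proto, fragments=True) for proto in ("tcp", "udp", "icmp", "ip")
] + ACL_FRAGMENT_EXAMPLE

# The page's TTL filter followed by its "permit transit traffic" ACE.
ACL_TTL = [Ace("deny", "ip", ttl_lt=6), Ace("permit", "ip")]

# Constructed packets (not captured traffic).
SSH_FIRST = Packet("tcp", "192.168.1.1", dport=22)
SSH_LATER_FRAGMENT = Packet("tcp", "192.168.1.1", noninitial=True)
HTTP = Packet("tcp", "192.168.1.1", dport=80)


def verdicts(acl):
    """Action taken on each constructed packet by one ACL."""
    return {
        "ssh_first": evaluate(acl, SSH_FIRST)[0],
        "ssh_later_fragment": evaluate(acl, SSH_LATER_FRAGMENT)[0],
        "http": evaluate(acl, HTTP)[0],
    }


if __name__ == "__main__":
    print(verdicts(ACL_FRAGMENT_EXAMPLE))
    print(verdicts(ACL_WITH_FRAGMENT_DENIES))
    print(evaluate(ACL_TTL, Packet("udp", "10.0.0.1", ttl=5)))
```

With ACL-FRAGMENT-EXAMPLE alone the later fragment of the port 22 flow is permitted by the first ACE; with the fragment denies in front it is dropped while unfragmented HTTP still passes.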

Secure Interactive Management Sessions
Management Plane Protection (MPP) allows an administrator to restrict the interfaces on which management traffic can be received by a device.
control-plane host
  management-interface GigabitEthernet 0/1 allow ssh https

Encrypt Management Sessions
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2

ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
line vty 0 4
 transport input ssh
!
ip scp server enable
!
ip http secure-server

This example configuration enables the use of RSA keys with SSHv2 on a Cisco IOS device:
! Configure a hostname for the device
hostname router
! Configure a domain name
ip domain-name cisco.com
! Specify the name of the RSA key pair (in this case, “sshkeys”) to use for SSH
 ip ssh rsa keypair-name sshkeys
! Enable the SSH server for local and remote authentication on the router using
! the “crypto key generate” command
! For SSH version 2, the modulus size must be at least 768 bits

crypto key generate rsa usage-keys label sshkeys modulus 2048
! Configure an ssh timeout (in seconds)
! The following enables a timeout of 120 seconds for SSH connections
ip ssh time-out 120
! Configure a limit of five (5) authentication retries
ip ssh authentication-retries 5
! Configure SSH version 2
ip ssh version 2

Refer to Secure Shell Version 2 Enhancements for RSA Keys for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH server to perform RSA-based user authentication. The user authentication is successful if the RSA public key stored on the server is verified with the public or the private key pair stored on the client.

! Configure a hostname for the device
hostname router
! Configure a domain name
ip domain-name cisco.com
! Generate RSA key pairs using a modulus of 2048 bits
crypto key generate rsa modulus 2048
! Configure SSH-RSA keys for user and server authentication on the SSH server
ip ssh pubkey-chain
! Configure the SSH username
        username ssh-user
! Specify the RSA public key of the remote peer
! You must then configure either the key-string command
! (followed by the RSA public key of the remote peer) or the
! key-hash command (followed by the SSH key type and version.)

Refer to Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH client to perform RSA-based server authentication.

hostname router
ip domain-name cisco.c
! Generate RSA key pairs
crypto key generate rsa
! Configure SSH-RSA keys for user and server authentication on the SSH server
ip ssh pubkey-chain
! Enable the SSH server for public-key authentication on the router
        server SSH-server-name
! Specify the RSA public-key of the remote peer
! You must then configure either the key-string command
! (followed by the RSA public key of the remote peer) or the
! key-hash <key-type> <key-name> command (followed by the SSH key
! type and version.)
! Ensure that server authentication takes place – The connection will be
! terminated on a failure
ip ssh stricthostkeycheck

Console and AUX Ports
line aux 0
 transport input none or transport input ssh.
 transport output none or transport output ssh.
 no exec
 exec-timeout 0 1
 no password

transport input or access-class configuration  ) IPSec can be used for encrypted and secure remote access connections to a device, if supported. If you use IPSec, it also adds additional CPU overhead to the device. However, SSH must still be enforced as the transport even when IPSec is used.


Warning Banners

  • Notice that the system is to be logged into or used only by specifically authorized personnel and perhaps information about who can authorize use.
  • Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
  • Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be used as evidence in court.
  • Specific notices required by local laws

Authentication, Authorization, and Accounting
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host <ip-address-of-tacacs-server>
tacacs-server key <key>

Authentication Fallback ( if AAA becomes unavailable )
enable secret <password>

Use of Type 7 Passwords
DON'T USE IT

TACACS+ Command Authorization ( Example )
aaa authorization exec default group tacacs none
aaa authorization commands 0 default group tacacs none
aaa authorization commands 1 default group tacacs none
aaa authorization commands 15 default group tacacs none

TACACS+ Command Accounting ( Example )
aaa accounting exec default start-stop group tacacs
aaa accounting commands 0 default start-stop group tacacs
aaa accounting commands 1 default start-stop group tacacs
aaa accounting commands 15 default start-stop group tacacs

Redundant AAA Servers

  • Availability of AAA servers during potential network failures
  • Geographically dispersed placement of AAA servers
  • Load on individual AAA servers in steady-state and failure conditions
  • Network latency between Network Access Servers and AAA servers
  • AAA server databases synchronization

Fortify the Simple Network Management Protocol
It is critical that SNMP be properly secured in order to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides you with a wealth of information on the health of network devices. This information should be protected from malicious users that want to leverage this data in order to perform attacks against the network.

SNMP Community Strings
snmp-server community READONLY RO
snmp-server community READWRITE RW 

SNMP Community Strings with ACLs
access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99

SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs (Management Information Base).
snmp-server view VIEW-SYSTEM-ONLY system include
snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO

SNMP Version 3

  • noauth – This mode does not require any authentication nor any encryption of SNMP packets
  • auth – This mode requires authentication of the SNMP packet without encryption
  • priv – This mode requires both authentication and encryption (privacy) of each SNMP packet

An authoritative engine ID must exist in order to use the SNMPv3 security mechanisms.
#show snmp engineID

Note: If the engineID is changed, all SNMP user accounts must be reconfigured.

The next step is to configure an SNMPv3 group:
snmp-server group AUTHGROUP v3 auth
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group with the priv keyword:
snmp-server group PRIVGROUP v3 priv
This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword

Management Plane Protection ( MPP )
control-plane host
 management-interface FastEthernet0/0 allow ( options )

Logging Best Practices

Send Logs to a Central Location
logging host <ip-address>
Or on a Non-Volatile Disk
logging buffered
logging persistent url disk0:/syslog size 134217728 filesize 16384

Logging Level ( 0 – 7 )
The global configuration command logging trap level is used in order to specify which logging messages are sent to remote syslog servers. The level specified indicates the lowest severity message that is sent. For buffered logging, the logging buffered level command is used.
logging trap 6
logging buffered 6

Do Not Log to Console or Monitor Sessions
no logging console
no logging monitor

Use Buffered Logging
logging buffered 16384 6

Configure Logging Source Interface
logging source-interface Loopback 0

Configure Logging Timestamps
service timestamps log datetime msec show-timezone
clock timezone PST -8
service timestamps log datetime msec localtime show-timezone

Configuration Replace and Configuration Rollback
archive
 path disk0:archived-config
 maximum 14
 time-period 1440
 write-memory

Exclusive Configuration Change Access
configuration mode exclusive auto

Cisco IOS Software Resilient Configuration
secure boot-image
secure boot-config

Configuration Change Notification and Logging
archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog

Control Plane

Control plane functions consist of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the Resource Reservation Protocol (RSVP). You can disable the reception and transmission of certain types of messages on an interface in order to minimize the amount of CPU load that is required to process unneeded packets.

IP ICMP Redirects
no ip redirects

ICMP Unreachables
no ip unreachables
ip icmp rate-limit unreachable

Proxy ARP
no ip proxy-arp

Limit CPU Impact of Control Plane Traffic

In order to properly protect the control plane of the Cisco IOS device, it is essential to understand the types of traffic that are process switched by the CPU. Process switched traffic normally consists of two different types of traffic. The first type of traffic is directed to the Cisco IOS device and must be handled directly by the Cisco IOS device CPU. This traffic consists of this category:
Receive adjacency traffic ( show ip cef )
Access Control List logging
Unicast Reverse Path Forwarding (Unicast RPF)
IP Options
Fragmentation
Time-to-live (TTL) Expiry
ICMP Unreachables
Traffic Requiring an ARP Request
Non-IP Traffic

Control Plane Policing
Dropping traffic from unknown or untrusted IP addresses can prevent hosts with dynamically-assigned IP addresses from connecting to the Cisco IOS device.

Control Plane Protection

  • Port-filtering feature – This feature provides for policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
  • Queue-thresholding feature – This feature limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.

Secure BGP

The Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often uses BGP. BGP is often targeted by attackers because of its ubiquity and the "set and forget" nature of BGP configurations in smaller organizations. However, there are many BGP-specific security features that can be leveraged to increase the security of a BGP configuration.

TTL-based Security Protections
This feature often requires coordination from peering routers; however, once enabled, it can completely defeat many TCP-based attacks against BGP.
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> ttl-security hops <hop-count>

BGP Peer Authentication with MD5
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> password <secret>

Configure Maximum Prefixes
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> maximum-prefix <shutdown-threshold> <log-percent>

Filter BGP Prefixes with Prefix Lists
Prefix lists allow a network administrator to permit or deny specific prefixes that are sent or received via BGP. Prefix lists should be used where possible in order to ensure network traffic is sent over the intended paths. Prefix lists should be applied to each eBGP peer in both the inbound and outbound directions.
ip prefix-list BGP-PL-INBOUND seq 5 permit 0.0.0.0/0
ip prefix-list BGP-PL-OUTBOUND seq 5 permit 192.168.2.0/24
router bgp <asn>
 neighbor <ip-address> prefix-list BGP-PL-INBOUND in
 neighbor <ip-address> prefix-list BGP-PL-OUTBOUND out

Filter BGP Prefixes with Autonomous System Path Access Lists
ip as-path access-list 1 permit ^65501$
ip as-path access-list 2 permit ^$
router bgp <asn>
 neighbor <ip-address> remote-as 65501
 neighbor <ip-address> filter-list 1 in
 neighbor <ip-address> filter-list 2 out

Secure Interior Gateway Protocols

Routing Protocol Authentication and Verification with Message Digest 5

This is an example configuration for EIGRP router authentication using MD5:

key chain <key-name>
 key <key-identifier>
 key-string <password>
interface <interface>
 ip authentication mode eigrp <as-number> md5
 ip authentication key-chain eigrp <as-number> <key-name>

This is an example MD5 router authentication configuration for RIPv2. RIPv1 does not support authentication.

key chain <key-name>
 key <key-identifier>
 key-string <password>
interface <interface>
 ip rip authentication mode md5
 ip rip authentication key-chain <key-name>

This is an example configuration for OSPF router authentication using MD5. OSPF does not utilize Key Chains.

interface <interface>
 ip ospf message-digest-key <key-id> md5 <password>
router ospf <process-id>
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest

Passive-Interface Commands
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>

Route Filtering
For EIGRP and RIP, usage of the distribute-list command with the out keyword limits what information is advertised, while usage of the in keyword limits what updates are processed. The distribute-list command is available for OSPF, but it does not prevent a router from propagating filtered routes. Instead, the area filter-list command can be used.

This EIGRP example filters outbound advertisements with the distribute-list command and a prefix list:

ip prefix-list <list-name> seq 10 permit <prefix>
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>
 distribute-list prefix <list-name> out <interface>

This EIGRP example filters inbound updates with a prefix list:

ip prefix-list <list-name> seq 10 permit <prefix>
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>
 distribute-list prefix <list-name> in <interface>

This OSPF example uses a prefix list with the OSPF-specific area filter-list command:

ip prefix-list <list-name> seq 10 permit <prefix>
router ospf <process-id>
 area <area-id> filter-list prefix <list-name> in

Routing Process Resource Consumption
Routing protocol prefixes are stored by a router in memory, and resource consumption increases with additional prefixes that a router must hold. In order to prevent resource exhaustion, it is important to configure the routing protocol to limit resource consumption. This is possible with OSPF if you use the Link State Database Overload Protection feature.
router ospf <process-id>
 max-lsa <maximum-number>

Secure First Hop Redundancy Protocols
The Gateway Load-Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), and Virtual Router Redundancy Protocol (VRRP) are all FHRPs. By default, these protocols use unauthenticated communication. In order to prevent this type of attack, all FHRPs that are supported by Cisco IOS software include an authentication capability with either MD5 or text strings. Because of the threat posed by unauthenticated FHRPs, it is recommended that instances of these protocols use MD5 authentication.
interface FastEthernet 1
 description *** GLBP Authentication ***
 glbp 1 authentication md5 key-string <glbp-secret>
 glbp 1 ip 10.1.1.1

interface FastEthernet 2
 description *** HSRP Authentication ***
 standby 1 authentication md5 key-string <hsrp-secret>
 standby 1 ip 10.2.2.1

interface FastEthernet 3
 description *** VRRP Authentication ***
 vrrp 1 authentication md5 key-string <vrrp-secret>
 vrrp 1 ip 10.3.3.1


Data Plane
Although the data plane is responsible for moving data from source to destination, within the context of security, the data plane is the least important of the three planes. It is for this reason that it is important to protect the management and control planes in preference over the data plane when you secure a network device.

IP Options Selective Drop
There are two security concerns presented by IP options. Traffic that contains IP options must be process-switched by Cisco IOS devices, which can lead to elevated CPU load. IP options also include the functionality to alter the path that traffic takes through the network, which potentially allows it to subvert security controls.
ip options {drop | ignore}  

Disable IP Source Routing
If IP options have not been completely disabled via the IP Options Selective Drop feature, it is important that IP source routing is disabled.
no ip source-route

Disable ICMP Redirects
interface FastEthernet 0
 no ip redirects

Disable or Limit IP Directed Broadcasts
If a network absolutely requires directed broadcast functionality, its use should be controlled. This is possible with the use of an access control list as an option to the ip directed-broadcast command.
access-list 100 permit udp 192.168.1.0 0.0.0.255 any
interface FastEthernet 0
 ip directed-broadcast 100

Filter Transit Traffic with Transit ACLs
It is possible to control what traffic transits the network with the use of transit ACLs (tACLs). This is in contrast to infrastructure ACLs that seek to filter traffic that is destined to the network itself. The filtering provided by tACLs is beneficial when it is desirable to filter traffic to a particular group of devices or traffic that transits the network.

ICMP Packet Filtering
ip access-list extended ACL-TRANSIT-IN
!--- Permit ICMP packets from trusted networks only
permit icmp host <trusted-networks> any
!--- Deny all other IP traffic to any network device
deny icmp any any

Filter IP Fragments
ip access-list extended ACL-TRANSIT-IN
!--- Deny IP fragments using protocol-specific ACEs to aid in
!--- classification of attack traffic
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments


ACL Support for Filtering IP Options
ip access-list extended ACL-TRANSIT-IN
!--- Deny IP packets containing IP options
deny ip any any option any-options

Anti-Spoofing Protections
Many attacks use source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback. Cisco IOS software provides Unicast RPF and IP Source Guard (IPSG) in order to deter attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means of spoofing prevention.

Unicast RPF
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet. You must not rely on Unicast RPF as the only protection against spoofing. Spoofed packets could enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. Unicast RPF relies on you to enable Cisco Express Forwarding on each device and is configured on a per-interface basis.
ip cef
interface <interface>
  ip verify unicast source reachable-via <mode>
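
The check described above, and the caveat that a spoofed source with a valid return route still passes, can be modelled in a few lines. This Python sketch is an added example, not code from the original page or from Cisco; it assumes the rx (strict) and any (loose) values for <mode>, uses a constructed routing table and constructed packets, leaves out default routes, ACL exceptions and equal-cost paths, and goes one step beyond the text by including an asymmetrically routed prefix that strict mode drops.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, interface used to reach it).
FIB = [
    ("192.0.2.0/24", "Gi0/0"),      # upstream link
    ("10.10.0.0/16", "Gi0/1"),      # customer A
    ("10.10.8.0/24", "Gi0/2"),      # more-specific of A's range, reached via B
    ("10.20.0.0/16", "Gi0/2"),      # customer B
]


def lookup(fib, address):
    """Longest-prefix match. Returns the interface of the best route, or None."""
    addr = ipaddress.ip_address(address)
    best_len, best_iface = -1, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def urpf_permits(fib, src, in_iface, mode):
    """Model of `ip verify unicast source reachable-via <mode>` on in_iface.

    mode "rx"  (strict): the best route to src must point back out in_iface.
    mode "any" (loose):  any route to src is enough.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    route_iface = lookup(fib, src)
    if route_iface is None:
        return False
    return mode == "any" or route_iface == in_iface


# Constructed packets: (label, source address, receiving interface).
PACKETS = [
    ("customer A host", "10.10.1.20", "Gi0/1"),
    ("B's address arriving from A", "10.20.3.3", "Gi0/1"),
    ("A's own range forged by another A host", "10.10.200.7", "Gi0/1"),
    ("unrouted source", "203.0.113.9", "Gi0/1"),
    ("asymmetric: A sends from 10.10.8.0/24", "10.10.8.5", "Gi0/1"),
]


def classify(fib, packets):
    """Return {label: (strict_verdict, loose_verdict)} for each packet."""
    return {
        label: (urpf_permits(fib, src, iface, "rx"), urpf_permits(fib, src, iface, "any"))
        for label, src, iface in packets
    }


if __name__ == "__main__":
    for label, (strict, loose) in classify(FIB, PACKETS).items():
        print(f"{label:42} strict={strict!s:5} loose={loose}")
```

The third packet is the case the text warns about: the forged source lies inside the prefix routed back through the receiving interface, so even strict mode permits it.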

IP Source Guard
IP Source Guard is an effective means of spoofing prevention that can be used if you have control over Layer 2 interfaces. IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
After DHCP snooping is enabled, these commands enable IPSG:
interface <interface-id>
 ip verify source

Port Security
Port security can be enabled with the ip verify source port security interface configuration command. This requires the global configuration command ip dhcp snooping information option; additionally, the DHCP server must support DHCP option 82.
interface <interface>
  switchport
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security maximum <number>
  switchport port-security violation <violation-mode>

Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) can be used in order to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed in order to corrupt the ARP cache of other devices. Often an attacker uses ARP poisoning in order to perform a man-in-the-middle attack.

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
Once DHCP snooping has been enabled, these commands enable DAI:
ip arp inspection vlan <vlan-range> 
In non-DHCP environments, ARP ACLs are required to enable DAI. This example demonstrates the basic configuration of DAI with ARP ACLs:
arp access-list <acl-name>
permit ip host <sender-ip> mac host <sender-mac>
ip arp inspection filter <arp-acl-name> vlan <vlan-range>

Anti-Spoofing ACLs
Manually configured ACLs can provide static anti-spoofing protection against attacks that use known unused and untrusted address space. Commonly, these anti-spoofing ACLs are applied to ingress traffic at network boundaries as a component of a larger ACL. Anti-spoofing ACLs require regular monitoring because they can frequently change. Spoofing can be minimized in traffic that originates from the local network if you apply outbound ACLs that limit the traffic to valid local addresses.

Limit CPU Impact of Data Plane Traffic
The primary purpose of routers and switches is to forward packets and frames through the device onward to final destinations. These packets, which transit the devices deployed throughout the network, can impact CPU operations of a device. The data plane, which consists of traffic that transits the network device, should be secured to ensure the operation of the management and control planes. If transit traffic can cause a device to process-switch traffic, the control plane of a device can be affected, which may lead to an operational disruption.

Traffic Identification and Traceback
At times, you might need to quickly identify and trace back network traffic, especially during incident response or periods of poor network performance. NetFlow and Classification ACLs are the two primary methods to accomplish this with Cisco IOS software. NetFlow can provide visibility into all traffic on the network. Additionally, NetFlow can be implemented with collectors that can provide long-term trending and automated analysis. Classification ACLs are a component of ACLs and require pre-planning to identify specific traffic and manual intervention during analysis. These sections provide a brief overview of each feature.

NetFlow
CEF, or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches:
ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>
interface <interface>
  ip flow <ingress|egress>
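The prerequisites stated in this guide (CEF for Unicast RPF and NetFlow, DHCP snooping for IP Source Guard, DHCP snooping or an ARP ACL for DAI) can be checked against a saved configuration. The script below is an added example, not Cisco's tooling; it assumes the prerequisite commands appear explicitly in the text rather than as platform defaults, and the sample configuration and the ACL name STATIC-HOSTS are constructed.

```python
import re

def parse_vlans(spec):  # '10,20-22' -> {10, 20, 21, 22}
    bounds = [part.partition("-") for part in spec.split(",")]
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

VLAN_CMDS = {  # global commands that carry a VLAN list
    "snoop": r"ip dhcp snooping vlan (\S+)",
    "dai": r"ip arp inspection vlan (\S+)",
    "arp_acl": r"ip arp inspection filter \S+ vlan (\S+)",
}
NEEDS_CEF = r"ip verify unicast source reachable-via |ip flow (ingress|egress)$"

def audit(config):
    """Findings for features whose prerequisite is not explicit in the text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    cef = any(l in ("ip cef", "ip cef distributed") for l in lines)
    snooping = "ip dhcp snooping" in lines
    vlans = {key: set() for key in VLAN_CMDS}
    findings, iface = [], None
    for line in lines:
        for key, pattern in VLAN_CMDS.items():
            if m := re.fullmatch(pattern, line):
                vlans[key] |= parse_vlans(m[1])
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif re.match(NEEDS_CEF, line) and not cef:
            findings.append(f"{iface}: '{line}' requires ip cef")
        elif line == "ip verify source" and not snooping:
            findings.append(f"{iface}: ip verify source requires ip dhcp snooping")
    covered = (vlans["snoop"] if snooping else set()) | vlans["arp_acl"]
    for vlan in sorted(vlans["dai"] - covered):
        findings.append(f"vlan {vlan}: DAI without DHCP snooping or ARP ACL")
    return findings

# Constructed sample: no 'ip cef', and VLAN 22 has DAI but no binding source.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-21
ip arp inspection vlan 10,20-22,30
ip arp inspection filter STATIC-HOSTS vlan 30
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
 ip flow ingress
interface GigabitEthernet0/3
 ip verify source
"""

print("\n".join(audit(SAMPLE)))
```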

Classification ACLs
An administrator can expedite an incident response by using classification ACLs with the show access-list and clear ip access-list counters EXEC commands.

ip access-list extended ACL-SMB-CLASSIFY
 remark Existing contents of ACL
 remark Classification of SMB specific TCP traffic
 deny    tcp any any eq 139
 deny    tcp any any eq 445
 deny    ip any any

show access-list ACL-SMB-CLASSIFY

Access Control with VLAN Maps and Port Access Control Lists
VACLs, or VLAN maps that apply to all packets that enter the VLAN, provide the capability to enforce access control on intra-VLAN traffic. This is not possible with ACLs on routed interfaces. For example, a VLAN map might be used in order to prevent hosts that are contained within the same VLAN from communicating with each other, which reduces opportunities for local attackers or worms to exploit a host on the same network segment. In order to deny packets with a VLAN map, you can create an access control list (ACL) that matches the traffic and, in the VLAN map, set the action to drop. Once a VLAN map is configured, all packets that enter the LAN are sequentially evaluated against the configured VLAN map. VLAN access maps support IPv4 and MAC access lists; however, they do not support logging or IPv6 ACLs.

ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
vlan access-map <name> <number>
 match ip address <acl-name>
 action <drop|forward>
This example demonstrates the use of a VLAN map in order to deny TCP ports 139 and 445 as well as the vines-ip protocol:

ip access-list extended VACL-MATCH-ANY
 permit ip any any
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
mac access-list extended VACL-MATCH-VINES
 permit any any vines-ip
vlan access-map VACL 10
 match mac address VACL-MATCH-VINES
 action drop
vlan access-map VACL 20
 match ip address VACL-MATCH-PORTS
 action drop
vlan access-map VACL 30
 match ip address VACL-MATCH-ANY
 action forward
vlan filter VACL vlan 100  


Access Control with PACLs (Port ACLs)
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in

 

Access Control with MAC
Cat6K-IOS(config-if)#mac packet-classify

Private VLAN Use
Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely. Networking situations exist where security can be aided by limiting communication between devices on a single VLAN. For example, PVLANs are often used in order to prohibit communication between servers in a publicly accessible subnet. Should a single server become compromised, the lack of connectivity to other servers due to the application of PVLANs might help limit the compromise to the one server.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

vlan 11
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 11
interface FastEthernet 1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11

 

Community VLANs
vlan 12
 private-vlan community
vlan 20
 private-vlan primary
 private-vlan association 12
interface FastEthernet 1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12

 

Promiscuous Ports
Switch ports that are placed into the primary VLAN are known as promiscuous ports. Promiscuous ports can communicate with all other ports in the primary and secondary VLANs. Router or firewall interfaces are the most common devices found on these VLANs.

vlan 11
 private-vlan isolated
vlan 12
 private-vlan community
vlan 20
 private-vlan primary
 private-vlan association 11-12
interface FastEthernet 1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
interface FastEthernet 1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12
interface FastEthernet 1/12
 description *** Promiscuous Port ***
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 11-12

When you implement PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering with a Router ACL or firewall can prevent the subversion of the PVLAN configuration.
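The isolated, community and promiscuous rules above, and the host pairs that depend on Layer 3 filtering to stay separated, can be worked through with a small model. This is an added example, not part of the original guide: it reuses VLANs 11, 12 and 20 and ports 1/1, 1/2 and 1/12 from the configuration above, while ports Fa1/3 and Fa1/4 and the function names are hypothetical.

```python
from itertools import combinations

# Secondary VLAN types from the guide's example (primary VLAN 20).
SECONDARY = {11: "isolated", 12: "community"}

# Host ports carry one secondary VLAN; the promiscuous port carries its
# mapping. Fa1/3 and Fa1/4 are hypothetical additions for illustration.
PORTS = {
    "Fa1/1": ("host", 11),
    "Fa1/2": ("host", 12),
    "Fa1/3": ("host", 12),
    "Fa1/4": ("host", 11),
    "Fa1/12": ("promiscuous", {11, 12}),
}

def l2_allowed(a, b):
    """True if the PVLAN rules let ports a and b exchange frames directly."""
    (mode_a, vlan_a), (mode_b, vlan_b) = PORTS[a], PORTS[b]
    if mode_a == mode_b == "promiscuous":
        return True
    if mode_a == "promiscuous":
        return vlan_b in vlan_a
    if mode_b == "promiscuous":
        return vlan_a in vlan_b
    # Two host ports: only members of the same community VLAN can talk.
    return vlan_a == vlan_b and SECONDARY[vlan_a] == "community"

def pairs_relying_on_l3_filter(router_acl_in_place):
    """Host pairs separated at Layer 2 whose separation also depends on the
    device behind the promiscuous port not routing traffic between them."""
    if router_acl_in_place:
        return []
    hosts = [p for p, (mode, _) in PORTS.items() if mode == "host"]
    return [(a, b) for a, b in combinations(hosts, 2) if not l2_allowed(a, b)]

if __name__ == "__main__":
    for a, b in combinations(PORTS, 2):
        print(f"{a:7} <-> {b:7} {'allowed' if l2_allowed(a, b) else 'blocked'}")
    print("Needs Layer 3 filtering:", pairs_relying_on_l3_filter(False))
```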

 
