The Complete Cisco IOS Security Hardening Checklist (2026)
Cisco IOS and IOS-XE run a large share of enterprise network infrastructure. Yet many production configurations contain preventable security misconfigurations, from plaintext passwords to unprotected management interfaces.
This checklist covers the most critical Cisco IOS and IOS-XE hardening items based on CIS Benchmarks, NIST 800-53 controls, and real-world audit findings. Each item includes the vulnerable configuration, the hardened fix, and the SentriFlow rule that detects it automatically.
Automate this checklist. Every item below can be validated automatically with SentriFlow. Install the CLI and run sentriflow router.conf to audit your configurations in seconds.
1. Password and Authentication Security
1.1 Never Use Plaintext Passwords
The password command stores credentials as Type 0 (plaintext) or, once service password-encryption is enabled, as Type 7, a fixed-key XOR obfuscation that is trivially reversible. Neither form protects the credential if the configuration or a backup of it is read.
Vulnerable configuration:
enable password cisco123
!
line vty 0 4
password cisco123
login
Hardened configuration:
enable algorithm-type scrypt secret MyStr0ngP@ss!
!
line vty 0 4
login local
!
username admin privilege 15 algorithm-type scrypt secret MyStr0ngP@ss!
Why it matters: Type 0 (plaintext) and Type 7 passwords can be recovered instantly with freely available tools, and service password-encryption only turns Type 0 into Type 7, so it is not a fix. Type 5 (salted MD5) and Type 4 (unsalted SHA-256) are weak against offline cracking. Use Type 8 (PBKDF2-SHA256) or Type 9 (scrypt); both are salted password hashes, not encryption, so the password cannot be recovered from the configuration. Once entered with algorithm-type scrypt, the running configuration shows the credential as secret 9 $9$... and the plaintext is never stored.
SentriFlow rule: NET-SEC-001 — Detects plaintext or weakly encrypted passwords across Cisco IOS and NX-OS configurations.
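The following is an added example, not SentriFlow's code or a SentriFlow rule: a short Python audit that walks a running-config, flags Type 0, Type 4, Type 5 and Type 7 credentials, and decodes the Type 7 ones to show how little protection they offer. The sample configuration, the placeholder hashes and the finding labels are constructed for this example; the Type 7 key stream is the well-known constant used by IOS.

```python
"""Added example, not SentriFlow code: find weak credentials in a Cisco IOS
running-config and show why Type 7 is no protection at all.

Password storage types as they appear in show running-config:
  Type 0  plaintext                  enable password X / password X / username ... password X
  Type 7  fixed-key XOR obfuscation  password 7 0822455D0A16  (reversible, decoded below)
  Type 4  unsalted SHA-256           secret 4 ...             (weak, deprecated by Cisco)
  Type 5  salted MD5                 secret 5 $1$...          (weak against offline cracking)
  Type 8  PBKDF2-SHA256              secret 8 $8$...          (acceptable)
  Type 9  scrypt                     secret 9 $9$...          (recommended)
"""
from __future__ import annotations

import re

# The Type 7 key stream is identical on every IOS device, which is the whole problem.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a Type 7 string: two decimal digits give the starting offset into the
    key stream, the rest is hex, one byte per character, each XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]) for i, b in enumerate(data))


def type7_encode(plain: str, seed: int = 8) -> str:
    """Encode with the same scheme; used here only to build constructed test data."""
    body = "".join(f"{c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}"
                   for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body}"


# password-style commands carry an optional type digit (0 or 7) before the value
_PASSWORD_RE = re.compile(
    r"^(?:enable password|password|username \S+(?: privilege \d+)? password)\s+(?:(\d)\s+)?(\S+)$"
)
# secret-style commands always carry a type digit in running-config
_SECRET_RE = re.compile(r"^(?:enable secret|username \S+(?: privilege \d+)? secret)\s+(\d)\s+(\S+)$")


def classify(line: str) -> tuple[str, str | None] | None:
    """Return (finding, recovered_plaintext_or_None) for one config line, or None if
    the line is not a credential or is stored acceptably (Type 8/9)."""
    s = line.strip()
    m = _PASSWORD_RE.match(s)
    if m:
        ptype, value = m.group(1), m.group(2)
        if ptype == "7":
            return ("type7-reversible", type7_decode(value))
        if ptype in (None, "0"):
            return ("type0-plaintext", value)
        return (f"type{ptype}-password", None)  # any other password form is still not a hash
    m = _SECRET_RE.match(s)
    if m and m.group(1) in ("4", "5"):
        return (f"type{m.group(1)}-weak-hash", None)
    return None


def audit(config: str) -> list[tuple[int, str, str | None]]:
    """Scan a whole configuration; returns (line_number, finding, recovered_value)."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        hit = classify(line)
        if hit is not None:
            findings.append((n, hit[0], hit[1]))
    return findings


# Constructed sample config (not from a real device); the $1$/$9$ hashes are placeholders.
SAMPLE_CONFIG = """\
! constructed sample
enable password 7 0822455D0A16
enable secret 5 $1$abcd$placeholderhash
!
username legacy privilege 15 password 0 Welcome1
username admin privilege 15 secret 9 $9$placeholdersalt$placeholderhash
!
line con 0
 password cisco123
line vty 0 4
 password 7 {t7}
 login
""".format(t7=type7_encode("cisco123"))

if __name__ == "__main__":
    for n, finding, value in audit(SAMPLE_CONFIG):
        shown = "" if value is None else f"  -> {value}"
        print(f"line {n:>3}: {finding}{shown}")
```

Run it against an exported running-config to get a line-numbered list of credentials to rotate; the decoded Type 7 values are printed on purpose, because the point of the exercise is that anyone holding the file can do the same.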
1.2 Use Strong Enable Secret
The enable secret protects privileged EXEC mode. Always use scrypt hashing, and remove any legacy enable password: when both are configured the secret is what authenticates, but the weak enable password still sits in the configuration and in every backup of it.
Hardened configuration:
no enable password
enable algorithm-type scrypt secret <strong-password>
SentriFlow rule: NET-AAA-003 — Ensures the enable secret uses strong encryption (scrypt recommended).
1.3 Configure AAA Authentication
Centralized authentication via TACACS+ or RADIUS provides accountability and stronger access control.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs server TAC-PRIMARY
address ipv4 10.1.1.100
key <shared-secret>
tacacs server TAC-SECONDARY
address ipv4 10.1.1.101
key <shared-secret>
Why it matters: Local-only authentication doesn't provide centralized audit trails. If a credential is compromised, you must touch every device individually to rotate it. Keep local as the last method in each list so you are not locked out when the TACACS+ servers are unreachable, and keep the local account's secret as strong as the enable secret, since it is what an attacker falls back to. The older tacacs-server host <ip> key 0 <key> syntax is deprecated on IOS-XE, and key 0 there means the key that follows is plaintext; in either form the shared secret is stored as Type 7 in the configuration unless AES configuration encryption (key config-key password-encrypt plus password encryption aes) is enabled. Once aaa new-model is configured, the per-line login local command is replaced by the default AAA login method list.
2. SSH and Remote Access Hardening
2.1 Enforce SSH Version 2
SSH version 1 has known cryptographic weaknesses and should never be used in production.
Vulnerable configuration:
ip ssh version 1
Hardened configuration:
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
SSH requires an RSA key pair of at least 2048 bits before it will accept connections (set ip domain-name, then run crypto key generate rsa modulus 2048 in privileged EXEC mode). Without ip ssh version 2 the device runs in compatibility mode (shown as version 1.99) and still accepts SSHv1 clients, so the explicit command is what actually closes the downgrade path.
2.2 Restrict VTY Line Access
VTY lines (virtual terminal lines) control remote access to the router. They should be locked down with ACLs and SSH-only transport.
Vulnerable configuration:
line vty 0 4
password cisco123
login
transport input all
Hardened configuration:
ip access-list standard VTY-ACCESS
permit 10.0.0.0 0.0.0.255
deny any log
!
line vty 0 4
access-class VTY-ACCESS in
transport input ssh
login local
exec-timeout 5 0
logging synchronous
line vty 5 15
access-class VTY-ACCESS in
transport input ssh
login local
exec-timeout 5 0
Key hardening items:
- transport input ssh — Disables telnet, allowing only encrypted SSH connections
- access-class VTY-ACCESS in — Restricts which IP addresses can connect
- exec-timeout 5 0 — Automatically disconnects idle sessions after 5 minutes
- Configure all VTY lines (0-15), not just 0-4; the number of VTY lines is platform dependent (many IOS-XE platforms expose 0-97), so confirm the range with show line
If management sessions arrive through a VRF (for example a dedicated management VRF on IOS-XE), connections from VRF interfaces are refused by the access-class unless you append vrf-also (access-class VTY-ACCESS in vrf-also). The deny any log entry is worth keeping: every logged hit is a remote address that tried to reach the management plane and was not on the allow list.
SentriFlow rule: JSON-CISCO-005 — Ensures VTY lines have access-class configured for SSH access control.
2.3 Disable Telnet Everywhere
Telnet sends everything in plaintext, including credentials. Restrict the inbound transport on every VTY line, and restrict the outbound transport as well so the device cannot be used as a plaintext jump host into the rest of the network.
line vty 0 15
transport input ssh
!
line con 0
transport output ssh
3. SNMP Security
3.1 Never Use Default Community Strings
The community strings public and private are the first things attackers try.
Vulnerable configuration:
snmp-server community public RO
snmp-server community private RW
Hardened configuration:
! Use SNMPv3 with authentication and encryption, bound to an ACL
snmp-server group MONITORING v3 priv access SNMP-ACL
snmp-server user monitor MONITORING v3 auth sha <auth-pass> priv aes 256 <priv-pass>
!
! If SNMPv2c is required, use complex strings and ACLs
snmp-server community xK9#mP2$vL7@nQ RO SNMP-ACL
!
ip access-list standard SNMP-ACL
permit 10.1.1.0 0.0.0.255
deny any log
Why it matters: SNMP with read-write access and a default community string gives an attacker full control over the device configuration, including the ability to push a new configuration or pull the current one to a host they control. Two things to check after applying this: snmp-server user entries are deliberately not shown in show running-config, so verify them with show snmp user, and make sure no read-write community remains, since the RO string above does nothing to protect a forgotten RW one.
4. Network Segmentation and Layer 2 Security
4.1 Disable DTP on All Trunk Ports
Dynamic Trunking Protocol (DTP) negotiates trunking with whatever is on the far end of the link, so a host that sends DTP frames can turn its port into a trunk and reach every VLAN allowed on it. An explicit switchport mode trunk still sends DTP; switchport nonegotiate is what stops it, and the explicit allowed VLAN list limits what the trunk carries. For the double-tagging variant of VLAN hopping, also move the trunk's native VLAN to a dedicated unused VLAN (switchport trunk native vlan <unused-vlan>) that is never assigned to a live access port.
Vulnerable configuration:
interface GigabitEthernet0/1
switchport mode trunk
Hardened configuration:
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10,20,30
SentriFlow rules:
- NET-TRUNK-001 — Detects trunk ports without switchport nonegotiate
- JSON-CISCO-001 — Ensures trunk ports have an explicit allowed VLAN list
- JSON-CISCO-004 — Flags trunk ports without DTP disabled (tagged: vlan-hopping)
4.2 Explicitly Configure Access Ports
Don't rely on default port modes: on many Catalyst platforms the default is dynamic, which will happily negotiate a trunk with a host that speaks DTP. Explicitly set access mode and assign VLANs. Portfast is an availability setting; BPDU guard is the security control that goes with it, shutting the port down if a switch (or a host pretending to be one) starts sending spanning-tree BPDUs.
Hardened configuration:
interface GigabitEthernet0/2
description User Access - Desk 42A
switchport mode access
switchport access vlan 10
spanning-tree portfast
spanning-tree bpduguard enable
SentriFlow rules:
- NET-ACCESS-001 — Ensures interfaces have explicit switchport mode access
- JSON-CISCO-002 — Checks that access ports have spanning-tree portfast enabled
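The following is an added example, not SentriFlow's code or a SentriFlow rule: a minimal parser for IOS-style indented configuration blocks, with checks for the VTY items in section 2.2 (access-class present and actually defined, SSH-only transport, idle timeout, every VTY line covered) and the trunk and access-port items in sections 4.1 and 4.2. The sample configuration, the finding labels and the assumed VTY range 0-15 are constructed for this example.

```python
"""Added example, not SentriFlow code: parse IOS config blocks and check the VTY
(section 2.2), trunk (4.1) and access-port (4.2) items. Finding codes are this
script's own labels, not SentriFlow rule IDs."""
from __future__ import annotations

import re


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """IOS nests sub-commands under a top-level command by indenting them with a
    space; '!' lines are separators. Returns [(header, [sub-commands]), ...]."""
    blocks: list = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def defined_acls(blocks) -> set[str]:
    """Names/numbers of ACLs actually defined, so a dangling access-class is caught."""
    acls = set()
    for header, _ in blocks:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        m = m or re.match(r"access-list (\d+) ", header)
        if m:
            acls.add(m.group(1))
    return acls


def check_vty(blocks, expected_lines=range(16)) -> list[str]:
    """VTY checks. expected_lines (assumed 0-15 here) is platform dependent; many
    IOS-XE platforms have vty 0-97, so confirm with 'show line' before trusting it."""
    acls = defined_acls(blocks)
    findings, covered = [], set()
    for header, body in blocks:
        m = re.match(r"line vty (\d+)(?: (\d+))?$", header)
        if not m:
            continue
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        covered.update(range(first, last + 1))
        acl = next((b.split()[1] for b in body if b.startswith("access-class ")), None)
        if acl is None:
            findings.append(f"{header}: vty-no-access-class")
        elif acl not in acls:
            findings.append(f"{header}: vty-acl-undefined ({acl})")
        transport = next((b for b in body if b.startswith("transport input")), None)
        if transport is None:  # the default transport differs between IOS releases
            findings.append(f"{header}: vty-transport-unspecified")
        elif transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: vty-transport-not-ssh ({transport})")
        timeout = next((b.split()[1:] for b in body if b.startswith("exec-timeout")), None)
        if timeout is None or all(t == "0" for t in timeout):  # 'exec-timeout 0 0' disables it
            findings.append(f"{header}: vty-exec-timeout-missing-or-disabled")
    missing = sorted(set(expected_lines) - covered)
    if missing:
        findings.append(f"vty-lines-uncovered: {missing}")
    return findings


def check_interfaces(blocks) -> list[str]:
    """Layer 2 checks on switchports; routed interfaces (no switchport lines) are skipped."""
    findings = []
    for header, body in blocks:
        if not header.startswith("interface "):
            continue

        def has(prefix: str) -> bool:
            return any(b.startswith(prefix) for b in body)

        if has("switchport mode trunk"):
            if not has("switchport nonegotiate"):
                findings.append(f"{header}: trunk-dtp-enabled")
            if not has("switchport trunk allowed vlan"):
                findings.append(f"{header}: trunk-no-allowed-vlan-list")
        elif has("switchport mode access"):
            if not has("spanning-tree bpduguard enable"):
                findings.append(f"{header}: access-no-bpduguard")
        elif has("switchport") and not has("shutdown"):
            # mode left at the platform default (often dynamic), so DTP can negotiate a trunk
            findings.append(f"{header}: switchport-mode-not-fixed")
    return findings


def audit(config: str) -> list[str]:
    blocks = parse_blocks(config)
    return check_vty(blocks) + check_interfaces(blocks)


# Constructed sample config (not from a real device): one good trunk, one bad trunk,
# an access port without BPDU guard, a port with no mode, and one bad VTY range.
SAMPLE_CONFIG = """\
! constructed sample
ip access-list standard VTY-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny any log
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport access vlan 20
!
line vty 0 4
 access-class VTY-ACCESS in
 transport input ssh
 login local
 exec-timeout 5 0
line vty 5 15
 access-class MGMT-ONLY in
 transport input telnet ssh
 exec-timeout 0 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The undefined-ACL check is the one most often missing from hand-written reviews: access-class MGMT-ONLY in looks hardened on a line-by-line read, but if no ACL of that name exists the line accepts connections from anywhere.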
4.3 Secure Unused Ports
Unused but live ports are a common entry point for anyone with physical access to a wiring closet or an unpatched wall jack. Put them in an unused VLAN, set access mode so they cannot negotiate a trunk if re-enabled, and shut them down.
interface range GigabitEthernet0/10-24
switchport mode access
switchport access vlan 999
shutdown
!
vlan 999
name BLACKHOLE
5. Logging and Monitoring
5.1 Configure Adequate Logging Buffer
A small logging buffer loses critical forensic information.
Vulnerable configuration:
logging buffered 4096
Hardened configuration:
logging buffered 131072 informational
logging trap informational
logging source-interface Loopback0
logging host 10.1.1.200
logging host 10.1.1.201
!
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
Recommended buffer sizes:
| Device Role | Minimum Buffer Size |
|---|---|
| Access switch | 64 KB (65536) |
| Distribution switch | 128 KB (131072) |
| Core router | 256 KB (262144) |
| Internet edge | 512 KB (524288) |
5.2 Enable Remote Syslog
Local logging alone is insufficient: the buffer is lost on reload and can be cleared by anyone who gains privileged access. Send logs to a centralized SIEM, and prefer TCP over the default UDP 514 so that messages are not silently dropped under load. Note that 6514 is the IANA-assigned port for syslog over TLS; transport tcp on that port is still plaintext TCP, so either use the TLS transport where the platform supports it (IOS-XE) or point at the TCP port your collector actually listens on.
logging host 10.1.1.200 transport tcp port 6514
logging host 10.1.1.201 transport tcp port 6514
6. Service Hardening
6.1 Disable Unnecessary Services
Every enabled service is a potential attack surface. Two caveats before applying the list wholesale: disable the HTTP and HTTPS servers unless you manage the device through its web interface (if you must keep HTTPS, bind it to an ACL with ip http access-class), and remember that CDP is required by Cisco IP phones and used by many operations tools, so if no cdp run is not an option, disable it per interface with no cdp enable on untrusted and user-facing ports, and treat LLDP the same way.
no ip http server
no ip http secure-server
no cdp run
no ip source-route
no ip finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip gratuitous-arps
6.2 Configure a Login Banner
Login banners provide legal notice and deter unauthorized access.
banner login ^
*********************************************************************
* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. *
* All connections are monitored and recorded. *
* Disconnect IMMEDIATELY if you are not an authorized user. *
*********************************************************************
^
7. Interface Documentation
7.1 Add Descriptions to All Interfaces
Interface descriptions are essential for operational clarity during outages and audits.
Missing documentation:
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.252
no shutdown
Properly documented:
interface GigabitEthernet0/1
description [WAN] Link to ISP-A | Circuit: CKT-12345 | 1Gbps
ip address 10.0.0.1 255.255.255.252
no shutdown
SentriFlow rule: JSON-CISCO-003 — Ensures all interfaces have a description for documentation.
8. Routing Protocol Security
8.1 Authenticate Routing Protocols
Unauthenticated routing protocols allow anyone who can reach the segment to inject or withdraw routes and pull traffic through a path they control.
router ospf 1
area 0 authentication message-digest
!
interface GigabitEthernet0/1
ip ospf message-digest-key 1 md5 <key>
ip ospf authentication message-digest
!
router bgp 65001
neighbor 10.0.0.2 remote-as 65002
neighbor 10.0.0.2 password <key>
neighbor 10.0.0.2 ttl-security hops 1
OSPF message-digest authentication is the common baseline, but it is keyed MD5. IOS-XE also supports HMAC-SHA for OSPFv2 through key chains (ip ospf authentication key-chain <name> on the interface, with cryptographic-algorithm hmac-sha-256 under the key), which is the better choice when both ends support it and also gives you rotation without a flap. The BGP password enables TCP MD5 (RFC 2385) on the session; ttl-security hops 1 (GTSM, RFC 5082) additionally drops BGP packets that did not originate on the directly connected peer, which blocks spoofed session attempts from further away.
Quick Reference Checklist
Use this checklist during your next configuration review:
| # | Item | Priority | SentriFlow Rule |
|---|---|---|---|
| 1 | No plaintext or Type 7 passwords | Critical | NET-SEC-001 |
| 2 | Strong enable secret (scrypt) | Critical | NET-AAA-003 |
| 3 | SSH version 2 only | Critical | — |
| 4 | VTY access-class configured | Critical | JSON-CISCO-005 |
| 5 | Transport input SSH on VTY lines | Critical | — |
| 6 | DTP disabled on trunk ports | High | JSON-CISCO-004 |
| 7 | Explicit VLAN list on trunks | High | JSON-CISCO-001 |
| 8 | Explicit access mode on ports | Medium | NET-ACCESS-001 |
| 9 | Portfast on access ports | Medium | JSON-CISCO-002 |
| 10 | SNMP v3 or complex community + ACL | High | — |
| 11 | Adequate logging buffer | Medium | — |
| 12 | Remote syslog configured | Medium | — |
| 13 | Unnecessary services disabled | Medium | — |
| 14 | Interface descriptions | Low | JSON-CISCO-003 |
| 15 | Routing protocol authentication | High | — |
| 16 | Unused ports shut down | Medium | — |
Automate Your Cisco IOS Audits
Manually reviewing configurations doesn’t scale. SentriFlow automates this entire checklist across your fleet:
Install SentriFlow:
npm install -g @sentriflow/cli
Validate a Single Configuration:
sentriflow router.conf
Scan Your Entire Config Repository:
sentriflow -D ./configs -R --progress
Integrate with CI/CD
Generate SARIF output for GitHub Advanced Security:
sentriflow -f sarif router.conf > results.sarif
See the full CI/CD integration guide.
Further Reading
- SentriFlow Rule Catalog — Browse all 59 built-in security rules
- Custom Rules Guide — Add organization-specific checks
- GitHub Actions Integration — Automate validation in your pipeline
- CLI Reference — Full command-line documentation