5 Easy Steps to Securing Your Cisco Switch or Router

Every network administrator should know how to secure their network to reduce its exposure to malicious activity. Often it just comes down to following a few best practices for securing a Cisco switch or router. Here are 5 easy steps to secure your Cisco switch or router.

enable secret

When you use the command,
show run
do you see your passwords in plain text? That’s a no-no. Use
enable secret your-password
so that nosy people who see your configuration cannot read the password and get into your switch or router. Enable secret stores your password as a one-way hash instead of plain text – AWAY WITH PLAIN TEXT.

encrypt plain text passwords

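If you’ve moved over to encrypted passwords and noticed that your existing passwords are still in plain text, then run the global configuration command:
service password-encryption
to encrypt all your passwords. Note that this uses the reversible type 7 encoding, which only protects against casual viewing of the configuration; it is not a substitute for enable secret.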

secure console access

Physical security should be your first line of defense. But what if you have shoddy physical security? Then use console security to stop curious users from connecting to your console port:
conf t
  line con 0
  password your-password
  login
Be aware that this does not protect your Cisco device from the password recovery procedure. This is why physical security is important!

secure remote access

What protocol are you using to remote into your Cisco switches and routers for management? If you said Telnet, shame on you! Telnet does not encrypt any traffic between you and your Cisco devices. Everything you type is in cleartext. The best alternative is to use SSH. All traffic between you and your Cisco switch or router will be encrypted.
conf t
 line vty 0 4
 login local
 transport input ssh
username user password user-password
ip domain-name domain
crypto key generate rsa
The above commands allow only SSH traffic to your Cisco switch or router and prompt for a username and password; the user account must exist locally on the switch.

parking lot or shutdown the interface

Organize your network with the use of virtual local area networks (vlans). Put accounting on their own vlan, HR on their own vlan, IT on their own vlan. Not only is it good to segment these departments, you can also create a parking lot vlan. A parking lot vlan is where you can put all unused interfaces. So if a malicious user wanted to connect to your network via an open port from the wall, they wouldn’t be able to connect to anything because that unused port would be put on a vlan that is not being used.
conf t
 vlan 3
 name parking-lot
int fa0/15
 switchport mode access
 switchport access vlan 3
A better solution would be to shut down an unused interface. When an interface is shut down, it cannot be used until you use the no shutdown command to bring the interface back up.
conf t
 int fa0/15
 shutdown
To bring it back to a working interface:
conf t
 int fa0/15
 no shut
And those are my 5 easy steps to securing your Cisco switch or router. There are other advanced ways but if you’re new to Cisco then the above steps will be better than having a non-secured network. If you have any questions or feedback please comment below!
