Device Hardening

Shrink the attack surface of every switch, router and host — and always pick the encrypted protocol.

// hardening checklist

Change default credentials; enforce strong passwords + MFA
Disable unused services (Telnet, HTTP) — use SSH / HTTPS
Patch firmware & OS promptly
Port security + 802.1X on access ports
Enable DHCP snooping + Dynamic ARP Inspection
Shut unused switchports; park them in a black-hole VLAN
Protect the management plane (ACLs, CoPP, out-of-band)
Centralize logging (Syslog) and time (NTP)
Role-based access through AAA

Avoid	Use
Telnet (23)	SSH (22)
HTTP (80)	HTTPS (443)
FTP (21)	SFTP / FTPS
SNMP v1 / v2c	SNMPv3
TFTP	SCP

// hardening by plane

Management plane	SSH only, ACL on VTY, AAA + MFA, role-based CLI, logging & NTP
Control plane	Routing-protocol auth, CoPP, BPDU guard, DHCP snooping, DAI
Data plane	Port security, ACLs, private VLANs, storm control, uRPF

device hardening · cisco ios

service password-encryption
security passwords min-length 12
enable secret <strong-secret>
!
aaa new-model
username admin privilege 15 secret <strong-secret>
!
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 transport input ssh
 access-class MGMT in
 exec-timeout 5 0
 login authentication default
!
no ip http server
ip http secure-server
login block-for 60 attempts 3 within 30
banner login ^Authorized access only^

verify

show ip ssh
show running-config | include service|aaa|login
show users
show ip access-lists MGMT