Security is a basic consideration that should always be kept in mind when building, engineering and deploying voice and data networks of any size. The following is a quick checklist of very basic router and switch hardening settings, given in Cisco IOS syntax.
-Set logins and passwords: a local username for each administrator and an enable secret, using the 'secret' form (irreversible hash) rather than 'password' (cleartext or reversible type 7)
-Disable the web server(s) (i.e. HTTP and HTTPS); the web management interface is rarely needed and both listeners widen the attack surface
-(config)#no ip http server
-(config)#no ip http secure-server
-Limit the subnets allowed remote access: write a standard access-list of management networks and apply it to the vty lines with access-class
-Use SSH whenever possible, and restrict the vty lines to SSH only so that Telnet (cleartext credentials) is not accepted
-Enable logging, both to the local buffer and to a remote syslog server, so that events survive a reload and an attacker cannot simply clear them on the box
-(config)#logging buffered 64000
-(config)#logging A.B.C.D (IP address of the syslog server, e.g. Kiwi Syslog; newer IOS stores this as logging host A.B.C.D)
-Limit CDP reach where possible (Cisco IP phones rely on CDP for voice VLAN and power negotiation, so leave it on phone ports). CDP advertisements are sent by the switch every 60 seconds by default and can be sniffed on any port where it is enabled; they carry the device name, platform, IOS version, IP addresses and native VLAN.
-(config)#no cdp run (disable globally)
-(config-if)#no cdp enable (disable on a single interface)
-Use BPDU Guard on portfast ports. If the switch receives a BPDU on such a port it puts the port into err-disabled state, since portfast ports are meant for end hosts and should never have another switch connected to them.
-(config-if)#spanning-tree bpduguard enable (err-disable this interface if a BPDU arrives)
**BPDU Filter: the interface neither sends nor receives BPDUs. Unlike BPDU Guard, a BPDU arriving on the port is silently ignored instead of shutting the port down, so a rogue switch or a loop plugged into that port goes undetected; this can be dangerous and BPDU Guard is the safer choice for edge ports.
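The whole checklist can be verified against a saved running-config rather than by eye. The audit script below is an added example and not part of the original checklist: it parses Cisco IOS running-config text, then reports each item that is missing or set the weak way (HTTP servers on, vty lines without an access-class or accepting Telnet, no buffered or remote logging, CDP left on access ports, portfast ports without BPDU Guard, BPDU Filter enabled, reversible passwords). The two configs it runs against, WEAK_CONFIG and HARDENED_CONFIG, are constructed for the example with placeholder addresses and hashes. The rule that a port carrying a voice VLAN is a phone port and may keep CDP is an assumption of the script, not something the checklist states.

```python
# Added example: audit IOS running-config text against the checklist above.
# Not code from the original page; sample configs are constructed.
import re


def parse_ios_config(text):
    """Split running-config text into global commands and the indented
    children of 'interface ...' / 'line ...' sections ('!' ends a section)."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith('!'):
            current = None
            continue
        if line.startswith(' '):            # child line of the open section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(('interface ', 'line ')):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(text):
    """Return one finding string per checklist item the config violates."""
    g, sections = parse_ios_config(text)
    f = []
    # Logins and passwords: 'secret' (irreversible hash), never 'password'.
    if not any(l.startswith('enable secret ') for l in g):
        f.append('enable secret not configured')
    if any(l.startswith('enable password ') for l in g):
        f.append('enable password present (reversible); use enable secret')
    for m in (re.match(r'username (\S+) password ', l) for l in g):
        if m:
            f.append(f'username {m.group(1)} uses password, not secret')
    # Web servers: both HTTP and HTTPS must be off ('no ip http ...' lines
    # do not match these exact strings).
    for srv in ('ip http server', 'ip http secure-server'):
        if srv in g:
            f.append(f'{srv} enabled')
    # Logging: local buffer plus a remote syslog host ('logging host X' on
    # newer IOS, plain 'logging X' on older releases).
    if not any(l.startswith('logging buffered') for l in g):
        f.append('logging buffered not configured')
    if not any(re.match(r'logging (host )?\d+\.\d+\.\d+\.\d+', l) for l in g):
        f.append('no syslog server configured')
    cdp_global = 'no cdp run' not in g              # CDP is on by default
    bpduguard_global = 'spanning-tree portfast bpduguard default' in g
    for name, lines in sections.items():
        if name.startswith('interface '):
            ifname = name.split(' ', 1)[1]
            # ASSUMPTION: a port with a voice VLAN serves an IP phone and may
            # keep CDP; every other port should have it disabled.
            phone_port = any(l.startswith('switchport voice vlan') for l in lines)
            if cdp_global and not phone_port and 'no cdp enable' not in lines:
                f.append(f'{ifname}: CDP enabled on non-phone port')
            portfast = any(l.startswith('spanning-tree portfast') for l in lines)
            if (portfast and not bpduguard_global
                    and 'spanning-tree bpduguard enable' not in lines):
                f.append(f'{ifname}: portfast without BPDU guard')
            if 'spanning-tree bpdufilter enable' in lines:
                f.append(f'{ifname}: BPDU filter enabled (loops go undetected)')
        elif name.startswith('line vty'):
            if not any(l.startswith('access-class ') for l in lines):
                f.append(f'{name}: no access-class limiting remote access')
            ti = [l for l in lines if l.startswith('transport input')]
            if ti != ['transport input ssh']:
                f.append(f'{name}: transport input not restricted to ssh '
                         f'({ti[0] if ti else "no transport input line"})')
    return f


# Constructed sample: the kind of config the checklist is meant to catch.
WEAK_CONFIG = """\
enable password cisco
username admin password 0 cisco
ip http server
ip http secure-server
!
interface GigabitEthernet0/1
 spanning-tree portfast
!
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample with every item applied (hashes are placeholders).
HARDENED_CONFIG = """\
enable secret 5 $1$XXXX$placeholder.hash.not.real
username admin secret 5 $1$XXXX$placeholder.hash.not.real
no ip http server
no ip http secure-server
logging buffered 64000
logging host 192.0.2.10
spanning-tree portfast bpduguard default
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/1
 spanning-tree portfast
 no cdp enable
!
interface GigabitEthernet0/2
 switchport voice vlan 100
 spanning-tree portfast
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f'{label}: {audit(cfg) or ["OK"]}')
```

Feed it the output of `show running-config` saved to a file and it gives a per-device list of what the checklist still wants. The hardened sample deliberately leaves CDP running globally and disables it per port, which is the shape you need on a switch with IP phones; on a pure data switch `no cdp run` is simpler and the per-interface check is then skipped.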