Border Router Security Lockdown?

Unanswered Question
Jan 7th, 2010
User Badges:

Hello there,

I've got a Cisco 2811 router which I'm installing as the link to our ISP, i.e. it's a border router

(outside our firewall and the next hop to the ISP's router).

It's a very simple setup - 2 interfaces (1 connected to the Internet and 1 to our firewall) and just

1 static route (a default route) going out to the Internet and no dynamic routing protocols.

I need to make it secure and was wondering if there was a best practices document.  So far I've

connected to the web based SDM on the router and run the security lockdown feature.  However I've

seen pictures on the Internet of a client based SDM which looked to have much more features than the

web based one.  Is this still available and if so does it have more security features?

Is there a CLI based one step lockdown for the router?

Also, should I put an access list on the outside interface?  Should I block traffic to the router

itself and just allow it to pass traffic through?  Should I be blocking private address ranges from

the Internet side?  What about multicast addresses (we are not running multicasting)? And perhaps

the address range on the outside of our firewall and inside interface of the router (anti-spoofing)?

Any advice appreciated,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.4 (7 ratings)
Giuseppe Larosa Thu, 01/07/2010 - 04:20
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Pete,

if you are good at CLI you can stop to worry about SDM.

>>Also, should I put an access list on the outside interface?

yes inbound , it should be used to deny traffic coming from private RFC 1918 addresses, from bogus addresses, and from your own public addresses (that would be spoofed)

About multicast should be just enough to have it not enabled on the router, but if you like you can block when destination is multicast in the ACL above.

Also you need to use an access-class on vty to access telnet or ssh sessions only from your own ip addresses

Hope to help


Marwan ALshawi Thu, 01/07/2010 - 04:24
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

i think you need some level of security mostly to secure the traffic destined to the router it self because you have a firewall behind the router which supposed to do the firewalling toyour LAN

try to consider all or some of the following:

disable unused services such as dhcp

block all management traffic from outside coming to the router ( if you want to access the router from the Internet allow only ssh )

deny private ip range from to come from the Internet ( make sure after you deny the private range you have  a permit ip any in the end )

disable ip redirects and ip unreachable in the outside interface

exmaple :


Router(config)# no service dhcp

Router(config)# no service pad

outside interface:

Router(config)# interface fax/x (internet interface)

Router(config)# ip access-group ingress-filter in

Router(config-if)# no ip proxy-arp

Router(config-if)# no ip directed-broadcast

Router(config-if)# no ip unreachable

Router(config-if)# no ip redirect

Router(config-if)# no ip mask-reply

Router(config)# ip access-list extended in-filter

Router(config-ext-nacl)# deny ip any

Router(config-ext-nacl)# deny ip any

Router(config-ext-nacl)# deny ip any

Router(config-ext-nacl)# deny ip any host eq telnet

Router(config-ext-nacl)# permit ip any any

permit SSH only

Router(config)# username youuser privilege 15 secret youpass

Router(config)# hostname routerneame

Bullmastiff(config)# ip domain-name

Bullmastiff(config)# crypto key generate rsa

Bullmastiff(config)# line vty 0 4

Bullmastiff(config-line)# login local

Bullmastiff(config-line)# transport input ssh

Bullmastiff(config-line)# transport output ssh

if you want to go advanced level you may need to look at control plane policing

good luck

if helpful Rate

Jon Marshall Thu, 01/07/2010 - 05:23
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Just to add one thing.

To be a "good" citizen on the internet you can also have an acl on the inside interface of your router specifying the source addresses that are allowed from your network to the Internet - probably only be a few public IP addresses.


tarnhundal Thu, 01/07/2010 - 07:33
User Badges:


             You can secure your router also with CLI . you can implement CBAC feature there . With some inspection rules you can block unwanted services and acces.



Peter.D.Brown Sat, 01/09/2010 - 06:45
User Badges:

Thanks everyone for the replies on the border router security lockdown.

I've now got it pretty much locked down I think, though I'm going to take a look at the Cisco IOS lockdown procedure document that was specifiec in one of the replies.

In answer to some of my own questions...

The SDM that I connected to with the web browser was SDM Express and the functionality is limited.  I used this for a security lockdown anyway and it seemed to take care of most things.  I then found an old version of SDM client on my laptop (which I upgraded from and then connected to my new 2811 router with).  This proper client has much more functionality - I think it still connects to the web based SDM on the router.  Anyway there was a 'security audit wizard' in this which it said could be used to analyse the router.  I set it off running and 10 minutes later it was still on the hour glass so it didn't actually tell me anything at all.  I didn't want to do the 'one stop lockdown' in the client based SDM because it might have put stuff on the router that I wasn't happy with.  Maybe I'll give the security audit wizard another go but I've used another method anyway so it would be just out of curiosity to see if it finds any security problems.

Anyway I ran the 'auto secure full' command from the CLI.  This is a CLI based wizard which asks a few questions and gives you a config based on the questions.  It doesn't put the config on unless you tell it to at the end.  This was good because I ran it, it generated a config (which I copied and pasted into a text doc) and then I told it not to apply the config because it wanted to do stuff with the enable password and various other bits and pieces that I didn't want.  I compared the text doc with the current router config and then added all the stuff that I was interested in manually, so it's all good.

Then I put on an access list to block spoofed traffic and a few other things from the Internet.




This Discussion