Cisco Support Community


Unused Interfaces (Security Exposure?)

I always see/hear that unused interfaces on routers MUST be shut down. However, I do not understand the security exposure in some instances. For instance, if an interface does not have an IP address, can it be exposed? I realize that for physical interfaces, the exposure is that someone could plug in to the interface's physical port on the router, but if physical security is very tight and an unused interface does not have an IP address, what is the exposure? I suppose maybe MAC addresses could be used. What is the exposure on an unused virtual interface, not a VLAN or loopback interface, but a virtual interface based off a physical interface? Basically, is this a "real" risk, or just another layer in the defense?



Re: Unused Interfaces (Security Exposure?)

Shutting down unused router interfaces is considered more of a "might as well" kind of thing rather than a must from a security standpoint. As you mention, there's little to take advantage of if the interface doesn't have an IP address configured. But you never know when someone is going to misconfigure something. One thing that could be done with an enabled but IP-less interface is to connect to it directly and DoS the router with a flood of packets. So it's considered best practice to just eliminate such possibilities by disabling unused interfaces.

Switch ports are obviously another story -- they're much more dangerous to leave open.
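The condition the reply describes (an interface that is administratively enabled but has no IP address) is easy to audit from `show ip interface brief` output. The script below is an added example written for this thread, not code from the thread or from Cisco; the sample output it parses is constructed to look like IOS output, and the interface names, addresses, and the description text it generates are made up. It flags enabled, IP-less interfaces (including subinterfaces hanging off an enabled parent) and emits the `shutdown` configuration for them.

```python
"""Audit `show ip interface brief` output for enabled interfaces with no IPv4 address.

Added example for the thread above; not from the original post or from Cisco.
The sample output below is constructed, not captured from a real device.
"""
import re

# Constructed sample of `show ip interface brief` output (names and addresses made up).
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.0.2.1       YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES unset  up                    down
GigabitEthernet0/1.100     unassigned      YES unset  up                    down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
Loopback0                  198.51.100.1    YES NVRAM  up                    up
Vlan1                      unassigned      YES unset  administratively down down
"""

# One row of the table. "administratively down" is tried before "up"/"down" so the
# two-word status is not split across the Status and Protocol columns.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<protocol>\S+)\s*$"
)


def parse_brief(text):
    """Return a list of dicts, one per interface row, skipping the header."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rows.append(m.groupdict())
    return rows


def enabled_without_ip(rows):
    """Names of interfaces that are not shut down and carry no IPv4 address.

    Status 'up' means the interface is administratively enabled; the Protocol
    column (link state) is deliberately ignored, because an interface that is
    'up/down' today accepts traffic as soon as someone plugs a cable in.
    A subinterface inherits its parent's state, so it is reported too; shutting
    the parent takes the subinterfaces down with it.
    """
    return [
        r["name"]
        for r in rows
        if r["status"] != "administratively down" and r["ip"] == "unassigned"
    ]


def shutdown_config(names):
    """Build the IOS configuration that disables the given interfaces."""
    lines = ["configure terminal"]
    for name in names:
        lines += [f"interface {name}", " description UNUSED - shut per policy", " shutdown"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = enabled_without_ip(parse_brief(SAMPLE_SHOW_IP_INT_BRIEF))
    print("Enabled interfaces with no IP address:", flagged)
    print(shutdown_config(flagged))
```

On the constructed sample this reports GigabitEthernet0/1 and its subinterface GigabitEthernet0/1.100; GigabitEthernet0/2 and Vlan1 are already administratively down and Loopback0 has an address. The check only looks at IPv4; an interface with only an IPv6 address would show as `unassigned` here and needs `show ipv6 interface brief` as well.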


Re: Unused Interfaces (Security Exposure?)

Thanks for the response. That is pretty much what I thought, but I want to be sure. As for connecting directly, I understand that for physical interfaces, but I am also trying to discern whether someone could connect to an IP-less virtual interface over the network using something such as the MAC address. Off-hand, I can't think of such a possibility, but then again, I certainly don't know it all. Thanks again for the reply.