Cisco Support Community

New Member

Border Router Security Lockdown?

Hello there,

I've got a Cisco 2811 router which I'm installing as the link to our ISP, i.e. it's a border router (outside our firewall and the next hop to the ISP's router).

It's a very simple setup - 2 interfaces (1 connected to the Internet and 1 to our firewall) and just 1 static route (a default route) going out to the Internet and no dynamic routing protocols.

I need to make it secure and was wondering if there was a best practices document. So far I've connected to the web based SDM on the router and run the security lockdown feature. However I've seen pictures on the Internet of a client based SDM which looked to have many more features than the web based one. Is this still available and if so does it have more security features?

Is there a CLI based one step lockdown for the router?

Also, should I put an access list on the outside interface? Should I block traffic to the router itself and just allow it to pass traffic through? Should I be blocking private address ranges from the Internet side? What about multicast addresses (we are not running multicasting)? And perhaps the address range on the outside of our firewall and inside interface of the router (anti-spoofing)?

Any advice appreciated,


Re: Border Router Security Lockdown?

Hi Pete,

Check out the best practices for hardening IOS based devices by Cisco.

Hope this helps with your query!!



Hall of Fame Super Silver

Re: Border Router Security Lockdown?

Hello Pete,

If you are good at CLI you can stop worrying about SDM.

>>Also, should I put an access list on the outside interface?

Yes, inbound; it should be used to deny traffic coming from private RFC 1918 addresses, from bogus addresses, and from your own public addresses (that would be spoofed).

About multicast, it should be enough to have it not enabled on the router, but if you like you can also block packets whose destination is multicast in the ACL above.

Also you need to use an access-class on the vty lines to accept telnet or ssh sessions only from your own IP addresses.

Hope to help


Re: Border Router Security Lockdown?

I think you need some level of security mostly to secure the traffic destined to the router itself, because you have a firewall behind the router which is supposed to do the firewalling for your LAN.

Try to consider all or some of the following:

- disable unused services such as dhcp
- block all management traffic from outside coming to the router (if you want to access the router from the Internet allow only ssh)
- deny the private IP ranges coming in from the Internet (make sure that after you deny the private ranges you have a permit ip any any at the end)
- disable ip redirects and ip unreachables on the outside interface

example:

Router(config)# no service dhcp
Router(config)# no service pad

ingress filter (the ACL is defined first, then applied on the Internet-facing interface; the RFC 1918 ranges and the ROUTER-OUTSIDE-IP placeholder fill in addresses that were missing above):

Router(config)# ip access-list extended ingress-filter
Router(config-ext-nacl)# remark RFC 1918 private ranges must never arrive from the Internet
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# remark no telnet to the router itself (replace ROUTER-OUTSIDE-IP with the real address)
Router(config-ext-nacl)# deny tcp any host ROUTER-OUTSIDE-IP eq telnet
Router(config-ext-nacl)# permit ip any any

outside interface:

Router(config)# interface FastEthernet0/0 (replace with your Internet interface)
Router(config-if)# ip access-group ingress-filter in
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply

permit SSH only:

Router(config)# username youruser privilege 15 secret yourpass
Router(config)# hostname Bullmastiff
Bullmastiff(config)# ip domain-name YOUR-DOMAIN (ssh needs a domain name before the rsa key can be generated)
Bullmastiff(config)# crypto key generate rsa
Bullmastiff(config)# line vty 0 4
Bullmastiff(config-line)# login local
Bullmastiff(config-line)# transport input ssh
Bullmastiff(config-line)# transport output ssh

If you want to go to an advanced level you may need to look at control plane policing.

good luck

if helpful Rate

Hall of Fame Super Blue

Re: Border Router Security Lockdown?


Just to add one thing.

To be a "good" citizen on the Internet you can also have an ACL on the inside interface of your router specifying the source addresses that are allowed from your network to the Internet - probably only a few public IP addresses.
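The inbound anti-spoofing list from the earlier reply and the egress filter suggested here, written out as one IOS configuration. This is an added example, not config from any of the posters; it assumes constructed addresses (203.0.113.0/24 is the public block between the router's inside interface and the firewall, 198.51.100.2 is the router's Internet-facing address), FastEthernet0/0 faces the ISP, FastEthernet0/1 faces the firewall, and the ACL names are made up.

```cisco
! Constructed example: replace the 203.0.113.0/24 block and 198.51.100.2 with your own addresses.
ip access-list extended BORDER-IN
 remark anti-spoofing: our own public block can never legitimately arrive from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark RFC 1918 private ranges
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark other bogus sources: this-network, loopback, link-local, class D/E
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark we run no multicast, so drop anything addressed to a multicast group
 deny   ip any 224.0.0.0 15.255.255.255
 remark no management of the router from the Internet (SSH is allowed, restricted by access-class below)
 deny   tcp any host 198.51.100.2 eq telnet
 deny   tcp any host 198.51.100.2 eq www
 deny   udp any host 198.51.100.2 eq snmp
 permit ip any any
!
ip access-list extended BORDER-OUT
 remark good-citizen egress filter: only our own public addresses may leave
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list standard MGMT-HOSTS
 remark only our own addresses may open vty sessions
 permit 203.0.113.0 0.0.0.255
!
interface FastEthernet0/0
 description Internet-facing link to the ISP
 ip access-group BORDER-IN in
!
interface FastEthernet0/1
 description link to the firewall outside interface
 ip access-group BORDER-OUT in
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The `log` keyword on the two anti-spoof deny entries is handy while proving the filter, but logged hits are process-switched, so drop it once the lists behave as expected.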


New Member

Re: Border Router Security Lockdown?


You can secure your router also with CLI. You can implement the CBAC feature there. With some inspection rules you can block unwanted services and access.



New Member

Re: Border Router Security Lockdown?

Thanks everyone for the replies on the border router security lockdown.

I've now got it pretty much locked down I think, though I'm going to take a look at the Cisco IOS lockdown procedure document that was specified in one of the replies.

In answer to some of my own questions...

The SDM that I connected to with the web browser was SDM Express and the functionality is limited. I used this for a security lockdown anyway and it seemed to take care of most things. I then found an old version of the SDM client on my laptop (which I upgraded and then connected to my new 2811 router with). This proper client has much more functionality - I think it still connects to the web based SDM on the router. Anyway there was a 'security audit wizard' in this which it said could be used to analyse the router. I set it off running and 10 minutes later it was still on the hourglass, so it didn't actually tell me anything at all. I didn't want to do the 'one step lockdown' in the client based SDM because it might have put stuff on the router that I wasn't happy with. Maybe I'll give the security audit wizard another go, but I've used another method anyway so it would be just out of curiosity to see if it finds any security problems.

Anyway I ran the 'auto secure full' command from the CLI.  This is a CLI based wizard which asks a few questions and gives you a config based on the questions.  It doesn't put the config on unless you tell it to at the end.  This was good because I ran it, it generated a config (which I copied and pasted into a text doc) and then I told it not to apply the config because it wanted to do stuff with the enable password and various other bits and pieces that I didn't want.  I compared the text doc with the current router config and then added all the stuff that I was interested in manually, so it's all good.

Then I put on an access list to block spoofed traffic and a few other things from the Internet.