I audit network device configurations for Indian enterprise resellers. After reviewing 50+ Cisco IOS-XE configurations from production environments, I’ve found that 80% of them expose more than they should. Here are the 10 checks your network team probably forgot.
1. Telnet Still Enabled
The finding: Line VTY still permits protocol telnet alongside protocol ssh.
The risk: Telnet sends passwords in cleartext over the network. On an internal network where any compromised workstation can sniff traffic, this exposes your admin credentials to anyone on the same broadcast domain.
The fix:
line vty 0 15
transport input ssh
2. Default SNMP Community Strings
The finding: snmp-server community public RO or snmp-server community private RW
The risk: Default strings like “public” and “private” are the first thing an attacker tries. With read-write access, an attacker can modify routing tables, add backdoor VLANs, or change interface configurations.
The fix:
snmp-server community YourComplexStringHere RO
snmp-server community DifferentStringHere RW
no snmp-server community public
no snmp-server community private
3. No AAA on Console Port
The finding: The console port requires no authentication — line con 0 with no login local or login authentication.
The risk: Physical access to the router equals full admin access. In colocation setups, shared data centers, or branch offices where equipment rooms aren’t locked, this is a trivial compromise.
The fix:
line con 0
login local
exec-timeout 5 0
4. VTY Lines Without Access-Class
The finding: No access-class restriction on VTY lines, meaning SSH access is available from any IP.
The risk: Your management interface is exposed to the entire internal network — and sometimes the internet. Indian ISPs often don’t filter management ports.
The fix:
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
line vty 0 15
access-class 10 in
5. CDP Enabled on External Interfaces
The finding: cdp enable on interfaces facing external networks or customers.
The risk: Cisco Discovery Protocol broadcasts device information (model, IOS version, IP addresses, VLANs) to anyone on the same link. This is reconnaissance gold for an attacker.
The fix:
interface GigabitEthernet0/0
no cdp enable
6. No CoPP (Control Plane Policing)
The finding: No control-plane configuration with rate-limiting.
The risk: An attacker can flood the control plane with traffic (BGP updates, ICMP, SSH attempts), causing the router to CPU-throttle and drop routing protocol keepalives. Result: routing table instability or complete outage.
The fix:
control-plane
service-policy input CoPP-Policy
7. DHCP Snooping Disabled or Misconfigured
The finding: ip dhcp snooping not enabled on access VLANs, or no ip dhcp snooping trust on uplink ports.
The risk: A rogue DHCP server on an access port can hand out malicious gateway addresses, redirecting traffic through an attacker’s machine for MITM.
The fix:
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface GigabitEthernet0/24
ip dhcp snooping trust
8. Default HTTP/HTTPS Server Enabled
The finding: ip http server still enabled on devices that should be managed via SSH only.
The risk: HTTP server exposes an unencrypted web management interface. Even HTTPS can be vulnerable to downgrade attacks.
The fix:
no ip http server
no ip http secure-server
9. No Logging Configuration
The finding: No logging host or logging buffered configured.
The risk: When an incident occurs, you have zero audit trail. You can’t determine what happened, when, or from where.
The fix:
logging host 10.0.0.5
logging trap notifications
logging source-interface Loopback0
logging buffered 16384
10. BGP Authentication Missing
The finding: BGP neighbor statements without password configured.
The risk: Without MD5/TCP-AO authentication, an attacker can inject false BGP routes, hijacking IP prefixes for your organization. This is how RouteLeak attacks happen.
The fix:
router bgp 65000
neighbor 10.0.0.1 password YourBgpPassword
The Bottom Line
These aren’t advanced attacks. They’re the networking equivalent of leaving your front door unlocked. I find at least 3 of these 10 misconfigurations in every audit I do.
Want a full config audit? I’ll review your Cisco/Palo Alto/Fortinet/Juniper configurations against 30+ CIS-aligned checks and deliver a professional PDF report in 24 hours. ₹5,000 per device.