OC Security Audit | Infrastructure Security
Router and Switch Security Audit Checklist
Review the routers, switches, VLANs, trunks, management interfaces, firmware, ACLs, logs, and backups that keep users, servers, cloud services, branch offices, and business applications connected.
Executive Summary
Internal network devices can quietly become the path of least resistance.
Firewalls matter, but routers and switches decide how internal traffic moves. A flat VLAN design, exposed management interface, weak SNMP configuration, stale firmware, permissive trunk, or undocumented route can create serious business risk even when the perimeter looks clean.
OC Security Audit helps business owners, IT managers, CISOs, CIOs, and compliance leaders review network infrastructure from both a technical and business-risk perspective. The goal is practical: find gaps, prioritize remediation, collect evidence, and support a cleaner internal security baseline.
What this review helps clarify
- Which routers and switches are unsupported, unpatched, undocumented, or exposed.
- Whether management access is limited to approved administrators and trusted networks.
- Where VLAN, trunk, routing, ACL, or Layer 2 controls need stronger segmentation.
- Whether monitoring, logging, backups, diagrams, and change controls support incident response.
Audit Coverage
What the router and switch audit covers.
The page is organized around the major internal infrastructure areas that commonly create security exposure in Cisco, HPE Aruba, HP, and mixed-vendor switching and routing environments.
Firmware and OS
Patch levels, boot images, vendor advisories, support lifecycle, rollback planning, and update procedures.
Management Plane
SSH, HTTPS, console access, management VLANs, allowed admin sources, AAA, and privileged access.
VLANs and Segmentation
User, server, guest, IoT, voice, management, trunking, inter-VLAN routing, and route-control review.
Switch Port Security
Unused ports, trunk restrictions, MAC limits, NAC/802.1X readiness, and rogue-device prevention.
Layer 2 Protections
DHCP Snooping, Dynamic ARP Inspection, BPDU Guard, Root Guard, and storm-control configuration.
ACLs and Routing
Router ACLs, management ACLs, route filtering, dynamic routing authentication, and branch connectivity.
Monitoring and Backups
SNMPv3, syslog, NTP, configuration backups, alerting, log retention, and performance baselines.
Documentation
Inventory, standards, baseline configurations, diagrams, owners, change control, and evidence records.
Business Risk
A secure firewall does not fix a weak internal network.
Attackers often move through trusted internal paths after a phishing compromise, stolen VPN credential, exposed admin workstation, vulnerable server, or unmanaged device. Router and switch controls help define where traffic can go, who can administer the network, and whether suspicious events can be investigated later.
- Management interfaces should not be reachable from ordinary user, guest, or IoT networks.
- VLANs and ACLs should reflect real business access requirements, not old assumptions.
- Switch ports, trunks, and Layer 2 protections should reduce unauthorized access and disruption.
- Logs, backups, and diagrams should support recovery, audits, and executive decision-making.
Process
Our router and switch security audit process.
The review turns technical configuration details into prioritized remediation guidance for IT teams and leadership.
Discover
Collect inventory, topology, device roles, firmware versions, VLANs, routing paths, and management interfaces.
Review
Analyze configurations, management access, passwords, SNMP, ACLs, trunks, Layer 2 protections, and monitoring.
Prioritize
Score findings by likelihood, impact, and business risk so remediation is practical and defensible.
Validate
Confirm which controls work, which are missing, and which need operational or change-control review.
Recommend
Provide secure configuration recommendations for firmware, passwords, VLANs, port security, ACLs, and monitoring.
Document
Deliver checklist results, evidence notes, risk scoring, and remediation steps for IT and leadership review.
HTML Checklist
Router and switch security audit items.
Use this checklist as a starting point for internal security audits, infrastructure reviews, network hardening projects, evidence collection, and remediation planning. The full original checklist is preserved below.
| Category | Item | Description | Likelihood | Impact | Security Risk | How to Secure | Status |
|---|---|---|---|---|---|---|---|
| Inventory & Ownership | Device inventory accuracy | Document all routers, switches, stacks, serial numbers, models, OS versions, locations, owners, and support status. | Medium | Medium | Unknown network assets create blind spots during incidents and upgrades. | Maintain an approved inventory and reconcile it during every audit cycle. | Open / Review / Complete |
| Inventory & Ownership | Lifecycle and support status | Confirm whether Cisco, HPE Aruba, and HP devices are under vendor support and not end-of-life. | High | High | Unsupported devices may not receive critical firmware or security updates. | Replace unsupported devices or document compensating controls and upgrade timelines. | Open / Review / Complete |
| Firmware & OS | Firmware version review | Compare firmware and network OS versions against vendor advisories and approved baselines. | High | High | Outdated firmware can expose routers and switches to known vulnerabilities. | Upgrade through a controlled change window after backup and compatibility review. | Open / Review / Complete |
| Firmware & OS | Boot image integrity | Verify approved boot images, startup configuration integrity, and unauthorized image changes. | Medium | High | Unapproved images may introduce instability, backdoors, or misconfiguration. | Restrict image changes and validate hashes where supported. | Open / Review / Complete |
| Firmware & OS | Patch management process | Review how firmware updates are tested, approved, scheduled, and documented. | Medium | High | Unstructured updates increase outage risk or leave devices unpatched. | Create a repeatable patch process with maintenance windows and rollback steps. | Open / Review / Complete |
| Management Plane | SSH-only administration | Confirm Telnet is disabled and SSH is configured using secure versions and approved ciphers where supported. | High | High | Clear-text management protocols expose credentials and configuration data. | Disable Telnet and require SSH from trusted management networks. | Open / Review / Complete |
| Management Plane | HTTPS management review | Confirm HTTP is disabled and HTTPS uses trusted certificates where web management is required. | Medium | High | Insecure web management can leak credentials or expose admin portals. | Use HTTPS only, restrict access, and disable web management if not needed. | Open / Review / Complete |
| Management Plane | Management VLAN isolation | Verify router and switch management interfaces are isolated from user VLANs and guest networks. | High | High | Flat access to management interfaces increases takeover risk. | Place management access in a dedicated VLAN or subnet with ACL restrictions. | Open / Review / Complete |
| Management Plane | Allowed management sources | Review ACLs that limit device administration to approved jump boxes, VPNs, or admin workstations. | High | High | Broad administrative access expands the attack surface. | Permit management only from approved source IP ranges. | Open / Review / Complete |
| Authentication | Default credentials removed | Confirm vendor default usernames, passwords, and setup accounts are removed or disabled. | High | High | Default credentials are commonly abused during internal compromise. | Remove defaults and use unique named accounts or centralized authentication. | Open / Review / Complete |
| Authentication | AAA / RADIUS / TACACS+ | Review centralized authentication, authorization, and accounting for administrators. | Medium | High | Local-only accounts reduce accountability and delay offboarding. | Use AAA with least privilege, fallback controls, and admin logging. | Open / Review / Complete |
| Authentication | Privileged account review | Validate admin roles, named accounts, emergency accounts, and privilege levels. | Medium | High | Excessive admin rights can lead to unauthorized network changes. | Limit privileges and review access regularly. | Open / Review / Complete |
| Authentication | Password policy | Review password complexity, rotation expectations, encrypted secrets, and local account storage. | Medium | High | Weak or reusable passwords can lead to device compromise. | Use long unique credentials, encrypted secrets, and vault-based access. | Open / Review / Complete |
| SNMP & Monitoring | SNMP version | Confirm SNMPv1 and SNMPv2c are disabled unless there is an approved exception. | High | High | Weak SNMP versions can expose device data and community strings. | Use SNMPv3 with authentication and encryption. | Open / Review / Complete |
| SNMP & Monitoring | Community string exposure | Review SNMP community strings, ACLs, and read/write permissions. | High | High | Exposed or writable community strings can reveal or change device configuration. | Remove public/private strings and restrict SNMP to monitoring servers only. | Open / Review / Complete |
| SNMP & Monitoring | Syslog forwarding | Confirm logs are forwarded to centralized syslog/SIEM systems. | Medium | High | Local-only logs may be lost after reboot or compromise. | Forward logs to a protected logging platform with retention. | Open / Review / Complete |
| SNMP & Monitoring | NTP configuration | Verify devices use trusted NTP sources and consistent time zones. | Medium | Medium | Incorrect time breaks incident timelines and log correlation. | Configure reliable NTP and document time settings. | Open / Review / Complete |
| Segmentation | VLAN design review | Review VLANs for users, servers, voice, printers, guest, IoT, cameras, and management. | High | High | Poor segmentation allows unnecessary lateral movement. | Separate sensitive zones and document VLAN purpose and ownership. | Open / Review / Complete |
| Segmentation | Inter-VLAN routing control | Review routing between VLANs and confirm only required flows are permitted. | High | High | Overly permissive inter-VLAN routing exposes critical systems. | Use ACLs, firewall policy, or routed segmentation for controlled access. | Open / Review / Complete |
| Segmentation | Guest network isolation | Confirm guest and visitor networks cannot reach internal resources. | High | High | Guest access can become an entry point into the corporate network. | Isolate guest VLANs and route them directly to internet-only access. | Open / Review / Complete |
| Segmentation | Voice VLAN security | Review voice VLAN separation and whether phones can bridge into data networks. | Medium | Medium | Voice networks can become a lateral movement path. | Apply voice VLAN controls, DHCP options, and port-level restrictions. | Open / Review / Complete |
| Switch Port Security | Unused ports disabled | Confirm unused switch ports are administratively disabled and assigned to an unused VLAN. | High | Medium | Open ports allow unauthorized internal access. | Disable unused ports and monitor link-up events. | Open / Review / Complete |
| Switch Port Security | Port security / MAC limits | Review MAC address limits, sticky MAC policies, and violation actions where appropriate. | Medium | High | Unauthorized devices can be connected to active ports. | Enable port security for access ports based on operational needs. | Open / Review / Complete |
| Switch Port Security | 802.1X / NAC readiness | Evaluate support for 802.1X, MAC authentication bypass, or NAC integration. | Medium | High | Uncontrolled network access increases insider and rogue-device risk. | Implement phased NAC for sensitive or high-risk areas. | Open / Review / Complete |
| Switch Port Security | Trunk port review | Confirm trunk ports are approved, documented, and restricted to required VLANs. | High | High | Misconfigured trunks can expose multiple VLANs to one connection. | Limit allowed VLANs and disable trunk negotiation where appropriate. | Open / Review / Complete |
| Layer 2 Protection | BPDU Guard | Review BPDU Guard on access ports to reduce rogue switch risk. | Medium | High | Rogue switches can disrupt spanning tree and network availability. | Enable BPDU Guard on access ports. | Open / Review / Complete |
| Layer 2 Protection | Root Guard | Review root bridge placement and Root Guard on appropriate ports. | Medium | High | Unexpected root bridge changes can destabilize switching paths. | Define root bridge strategy and enforce it with guard features. | Open / Review / Complete |
| Layer 2 Protection | DHCP Snooping | Review DHCP Snooping for user VLANs and trust boundaries. | Medium | High | Rogue DHCP servers can redirect or disrupt user traffic. | Enable DHCP Snooping and trust only legitimate uplink/server ports. | Open / Review / Complete |
| Layer 2 Protection | Dynamic ARP Inspection | Review ARP protection where DHCP Snooping bindings are available. | Medium | High | ARP spoofing can enable traffic interception or disruption. | Enable Dynamic ARP Inspection on supported access VLANs. | Open / Review / Complete |
| Layer 2 Protection | Storm control | Review broadcast, multicast, and unknown unicast storm-control thresholds. | Medium | Medium | Layer 2 storms can create outages. | Configure storm control on access ports with tested thresholds. | Open / Review / Complete |
| Access Control Lists | Router ACL review | Review inbound and outbound ACLs on routed interfaces. | High | High | Overly broad ACLs may expose sensitive networks or management services. | Apply least privilege and document business justification. | Open / Review / Complete |
| Access Control Lists | Management ACLs | Confirm management services are protected by explicit ACLs. | High | High | Attackers on internal networks may attempt direct device access. | Restrict SSH/HTTPS/SNMP to approved management hosts. | Open / Review / Complete |
| Access Control Lists | Any-any rules | Identify permissive allow-all rules and undocumented exceptions. | High | High | Broad rules undermine segmentation and increase blast radius. | Replace with specific source, destination, and service rules. | Open / Review / Complete |
| Routing Security | Static route review | Validate static routes, default routes, and route ownership. | Medium | High | Incorrect routes can expose traffic or create black holes. | Document route purpose and remove stale routes. | Open / Review / Complete |
| Routing Security | Dynamic routing authentication | Review OSPF, EIGRP, BGP, or other protocol authentication where used. | Medium | High | Unauthenticated routing can allow route injection or disruption. | Enable protocol authentication and route filtering where supported. | Open / Review / Complete |
| Routing Security | Route filtering | Review route redistribution and filtering between sites, WAN, VPN, and internal zones. | Medium | High | Uncontrolled redistribution can leak routes between environments. | Filter routes and document accepted prefixes. | Open / Review / Complete |
| Site Connectivity | WAN and branch links | Review routers/switches supporting branch, data center, and cloud connectivity. | Medium | High | Weak inter-site controls can allow compromise to spread across locations. | Validate routing, ACLs, monitoring, and redundancy for site links. | Open / Review / Complete |
| Site Connectivity | Site-to-site VPN interfaces | Review router interfaces, routes, ACLs, and monitoring tied to VPN connectivity. | Medium | High | VPN-connected networks often have excessive trust. | Limit reachable subnets and monitor tunnel health. | Open / Review / Complete |
| Resilience | Configuration backups | Confirm scheduled configuration backups are captured and protected. | High | Medium | No backup increases downtime after failure or misconfiguration. | Automate backups and test restoration. | Open / Review / Complete |
| Resilience | Change control | Review change tickets, approval workflow, and post-change validation. | Medium | High | Untracked changes make incidents harder to diagnose. | Require documented changes for routing, VLAN, ACL, and firmware updates. | Open / Review / Complete |
| Resilience | High availability links | Review stack members, uplinks, LACP, redundant power, and failover paths. | Medium | High | Single points of failure can interrupt business operations. | Document redundancy and test failover scenarios. | Open / Review / Complete |
| Physical Security | Rack and closet access | Review physical access to network closets, MDFs, IDFs, and data center racks. | Medium | High | Physical access can bypass logical controls. | Restrict access, lock cabinets, and log entry where feasible. | Open / Review / Complete |
| Physical Security | Console port control | Review console access procedures, adapters, and local recovery controls. | Medium | Medium | Uncontrolled console access can allow device reconfiguration. | Control physical console access and protect emergency credentials. | Open / Review / Complete |
| Documentation | Network diagrams | Validate current logical and physical diagrams. | Medium | Medium | Outdated diagrams slow troubleshooting and audits. | Update diagrams with VLANs, uplinks, trunks, and routing paths. | Open / Review / Complete |
| Documentation | Standards and baseline configs | Review standard templates for Cisco, HPE Aruba, and HP devices. | Medium | High | Inconsistent configs create security gaps and support issues. | Create approved baseline configurations by device role. | Open / Review / Complete |
This checklist is for initial guidance and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
Monitoring Applications
Tools commonly used to monitor routers and switches.
Monitoring tools can support availability, interface health, bandwidth usage, SNMP metrics, alerting, configuration awareness, and faster incident response. Vendor fit depends on network size, budget, skill level, and operational requirements.
Platform Focus
Cisco, HPE Aruba, and HP router/switch environments.
OC Security Audit can help review common configuration and operational risks across mixed-vendor environments, including older HP switching, HPE Aruba access layers, and Cisco routing and switching platforms.
Cisco routers and switches
Review IOS/IOS XE configuration hygiene, SSH/AAA, ACLs, SNMPv3, routing controls, VLANs, trunking, spanning-tree protections, configuration backups, and logging.
HPE Aruba switching
Review AOS-CX or ArubaOS-Switch settings, management access, VLAN design, port security, firmware, SNMP, syslog, role-based access, and uplink controls.
HP legacy networks
Review lifecycle risk, older firmware, insecure protocols, switch closet exposure, undocumented VLANs, missing backups, and migration or hardening priorities.
After the Audit
From router and switch findings to implementation support.
OC Security Audit identifies security gaps, risk priorities, and evidence needs. When the next step is operational implementation, remediation coordination, network maintenance, monitoring, firmware planning, or ongoing infrastructure support, the related IT Perfection service is network infrastructure management.
This keeps the two companies clear: OC Security Audit performs the specialized security review; IT Perfection can help with practical network infrastructure work when a business needs managed IT support after the assessment.
Related operational support
- Router and switch configuration maintenance, troubleshooting, and documentation.
- Firmware update planning, maintenance windows, and operational handoff.
- Network monitoring, alert review, log collection, and visibility improvements.
- Branch, VPN, wireless, firewall, and network infrastructure support.
Related OC Security Audit Resources
Continue with the security review path that matches your environment.
Ali Hassani, CISO
Senior-level network security, compliance, and infrastructure guidance.
Ali Hassani is a CISO and cybersecurity consultant with 25+ years of experience across IT operations, cybersecurity, compliance auditing, Microsoft infrastructure, Microsoft 365 security, network security, firewall security, vulnerability management, cloud security, and infrastructure leadership. His practical background helps organizations connect executive risk, technical controls, and compliance readiness. Learn more about Ali's experience at OC Security Audit's Ali Hassani profile.
FAQ
Router and switch security audit questions.
What is included in a router and switch security audit?
A professional review usually includes inventory, firmware and lifecycle status, management access, AAA, password controls, SNMP, logging, VLANs, trunk ports, ACLs, routing, Layer 2 protections, backups, diagrams, change controls, and remediation priorities.
Is this different from a firewall audit?
Yes. A firewall audit focuses on perimeter and zone policy, VPN, NAT, logging, and rulebase exposure. A router and switch review focuses on the internal network paths, management plane, VLANs, trunks, access ports, routing, and switch-layer controls that support internal security.
Which platforms can be reviewed?
OC Security Audit can review common Cisco, HPE Aruba, HP, and mixed-vendor environments. The review can be adapted for small-business networks, branch offices, larger switching environments, and data-center or campus-style designs.
Can this checklist help with compliance readiness?
Yes. Router and switch evidence can support cybersecurity risk management, internal control validation, audit preparation, cyber insurance conversations, and compliance readiness where network segmentation, access control, logging, and change management matter.
Can OC Security Audit help prioritize remediation?
Yes. Findings can be prioritized by likelihood, impact, business exposure, and operational difficulty so technical teams can address the highest-risk items first without turning the review into a generic checklist exercise.
Need help reviewing router and switch security?
OC Security Audit helps organizations identify infrastructure security gaps, prioritize remediation, and improve internal network resilience across routers, switches, VLANs, site connectivity, management access, monitoring, and documentation.