Compliance Standards
SOC 2 — Access Controls (CC6)
Password Encryption: CC6.2 PASS
Strong Passwords: CC6.2 PASS
AAA Authentication: CC6.1,CC6.2 PASS
SSH Only (No Telnet): CC6.1,CC6.7 PASS
Exec Timeout: CC6.1 PASS
VTY Access Control List: CC6.1,CC6.6 FAIL
Console Security: CC6.1 FAIL
Privilege Level Management: CC6.3 FAIL
Login Banner: CC6.1 PASS
SNMP Security: CC6.7,CC7.2 FAIL
Port Security: CC6.6 PASS
DHCP Snooping: CC6.6,CC6.8 FAIL
Dynamic ARP Inspection: CC6.6 FAIL
Unused Interfaces Shutdown: CC6.6 FAIL
Encrypted Transport: CC6.7 PASS
Access Control Lists: CC6.6 PASS
Routing Protocol Authentication: CC6.6 FAIL
SOC 2 — System Operations (CC7)
SNMP Security: CC6.7,CC7.2 FAIL
Storm Control: CC7.1 FAIL
Control Plane Protection: CC7.1 FAIL
Logging Configured: CC7.2,CC7.3 PASS
NTP Configured: CC7.2 PASS
NetFlow / sFlow: CC7.1,CC7.2 FAIL
SNMP Traps / Notifications: CC7.2 PASS
SOC 2 — Change Management (CC8)
Configuration Archive: CC8.1 FAIL
NIST — Identify (ID)
Asset Identification: ID.AM-1,ID.AM-2 PASS
NIST — Protect (PR)
Password Encryption: PR.AC-1 PASS
Strong Passwords: PR.AC-1 PASS
AAA Authentication: PR.AC-1,PR.AC-7 PASS
SSH Only (No Telnet): PR.AC-3,PR.DS-2 PASS
Exec Timeout: PR.AC-3 PASS
VTY Access Control List: PR.AC-3,PR.PT-4 FAIL
Console Security: PR.AC-2 FAIL
Privilege Level Management: PR.AC-4 FAIL
Login Banner: PR.AC-7 PASS
SNMP Security: PR.DS-2,DE.CM-1 FAIL
Port Security: PR.AC-5,PR.PT-4 PASS
DHCP Snooping: PR.PT-4 FAIL
Dynamic ARP Inspection: PR.PT-4 FAIL
Storm Control: PR.PT-4 FAIL
Unused Interfaces Shutdown: PR.AC-5 FAIL
Encrypted Transport: PR.DS-2 PASS
Access Control Lists: PR.PT-4,PR.AC-5 PASS
Control Plane Protection: PR.PT-4 FAIL
Routing Protocol Authentication: PR.DS-2,PR.PT-4 FAIL
NTP Configured: PR.PT-1,DE.CM-6 PASS
Configuration Archive: PR.IP-1 FAIL
NIST — Detect (DE)
SNMP Security: PR.DS-2,DE.CM-1 FAIL
Logging Configured: DE.CM-1,DE.AE-3 PASS
NTP Configured: PR.PT-1,DE.CM-6 PASS
NetFlow / sFlow: DE.CM-1,DE.AE-1 FAIL
SNMP Traps / Notifications: DE.CM-1 PASS
Security Findings
- VTY Access Control List [HIGH]
  No ACL on VTY lines. Any IP can attempt SSH/Telnet to device.
  [SOC 2: CC6.1,CC6.6 | NIST: PR.AC-3,PR.PT-4]
  Recommendation: Create ACL and apply: access-class in
- SNMP Security [HIGH]
  SNMPv2c community strings in use. Community strings sent in cleartext — can be sniffed.
  [SOC 2: CC6.7,CC7.2 | NIST: PR.DS-2,DE.CM-1]
  Recommendation: Migrate to SNMPv3 with authPriv; remove snmp-server community lines
- Routing Protocol Authentication [HIGH]
  Routing protocols without authentication. Rogue routers can inject false routes.
  [SOC 2: CC6.6 | NIST: PR.DS-2,PR.PT-4]
  Recommendation: Enable MD5/SHA authentication on OSPF/EIGRP/BGP peers
- Console Security [MEDIUM]
  Console may lack password or timeout. Physical console access should be secured.
  [SOC 2: CC6.1 | NIST: PR.AC-2]
  Recommendation: Configure: line console 0; password ; login; exec-timeout 5 0
- DHCP Snooping [MEDIUM]
  DHCP snooping not enabled. Network susceptible to rogue DHCP.
  [SOC 2: CC6.6,CC6.8 | NIST: PR.PT-4]
  Recommendation: Enable: ip dhcp snooping; ip dhcp snooping vlan
- Dynamic ARP Inspection [MEDIUM]
  Dynamic ARP Inspection not enabled. Vulnerable to ARP spoofing / MITM on L2.
  [SOC 2: CC6.6 | NIST: PR.PT-4]
  Recommendation: Enable: ip arp inspection vlan (requires DHCP snooping)
- Control Plane Protection [MEDIUM]
  No CoPP / control-plane policy detected. Control plane susceptible to DoS.
  [SOC 2: CC7.1 | NIST: PR.PT-4]
  Recommendation: Apply a control-plane policy to rate-limit management protocols
- NetFlow / sFlow [MEDIUM]
  No flow telemetry configured. Limited traffic visibility.
  [SOC 2: CC7.1,CC7.2 | NIST: DE.CM-1,DE.AE-1]
  Recommendation: Configure NetFlow or sFlow for traffic analysis
- Configuration Archive [MEDIUM]
  Partial config change tracking. Archive or change logging missing.
  [SOC 2: CC8.1 | NIST: PR.IP-1]
  Recommendation: Configure: archive; log config
- Privilege Level Management [LOW]
  All users at default privilege 15. No role-based access differentiation.
  [SOC 2: CC6.3 | NIST: PR.AC-4]
  Recommendation: Create lower-privilege user accounts for operators
- Storm Control [LOW]
  No storm control configured. Network may be affected by broadcast storms.
  [SOC 2: CC7.1 | NIST: PR.PT-4]
  Recommendation: Configure: storm-control broadcast level 20
- Unused Interfaces Shutdown [LOW]
  Only 4/36 interfaces shutdown (11%). Unused ports may allow unauthorized access.
  [SOC 2: CC6.6 | NIST: PR.AC-5]
  Recommendation: Review and shutdown unused interfaces
Security Best Practices
Security
Password Encryption: YES
Strong Passwords: YES
AAA Authentication: YES
SSH Only (No Telnet): YES
Login Banner: YES
Port Security: YES
Encrypted Transport: YES
SNMP Traps / Notifications: YES
Management
Exec Timeout: YES
Logging Configured: YES
NTP Configured: YES
Operations
Access Control Lists: YES
Asset Identification: YES