Disable unused Access Ports

Internal security policies may mandate that unused ports be protected by several layers to disallow access to the network (e.g., by shutting the ports down).

Task: Disable interfaces Gi0/1 to Gi0/24 on switch7

Solution:

switch7(config)#interface range Gi0/1-24
switch7(config-if-range)#shutdown

See links for more explanations

Configure a username and secret on Cisco Switch and Router

Here is the syntax needed to configure this on a Cisco router or switch. The username command is entered in global configuration mode:

Switch(config)#username christian privilege 15 secret passwordhere

Now configure the line console (needed for console access) and the VTY lines (needed for Telnet and SSH login) to authenticate against the local user database.

For line console 0, enter line configuration mode using the command below, followed by “login local” at the next prompt.

Switch(config)#line console 0
Switch(config-line)#login local

For VTY access via SSH and Telnet (note: using Telnet is not recommended), enter the command below, followed by “login local” at the next prompt.

Switch(config)#line vty 0 5
Switch(config-line)#login local

Note: SSH itself has to be configured separately; “login local” only tells the line to authenticate against the local user database.

LACP Configuration on Cisco 3650 Switch

LACP is part of the IEEE specification 802.3ad that allows you to bundle several physical ports to form a single logical channel. When you change the number of active bundled ports on a port-channel, traffic patterns will reflect the rebalanced state of the port channel.

Here are the steps needed to configure LACP on a Cisco Switch. For more details on the commands used, see the links below.

Step 1: Enter global configuration mode and specify the port-channel interface. This enters interface configuration mode, as shown below.

Switch#configure terminal
Switch(config)#interface port-channel 5
  • No need to configure an IP address, etc.

Step 2: Next, select the physical interface to bundle.

switch(config)# interface fastethernet 0/1

If you have more than one port, use an interface range to bundle them together, e.g.:

switch(config)# interface range fastethernet 0/1 - 4

Step 3: Assign the interface to a port-channel group and set the LACP mode.

switch(config-if)# channel-group 5 mode active

Below are the LACP modes that can be assigned to a channel group.

Active: Places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending LACP packets.

Passive: Places a port into a passive negotiating state, in which the port responds to LACP packets it receives but does not initiate LACP negotiation. In this mode, the channel-group command still attaches the interface to the bundle.

On: Static EtherChannel; the port does not run LACP messaging but is bundled statically. In this mode, neither this switch nor the switch at the other end will detect a problem with the EtherChannel or report it.

See the links below for more details:
https://www.grandmetric.com/knowledge-base/design_and_configure/how-to-configure-lacp-on-cisco/
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/gigeth.html

Console Port Password on Cisco Router / Switch Configuration

Configuration Procedure: In this example, a password is configured for users attempting to use the console.

From the privileged EXEC or “enable” prompt, enter configuration mode and then switch to line configuration mode using the following commands as shown below.

Note: The prompt changes to reflect the current mode.

router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#line con 0
router(config-line)#

Configure the password, and enable password checking at login.

router(config-line)#password techpass0
router(config-line)#login

Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from the console by console

Note: Do not save configuration changes to line con 0 until your ability to log in has been verified.

Note: This is actually not the best way to secure the console port, as the password assigned here is stored in plain text and can be viewed in the running configuration.

This installation package could not be opened. Verify that the package exists and that you can access it …

This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

The command (syntax) below prompted this error; below the syntax are steps to mitigate or resolve it.

msiexec /i PasswordServerSelfServe_x64.msi URLPROPERTY=https://xxxxxxxxxxxxx.com INSTALLFOLDER="C:Programssoftware"

Solution:
There is actually no single direct answer to this error; when troubleshooting, check the following possible causes:

  1. Ensure you run the command line (cmd) with administrative privileges.
  2. Ensure you run the installer from the right path in the command line (the current directory in the command prompt must be the one where the installer is saved).
  3. Ensure you have privileged (write) access to the INSTALLFOLDER path; otherwise you will also get this error.

Security Best Practice to secure your Cisco Router and Switches

Here are some vital points to consider when setting up and configuring your Cisco devices.

  • Physically secure the device
  • Use secure passwords (secrets)
  • Enable SSH access
  • Enable port security
  • Disable HTTP and HTTPS access
  • Disable unused ports
  • Disable Telnet or any other insecure form of remote access and authentication (ensure only SSH is enabled and that it is secured with a secret password).

Kindly scroll through the blog post under the category “Cisco” to see how these steps are performed (configured).
https://techdirectarchive.com/2019/07/31/how-to-disable-web-console-in-cisco-switches-disable-http-access/
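As an added example (not part of the original post, and not a Cisco tool), the Python script below audits a saved running-config text against the checklist above and the console-password note earlier: clear-text line passwords, “username … password” instead of “secret”, Telnet permitted on vty lines, HTTP management enabled, access ports without port security, and interfaces left at their default configuration and not shut down. The sample configuration is constructed for the demonstration, and the check names and the “empty interface block means an unused port” heuristic are assumptions of this example.

```python
# Constructed sample running-config (not from a real device) that breaks
# several checklist items on purpose.
SAMPLE_CONFIG = """\
ip http server
username christian password 0 passwordhere
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
line con 0
 password techpass0
 login
line vty 0 5
 login local
 transport input telnet ssh
"""

def parse_sections(text):
    """Group IOS config into (header, [sub-commands]); IOS indents sub-commands one space."""
    sections = []
    for line in text.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            sections.append((line.strip(), []))
    return sections

def audit_config(text):
    """Return (check, object) findings for the checklist items above."""
    findings = []
    for header, subs in parse_sections(text):
        if header.startswith("ip http"):  # HTTP/HTTPS management should be disabled
            findings.append(("http", header))
        elif header.startswith("username ") and "secret" not in header.split():
            findings.append(("plaintext-user", header.split()[1]))  # 'password' keyword used
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            if not subs:  # default config and not shut down: probably an unused port left open
                findings.append(("default-port-up", name))
            elif "switchport mode access" in subs and "switchport port-security" not in subs:
                findings.append(("no-port-security", name))
        elif header.startswith("line "):
            if any(s.startswith("password ") for s in subs):  # clear-text line password
                findings.append(("line-password", header))
            if any(s.startswith("transport input") and ("telnet" in s or s.endswith(" all"))
                   for s in subs):
                findings.append(("telnet", header))
    return findings
```

Run it against the output of “show running-config” saved to a file; each finding names the offending line or interface so the fixes from the earlier sections can be applied.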

Error – Command rejected: An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode

switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.

This is the result of a missing trunk encapsulation type (802.1Q) on that port.
– Enter interface configuration mode and enter the following command:

switch(config-if)#switchport trunk encapsulation dot1q

– The port can now be set as a trunk port without any issue before proceeding with the rest of the configuration.

switch(config-if)#switchport mode trunk