So far my list looks like:
Set SNMP v3 credentials
set spanguard (and adminedge)
set uplinks to tagged (to reduce future downtime if changes are needed)
set port alias (as applicable)
What other types of recommendations or best practices do other people have?
It looks like you are using this in regards to EOS, is that correct? If so, then this is a good list. I would also add things like SNMP parameters, location, contact, etc. Also recommend using RADIUS for switch authentication versus local accounts.
If you are using XOS, then there are other items like DoS Protect as well as IP security that are always good to have enabled. You can also have them set up as a default script that is automatically run every time the switch is factory defaulted. If you need any help there, let us know.
SNMP server and community - for any monitoring server
Switch administration credentials - Read Only & Read Write
STP or EAPS configuration - Loop prevention protocol
802.1x configuration - for end user authentication
Telnet/SSH configuration - for remote access
Access policies for Telnet/SSH access.
Thank you. These devices are all EOS legacy-Red. I did have the system contact information included.
I did not have RADIUS included because that would require also setting up their RADIUS. I do need to set up NAC for the customer as well, though, so that might be a good idea.
show snmp engineid
set snmp engineid <EngineID>
The reason for this is that the Engine ID is based off the MAC address of the current manager unit. If the manager were to change from one unit to another in the stack, the SNMPv3 settings would need to be reset, as the Engine ID would have changed. If the Engine ID is statically configured, any subsequent manager would use what is in the stack configuration instead of its own default Engine ID.
Below are my recommendations:
- disable gvrp unless you have a specific requirement for it
- spanning tree: enabled by default - leave it enabled unless you have a specific case that requires disabling (e.g. router connection)
  - Admin edge - for all edge / user ports
  - Spanguard - which will operate on admin edge ports
  - Loop Protect - on all uplink ports to LP-capable switches
  - use MSTP, which is the default version, and configure 2 instances if there is a redundant path that would otherwise be blocked
- set movedaddrtrap enable - crucial for L2 networks to get notification of moving MAC addresses in the event of a loop
- use dynamic LACP (default)
  - manually configure aadminkey
  - set spantree portenable <port-list> disable - disable bridging on LAG physical member ports and restrict to the logical LAG port
  - configure short timers where appropriate - the default timers for the LAG are "long"; the protocol transmits maintenance packets every 30 seconds
- set mac multicast
  - if user traffic consists of NLB, this will be flooded on the network as unknown, so it will need to be scoped by manually configuring a multicast MAC and static ARP
- set forcelinkdown enable
- set port disable - on any unused ports for security
- set port alias - crucial to troubleshooting connectivity
- set port broadcast - prevent broadcast storms propagating
- set logging local console enable file enable sfile enable
- set logging server (having syslog is crucial to troubleshooting)
- set system location
- set system name
- set system login
- set prompt
- set ssh enabled
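To show how the items above (and the static SNMP Engine ID advice earlier in the thread) fit together, here is an EOS CLI baseline written for this thread as an added illustration; it is not configuration posted by any participant or taken from the GTAC article. Port numbers (ge.1.1-46 as user ports, ge.1.47-48 as LACP members of lag.0.1), the management addresses (192.0.2.x documentation range), the user/group/view names, the admin key value and the broadcast threshold are all assumed placeholders to be replaced for a real switch; lines starting with "!" are comments in the style EOS uses in "show config" output. The LACP short-timer and NLB multicast-MAC items are deliberately left out because their exact syntax is not stated in the thread.

```text
! EOS baseline (SecureStack / S-Series style). Added example, not from the thread.
! Placeholders in <angle brackets> and the 192.0.2.x addresses are assumptions.

! --- identity and management access ---
set system name <SWITCH-NAME>
set system location "<building / closet>"
set system contact "<netops contact>"
set prompt "<SWITCH-NAME>"
set system login netadmin super-user enable password <STRONG-PASSWORD>
set ssh enabled
set telnet disable inbound

! --- SNMPv3: pin the engine ID first, so a stack-manager change does not
!     invalidate the v3 users derived from it ---
show snmp engineid
set snmp engineid <ENGINE-ID-FROM-SHOW-OUTPUT>
set snmp view viewname fullview subtree 1
set snmp user monitor privacy <PRIV-PASS> authentication sha <AUTH-PASS>
set snmp group monitorgroup user monitor security-model usm
set snmp access monitorgroup security-model usm privacy exact read fullview notify fullview

! --- RADIUS for switch logins (local super-user account stays as fallback) ---
set radius server 1 192.0.2.20 1812 <SHARED-SECRET>
set radius enable

! --- spanning tree (left enabled; MSTP is the default version) ---
set gvrp disable
set spantree version mstp
set spantree adminedge ge.1.1-46 true
set spantree spanguard enable
set spantree lp lag.0.1 enable
set spantree portenable ge.1.47-48 disable
set movedaddrtrap enable

! --- LACP uplink: dynamic LACP with a manually assigned admin key ---
set lacp aadminkey lag.0.1 100
set port lacp port ge.1.47-48 aadminkey 100 enable

! --- edge port hygiene ---
set forcelinkdown enable
set port broadcast ge.1.1-46 150
set port alias ge.1.47 "Uplink to core A"
set port alias ge.1.48 "Uplink to core B"
set port disable ge.1.40-46

! --- logging ---
set logging local console enable file enable sfile enable
set logging server 1 ip-addr 192.0.2.10 state enable
```

Apply the SNMP engine ID step before creating any v3 users, since the user keys are localized to the engine ID; changing it afterwards means recreating them. Spanning tree stays enabled globally, with admin edge plus Spanguard on user ports and Loop Protect on the logical LAG, while the physical LAG members have bridging disabled so only lag.0.1 participates.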
Related GTAC article: https://gtacknowledge.extremenetworks.com/articles/How_To/EOS-Basic-Switch-Layer-2-Configuration-Best-Practices