Basic Switch Configuration Best Practices

What types of features/commands do people recommend when implementing basic Layer 2 switch configurations for replacements, or when building configuration templates what things do you make sure you hit?
So far my list looks like:

Set IP
Set SNTP
Set timezone
Set summertime
Set SNMP v3 credentials
Set spanguard (and adminedge)
Set uplinks to tagged (to reduce future downtime if changes are needed)
Set port alias (as applicable)

What other types of recommendations or best practices do other people have?

Thanks,

Ben Parker

Posted 4 years ago

Paul Russo, Alum

Hey Ben

It looks like you are using this in regard to EOS; is that correct? If so, then this is a good list. I would also add things like SNMP parameters, location, contact, etc. I also recommend using RADIUS for switch authentication versus local accounts.

If you are using XOS, then there are other items like DoS Protect as well as IP security that are always good to have enabled. You can also have them set up as a default script that is automatically run every time the switch is factory defaulted. If you need any help there, let us know.

Thanks
P
Daniel Flouret, Employee

The first thing Extreme recommends is to remove all ports from VLAN default and disable it (VLAN default can't be deleted):
configure vlan default delete ports all
disable vlan default

Then you should create and configure specific VLANs as needed.

Daniel
Sathish Arul, Alum

RADIUS/TACACS+ configuration

SNMP server and community - for any monitoring server

NTP configuration

Switch administration credentials - Read Only & Read Write

STP or EAPS configuration - Loop prevention protocol

802.1x configuration - for end user authentication

Telnet/SSH configuration - for remote access

Access policies for Telnet/SSH access.

Ben Parker

Paul,
Thank you. These devices are all EOS legacy-Red. I did have the system contact information included.

I did not have RADIUS included because that would also require setting up their RADIUS. I do need to set up NAC for the customer as well, though, so that might be a good idea.

aloeffle

Hi all.

I recommend configuring

set forcelinkdown enable
set gvrp disable
set line-editor delete backspace default

as well.

Regards,
Alex

Michael Langley, Employee

If configuring an EOS stackable product for use in a stack, I would suggest statically configuring the SNMPv3 Engine ID.

show snmp engineid
set snmp engineid <EngineID>

The reason for this is that the Engine ID is based on the MAC address of the current manager unit. If the manager were to change from one unit to another in the stack, the SNMPv3 settings would need to be reset, as the Engine ID would have changed. If the Engine ID is statically configured, any subsequent manager would use what is in the stack configuration instead of its own default Engine ID.

Piotr Owczarek

Hello

In addition to the SNMP config, I always clear the default SNMP settings for public and ro access.
Regarding timezone, I also use:
set summertime recurring last Sunday March 02:00 last Sunday October 03:00 60

Piotr
Straw, Glyn, Employee

This is a good idea for a knowledge article, so when we have a few more posts I will create an article for general basic L2 switch best practices and post it on this thread.

Below are my recommendations:

- disable gvrp unless you have a specific requirement for it

- Spantree

  enabled by default - leave it enabled unless you have a specific case that requires disabling (eg. router connection)
  Admin edge - for all edge / user ports
  Spanguard - which will operate on admin edge ports
  Loop Protect - on all uplink ports to LPCapable switches
  Lptrap enable
  use MSTP, which is default version and configure 2 instances if there is a redundant path that would otherwise be blocked

- set movedaddrtrap enable  - crucial for L2 networks to get notification of moving mac addresses in the event of a loop

- LACP 

  use dynamic lacp ( default )
  manually configure aadminkey 
  set spantree portenable <port-list> disable - disable bridging on lag physical member ports and restrict to logical lag port.
  configure short timers where appropriate - The default timers for the lag are "long". The protocol transmits maintenance packets every 30 seconds. 

- Set MAC multicast

  If user traffic consists of NLB, this will be flooded on the network as unknown, so it will need to be scoped by manually configuring a multicast MAC and a static ARP entry
  https://gtacknowledge.extremenetworks.com/articles/How_To/EOS-How-to-configure-multicast-mac-to-stop...

- set forcelinkdown enable 

- set port disable - on any unused ports for security
- set port alias - crucial to troubleshooting connectivity
- set port broadcast - prevent broadcast storms propagating 

- set logging local console enable file enable sfile enable
- set logging server   ( having syslog is crucial to troubleshooting )

- set system location 
- set system name 
- set system login

- set prompt 

- set ssh enabled 
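As an added illustration (not part of the thread or Extreme's own tooling), the following Python script turns the checklist above, together with the earlier suggestions for gvrp, forcelinkdown and clearing the default SNMP community, into an audit that can be run over a saved EOS "show config" text. The sample configuration is constructed for the example and the exact command syntax it assumes should be checked against the target firmware.

```python
import re

# Constructed sample of an EOS running config excerpt (not from a real device);
# the command forms are assumptions, adjust the patterns to match your firmware.
SAMPLE_CONFIG = """\
set system name acc-sw-01
set ip address 192.0.2.10 mask 255.255.255.0 gateway 192.0.2.1
set sntp client unicast
set gvrp disable
set forcelinkdown enable
set spantree spanguard enable
set spantree adminedge ge.1.1-24 true
set logging server 1 ip-addr 192.0.2.50 state enable
set ssh enabled
set snmp community public
"""

# Checklist drawn from the thread: (label, pattern that must match a line,
# pattern that must NOT match any line). None means "no constraint".
CHECKS = [
    ("gvrp disabled",               r"^set gvrp disable$", None),
    ("forcelinkdown enabled",       r"^set forcelinkdown enable$", None),
    ("spanguard enabled",           r"^set spantree spanguard enable$", None),
    ("adminedge set on edge ports", r"^set spantree adminedge \S+ true$", None),
    ("movedaddrtrap enabled",       r"^set movedaddrtrap enable$", None),
    ("syslog server configured",    r"^set logging server \d+ ip-addr \S+", None),
    ("ssh enabled",                 r"^set ssh enabled$", None),
    ("sntp configured",             r"^set sntp ", None),
    ("default 'public' community removed", None, r"^set snmp community public$"),
]

def audit(config_text):
    """Return {label: passed} for every check in CHECKS."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    results = {}
    for label, must, must_not in CHECKS:
        ok = True
        if must and not any(re.match(must, l) for l in lines):
            ok = False          # required hardening line is missing
        if must_not and any(re.match(must_not, l) for l in lines):
            ok = False          # insecure default is still present
        results[label] = ok
    return results

def failing(config_text):
    """Sorted list of checklist items the config does not satisfy."""
    return sorted(k for k, v in audit(config_text).items() if not v)

if __name__ == "__main__":
    for item in failing(SAMPLE_CONFIG):
        print("MISSING:", item)
```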
Straw, Glyn, Employee

I published the following article in case this helps others in future:

Browser View: https://gtacknowledge.extremenetworks.com/articles/How_To/EOS-Basic-Switch-Layer-2-Configuration-Best-Practices

Mobile View: https://gtacknowledge.extremenetworks.com/pkb_mobile#article/How_To/kA134000000LymfCAC/s

Please let us know if this article was helpful by submitting article feedback. Thanks!