
Basic Switch Configuration Best Practices

Userlevel 2
What types of features/commands do people recommend when implementing basic Layer 2 switch configurations for replacements? Or, when building configuration templates, what things do you make sure you hit?
So far my list looks like:

set IP
Set Timezone
Set summertime
Set SNMP v3 credentials
set spanguard (and adminedge)
set uplinks to tagged (to reduce future downtime if changes are needed)
set port alias (as applicable)

What other types of recommendations or best practices do other people have?


10 replies

Basic command to back up the configuration of the switch to a notepad, so that in time the commands can be restored to a new switch.
Userlevel 4
I published the following article in case this helps others in future:

Browser View: https://gtacknowledge.extremenetworks.com/articles/How_To/EOS-Basic-Switch-Layer-2-Configuration-Best-Practices

Mobile View: https://gtacknowledge.extremenetworks.com/pkb_mobile#article/How_To/kA134000000LymfCAC/s

Please let us know if this article was helpful by submitting article feedback. Thanks!

Userlevel 4
This is a good idea for a knowledge article, so when we have a few more posts I will create an article for general basic L2 switch best practices and post it on this thread.

Below are my recommendations:

- disable gvrp unless you have a specific requirement for it

- Spantree

enabled by default - leave it enabled unless you have a specific case that requires disabling (e.g. router connection)
Admin edge - for all edge / user ports
Spanguard - which will operate on admin edge ports
Loop Protect - on all uplink ports to LPCapable switches
Lptrap enable
use MSTP, which is default version and configure 2 instances if there is a redundant path that would otherwise be blocked

- set movedaddrtrap enable - crucial for L2 networks to get notification of moving mac addresses in the event of a loop


use dynamic lacp ( default )
manually configure aadminkey
set spantree portenable disable - disable bridging on lag physical member ports and restrict to logical lag port.
configure short timers where appropriate - The default timers for the lag are "long". The protocol transmits maintenance packets every 30 seconds.

- Set mac multicast

If user traffic consists of NLB this will be flooded on the network as unknown so will need to be scoped by manually configuring a multicast mac and static arp

- set forcelinkdown enable

- set port disable - on any unused ports for security
- set port alias - crucial to troubleshooting connectivity
- set port broadcast - prevent broadcast storms propagating

- set logging local console enable file enable sfile enable
- set logging server ( having syslog is crucial to troubleshooting )

- set system location
- set system name
- set system login

- set prompt

- set ssh enabled


As an addition to SNMP config I always clear default SNMP settings for public and ro access.
Regarding timezone, I also use:
set summertime recurring last Sunday March 02:00 last Sunday October 03:00 60

Piotr
Userlevel 1
If configuring an EOS stackable product for use in a stack, I would suggest statically configuring the SNMPv3 Engine ID.

show snmp engineid
set snmp engineid

The reason for this is the Engine ID is based off the mac address of the current manager unit. If the manager were to change from one unit to another in the stack, SNMPv3 settings would need to be reset as the Engine ID would have changed. If the Engine ID is statically configured any subsequent manager would use what is in the stack configuration instead of their own default Engine ID.
Userlevel 2
Hi all.

I recommend configuring

set forcelinkdown enable
set gvrp disable
set line-editor delete backspace default

as well.


Userlevel 2
Thank you. These devices are all EOS legacy-Red. I did have the system contact information included.

I did not have RADIUS included because that would require also setting up their RADIUS. I do need to set up NAC for the customer as well though, so that might be a good idea.

Radius/Tacacs configuration

SNMP server and community - for any monitoring server

NTP configuration

Switch administration credentials - Read Only & Read Write

STP or EAPS configuration - Loop prevention protocol

802.1x configuration - for end user authentication

Telnet/SSH configuration - for remote access

Access policies for Telnet/SSH access.

Userlevel 6
The first thing Extreme recommends is to remove all ports from vlan default and disable it (vlan default can't be deleted):
configure vlan default delete ports all
disable vlan default

Then you should create and configure specific vlans as needed.

Userlevel 6
Hey Ben

It looks like you are using this in regard to EOS, is that correct? If so then this is a good list. I would also add things like SNMP parameters, location, contact, etc. Also recommend using RADIUS for switch authentication versus local accounts.

If you are using XOS then there are other items like DoS Protect as well as IP security that are always good to have enabled. You can also have them set up as a default script that are automatically set every time the switch is factory defaulted. If you need any help there let us know.
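
The EOS settings recommended across this thread can be turned into an audit of a configuration template. The following is an added example, not code from any poster or from Extreme: the required prefixes are the command strings quoted in the posts, while the `public` pattern, the comment markers (`!`, `#`) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Label -> prefix a config line must start with. Prefixes are the command
# strings quoted in the thread; arguments after the prefix are not validated.
REQUIRED = {
    "GVRP disabled": "set gvrp disable",
    "Force link down": "set forcelinkdown enable",
    "Moved-address trap": "set movedaddrtrap enable",
    "SSH enabled": "set ssh enabled",
    "Syslog server": "set logging server",
    "Static SNMPv3 engine ID": "set snmp engineid",
    "System name": "set system name",
    "System location": "set system location",
    "Summertime": "set summertime",
}
# Assumed pattern for default 'public' SNMP settings that were never cleared.
FORBIDDEN = {
    "Default SNMP 'public' present": re.compile(r"^set snmp\b.*\bpublic\b"),
}

def normalize(config_text):
    """Lower-case, collapse whitespace, drop blank and comment lines."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split()).lower()
        if line and not line.startswith(("!", "#")):
            lines.append(line)
    return lines

def audit(config_text):
    """Return baseline items missing from the config and forbidden leftovers."""
    lines = normalize(config_text)
    missing = [label for label, prefix in REQUIRED.items()
               if not any(l == prefix or l.startswith(prefix + " ") for l in lines)]
    violations = [label for label, rx in FORBIDDEN.items()
                  if any(rx.search(l) for l in lines)]
    return {"missing": missing, "violations": violations}

# Constructed sample template, not taken from a real switch.
SAMPLE = """
! constructed sample
set system name sw-edge-01
set system location "Rack 4"
set summertime recurring last Sunday March 02:00 last Sunday October 03:00 60
set gvrp disable
set forcelinkdown enable
set ssh enabled
set snmp community public
set logging server 1 ip-addr 192.0.2.10 state enable
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Per-port items from the thread (admin edge, port alias, disabling unused ports) depend on the port layout and are left out of this check.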