
Tasks for initial switch configuration

Sometimes we have to get back to basics. Since switches are usually plug-and-play, it is easy to overlook a few settings that make a switch noticeably more manageable and more secure.

In most instances, you can take any brand of switch out of the box, turn it on and, without any configuration whatsoever, have it provide the connectivity you need, much like an unmanaged hub would. In this tip, we'll look at what you should configure beyond that.

First things first: there's a minimum level of security that every network device should meet. That includes:

  • setting the passwords (if you don't, an intruder may set them for you)
  • setting SNMP community strings, or turning SNMP off if you don't intend to use it; the defaults "public" and "private" are the first strings anyone will try
  • turning off every method of administration you won't use, especially the Web interface
  • configuring logins, or an authentication server (RADIUS or TACACS+) if you have one
  • configuring a syslog server so log entries are stored off the switch, where they survive a reboot and can't simply be cleared on the device

The rest of our configuration list depends on what you intend to do with the switch and to some extent, how complex your environment is.

  • If you have more than one switch in a broadcast domain, you'll want to configure Spanning Tree Protocol. It will probably be turned on and work by default, but the default election may pick a root bridge that gives you suboptimal convergence. Set the bridge priority on the switch you want to be root, and leave the rest at the default.
  • If you have more than one IP subnet on a switch, you may need to configure VLANs or trunk ports. Don't forget to put user ports into the appropriate VLANs after you create them. Note that if you are using a Cisco switch, even if you only have one subnet, I strongly recommend that you do NOT use the default VLAN 1: every port starts out in it, it is the default native VLAN on trunks, it carries management traffic such as CDP and VTP, and it cannot be deleted, so it behaves differently from the VLANs you create. Create another VLAN and put all the ports into it.
  • If you plan to connect IP phones, then you may need to configure "voice VLANs" and also enable Power over Ethernet. PoE may be disabled by default.
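As an added example, not code from the original article, here is a small Python linter that reads an IOS-style configuration and flags the items from the two lists above that can be judged from a single switch's config: the security baseline (passwords, default SNMP communities, the web interface and telnet, AAA, remote syslog) and access ports left in VLAN 1. The STP and PoE items depend on topology and hardware, so they are not checked. Both configurations embedded in the script are constructed for illustration, the "enable secret" hash is a placeholder rather than a real type 5 hash, and the `parse_config` and `audit` functions and the check names are this example's own.

```python
"""Audit an IOS-style switch config against the baseline above (hypothetical
linter written for this article; the sample configs are constructed, not captured)."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known SNMP defaults

WEAK_CONFIG = """\
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$abcd$ConstructedPlaceholderNotARealHash
no ip http server
logging host 10.0.0.20
tacacs-server host 10.0.0.5
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
line vty 0 4
 transport input ssh
!
end
"""


def parse_config(text):
    """Split an IOS config into global commands and {block header: sub-commands}.
    'interface', 'line' and 'vlan' headers own the indented lines that follow; '!' ends a block."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ", "vlan ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections


def audit(text):
    """Return (check, detail) findings; an empty list means the baseline above is met."""
    globals_, sections = parse_config(text)
    f = []
    # Privileged password: 'enable secret' is hashed, 'enable password' is reversible.
    if not any(g.startswith("enable secret ") for g in globals_):
        f.append(("enable-secret", "no 'enable secret' configured"))
    if any(g.startswith("enable password ") for g in globals_):
        f.append(("enable-password", "reversible 'enable password' present"))
    # SNMP: default community strings; RW means write access to the running config.
    for g in globals_:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", g, re.I)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            f.append(("snmp-default-community", f"'{m.group(1)}' ({m.group(2) or 'RO'}) is a default string"))
    # Management paths that should not be left open: the web UI, plaintext telnet on vty lines.
    if "ip http server" in globals_:
        f.append(("http-server", "web interface enabled ('ip http server')"))
    # Central authentication (RADIUS/TACACS+ via AAA) and remote syslog (IPv4 host).
    if "aaa new-model" not in globals_:
        f.append(("aaa", "no 'aaa new-model'; logins fall back to per-line passwords"))
    if not any(re.match(r"logging (?:host )?\d{1,3}(\.\d{1,3}){3}$", g) for g in globals_):
        f.append(("syslog", "no remote syslog host ('logging host <ipv4>')"))
    for name, body in sections.items():
        for cmd in body:
            if name.startswith("line vty") and cmd.startswith("transport input") \
                    and {"telnet", "all"} & set(cmd.split()[2:]):
                f.append(("vty-telnet", f"{name}: '{cmd}' allows plaintext telnet"))
        # Access ports with no 'switchport access vlan' are still in default VLAN 1.
        if name.startswith("interface ") and "switchport mode access" in body \
                and not any(c.startswith("switchport access vlan ") for c in body):
            f.append(("vlan1", f"{name}: access port still in default VLAN 1"))
    return f


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for check, detail in audit(cfg):
            print(f"  [{check}] {detail}")
```

Run against a real `show running-config` by reading the file into `audit()`. The weak sample produces nine findings (including two default communities and one port left in VLAN 1) and the hardened sample produces none; note that FastEthernet0/2 in the weak config is not flagged because it was moved to VLAN 10, which is exactly the "put user ports into the appropriate VLANs" step.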

There are, of course, dozens of other things you can do to make your network better, like configuring labels on each port to help you track what device is plugged into them, manually setting the speed and duplex on some ports, or turning off unneeded protocols like PAgP. But this list should be sufficient to get most networks up and running with a reasonable effort.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.


This was last published in May 2005
