When configuring switches, it’s helpful to have a guide that can walk you through the basics. Security is also important, and switches can be configured to be an effective part of your network security. In this post, we’ll cover switch basics as well as some ways to incorporate security in your switch setup.
Switch Basics
When configuring a new router, there are a few settings that should be applied. By consistently applying these settings to all of your routers, your network management will be streamlined because you won’t have to look up specific settings for each individual switch. You may also want to review your current devices to ensure that these settings are consistent across your network.
Set the Default Route or Gateway
Without a management IP address, you can’t manage a device on the network. But often, the default route or gateway is forgotten, and this can cause issues down the line, such as the switch becoming unmanaged because network management tools can’t find it or don’t see it. Traffic can reach the switch but without a defined default route or gateway off the network the switch is using it won’t make it off that network.
Set the Correct Time
Without the correct time on a switch, your log entries from that switch will not indicate the actual time and date of the logs. This will make troubleshooting more difficult than it needs to be. There are three common ways to set the time on a switch, manual time, Simple Network Time Protocol and TimeP/Network Time Protocol. It’s also recommended that you have a time server to keep your network in sync. Depending on your environment, you can quickly configure a time server with a few clicks.
Set Up Logging
Network logging and monitoring are important to keeping your network secure and running the way it’s intended to. Event notification and real-time alerts of events on the network rely upon setting up logging. Most switches are able to send event data to a central repository via Simple Network Management Protocol (SNMP). Take a look at the network management tools you have and decide what makes the most sense for you.
Set Up Neighbor Discovery
If your switch can’t talk to its neighbors or they don’t know it’s there, it’s not really doing its job. Setting up neighborhood discovery protocols allow network management tools to see everything on the network. Each switch manufacturer supports a different mix of protocols. The most commonly used are Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP). It’s recommended that you enable all neighbor discovery options.
Set Up SNMP Communities
We’ve mentioned SNMP when talking about logging and monitoring devices on the network, but it is also used to define communities with different access rights. These typically include a read-only string or a read-write string. Read-only lets monitoring tools recognize and gather information from the switch. Read-write also allows management tools to make configuration changes and other changes to the switch. By setting up strings right off the bat, it can be managed by your network management applications right away.
Switch Security Best Practices
Once you have configured your switches according to the basic set up instructions above, it’s time to think about security.
- Set Passwords and Usernames for Console and CLI Access – Configure strong, unique passwords for CLI Access method and levels of authorization. While usernames aren’t required, it’s a good opportunity to set them up as well to avoid any complications with third-party management tools that may have issue with blank username fields.
- Secure SNMP with Custom Strings – Communications sent via SNMP are not encrypted and can be intercepted or sniffed unless you set up custom strings. Also, disable any default strings. Update your network management tools once you’ve changed the strings.
- Enable SSH and Disable Telnet – SSH encrypts communications between the terminal and the switch to prevent man-in-the-middle attacks. Create a public/private SSH key for each switch. Test to make sure it’s working and then disable Telnet.
- Enable HTTPS and Disable HTTP – Create a certificate that the switch will use to authenticate with the browser. HTTPS ensures that management traffic, including login and other sensitive information on the web, will be encrypted.
You can use this post as a checklist when configuring and installing switches on your network or consider adding this information to your documentation. By following these best practices and security tips, you’re setting up your network to be stable and secure, as well as easy to troubleshoot when things do go wrong.