DO:

  1. Give VLANs descriptive names.
  2. Comment configuration lines as much as reasonably possible.
  3. Disable Telnet! Use SSH (version 2) instead. (On Cisco IOS this requires a crypto-capable "k9" image.)
  4. Have a dedicated management VLAN and IP subnet.
  5. Limit SSH management access to the management subnet with a layer 3 ACL (an access-class on the vty lines on Cisco) wherever the platform allows it.
  6. For correct timestamps, configure the clock to synchronize with a Network Time Protocol (NTP) server.
  7. Set up a syslog server, configure all network devices to log to it, and verify that the syslog server is successfully receiving events from each device.
  8. Set up an Authentication, Authorization, and Accounting (AAA) server such as RADIUS or TACACS+, and configure your network devices to use it.
  9. Configure a local administrative user on each device as a fallback in the event of an AAA failure, BUT DO NOT USE IT UNLESS ABSOLUTELY NECESSARY! Its use should be rare enough that a login with it stands out in the syslog.
  10. Back up configurations regularly. Prefer SCP or SFTP: FTP and TFTP transfer the configuration (including password hashes and SNMP strings) in clear text, so if you must use them, keep the server on the management VLAN and restrict it with ACLs.
  11. Keep historical configurations in a version control system (like Git or Mercurial).
  12. Use SNMPv3 with authentication and privacy (authPriv) for monitoring and administration. If a device only supports SNMPv2c, use a read-only community string and restrict it with an ACL, since v2c community strings travel in clear text just like v1.
  13. Add description tags to ports that interface with other switches and ISPs.
  14. Keep switch firmware current: follow the vendor's security advisories and upgrade when fixed releases are available.
  15. Consistently enable the same spanning tree protocol across all interconnected devices.
  16. Configure hostname, default domain, and DNS servers for each network device.
  17. Ensure that all cables are run and terminated in a professional way (correct color code, proper twist distance, not crimped on the conductors, not overbent, etc)
  18. Use "show lldp neighbors" (or "show cdp neighbors" on older Cisco devices) to map out adjacent switches and the ports that connect them.
  19. If the device provides SSH access, disable the web management console ("no ip http server" and "no ip http secure-server" on Cisco IOS).
  20. If your switch supports it, enable DHCP snooping (some vendors call it DHCP guard) to block rogue DHCP servers, and mark only the uplinks toward the legitimate DHCP server as trusted.

DO NOT:

  1. Do not use the default VLAN (VLAN 1 on Cisco) for user or management traffic; shut down its interface and move unused ports to a dedicated, shut-down VLAN.
  2. Do not trunk VLANs unnecessarily; prune each trunk to the VLANs that actually need to cross it.
  3. Do not use SNMPv1 or SNMPv2c with writable community strings (community strings are sent in clear text).
  4. Do not store passwords as plain text, and do not rely on Cisco type 7 "password" encoding, which is trivially reversible. Use the "secret" form: type 8 (PBKDF2) or type 9 (scrypt) where the software supports it, or at least the MD5-based type 5. Public key authentication for SSH is better still!
  5. Do not statically set duplex and speed unless it is absolutely necessary.
  6. Do not leave make or model information in banners and messages of the day (motd).
  7. Do not use DHCP to assign IP addresses to critical IT systems (switches, firewalls, servers, and the like).  Assign static IPs instead, and make sure that those statically assigned IPs are excluded from the DHCP lease range.
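As an added example that is not part of the original post: a small Python audit that applies most of the items on both lists to a saved "show running-config". The two configurations embedded in it are constructed for illustration, as are every hostname, address, ACL number and hash in them, and the vendor-word list used by the banner check is an assumption. The hardened sample doubles as a reference for the Cisco IOS commands behind the DO list.

```python
"""Audit Cisco IOS-style config text against the DO / DO NOT lists above.
Constructed example: the sample configs stand in for 'show running-config'."""
import re

# Global commands the DO list expects (prefix, what it satisfies).
REQUIRED = [
    ("ip domain-name", "default domain (DO 16)"),
    ("ntp server", "NTP server (DO 6)"),
    ("logging host", "syslog server (DO 7)"),
    ("aaa new-model", "AAA (DO 8)"),
    ("ip ssh version 2", "SSHv2 (DO 3)"),
    ("no ip http server", "web console disabled (DO 19)"),
    ("ip dhcp snooping", "DHCP snooping (DO 20)"),
]
# Words that give away make/model if they appear in a banner (assumed list).
VENDOR_WORDS = ("cisco", "catalyst", "nexus", "juniper", "aruba", "procurve")

WEAK_CONFIG = """\
hostname Switch
banner motd ^C Cisco Catalyst 2960 - authorized access only ^C
enable password cisco123
username admin password 7 094F471A1A0A
snmp-server community public RO
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
line vty 0 15
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname core-sw-01
ip domain-name example.internal
no ip http server
ip ssh version 2
ntp server 10.10.0.123
logging host 10.10.0.50
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 9 $9$constructed.hash
username breakglass secret 9 $9$constructed.hash
snmp-server group nms-ro v3 priv access 10
banner motd ^C Authorized access only. Sessions are logged. ^C
ip dhcp snooping
ip dhcp snooping vlan 10,20
access-list 10 permit 10.10.0.0 0.0.0.255
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet1/0/48
 description Uplink to dist-sw-01 Gi1/0/1
 ip dhcp snooping trust
line vty 0 15
 access-class 10 in
 transport input ssh
"""

def parse_blocks(config):
    """Split IOS config text into (top_line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS '!' separators
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    tops = [top for top, _ in blocks]
    findings = []
    for prefix, item in REQUIRED:
        if not any(t == prefix or t.startswith(prefix + " ") for t in tops):
            findings.append(f"missing {item}: no '{prefix}' line")
    for top, children in blocks:
        if top.startswith("snmp-server community"):  # DO NOT 3: v1/v2c in use
            findings.append("SNMPv1/v2c community string present; use SNMPv3 authPriv")
        for line in [top, *children]:  # DO NOT 4: type 0/7 'password', not 'secret'
            if re.search(r"\bpassword(?: [07])? \S+", line):
                findings.append(f"reversible credential: '{line}'; use 'secret'")
        if top.startswith("banner"):  # DO NOT 6: make/model in the banner
            leaked = [w for w in VENDOR_WORDS if re.search(rf"\b{w}\b", top, re.I)]
            if leaked:
                findings.append(f"banner leaks make/model: {leaked}")
        if top == "interface Vlan1" and "shutdown" not in children:  # DO NOT 1
            if any(c.startswith("ip address") for c in children):
                findings.append("management address on default VLAN 1")
        if top.startswith("line vty"):  # DO 3 and DO 5: SSH-only and ACL-restricted
            transport = [c for c in children if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{top}: transport input not restricted to ssh")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{top}: no access-class on management access")
    return findings
```

Run it against a configuration exported from the device (audit(open(path).read())): the weak sample produces a finding for every DO NOT item above plus one "missing" line per absent DO command, while the hardened sample comes back clean. The checks are prefix matches on the IOS syntax shown in the samples, so other vendors' syntax or multi-line banners would need their own patterns.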
