7 things you should do to every switch

So often I see organizations purchase a new switch and throw it into production without any configuration. This is poor management and terribly insecure, so I’m going to offer my quick guide to the 7 things you should do to every switch.

This is by no means a complete guide to security or best practices; this is the bare minimum. The commands vary by switch model (these commands are specific to HP ProCurve switches), so download the manual for your switch and it will walk you through the correct commands. This guide is also for business-class switches, not the unmanaged kind off the shelf at the local big-box store. Do yourself a favor and get a real switch.

Finally, this guide is for the command line only (CLI = command line interface); web management takes too long and often doesn’t provide all the commands needed. The CLI is easy, so don’t be afraid. Connect to the switch with the serial cable that came with it (if a serial cable isn’t provided, you didn’t get a business-class switch). Download and run Tera Term, select serial and the correct COM port. (If you don’t know the COM port, just try them all and hit Enter a couple of times until some text comes up in the window. The prompt should look like switchtype#.) One final note: all commands begin with “config t”, which enters the configuration context, and end with “wr mem”, which saves the config.

On to the list.

Change the Hostname

Giving your switches good hostnames makes them easier to identify and document.

The Commands:

config t
hostname switchID_model_location *
wr mem

Command Notes:
* Use whatever hostname you like, but if you have multiple switches use the same naming scheme on all of them, and remember that networks change, so don’t name this switch “Sw3_marketing” because it might be the sales department next year. Narrow naming schemes lead to outdated documentation. I use a format like Sw1_5412zl_1FL

Enable HTTPS web management

HTTP sends everything in cleartext, and you don’t want everyone to see your config and login information. Enabling HTTPS is an easy step toward securing your installation.

The Commands:

config t
crypto key generate cert 1024
*
web-management ssl 443 **
no web-management plaintext
wr mem

Command Notes:
* The switch will ask for some organization information and for the certificate validity end date. Choose an end date well into the future. I normally add 10 years.
** Port 443 is the default for HTTPS. If you change this you will have to enter https://x.x.x.x:port# in your address bar to reach the web management interface.

Enable SSH for CLI management

Telnet is transmitted in plaintext, so you are sending your usernames and passwords across the wire without any protection. Most telnet clients (Tera Term and PuTTY are my preferred clients) support SSH as well.

The Commands:

config t
crypto key generate ssh *
ip ssh
no telnet-server **
wr mem

Command Notes:
* This generates the switch’s SSH host key pair; the HTTPS certificate from the previous step is not used by SSH, and no organization information is requested. Key generation can take a moment on older models.
** This command disables telnet, so if you are telnetting across the network your session will end. Use the console, or enable SSH first, close telnet, open an SSH session to the switch and complete the last two commands.

Set Username and Passwords

Everyone knows what the default username and passwords are, so you MUST change them to have any chance at security. It’s fine to make all the switches use the same credentials; standardization is your friend.

The Commands:

config t
password operator user-name (read-only username)
*
password manager user-name (admin username)
*
wr mem

Command Notes:
* At this point the switch will ask you to enter the password twice. Type carefully and DOCUMENT!

Set a static IP

Most switches have DHCP enabled by default, and a switch doesn’t need an IP address just to forward traffic, but if you want to manage and monitor your switches it’s best to assign static IP addresses.

The Commands:

config t
vlan 1 *
ip address x.x.x.x y.y.y.y **
wr mem

Command Notes:
* This is the default VLAN on most switches. If you are using multiple VLANs or a management VLAN, then I hope you already understand IP addressing and routing.
** x.x.x.x is the IP address and y.y.y.y is the subnet mask; either the long form (255.255.255.0) or CIDR notation (/24) is accepted.

Save a copy of the config

This will be a great addition to your network documentation and can save a lot of troubleshooting time in the future.

The Commands:

wr mem
copy running-config tftp x.x.x.x filename.txt * **

Command Notes:
* x.x.x.x is the IP address of the TFTP server
** It’s a good idea to make the filename match your hostname (e.g. Sw1_5412zl_1FL_config1.txt)
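Once you have a copy of the config on the TFTP server, you can check it against this list instead of logging into every switch. The script below is an added example, not part of the original post: it parses a constructed ProCurve-style config (not a real switch dump) and reports which of the seven items are missing. The naming-scheme regex, the assumed factory defaults (telnet and plaintext HTTP on, SSH and HTTPS off until the config says otherwise) and the sample config are my assumptions; it also accepts the static IP in either long-form mask or CIDR notation, as the static IP section notes.

```python
import ipaddress
import re

# Constructed sample of a saved running-config in the ProCurve style
# (not captured from a real switch); it uses the commands from this guide.
SAMPLE_CONFIG = """\
; J8698A Configuration Editor; Created on release #K.15.01
hostname "Sw1_5412zl_1FL"
web-management ssl
no web-management plaintext
ip ssh
no telnet-server
password manager user-name "netadmin"
password operator user-name "readonly"
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.0.0.2 255.255.255.0
   exit
"""

# Hypothetical naming scheme matching the guide's Sw1_5412zl_1FL example:
# Sw<number>_<model>_<floor>FL
HOSTNAME_SCHEME = re.compile(r"^Sw\d+_[A-Za-z0-9]+_\d+FL$")

# Assumed factory defaults: telnet and plaintext HTTP on, SSH and HTTPS off,
# so a setting only counts as secure if the config explicitly says so.
DEFAULTS = {
    "hostname": None,
    "https": False,
    "http_plaintext": True,
    "ssh": False,
    "telnet": True,
    "manager_user": None,
    "operator_user": None,
}


def parse_address(fields):
    """Accept 'a.b.c.d m.m.m.m' (long form) or 'a.b.c.d/nn' (CIDR)."""
    if len(fields) == 2:
        return ipaddress.ip_interface(f"{fields[0]}/{fields[1]}")
    return ipaddress.ip_interface(fields[0])


def parse_config(text):
    """Extract the settings this guide cares about from a saved config."""
    cfg = dict(DEFAULTS)
    cfg["static_ips"] = {}          # vlan id -> IPv4Interface
    vlan = None                     # vlan context we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                # blank line or config header comment
        words = line.split()
        if words[0] == "hostname":
            cfg["hostname"] = words[1].strip('"')
        elif words[:2] == ["web-management", "ssl"]:
            cfg["https"] = True
        elif line == "no web-management plaintext":
            cfg["http_plaintext"] = False
        elif line == "ip ssh":
            cfg["ssh"] = True
        elif line == "no telnet-server":
            cfg["telnet"] = False
        elif words[:2] == ["password", "manager"] and "user-name" in words:
            cfg["manager_user"] = words[words.index("user-name") + 1].strip('"')
        elif words[:2] == ["password", "operator"] and "user-name" in words:
            cfg["operator_user"] = words[words.index("user-name") + 1].strip('"')
        elif words[0] == "vlan":
            vlan = int(words[1])
        elif words[0] == "exit":
            vlan = None
        elif words[:2] == ["ip", "address"] and vlan is not None:
            if words[2] == "dhcp-bootp":
                continue            # DHCP, not a static address
            cfg["static_ips"][vlan] = parse_address(words[2:])
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means all seven checks passed."""
    findings = []
    if not cfg["hostname"]:
        findings.append("hostname not set")
    elif not HOSTNAME_SCHEME.match(cfg["hostname"]):
        findings.append(f"hostname {cfg['hostname']!r} does not follow the naming scheme")
    if not cfg["https"]:
        findings.append("HTTPS web management not enabled")
    if cfg["http_plaintext"]:
        findings.append("plaintext HTTP web management still enabled")
    if not cfg["ssh"]:
        findings.append("SSH not enabled")
    if cfg["telnet"]:
        findings.append("telnet still enabled")
    if not cfg["manager_user"] or not cfg["operator_user"]:
        findings.append("manager and/or operator username not set")
    if not cfg["static_ips"]:
        findings.append("no static management IP configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["all checks passed"]:
        print(finding)
```

Run it against each saved config file (for example, every Sw*_config*.txt in the TFTP root) and anything it prints other than "all checks passed" is a switch that still needs attention. Firmware version is not in the config, so that check still has to come from the switch itself.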

Upgrade Firmware

The latest firmware is essential to stability and performance. Download the SolarWinds TFTP server and the latest version of the firmware. Make sure to read the release notes to find out whether you need an intermediate upgrade. For example, if your switch is running version 7 and the latest is version 11, you might have to load version 8 before upgrading to 11. READ! Once you have the firmware, copy the .swi file into your TFTP root directory (C:\TFTP-Root by default).

The Commands:

copy tftp flash x.x.x.x filename.swi secondary *
sh flash **
boot system flash secondary ***
(answer y when the switch asks you to confirm the reboot)

Command Notes:
* x.x.x.x is the IP address of your TFTP server
** sh flash shows you
