Best Practices for Switch Deployment at Customer Locations

From Notes_Wiki

Purpose

This document provides a standardized checklist and deployment procedure for network switches installed at customer sites. The goal is to ensure secure, stable, and consistent switch configurations across all customer environments, minimizing configuration gaps and improving network reliability.

Scope

This procedure applies to all managed switch deployments (Layer 2 / Layer 3) performed by the network implementation or field engineering team at customer premises. It covers post-installation configuration and verification steps for both access and distribution layer switches.


Prerequisites

Before starting switch configuration, ensure:

  • Power and physical network connectivity are verified.
  • Switch is running the approved firmware version.
  • Access to the switch console or management IP is available.
  • Network design document and IP plan are reviewed.

Configuration Steps

Configure Management Interface and Gateway

Assign the switch management interface (e.g., VLAN interface) a static IP as per the customer’s IP plan.

interface vlan <Mgmt_VLAN_ID>
ip address <Mgmt_IP> <Subnet_Mask>
ip default-gateway <Mgmt_GW_IP>

Ensure connectivity to the NOC or management system via ping or traceroute.

Note: Avoid using VLAN 1 as the management VLAN to prevent potential security risks and traffic leaks.

Set Strong Administrative Passwords

Configure a strong local admin password:

 ! "secret" stores a one-way hash; "password" is stored reversibly (type 7) and is recoverable from the config
 username admin secret <Complex_Password>

Note: Enforce password complexity as per organization policy (minimum 8–12 characters, mix of upper/lowercase, numbers, and symbols).


Apply Access Control Lists (ACLs) for Management Access

Restrict SSH/Telnet management to authorized IP ranges only (a standard ACL entry takes the subnet and its wildcard mask, e.g. 10.10.0.0 0.0.0.255):

ip access-list standard MGMT_ACCESS
permit <Authorized_MGMT_Subnet> <Wildcard_Mask>
deny any
line vty 0 4
access-class MGMT_ACCESS in
transport input ssh

Disable Telnet if not required ("transport input ssh" accepts SSH only):

line vty 0 4
transport input ssh

Note: Many platforms provide more vty lines than 0 4 (commonly 0 15). Apply the access-class and transport restriction to every vty line the platform has; otherwise the remaining lines stay reachable without the restriction.



Configure Spanning Tree Protocol (STP) Consistently

Verify STP mode (RSTP/MSTP) matches across all switches in the site. Set appropriate STP priorities for root and secondary switches:

 ! Root switch
 spanning-tree vlan <VLAN_ID> priority 4096
 ! Secondary (backup root) switch
 spanning-tree vlan <VLAN_ID> priority 8192

Enable Port Security (If Applicable)

Limit the number of MAC addresses on access ports:

interface <access-port>
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict

Enable Storm Control (If Needed)

Protect against broadcast/multicast/unicast flooding:

interface <port>
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control action shutdown

Verify LACP Status

Ensure all configured LACP interfaces are in participant/active mode:

show lacp interface

Resolve any mismatched or suspended ports.

Disable Unused Ports

Identify and shut down unused ports:

 interface range <ports>
 shutdown
 description UNUSED_PORT

Optionally, assign them to an isolated VLAN (e.g., VLAN 999).
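As an added verification aid for the steps above (example code written for this page, not part of the wiki's procedure or of any vendor tool), the following Python script parses a saved running-config in IOS style and checks the management-plane items (management SVI not on VLAN 1, local user stored with "secret" rather than "password", vty lines carrying an inbound access-class and accepting SSH only) together with the access-port items (port-security and broadcast storm-control on access ports, unused ports shut down and described). The sample config, the finding texts and the severity labels are constructed assumptions; the parser relies on the single-space indentation IOS uses for stanza children.

```python
"""Audit an IOS-style running-config against the deployment checklist.

Added example: SAMPLE_CONFIG is constructed with deliberate gaps so the audit
has something to find; the check names and severities are this script's own.
"""

# Constructed sample running-config (not a real device export).
SAMPLE_CONFIG = """\
hostname SITE-FLR-SW01
username admin password 7 0822455D0A16
banner motd ^C Unauthorized access is prohibited ^C
ntp server 10.0.0.10 prefer
logging host 10.0.0.20
ip access-list standard MGMT_ACCESS
 permit 10.10.0.0 0.0.0.255
 deny   any
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet1/0/1
 description Uplink_to_Core_SW01
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 storm-control broadcast level 5.00
interface GigabitEthernet1/0/3
 switchport mode access
interface GigabitEthernet1/0/4
 description UNUSED_PORT
 shutdown
interface GigabitEthernet1/0/5
line vty 0 4
 transport input ssh telnet
"""


def parse_config(text):
    """Split a config into (global_lines, stanzas).

    stanzas maps each unindented header (e.g. 'interface Vlan1', 'line vty 0 4')
    to the list of its indented child lines, stripped of whitespace.
    """
    global_lines, stanzas = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank line or IOS comment
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
            global_lines.append(current)
    return global_lines, stanzas


def audit(text):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    global_lines, stanzas = parse_config(text)
    findings = []

    # Management plane: SVI on VLAN 1, local users stored with reversible 'password'
    if any("ip address" in line for line in stanzas.get("interface Vlan1", [])):
        findings.append(("HIGH", "management SVI lives on VLAN 1"))
    for g in global_lines:
        if g.startswith("username ") and " secret " not in g:
            findings.append(("HIGH", f"local user not using 'secret': {g.split()[1]}"))

    # VTY lines: must carry an inbound access-class and accept SSH only
    for hdr, body in stanzas.items():
        if not hdr.startswith("line vty"):
            continue
        if not any(line.startswith("access-class") and line.endswith(" in") for line in body):
            findings.append(("HIGH", f"{hdr}: no inbound access-class"))
        if [line for line in body if line.startswith("transport input")] != ["transport input ssh"]:
            findings.append(("HIGH", f"{hdr}: transport input is not 'ssh' only"))

    # Physical interfaces: shut ports need a description; bare ports are unused but live;
    # access ports need port-security and broadcast storm-control
    for hdr, body in stanzas.items():
        if not hdr.startswith("interface ") or hdr.startswith("interface Vlan"):
            continue
        name = hdr.split()[1]
        if "shutdown" in body:
            if not any(line.startswith("description") for line in body):
                findings.append(("LOW", f"{name}: shut but undocumented"))
            continue
        if not body:
            findings.append(("MEDIUM", f"{name}: unused port not shut down"))
            continue
        if "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(("MEDIUM", f"{name}: access port without port-security"))
            if not any(line.startswith("storm-control broadcast") for line in body):
                findings.append(("LOW", f"{name}: access port without broadcast storm-control"))

    # Global services the checklist requires
    for prefix, label in (("ntp server", "NTP"), ("logging host", "syslog"), ("banner motd", "login banner")):
        if not any(g.startswith(prefix) for g in global_lines):
            findings.append(("MEDIUM", f"no {label} configured"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it against the exported backup from the "Backup Configuration" step; on the constructed sample it reports the VLAN 1 SVI, the type 7 admin password, the unrestricted vty lines, the unprotected access port Gi1/0/3 and the live but unconfigured port Gi1/0/5, while the correctly configured ports and the shut, described port Gi1/0/4 produce nothing.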

Configure Jumbo MTU (If Required)

For environments requiring large frame transmission (e.g., storage or virtualization):

 system mtu 9216

Reboot if necessary for changes to take effect.


Set Date, Time, and NTP Configuration

Configure timezone and NTP servers:

clock timezone IST 5 30
ntp server <NTP_IP> prefer

Verify synchronization:

show ntp status

Configure Syslog

Forward logs to customer or central syslog server:

logging host <Syslog_Server_IP>
logging trap informational

Verify logging functionality.
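The controls configured earlier (port security, BPDU guard, storm control) only pay off if their syslog messages are noticed at the collector. As an added example (written for this page, not taken from the wiki or any vendor), the Python below parses IOS-style syslog lines as a collector receives them, keeps only messages from those controls plus configuration changes, and counts events per host and port so a repeatedly offending port stands out. The log lines are constructed in the style of IOS messages and the mnemonic-to-control table is this script's own assumption.

```python
"""Pick out checklist-control events from switch syslog at the collector.

Added example: SAMPLE_LOGS is constructed in the style of IOS syslog output;
CONTROL_EVENTS is an assumed mapping from facility/mnemonic to the control.
"""
import re
from collections import Counter

# Constructed sample lines (not from a real device), one IOS-style message each.
SAMPLE_LOGS = """\
<187>Jan 12 10:01:05 SITE-FLR-SW01 1234: *Jan 12 10:01:04.911 IST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/3.
<187>Jan 12 10:01:09 SITE-FLR-SW01 1235: *Jan 12 10:01:08.002 IST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
<188>Jan 12 10:01:09 SITE-FLR-SW01 1236: *Jan 12 10:01:08.010 IST: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
<187>Jan 12 10:02:30 SITE-FLR-SW01 1237: *Jan 12 10:02:29.500 IST: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/3. A packet filter action has been applied on the interface.
<189>Jan 12 10:03:00 SITE-FLR-SW01 1238: *Jan 12 10:02:59.700 IST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
<190>Jan 12 10:03:10 SITE-FLR-SW01 1239: *Jan 12 10:03:09.100 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
"""

# <PRI>timestamp host ... %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) .*?"
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<text>.*)$"
)
# Interface names in long or short form, e.g. GigabitEthernet1/0/3 or Gi1/0/3
PORT_RE = re.compile(r"\b(?:Gi|GigabitEthernet|Te|TenGigabitEthernet)\d+(?:/\d+)+\b")

# Assumed table: which checklist control produces which facility/mnemonic pair
CONTROL_EVENTS = {
    ("PORT_SECURITY", "PSECURE_VIOLATION"): "port-security",
    ("SPANTREE", "BLOCK_BPDUGUARD"): "bpdu-guard",
    ("PM", "ERR_DISABLE"): "err-disable",
    ("STORM_CONTROL", "FILTERED"): "storm-control",
    ("SYS", "CONFIG_I"): "config-change",
}


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not IOS-shaped."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    ports = PORT_RE.findall(rec["text"])
    rec["port"] = ports[0] if ports else None  # first interface mentioned, if any
    rec["control"] = CONTROL_EVENTS.get((rec["fac"], rec["mn"]))
    return rec


def detect(text):
    """Return the records whose facility/mnemonic belongs to a checklist control."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["control"]:
            events.append(rec)
    return events


def summarize(events):
    """Count events per (host, port, control) so repeat offenders are visible."""
    return Counter((e["host"], e["port"], e["control"]) for e in events)


if __name__ == "__main__":
    for (host, port, control), n in summarize(detect(SAMPLE_LOGS)).items():
        print(f"{host} {port or '-'} {control}: {n}")
```

Because "logging trap informational" forwards severity 6 and below, all of the messages above reach the collector; the LINEPROTO link-state message is parsed but dropped by detect() because it is not in the control table.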

Enable SNMP or NMS Monitoring

Configure SNMP for monitoring if required:

 snmp-server community <Community_String> ro
 snmp-server host <NMS_IP> version 2c <Community_String>

Note: SNMPv2c sends the community string in clear text, so treat it like a password, use a read-only community, and restrict it to the NMS with a standard ACL where the platform supports it ("snmp-server community <Community_String> ro <SNMP_ACL>"). Prefer SNMPv3 with authentication and privacy if the NMS supports it.

Verify reachability from the NMS platform.

Backup Configuration

Save and export switch configuration after deployment:

write memory
copy running-config tftp://<Server_IP>/<Switch_Name>_config.cfg

Store backups in the project documentation.

Firmware and Configuration Baseline

Ensure switch runs on the approved/stable firmware version.

→ Outdated firmware may cause security vulnerabilities or protocol mismatches.

Save default configuration before changes for rollback or audit purposes.


Hostname and Device Naming Convention

Set a meaningful hostname following the standard naming scheme (e.g., SITE-FLR-SW01). This helps identify the device easily in monitoring tools and logs.

Configure a login banner for legal and security compliance:

banner motd ^ Unauthorized access is prohibited ^

VLAN and Trunk Configuration Validation

Ensure all VLANs are created as per design.

Check trunk ports for allowed VLANs:

 show interfaces trunk

Loop Protection / BPDU Guard

Enable BPDU Guard (and Root Guard where the design calls for it) on access ports to prevent accidental loops and rogue root bridges. On an access port:

 interface <access-port>
 spanning-tree portfast
 spanning-tree bpduguard enable

Or enable it globally on all PortFast ports:

 spanning-tree portfast bpduguard default

Root Guard, on ports that must never become the path to the root bridge:

 spanning-tree guard root

Temperature and Hardware Health Check

Validate fan status, temperature, and power supply health before handover:

 show environment

Interface Description and Documentation

Add clear descriptions on each interface for traceability:

 interface Gi1/0/1
 description Uplink_to_Core_SW01

Post-Deployment Handover

  1. Submit configuration backup to project documentation.
  2. Update asset register with management IP, hostname, and location details.
  3. Inform NOC/Monitoring team for inclusion in monitoring system.


Conclusion

Following these deployment best practices ensures secure, consistent, and reliable switch configurations at customer sites. Proper management access, security controls, monitoring, and backups help maintain network stability and simplify ongoing maintenance.
