Interfaces, commonly known as ports, are a vital component of any network. Need to connect two pieces of equipment? It could be as easy as plugging in cables—but then you’re using out of the box configurations that don’t follow best practices and are inherently insecure.
There are many things an MSP should consider when defining a standard network interface configuration. Small business and enterprise-grade equipment is known as “managed” equipment, meaning we can log into it and make changes. We can logically program each interface to behave differently based on business needs.
In this post, we’ll focus on switches (the device that typically has the highest number of physical interfaces) and help you define a baseline configuration that applies to each interface.
Standardizing as much of your service offering as possible—including the hardware and configurations running on it—simplifies training and troubleshooting with your technicians and ensures you’re delivering a consistent product and experience to your customers.
Our checklist below covers the key things you’ll want to consider the next time you’re configuring a network interface or refreshing your existing templates.
Interface configuration checklist
✔ Have a description
Include details on the purpose of the interface and where it’s connected. If the interface connects to third-party equipment, it’s useful to include relevant information such as an ISP’s circuit ID and telephone number for quick reference in the event of an issue. But don’t use too much detail. John’s workstation may be a great description today but if John moves desks it’s outdated. Think more like front reception.
✔ Use switching loop technologies
Enable switching loop technologies such as spanning tree, PortFast, or BDPU whenever possible to prevent (un)intentional loops caused by connecting a switch to itself and creating broadcast storms that overwhelm the network.
✔ Standardize key network device connections
Many MSPs configure the first port as the trunk link to an upstream (closer to the perimeter) Layer 3 device such as a firewall, and the last port as a trunk link to a downstream (closer to the user) Layer 3 device.
✔ Use link aggregation
Increase the reliability and capacity of a link by making use of technologies such as link aggregation. Link aggregation is a way of bundling a bunch of individual Ethernet links together, so they act as a single logical link. If you have a switch with a whole lot of Gigabit Ethernet ports, you can connect all of them to another device that also has a bunch of ports and balance the traffic among these links to improve performance. Many technicians will even zip-tie the cables together to distinguish the bundled connection from others physically.
✔ Match VLAN IDs
Switched virtual interfaces (SVIs) bridge the gap between the switching (Layer 2) and routing (Layer 3) within a computer network for a virtual network segment —more commonly known as a VLAN (virtual local area network). SVIs have IP addresses for routing, and you define them by the VLAN associated with them. In a small or mid-sized network, try and match VLAN IDs to Class C subnet masks to make it easy for you and your techs to remember. For example, associate VLAN 100 to 192.168.100.1/masksize.
✔ Shut off unused ports
If you aren’t planning to use an interface in the short term, shut it down. This keeps malicious or “helpful” users from plugging devices into ports they shouldn’t be using. Turning on a port later is typically a minor change and can often be done outside of a maintenance window.
✔ Minimize cross-talk
Minimize the amount of cross-talk that happens on specific ports. Say you’re managing a boarding school or dorm setup where each resident plugs in their computer. Without hardening the configuration, chances are each resident will be able to reach (and even sniff) traffic that’s destined for someone else. Flip on client isolation features where possible.
✔ Turn on supporting tools
Flip on mDNS relay and Bonjour discovery and relay only where needed. Devices such as network printers make heavy use of these protocols for auto-discovery and print jobs, but they’re not exactly known for being secure.
Interfaces are the main points of connectivity on a network, sending and receiving traffic throughout an organization. They’re also the first line of defence against hackers, rogue devices, and honest mistakes. The guidelines in this post allow you to create new, secure network interface configurations or update your existing templates.