When you take your switch from the box and set it up for the first time, you set the safe defaults mode. You should use the safe defaults mode, which disables Telnet, STP (Spanning Tree Protocol), and SNMP (Simple Network Management Protocol). All ports are enabled in the factory default setting; you can choose to have all unconfigured ports disabled on reboot using the interactive questions. Also, STPD (Spanning Tree Domain) s0 is enabled on the default VLAN (Virtual LAN); you have the option to disable STPD in safe defaults mode.
After you connect to the console port of the switch, or after you run unconfigure switch {all} or configure safe-default-script, you can change management access to your device to enhance security.
This switch currently has some management methods enabled for convenience reasons. Please answer these questions about the security settings you would like to use. You may quit and accept the default settings by entering 'q' at any time. !!!! NOTE: Spanning Tree default changed in ExtremeXOS 22.2 !!!! Multiple Spanning Tree Protocol (MSTP) is enabled by default to prevent broadcast storms Would you like to disable MSTP? [y/N/q]:
The switch offers an enhanced security mode. Would you like to read more, and have the choice to enable this enhanced security mode? [y/N/q]:
If you select "no," go to 4.
Enhanced security mode configures the following defaults: * Disable Telnet server. * Disable HTTP server. * Disable SNMP server. * Remove all factory default login accounts. * Force creation of a new admin (read-write) account. * Lockout accounts for 5 minutes after 3 consecutive login failures. * Plaintext password entry will not be allowed. * Generate an event when the logging memory buffer exceeds 90% of capacity. * Only admin privilege accounts are permitted to run "show log". * Only admin privilege accounts are permitted to run "show diagnostics". Would you like to use this enhanced security mode? [Y/n/q]:
If you select "yes," enhanced security mode is enabled. Go to step 8.
Telnet is enabled by default. Telnet is unencrypted and has been the target of security exploits in the past. Would you like to disable Telnet? [y/N/q]:
SNMP access is disabled by default. SNMPv1/v2c uses no encryption, SNMPv3 can be configured to eliminate this problem. Would you like to enable SNMPv1/v2c? [y/N/q]: Yes
SNMP community string is a text string that is used to authenticate SNMPv1/v2c messages. It is required for managing the switch using SNMPv1/v2c. Would you like to configure a read-only and read-write community string? [Y/n/q]: Yes Read-only community string: Re-enter read-only community string: Read-write community string: Re-enter read-write community string:
Would you like to enable SNMPv3? [y/N/q]: Yes SNMPv3 uses usernames/passwords to authenticate and encrypt SNMP messages. Would you like to create an SNMPv3 user? [Y/n/q]: Yes User name: admin Authentication password: Reenter authentication password: Privacy password: Reenter privacy password: SNMPv3 user ‘admin‘ was created with authentication protocol SHA and privacy protocol AES-128.