Using Safe Defaults Mode

When you take your switch from the box and set it up for the first time, you set the safe defaults mode. You should use the safe defaults mode, which disables Telnet, STP (Spanning Tree Protocol), and SNMP (Simple Network Management Protocol). All ports are enabled in the factory default setting; you can choose to have all unconfigured ports disabled on reboot using the interactive questions. Also, STPD (Spanning Tree Domain) s0 is enabled on the default VLAN (Virtual LAN); you have the option to disable STPD in safe defaults mode.

After you connect to the console port of the switch, or after you run unconfigure switch {all} or configure safe-default-script, you can change management access to your device to enhance security.

  1. Connect the console and log in to the switch.
    This switch currently has some management methods enabled for convenience reasons.
    Please answer these questions about the security settings you would like to use.
    You may quit and accept the default settings by entering 'q' at any time.
    
    !!!!  NOTE: Spanning Tree default changed in ExtremeXOS 22.2  !!!!
    
    Multiple Spanning Tree Protocol (MSTP) is enabled by default to prevent
    broadcast storms
    
    Would you like to disable MSTP? [y/N/q]: 
  2. Type y (to disable) or n (to enable ) MSTP (Multiple Spanning Tree Protocol).
    The switch offers an enhanced security mode. Would you like to read more,
    and have the choice to enable this enhanced security mode? [y/N/q]:

    If you select "no," go to 4.

  3. If you select "yes," the following appears:
    Enhanced security mode configures the following defaults:
    
            * Disable Telnet server.
            * Disable HTTP server.
            * Disable SNMP server.
            * Remove all factory default login accounts.
            * Force creation of a new admin (read-write) account.
            * Lockout accounts for 5 minutes after 3 consecutive login failures.
            * Plaintext password entry will not be allowed.
            * Generate an event when the logging memory buffer exceeds 90% of capacity.
            * Only admin privilege accounts are permitted to run "show log".
            * Only admin privilege accounts are permitted to run "show diagnostics".
    
    Would you like to use this enhanced security mode? [Y/n/q]:

    If you select "yes," enhanced security mode is enabled. Go to 8.

  4. If you select "no," you are prompted to disable Telnet:
    Telnet is enabled by default. Telnet is unencrypted and has been the target of
    security exploits in the past.
    
    Would you like to disable Telnet? [y/N/q]:
    
  5. You are prompted to enable SNMPv1/v2c:
    SNMP access is disabled by default. 
    SNMPv1/v2c uses no encryption, SNMPv3 can be configured to eliminate this problem. 
    Would you like to enable SNMPv1/v2c? [y/N/q]: Yes 
  6. You are prompted to set up the community string:
    SNMP community string is a text string that is used to authenticate SNMPv1/v2c messages. 
    It is required for managing the switch using SNMPv1/v2c.  
    Would you like to configure a read-only and read-write community string? [Y/n/q]: Yes 
    
    Read-only community string:  
    Re-enter read-only community string:  
    Read-write community string:  
    Re-enter read-write community string: 
  7. You are prompted to enable SNMPv3:
    Would you like to enable SNMPv3? [y/N/q]: Yes 
    
    SNMPv3 uses usernames/passwords to authenticate and encrypt SNMP messages. 
    Would you like to create an SNMPv3 user? [Y/n/q]: Yes 
    
    User name: admin 
    Authentication password: 
    Reenter authentication password: 
    Privacy password: 
    Reenter privacy password: 
    
    SNMPv3 user ‘admin‘ was created with authentication protocol SHA and privacy protocol AES-128. 
    
  8. Reboot the switch.