Using Safe Defaults Mode

When you take your switch from the box and set it up for the first time, you set the safe defaults mode. You should use the safe defaults mode, which lets you configure IP management connectivity if you choose not to use Auto Provisioning. It also lets you choose whether to enable or disable Telnet, STP, and SNMP. All ports are enabled in the factory default setting; you can choose to have all unconfigured ports disabled on reboot using the interactive questions. Also, STPD s0 is enabled on the default VLAN; you have the option to disable STPD in safe defaults mode.

After you connect to the console port of the switch, or after you run unconfigure switch {all} or run provisioning, you can change management access to your device to enhance security.

  1. Connect the console and log in to the switch.
    This switch currently has some management methods enabled for convenience reasons.
    Please answer these questions about the security settings you would like to use.
    You may quit and accept the default settings by entering 'q' at any time.
    
    Would you like to change the switch OS to Fabric Engine? [y/N/q]
  2. You are prompted to select your network operating system: Switch Engine (default) or Fabric Engine:
    • For Switch Engine, type N.
    • For Fabric Engine, type y.
  3. Type y (to disable) or n (to enable) auto-provisioning.
    By default, Auto-Provisioning uses DHCP on all Ethernet ports as this switch
    attempts to connect to an Extreme Networks management product.
    Instead of using DHCP, do you want to 'disable auto-provision' and
    configure a static IP address, default gateway and DNS server now? [y/N/q]: y

    Select y to be prompted for a port to use for management, an IP address and subnet mask length, an optional default gateway IP address, a DNS name server and DNS domain suffix.

  4. Type y (to disable) or n (to enable) MSTP.
    The switch offers an enhanced security mode. Would you like to read more,
    and have the choice to enable this enhanced security mode? [y/N/q]:

    If you select "no," go to step 6.

  5. If you select "yes," the following appears:
    Enhanced security mode configures the following defaults:
    
            * Disable Telnet server.
            * Disable HTTP server.
            * Disable SNMP server.
            * Remove all factory default login accounts.
            * Force creation of a new admin (read-write) account.
            * Lockout accounts for 5 minutes after 3 consecutive login failures.
            * Plaintext password entry will not be allowed.
            * Generate an event when the logging memory buffer exceeds 90% of capacity.
            * Only admin privilege accounts are permitted to run "show log".
            * Only admin privilege accounts are permitted to run "show diagnostics".
    
    Would you like to use this enhanced security mode? [Y/n/q]:

    If you select "yes," enhanced security mode is enabled. Go to step 10.

  6. If you select "no," you are prompted to disable Telnet:
    Telnet is enabled by default. Telnet is unencrypted and has been the target of
    security exploits in the past.
    
    Would you like to disable Telnet? [y/N/q]:
    
  7. You are prompted to enable SNMPv2c:
    SNMP access is disabled by default. 
    SNMPv2c uses no encryption, SNMPv3 can be configured to eliminate this problem. 
    Would you like to enable SNMPv2c? [y/N/q]: Yes 
  8. You are prompted to set up the community string:
    SNMP community string is a text string that is used to authenticate SNMPv2c messages. 
    It is required for managing the switch using SNMPv2c.  
    Would you like to configure a read-only and read-write community string? [Y/n/q]: Yes 
    
    Read-only community string:  
    Re-enter read-only community string:  
    Read-write community string:  
    Re-enter read-write community string: 
  9. You are prompted to enable SNMPv3:
    Would you like to enable SNMPv3? [y/N/q]: Yes 
    
    SNMPv3 uses usernames/passwords to authenticate and encrypt SNMP messages. 
    Would you like to create an SNMPv3 user? [Y/n/q]: Yes 
    
    User name: admin 
    Authentication password: 
    Reenter authentication password: 
    Privacy password: 
    Reenter privacy password: 
    
    SNMPv3 user ‘admin‘ was created with authentication protocol SHA and privacy protocol AES-128. 
    
  10. Reboot the switch.
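
After the reboot, it is worth confirming that the unencrypted management services discussed in the steps above ended up in the state you chose. The following is an added example, not part of the vendor procedure: a small Python check over saved configuration text. The sample configuration is constructed, and the `enable|disable <service>` line syntax, the last-line-wins rule, and the names `SERVICES`, `DEFAULTS`, `service_states` and `findings` are assumptions of this example.

```python
import re

# Constructed sample of saved configuration lines (not captured from a device).
# ASSUMPTION: each service is toggled by an "enable|disable <service>" line and
# the last such line wins; check the wording your software release prints.
SAMPLE_CONFIG = """\
# constructed example
enable telnet
disable web http
enable snmp access snmp-v1v2c
enable snmp access snmpv3
disable telnet
"""

# Unencrypted management services named on the page, with the words that
# identify each one in a configuration line (assumed syntax).
SERVICES = {
    "telnet": "telnet",
    "http": "web http",
    "snmpv2c": "snmp access snmp-v1v2c",
}

# State when the configuration has no line for a service. The page says Telnet
# is enabled and SNMP access is disabled by default; it does not state the HTTP
# default, so that is reported as unknown instead of being guessed.
DEFAULTS = {"telnet": "enabled", "http": "unknown", "snmpv2c": "disabled"}


def service_states(config_text):
    """Return {service: 'enabled' | 'disabled' | 'unknown'} for the config."""
    states = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, words in SERVICES.items():
            pattern = r"\s+".join(re.escape(w) for w in words.split())
            match = re.fullmatch(rf"(enable|disable)\s+{pattern}", line)
            if match:
                states[name] = match.group(1) + "d"  # later lines override
    return states


def findings(config_text):
    """Services that are not positively disabled, sorted by name."""
    return sorted(n for n, s in service_states(config_text).items() if s != "disabled")


if __name__ == "__main__":
    print(service_states(SAMPLE_CONFIG))
    print("review:", findings(SAMPLE_CONFIG))
```

A service reported as unknown needs to be checked on the switch itself, since the absence of a configuration line does not prove it is off.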