Managed Switch Configuration Guide: VLANs, QoS, and Security Best Practices

# Managed Switch Configuration Guide: VLANs, QoS, and Security Best Practices

Managed switches are the backbone of any business network. Unlike unmanaged switches that simply forward traffic, managed switches give you control over VLANs, QoS, port security, and monitoring. Here is how to configure them properly.

## VLAN Configuration

VLANs (Virtual LANs) segment your network into isolated broadcast domains. This is essential for security, performance, and compliance.

### Recommended VLAN Structure

| VLAN ID | Name | Purpose | Subnet Example | |---------|------|---------|----------------| | 1 | Default | Management only (no user traffic) | 10.0.1.0/24 | | 10 | Data | Employee workstations | 10.0.10.0/24 | | 20 | Voice | VoIP phones | 10.0.20.0/24 | | 30 | Servers | Server and storage traffic | 10.0.30.0/24 | | 40 | Guest | Guest Wi-Fi (internet only) | 10.0.40.0/24 | | 50 | Security | IP cameras and access control | 10.0.50.0/24 | | 99 | Native | Untagged frames (unused VLAN) | — |

### Key VLAN Rules

### Trunk Ports

Trunk ports carry multiple VLANs between switches. Configure trunks to only allow the VLANs that need to cross that link — do not allow all VLANs on every trunk.

## QoS Configuration for VoIP

QoS ensures VoIP traffic gets priority over bulk data transfers. Without QoS, a large file download or cloud backup can cause choppy calls.

### QoS Priority Queue

### Voice VLAN Configuration

Most managed switches support a dedicated voice VLAN feature where a port carries both data VLAN (for the PC) and voice VLAN (for the phone). The phone and PC share one network port but operate on separate VLANs.

## Port Security

### Best Practices

• **Disable unused ports** — Any port not connected to a device should be administratively shut down
• **MAC address limiting** — Limit each port to 1-2 MAC addresses to prevent unauthorized switches or hubs
• **802.1X authentication** — For environments requiring strong access control, authenticate devices before granting network access
• **DHCP snooping** — Prevents rogue DHCP servers on the network (common attack vector)
• **Dynamic ARP inspection** — Prevents ARP spoofing attacks
• **Storm control** — Limits broadcast, multicast, and unknown unicast traffic to prevent network storms

## SNMP Monitoring

Configure SNMP v3 (not v1/v2c — those send community strings in cleartext) for switch monitoring:

• **Port utilization** — Identify saturated links before they cause problems
• **Error counters** — CRC errors, collisions, and drops indicate cabling or hardware issues
• **CPU and memory** — High utilization indicates switch overload or attack
• **Temperature** — Environmental alerts before hardware damage
• **Status changes** — Get notified when ports go up or down

## Spanning Tree Protocol (STP)

STP prevents network loops. Even if you think your network has no loops, accidental loops happen when someone plugs a patch cable into two ports on the same switch.

• **Enable BPDU Guard** on all access ports — immediately shuts down a port if a loop is detected
• **Enable Root Guard** on distribution/core uplinks — prevents rogue switches from becoming root bridge
• **Use Rapid PVST+** — Faster convergence than legacy STP

## Firmware and Maintenance

• **Keep firmware current** — Switch firmware updates fix security vulnerabilities and bugs
• **Backup configurations** — Before any changes, save the current config. Store copies off-device
• **Change management** — Document all configuration changes with date, reason, and rollback plan
• **Console access** — Always configure a console password and consider out-of-band management

## Common Mistakes

Summit DNC configures and manages network switches for businesses across Southern California. We implement proper VLAN segmentation, QoS for VoIP, security hardening, and proactive monitoring as part of our managed IT services.