Switch Configuration Best Practices
The following table outlines recommended best practices for switch configuration. Each entry describes the practice, explains its importance, provides guidance on implementation, and highlights the potential impact if the practice is not followed.
| Best Practice | Scope | Why It Matters | How to Enable / Configure | Impact if Not Configured |
|---|---|---|---|---|
|
Enable BPDU Guard / STP Edge on access ports |
Per port profile |
Protects the Spanning Tree topology by disabling the port if unexpected BPDUs are received, helping prevent loops and broadcast storms caused by unauthorized switches. |
Enable STP Edge for access port profiles in the Shared Elements—Port Profiles section of the switch template. For more information, refer to Define Port Profiles. |
Unauthorized switches can cause L2 loops, broadcast storms, and complete VLAN-wide outages. |
|
Enable Storm Control |
Per port profile |
Limits broadcast, multicast, and unknown unicast traffic from overwhelming the network. |
Configure appropriate storm control thresholds for all port profiles in the Shared Elements—Port Profiles section of the switch template. This configuration helps administrators monitor traffic levels and automatically drop broadcast, multicast, and unknown unicast packets when the traffic exceeds a traffic level. For more information, refer to Define Port Profiles. |
A single misbehaving NIC or loop can saturate switch backplanes, causing packet loss and management plane instability. |
|
Enable Protection of Routing Engine |
Per switch template |
Protects the switch Routing Engine from DoS attacks and excessive control plane traffic. |
Enable Protection of Routing Engine for each switch template. For more information, refer to Protection of Routing Engine. |
Unprotected RE can hit 100 percent CPU usage from ARP or DHCP floods, causing OSPF or BGP drops, STP recalculations, and loss of management access. |
|
Preprovision Virtual Chassis |
Per Virtual Chassis |
Ensures deterministic member roles, preventing split-brain and unexpected role elections during failovers. |
Enable ‘Preprovision Virtual Chassis’ for each Virtual Chassis under Modify Virtual Chassis. For more information, refer to Preprovision a Virtual Chassis. |
Dynamic role elections during a member failure or replacement can cause extended downtime and split-brain conditions. |
|
Use a virtual device ID for Virtual Chassis |
Per Virtual Chassis |
Moving to a virtual device ID provides a consistent and centralized way to represent and manage a Virtual Chassis as a single logical entity, making future operations cleaner and more reliable. |
Each new Virtual Chassis device is enabled with a Virtual MAC address by default. For all older Virtual Chassis devices onboarded previously, convert them to use a Virtual Device ID. For more information, refer to Convert a Virtual Chassis to Use a Virtual Device ID. |
Without a virtual MAC address, replacing or removing a member switch may cause inconsistencies in how the Virtual Chassis is represented, potentially disrupting connectivity. |
| Deploy the recommended Junos OS version | Per switch |
Every switch should follow the current suggested release which contains critical security patches and stability fixes backported for production use. |
Consider selecting a suggested Junos version while upgrading a switch. For more information, refer to Upgrade Junos OS on Switches. |
Outdated firmware may have known CVEs and bugs. Note: Consider version recommendations as guidance. An older
version does not necessarily require an upgrade, as it may already be stable.
|