12.4 Configuration Best Practices

The previous chapters introduced the Hirschmann product families, HiOS, and HiVision. This chapter consolidates that knowledge into a practical checklist for deploying switches in production. Every step addresses a real failure mode observed in industrial networks.

A switch deployed with default credentials, HTTP enabled, and VLAN 1 on all ports is a security risk and a troubleshooting nightmare. A checklist ensures every switch meets the same baseline before it enters production.

  1. Change the default admin password.
  2. Disable HTTP. Enable HTTPS only.
  3. Disable Telnet. Enable SSH only.
  4. Disable SNMPv1/v2c. Enable SNMPv3 only.
  5. Configure a management VLAN. Restrict management access to that VLAN.
  6. Enable login timeout (auto-logout after inactivity).
  7. Configure syslog to send events to a central log server.

  1. Set static IP address, subnet mask, and default gateway.
  2. Set the correct hostname (matches network documentation).
  3. Set the correct time (NTP server).
  4. Configure VLANs as designed.
  5. Set PVID correctly on all access ports.
  6. Configure trunk ports with an explicit allowed VLAN list.
  7. Disable unused ports and assign them to VLAN 4094.

  1. Configure MRP (if ring topology).
  2. Set MRM on exactly one switch per ring.
  3. Verify MRP domain UUID matches across all ring switches.
  4. Verify MRP VLAN matches across all ring switches.
  5. Configure RSTP on non-ring ports.
  6. Enable Edge Port on all access ports.
  7. Enable BPDU Guard on Edge Ports.

  1. Record IP address, hostname, location, and firmware version.
  2. Record VLAN assignments per port.
  3. Record MRP role and domain UUID.
  4. Back up configuration to version control.
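As an added example (not from the book or from Hirschmann), a small Python audit that checks exported switch settings against the checklist above, per switch and across the ring. The dict layout is an assumed, constructed settings export rather than the HiOS configuration format, and the UUID values are placeholders.

```python
# Added example (not from the book or Hirschmann): audit exported switch settings
# against the Section 12.4 checklist. The dict layout is an assumed, constructed
# settings export, not the HiOS configuration format.
def audit_switch(sw):
    """Per-switch checks; returns a list of violations (empty means compliant)."""
    issues, svc = [], sw["services"]
    for key, ok in {"http": "HTTPS", "telnet": "SSH", "snmp_v1v2c": "SNMPv3"}.items():
        if svc.get(key):
            issues.append(f"{key} enabled; use {ok} only")
    if sw["mgmt_vlan"] == 1:
        issues.append("management VLAN is 1; use a dedicated management VLAN")
    if not sw.get("syslog_server"):
        issues.append("no central syslog server configured")
    for p in sw["ports"]:
        n, mode = p["name"], p["mode"]
        if mode == "unused" and (p.get("enabled") or p.get("pvid") != 4094):
            issues.append(f"{n}: unused port must be disabled and in VLAN 4094")
        elif mode == "access":
            if p.get("pvid") in (None, 1):
                issues.append(f"{n}: access port PVID missing or VLAN 1")
            if not (p.get("edge_port") and p.get("bpdu_guard")):
                issues.append(f"{n}: access port needs Edge Port and BPDU Guard")
        elif mode == "trunk" and not p.get("allowed_vlans"):
            issues.append(f"{n}: trunk has no explicit allowed VLAN list")
    return issues

def audit_ring(switches):
    """Cross-switch MRP checks: exactly one MRM, same domain UUID and MRP VLAN."""
    ring, issues = [s["mrp"] for s in switches if s.get("mrp")], []
    mrms = sum(1 for m in ring if m["role"] == "MRM")
    if mrms != 1:
        issues.append(f"ring has {mrms} MRMs; exactly one required")
    if len({m["domain_uuid"] for m in ring}) > 1:
        issues.append("MRP domain UUID differs between ring switches")
    if len({m["vlan"] for m in ring}) > 1:
        issues.append("MRP VLAN differs between ring switches")
    return issues

# Constructed sample data: SW1 follows the checklist, SW2 still has defaults.
MRP = {"role": "MRM", "domain_uuid": "UUID-PLACEHOLDER", "vlan": 30}
SW1 = {"hostname": "cell1-sw1", "mgmt_vlan": 99, "syslog_server": "10.0.99.5",
       "services": {"http": False, "telnet": False, "snmp_v1v2c": False},
       "ports": [{"name": "1/1", "mode": "access", "pvid": 20, "edge_port": True, "bpdu_guard": True},
                 {"name": "1/2", "mode": "trunk", "allowed_vlans": [20, 30, 99]},
                 {"name": "1/3", "mode": "unused", "enabled": False, "pvid": 4094}], "mrp": MRP}
SW2 = {"hostname": "cell1-sw2", "mgmt_vlan": 1, "syslog_server": None,
       "services": {"http": True, "telnet": False, "snmp_v1v2c": True},
       "ports": [{"name": "1/1", "mode": "access", "pvid": 1, "edge_port": True, "bpdu_guard": False},
                 {"name": "1/2", "mode": "trunk", "allowed_vlans": []},
                 {"name": "1/3", "mode": "unused", "enabled": True, "pvid": 1}], "mrp": {**MRP, "domain_uuid": "UUID-OTHER-PLACEHOLDER"}}
```

Running `audit_switch` on each exported switch and `audit_ring` on the set gives a per-switch and per-ring list of checklist violations; an empty list means the baseline is met.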

Do not use VLAN 1 for production traffic. VLAN 1 is the default, and ports left unconfigured end up in it. Use a dedicated management VLAN. Separate PROFINET/MRP traffic from other traffic with a dedicated VLAN. Assign unused ports to VLAN 4094 to prevent unauthorized access. Document every VLAN: name, ID, purpose, and port membership.

Follow the checklist for every switch

Complete the initial setup checklist before deploying any switch to production.

Configure exactly one MRM per ring

Verify the MRM explicitly. Two MRMs cause ring instability.

Back up configurations

Store configuration backups in version control. A backup enables rapid switch replacement.

Parts 1 through 3 covered networking foundations, services, and industrial protocols. Part 4 shifts to security: how attacks work at the packet level, how OT networks are targeted, and how to defend them using the IEC 62443 framework and practical hardening steps.

  • Hirschmann. (2023). Security Hardening Guide: HiOS. Belden/Hirschmann.
  • IEC. (2019). IEC 62443-4-2: Technical security requirements for IACS components.
  • NIST. (2023). SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security.