Skip to content
Industrial Networking for Busy Professionals

12.4 Configuration Best Practices

The previous chapters introduced the Hirschmann product families, HiOS, and HiVision. This chapter consolidates that knowledge into a practical checklist for deploying switches in production. Every step addresses a real-world issue observed in industrial networks.

Why Checklists Matter

Section titled “Why Checklists Matter”

A switch deployed with default credentials, HTTP enabled, and VLAN 1 on every port creates a security gap and a troubleshooting burden. A checklist brings every switch to the same baseline before the switch enters production.

Initial Setup Checklist

Section titled “Initial Setup Checklist”

Security

Section titled “Security”
  1. Change the default admin password.
  2. Disable HTTP. Enable HTTPS only.
  3. Disable Telnet. Enable SSH only.
  4. Disable SNMPv1/v2c. Enable SNMPv3 only.
  5. Configure a management VLAN. Restrict management access to that VLAN.
  6. Enable login timeout (auto-logout after inactivity).
  7. Configure syslog to send events to a central log server.

Network

Section titled “Network”
  1. Set a static IP address, subnet mask, and default gateway.
  2. Set the correct hostname (matching network documentation).
  3. Set the correct time (NTP server).
  4. Configure VLANs as designed.
  5. Set PVID correctly on every access port.
  6. Configure trunk ports with an explicit allowed VLAN list.
  7. Disable unused ports and assign unused ports to VLAN 4094.

Redundancy

Section titled “Redundancy”
  1. Configure MRP (for ring topology).
  2. Set MRM on exactly 1 switch per ring.
  3. Verify the MRP domain UUID matches across every ring switch.
  4. Verify the MRP VLAN matches across every ring switch.
  5. Configure RSTP on non-ring ports.
  6. Enable Edge Port on every access port.
  7. Enable BPDU Guard on Edge Ports.

Documentation

Section titled “Documentation”
  1. Record IP address, hostname, location, and firmware version.
  2. Record VLAN assignments per port.
  3. Record MRP role and domain UUID.
  4. Back up the configuration to version control.

VLAN Design Guidelines

Section titled “VLAN Design Guidelines”

Reserve VLAN 1 exclusively as the default. Ports left unconfigured land in VLAN 1. Use a dedicated management VLAN. Separate PROFINET/MRP traffic from other traffic with a dedicated VLAN. Assign unused ports to VLAN 4094 to block unauthorized access. Document every VLAN: name, ID, purpose, and port membership.

MRP Configuration Guidelines

Section titled “MRP Configuration Guidelines”

Key Takeaways

Section titled “Key Takeaways”

Follow the checklist for every switch

Complete the initial setup checklist before deploying any switch to production.

Configure exactly 1 MRM per ring

Verify the MRM explicitly. 2 MRMs cause ring instability.

Back up configurations

Store configuration backups in version control. A backup enables rapid switch replacement.

What Comes Next

Section titled “What Comes Next”

Parts 1 through 3 covered networking foundations, services, and industrial protocols. Part 4 shifts to security: how attacks work at the packet level, how OT networks are targeted, and how to defend OT networks using the IEC 62443 framework and practical hardening steps.

References

Section titled “References”
  • Hirschmann. (2023). Security Hardening Guide: HiOS. Belden/Hirschmann.
  • IEC 62443-4-2:2019 — Technical security requirements for IACS components
  • NIST SP 800-82 Rev. 3 — Guide to Operational Technology (OT) Security (2023)