When I explain how to configure a network switch, I focus on the parts that prevent real-world mistakes: getting secure access, assigning a management IP, separating traffic with VLANs, and saving a configuration that survives a reboot. In a plant room, office rack, or industrial cell, those basics matter more than any flashy feature. This guide walks through the practical setup I would use for a managed switch, from the first login to the final checks.
The essentials before you put the switch into service
- Confirm whether the device is unmanaged, smart, or fully managed before you plan the setup.
- Use a dedicated management IP and prefer SSH or HTTPS over legacy access methods.
- Separate access ports, trunk ports, and the management VLAN so traffic stays predictable.
- Shut down or isolate unused ports to reduce noise and risk.
- Test connectivity, save the running config, and back up the file before handover.
Start with the switch you actually have
I never begin with VLANs. First I confirm what the hardware can really do, because a network switch that is unmanaged behaves very differently from a smart or fully managed model. If it is unmanaged, there is almost nothing to configure. If it is smart, I usually get a web interface and basic VLAN controls. If it is fully managed, I can work with the features that matter in production: port roles, trunks, spanning tree, security controls, logging, and remote administration.
| Switch type | What I can usually configure | Best fit |
|---|---|---|
| Unmanaged | Very little, often just plug and play | Small, simple networks with no segmentation needs |
| Smart | Basic VLANs, simple QoS, a web UI, and limited security | Light industrial or small office setups that need some control |
| Managed | Full CLI or web management, VLANs, trunks, STP, monitoring, and more | Production networks, warehouses, factories, and larger sites |
That distinction matters because it shapes the rest of the job. I would not try to build an industrial segmentation plan on a device that cannot tag VLANs or manage trunks. Once I know the platform, I move straight to management access, because losing sight of the switch is the easiest way to create a messy recovery.
Build a management path before touching production ports
The first live change I make is a dedicated management setup. I give the switch a static management IP, place it on a separate management VLAN, and reach it through SSH or HTTPS instead of old, unencrypted methods. In 2026, that is still the baseline I expect in a serious network. It keeps admin traffic away from user traffic and gives me a predictable way back into the device if something else goes wrong.
enable
configure terminal
hostname SW-Plant-01
interface vlan 99
ip address 192.168.99.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.99.1
The exact syntax changes by vendor, but the sequence stays the same: create the management interface, assign an address, add a gateway if remote access is needed, and then save the configuration. If I am working on-site, I often start with the console port or a direct patch lead so I can recover even if the management VLAN is wrong.
I also harden the management plane at this stage. That means changing default credentials, disabling Telnet and plain HTTP where possible, and syncing the clock to NTP so logs are useful later. If a switch is going into a facility with multiple teams, I would also restrict admin access to a small subnet or a jump host rather than leaving the web UI open to everyone on the LAN. Once the management path is clean, the next step is deciding how traffic should move through the switch.

Map VLANs and port roles before you connect real devices
This is where the network starts to behave like a design instead of a pile of cables. I separate ports into access ports for endpoints and trunk ports for inter-switch links or uplinks to a router, firewall, or wireless controller. In an industrial environment, that usually means keeping PLCs, HMIs, cameras, sensors, and engineering laptops in deliberate VLANs rather than letting everything share one flat broadcast domain.
My default rule is simple: one access port, one primary untagged VLAN, one clear purpose. Trunks are different. A trunk carries multiple VLANs between switches or to another network device, and tagged frames tell the far end which segment each packet belongs to. That is useful, but it also means a trunk should carry only the VLANs it actually needs. If I leave a trunk wide open, I have made troubleshooting harder and security weaker.
| Port role | How I use it | What I watch for |
|---|---|---|
| Access port | One endpoint or one device class, usually untagged | Wrong VLAN assignment breaks local connectivity quickly |
| Trunk port | Uplink between switches or to a router, firewall, or controller | Only allow the VLANs that are actually needed |
| Management port or interface | Admin access to the switch itself | Keep it isolated from general user traffic |
For a factory floor or smart manufacturing site, I often start with an example layout like this: VLAN 10 for engineering workstations, VLAN 20 for PLCs and HMIs, VLAN 30 for cameras or IoT sensors, and VLAN 99 for switch management. That is not a universal template, but it is a sensible pattern because it separates control traffic from general devices without making the network impossible to maintain. From here, the next job is reducing the chance that one bad cable or one careless change brings the whole segment down.
Harden the switch before you declare it ready
I treat switch security as practical housekeeping, not decoration. The first step is obvious: change default passwords and disable any service I do not need. The second step is just as important: shut down unused ports or move them into a quarantine VLAN so they do not become accidental entry points. On a site where people move hardware around, that simple habit prevents a surprising number of problems.
| Control | Why I use it | Trade-off |
|---|---|---|
| Unused ports disabled | Reduces accidental connections and lowers attack surface | You need a process for re-enabling ports later |
| Port security | Limits unknown devices on access ports | Legitimate device swaps can trigger shutdowns if you are too strict |
| RSTP or STP | Protects against loops in the Layer 2 topology | Incorrect tuning can delay convergence after a change |
| Trunk pruning | Keeps unnecessary VLANs off uplinks | Leaving out a required VLAN breaks downstream services |
| Firmware updates | Fix bugs and close known security gaps | Test before rolling out, especially on live production equipment |
I am careful with port security in industrial settings because maintenance swaps are common. A camera, gateway, or access point may get replaced during a shift, and overly strict MAC limits can make that look like an attack. I use security features where they solve a real problem, not because every menu has a checkbox. Once the switch is hardened, I want proof that the design actually works before anything depends on it.
Test the configuration before anyone depends on it
Testing is where weak assumptions usually surface. I start by verifying that I can still reach the management address from the right admin subnet. Then I check one endpoint in each VLAN, confirm that the access ports behave as intended, and verify that the trunk carries only the VLANs it should. If the site has older industrial devices, I also watch link negotiation closely; some legacy gear still behaves badly if the speed or duplex settings are wrong.- Ping the management IP from the admin network.
- Verify that each access port lands in the correct VLAN.
- Check that trunk links pass tagged VLANs but do not leak extras.
- Test a reboot so you know the startup config is actually saved.
- Review logs and timestamps after the switch comes back online.
The mistakes I see most often are boring, which is exactly why they keep happening. Someone puts the management address on the wrong VLAN, forgets to save the running config, leaves the default VLAN doing too much work, or opens a trunk wider than necessary. Those errors are easy to miss in the moment and annoying to diagnose later. A five-minute verification pass now is cheaper than an hour of blind troubleshooting after a production device goes dark. Once those checks pass, I move to the part that saves time on every future change.
The final checks that stop a clean setup from turning messy
Before I hand the switch over, I document the basics: hostname, management IP, VLAN IDs, uplink ports, firmware version, and any settings that are not obvious from the rack label. I also keep a backup of the configuration outside the device, because one replacement switch or one bad reset can erase a lot of work in seconds.
If the switch will sit in a factory, warehouse, or connected OT cabinet, I also keep the change process boring and controlled. Label the ports, note which VLAN serves which device class, and leave a recovery path that does not depend on a guess. That is the difference between a setup that merely works today and one that is still easy to maintain six months from now. In practice, the best switch configuration is the one the next engineer can understand without reverse-engineering your choices, and that is the standard I would keep every time.
