Have you also used net-SNMP?
The command-line utilities, for the homebrew scripts. I've only managed lab-internal switches, and whatever I or my friends or family have at home.
(Way back in 1999, I had a Linux server acting as a NAT, DHCP, and HTTP proxy, with another serving as a file and print server for three dozen or so Macs and Windows machines; Mars NWE, Netatalk, and Samba on the same volumes. File locking didn't always work right, but then most applications didn't even try to. Even later on, you couldn't have two different users editing a different part of the same site stored on a shared volume in Frontpage or Dreamweaver. Silly applications...)
The last network setup for a lab environment I did was way back in 2004; since then, I've worked mostly in HPC cluster setups and such.
My main annoyance right now is that there are no affordable home wireless routers with both 2.4 and 5 GHz support in OpenWRT/Lede; I've an Asus RT-AC51U, and latest kernels do have the drivers needed, but OpenWRT is lagging. I have some home automation stuff, like an Odroid HC1 mini file server, I'd like to configure and play with. So I am somewhat up to date on the subject in theory (as to how to set up a local network with embedded machines, trusted users, and untrusted users, I mean); the major holes in my knowledge are what existing software projects one could use and adapt for this kind of stuff.
(I do have lots of anecdotal stuff from colleagues still doing this sort of stuff, especially wrt. remote maintenance and so on. I did, for example, create an internal Debian package that allows Uni users to register themselves as local users on a laptop two or three years ago, by logging in via Eduroam (provided by the University via WiFi), and verifying and storing the details (on both the user and the laptop) on a server; then creating the local user account with info matching their AD/LDAP records, and removing the package. It was used to register maybe a hundred laptops, until a more robust solution was done using the Uni-maintained Linux distribution, Cubbli, in the last year or two. I like the Linux-IT team at Uni of H here, and occasionally help out just to keep my edge.)
Do note that just because I said that trusting humans is the first, most important step, does not mean it ends there. I like to go all-out paranoid, not trusting even myself. (Then again, right now I have 89 IP addresses banned by my fail2ban filters on my laptop, because they have attempted to access the machine's various services during the last 24 hours or so, so I'd say that is just a healthy approach.) It seems that when I describe the paranoid cases couched in personal experiences and anecdotes saving my butt, they are much more palatable to others. Not always, and not accepted nearly as often as I'd prefer, but it seems like a good approach in general.
Trust, but verify.
On servers, I would have liked to implement a transparent configuration file tracker, which uses the process tree to track individual administrators (even across sudo su -, which I heavily discourage for forensics reasons), and records the changes on a separate machine inaccessible to most admins. (I am highly irritated by intelligent people making stupid errors -- I cannot help but expect more of them, even though I have no issues dealing with people with less skills --, and I would have liked that to do some one-on-one discussions on silly, lazy mistakes and carelessness and trying to hide the trails to escape personal blame among colleagues. Bureaucrats do not need to know, unless users' information is misused. Just QC and making admins behave sensibly, really.)
If you want to talk about actual solutions, maybe need help with some maintenance/logging/utility scripts, I'm always happy to help make Linux systems more robust; feel free to email me for example. (My email should be listed in my profile, but if not, you can see it here.)