Over the last 15+ years, when I get brought in to look at a CCTV or security network, it is almost a guarantee that the network devices are not configured correctly. Or just not configured at all.
Switches running factory defaults. No VLANs. No port security. Default credentials on everything. No redundancy between switches. Management interfaces sitting wide open on the same network as cameras. These are systems protecting physical assets, running on networks that nobody thought to protect.
Over the years I have built a set of configuration templates that provide initial setup, baseline hardening, and performance tuning for security network switches. This is one of them. It is focused on the Alcatel-Lucent Enterprise OmniSwitch series running AOS Release 8 and covers VLAN segmentation, SSH access, AAA, port security, QoS, trunk hardening, and inter-switch connectivity.
This is not a one-size-fits-all configuration. Every environment is different. Review each section against your requirements and test before deploying into production.
A note on AOS syntax. AOS Release 8 uses a flat command structure. Commands take effect immediately. There is no commit step. Before making changes that affect management access, save your current configuration with write memory, and have a console connection open. If you lose remote access, the console is your recovery path.
Change every placeholder before deploying. The double-hash placeholder (##) appears throughout this template where site-specific values belong. Deploying a configuration with placeholder values intact is a misconfiguration waiting to cause problems.
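A pre-deployment check for the warning above, added here as an example and not part of the original template or any ALE tool: it scans a rendered configuration for leftover ## placeholders, ports left in VLAN 1, and the Telnet, SSHv1 and HTTP hardening lines from later sections that should be present. The sample configuration is constructed for the demonstration.

```python
"""Pre-deployment check for an AOS Release 8 switch configuration.

Added example, not part of the original template or of ALE's tooling.
It reads a rendered configuration (the template with site values
filled in) and flags the mistakes this article warns about: leftover
## placeholders, ports left in VLAN 1, Telnet or HTTP still enabled,
and SSHv1 not explicitly removed. The sample config below is constructed.
"""
import re

PLACEHOLDER = re.compile(r"##")
PORT_DEFAULT = re.compile(r"^vlan\s+(\d+)\s+port\s+default\s+(\S+)")

# Hardening lines the baseline expects to see (matched after stripping whitespace).
REQUIRED = {
    "no session telnet": "Telnet is still enabled",
    "no ssh server version 1": "SSHv1 not explicitly removed",
    "no http server": "HTTP management interface not disabled",
    "no https server": "HTTPS management interface not disabled",
}


def lint_config(text: str) -> list[str]:
    """Return one finding per problem; line-based findings carry the line number."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "!":
            continue
        seen.add(line)
        if PLACEHOLDER.search(line):
            findings.append(f"line {lineno}: placeholder left in '{line}'")
        m = PORT_DEFAULT.match(line)
        if m and m.group(1) == "1":
            findings.append(f"line {lineno}: port {m.group(2)} assigned to VLAN 1")
    for cmd, why in REQUIRED.items():
        if cmd not in seen:
            findings.append(f"missing '{cmd}': {why}")
    return findings


# Constructed sample: a partially edited template with mistakes left in.
SAMPLE_CONFIG = """\
system name CCTV-SW-01
user admin password ##CHANGEME## read-write all
vlan 101 admin-state enable name CCTV
vlan 1 port default 1/1/7
vlan 101 port default 1/1/1
no ssh server version 1
no http server
no https server
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```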
Initial System Configuration
system name SWITCH_NAME
user admin password ##CHANGEME## read-write all
session timeout cli 5
system name sets the device identity. Use a consistent naming convention across your environment. This matters for logging, monitoring, and troubleshooting. When you are looking at syslog entries from 40 switches, meaningful hostnames save time.
user admin password sets the administrative account password. AOS Release 8 stores passwords as hashed values. Passwords are not stored in plain text in the running configuration.
Unlike Cisco IOS, AOS does not have a separate enable password. Access levels are assigned per user account through the read-write all permission set, which grants full administrative access.
session timeout cli 5 disconnects idle CLI sessions after 5 minutes. Unattended authenticated sessions are a security risk on any network device.
Set a minimum password length and lockout policy:
user password-size min 12
user lockout-threshold 5
user lockout-duration 30
user lockout-window 10
Every device should have unique credentials assigned before going into production. The placeholders in this template are exactly that.
VLAN Configuration and Segmentation
vlan 1 admin-state enable name DEFAULT
vlan 99 admin-state enable name MANAGEMENT
vlan 100 admin-state enable name SYSTEMS
vlan 101 admin-state enable name CCTV
vlan 102 admin-state enable name ACCESS_CONTROL
vlan 666 admin-state enable name BLACKHOLE
VLAN segmentation is one of the most important things you can do on a security network. By default, every port on a new switch sits in VLAN 1. Everything can talk to everything. That is not acceptable in a security environment.
VLAN 1 (DEFAULT): Keep it but do not use it. The default VLAN has well-known behaviors and is the target of certain VLAN-hopping attacks. Do not put production traffic on VLAN 1.
VLAN 99 (MANAGEMENT): Dedicated to switch management traffic. Management interfaces should be isolated from camera traffic, user traffic, and everything else. This is where your IP interfaces for device management will live.
VLAN 100 (SYSTEMS): For servers, recording platforms, workstations, and other infrastructure that supports the security systems.
VLAN 101 (CCTV): Dedicated to cameras. Camera traffic is bandwidth-heavy and predictable. Isolating it simplifies QoS, troubleshooting, and security policy.
VLAN 102 (ACCESS_CONTROL): Dedicated to access control panels, controllers, and associated devices. These devices have different traffic patterns and security requirements than cameras.
VLAN 666 (BLACKHOLE): The dead-end VLAN. Every unused port gets assigned here. It is not routable and carries no traffic. Its purpose is to ensure that unused ports cannot be used as entry points.
The specific VLAN numbers are not magic. Use whatever numbering scheme makes sense for your environment. What matters is that services are separated, and unused ports are isolated.
Virtual Chassis (Multi-Switch Environments)
ALE OmniSwitch supports Virtual Chassis (VC), which combines multiple physical switches into a single logical unit. Virtual Chassis is the preferred approach for co-located switches.
virtual-chassis chassis-id 1 priority 200
virtual-chassis chassis-id 2 priority 100
virtual-chassis admin-state enable
Virtual Chassis creates a single management plane across all member switches. Configuration changes applied to the primary chassis propagate to all members. This simplifies management significantly and reduces the number of independent devices to configure and monitor.
AOS does not use VTP for VLAN synchronization. In a Virtual Chassis configuration, VLANs are configured once and automatically synchronized across all members. In standalone multi-switch environments, VLANs must be configured consistently on each switch manually.
priority 200 on the primary chassis makes it more likely to be elected as the master. Higher priority values win in ALE’s Virtual Chassis election, which is the inverse of the spanning tree priority convention on Cisco and Juniper, where the lower value wins.
Virtual Chassis should be configured and validated before the switch goes into production. Adding a switch to a Virtual Chassis after cameras are live requires a maintenance window.
Stacking vs Link Aggregation (Inter-Switch Connectivity)
Before configuring inter-switch connectivity, decide whether your switches will use Virtual Chassis or standalone with link aggregation uplinks.
Virtual Chassis
Virtual Chassis combines multiple physical switches into a single logical unit managed as one device. It is the preferred approach when switches are co-located in the same rack or closet.
Benefits of Virtual Chassis:
- Single management plane across all members
- Single configuration to manage
- Redundant control plane
- Cross-chassis link aggregation support
- Simplified spanning tree topology
The tradeoff is that a Virtual Chassis shares a single control plane. A software defect or a bad upgrade can impact all members simultaneously. Plan firmware upgrades carefully, and always have a rollback plan.
Standalone Switches with LACP/Link Aggregation
When switches cannot use Virtual Chassis, inter-switch links should use LACP link aggregation rather than single links.
A single uplink between switches is a single point of failure. If that link goes down, everything behind the downstream switch is disconnected. Link aggregation bundles multiple physical links into a single logical interface. LACP negotiates and manages the bundle dynamically.
Benefits include redundancy (if one physical link fails, traffic continues on the remaining links), increased throughput (aggregate bandwidth of all member links), and automatic failover without spanning tree reconvergence.
For security networks specifically, this matters because camera systems generate constant, predictable traffic. Losing an inter-switch link means losing visibility from every camera on that switch. Link aggregation reduces that risk significantly.
Logging and AAA Configuration
swlog output socket 10.254.99.10 level info
swlog output socket 10.254.99.10 facility local7
swlog appid all output socket
swlog appid port-security output socket
swlog appid authentication output socket
swlog appid session output socket
swlog appid configuration output socket
!
aaa authentication default local
aaa authentication console local
aaa accounting session default start-stop "local"
!
session banner /flash/banner.txt
swlog output socket sends syslog to a centralized log server. Local switch logs are finite and get overwritten. A centralized syslog server retains logs for investigation, auditing, and compliance.
swlog appid captures specific event categories. Port security, authentication, session, and configuration events are the four categories most important for security network auditing.
AAA (Authentication, Authorization, and Accounting) is the framework that controls who can access the device and what they can do. aaa authentication default local uses local accounts for authentication. This is appropriate for smaller environments or as a fallback.
For environments with more than a few switches, centralize AAA using RADIUS or TACACS+. This provides centralized credential management, role-based access, and detailed accounting. Local authentication should still exist as a fallback.
aaa radius-server "PRIMARY" host 10.254.99.20 key ##CHANGEME##
aaa server-group "MGMT-RADIUS" server "PRIMARY"
aaa authentication default "MGMT-RADIUS" local
aaa accounting session records session start and stop events. This creates an audit trail of who accessed the device, and for how long.
The session banner displays a legal warning before authentication. Create the banner file on flash storage:
vi /flash/banner.txt
Enter your organization’s legal warning. In regulated environments and government deployments, this banner is required. Have legal counsel review the text. The specifics matter by jurisdiction.
Spanning Tree Configuration
spantree mode rstp
spantree priority 4096
Spanning Tree Protocol prevents network loops. Without it, a single cable plugged into the wrong ports can take down an entire VLAN.
AOS supports RSTP (Rapid Spanning Tree), MSTP, and legacy STP. RSTP is the correct choice for most security network deployments. When a link fails or recovers, RSTP recalculates the topology in seconds rather than the 30 to 50 seconds that legacy STP requires. In a security environment where camera uptime matters, faster convergence means shorter outage windows during topology changes.
spantree priority 4096 sets a lower priority value on this switch, making it more likely to be elected as the root bridge. In a predictable topology, you want to control which switch is root. Lower priority values win. Default is 32768.
BPDU Guard should be enabled on all access ports. If a switch or bridge device is connected to a port configured as an access port, BPDU Guard will block that port rather than allowing it to participate in spanning tree.
bridge port-security port 1/1/1 bpduguard enable
bridge port-security port 1/1/1 bpduguard recovery-time 300
The recovery-time 300 setting automatically re-enables a blocked port after 5 minutes following a BPDU Guard event. Adjust based on your operational requirements.
LLDP
lldp admin-status all tx-and-rx
LLDP (Link Layer Discovery Protocol) allows devices to advertise their identity and capabilities to directly connected neighbors. This is useful in CCTV environments because it helps identify what is connected to each port, including camera model, IP address, and capabilities.
Many IP cameras support LLDP and will advertise their information to the switch. This makes inventory and troubleshooting significantly easier. You can see what device is connected to what port without tracing cables.
LLDP operates at Layer 2 and does not cross VLAN boundaries. It is informational only and does not affect traffic forwarding.
On ports facing untrusted segments, disable LLDP to limit topology disclosure:
no lldp admin-status 1/1/1 tx-and-rx
SSH Configuration
no session telnet
ssh server enable
ssh server version 2
no ssh server version 1
ssh server login-max-attempts 3
!
ip access-list MGMT-SSH
permit ip 10.254.99.0/24 any
deny ip any any
interface mgmt
ip access-group MGMT-SSH in
no session telnet disables Telnet. Telnet transmits credentials in plain text. There is no legitimate reason to use Telnet for switch management.
ssh server version 2 enforces SSHv2 only. SSHv1 has known vulnerabilities and should never be used.
no ssh server version 1 explicitly removes SSHv1 support. Both commands should be applied together.
ssh server login-max-attempts 3 limits failed login attempts to 3 before disconnecting the session. This slows down brute force attempts.
The access list restricts SSH access to the management network only. Only authorized management stations and monitoring systems should be able to reach the management interface. Any host outside the management subnet is denied.
AOS does not have dynamic trunk negotiation equivalent to Cisco’s DTP, so there is no corresponding protocol to disable. Trunk configuration is always explicit in AOS.
Management Interface Configuration
ip interface "mgmt" vlan 99 address 10.254.99.## mask 255.255.255.0
ip default-gateway 10.254.99.1
This creates the in-band management IP interface on the management VLAN. On ALE OmniSwitch platforms with a dedicated management port, use that port for out-of-band management and configure the management IP separately.
Management traffic should live on its own VLAN, separate from camera traffic, access control traffic, and user traffic. This ensures that management access to the switch is not competing with production traffic and is not exposed to devices that do not need to reach it.
The access list from the SSH section should be applied to this management interface to restrict which hosts can reach it.
Layer 3 IP Interfaces (Optional, Inter-VLAN Routing)
ip interface "systems" vlan 100 address 10.254.100.## mask 255.255.255.0
ip interface "cctv" vlan 101 address 10.254.101.## mask 255.255.255.0
ip interface "access-control" vlan 102 address 10.254.102.## mask 255.255.255.0
These IP interfaces are only required if you intend to use this switch as a Layer 3 device for routing traffic between VLANs. OmniSwitch supports inter-VLAN routing natively.
If your network design uses a dedicated router or firewall for inter-VLAN routing, you do not need these interfaces on the switch. Only the management interface is required for device management.
If you do enable inter-VLAN routing, implement ACLs between VLANs to restrict traffic flow. Just because VLANs can route between each other does not mean they should do so without policy.
For example, cameras on VLAN 101 need to reach recording servers on VLAN 100, but they should not be able to reach management interfaces on VLAN 99, or access control systems on VLAN 102.
For QoS on camera traffic, AOS uses policy maps and traffic classification:
policy condition CCTV-TRAFFIC source ip 10.254.101.0/24
policy action CCTV-PRIORITY priority 6
policy rule CCTV-QOS condition CCTV-TRAFFIC action CCTV-PRIORITY
qos apply
Apply the QoS policy and commit it with qos apply. QoS is the exception to the immediate-effect behavior described earlier: AOS QoS policy changes are staged and take effect only when explicitly applied.
Trunk Port and Link Aggregation Configuration
Inter-Switch Trunk (Link Aggregation with LACP)
lacp linkagg ## size 2 admin-state enable
lacp linkagg ## actor admin-key ##
lacp linkagg ## actor system-priority 100
!
lacp agg 1/1/51 actor admin-key ##
lacp agg 1/1/52 actor admin-key ##
!
vlan 99-102 802.1q ## "Uplink to SWITCH_NAME"
vlan 666 802.1q ##
lacp linkagg creates a link aggregation group with LACP. The size parameter specifies the maximum number of physical ports in the group.
actor admin-key assigns a key value to the aggregation. Ports with matching admin-keys are eligible to join the same aggregation group. This is how AOS binds physical ports to a logical aggregation without per-port channel-group commands.
vlan 99-102 802.1q ## assigns the VLANs as tagged members of the aggregation interface. AOS uses this syntax to trunk VLANs over an aggregation link. The ## is the aggregation group number.
vlan 666 802.1q ## adds the blackhole VLAN to the trunk as a tagged member. In AOS, the default VLAN for a port is the untagged VLAN. Setting an appropriate default VLAN for the aggregation prevents untagged traffic from reaching VLAN 1.
To set the untagged (native) VLAN on the trunk to the blackhole VLAN:
vlan 666 port default ##
This ensures any untagged traffic hitting the trunk goes to the blackhole VLAN rather than VLAN 1.
Server Link Aggregation (Access Mode)
lacp linkagg ## size 2 admin-state enable
lacp agg 1/1/10 actor admin-key ##
lacp agg 1/1/11 actor admin-key ##
vlan 100 port default ##
For servers connecting to the switch, a link aggregation can also be configured in access mode on a single VLAN. This provides redundancy and throughput without trunking.
vlan 100 port default ## sets the aggregation to forward untagged traffic to the SYSTEMS VLAN. The server NIC teaming configuration must match the LACP settings on the switch side. Mismatched settings are a common cause of connectivity issues.
Access Port Configuration (Camera Ports)
vlan 101 port default 1/1/1
!
port-security port 1/1/1 admin-state enable
port-security port 1/1/1 max-filtering 1
port-security port 1/1/1 violation shutdown
port-security port 1/1/1 learn-as-static
!
spantree port 1/1/1 admin-edge-port enable
bridge port-security port 1/1/1 bpduguard enable
vlan 101 port default 1/1/1 assigns the port to the CCTV VLAN as the default (untagged) VLAN. Cameras do not need trunk access.
spantree port admin-edge-port enable is the AOS equivalent of PortFast. It skips the listening and learning states and brings the port up immediately. This is appropriate for ports connecting to end devices rather than other switches.
bpduguard enable shuts the port down if a BPDU is received, preventing unauthorized switches from being connected to camera ports.
Port security is critical on camera ports. Cameras do not change. The same camera sits on the same port for years. Port security takes advantage of that predictability.
port-security max-filtering 1 allows only one MAC address per port. If a camera is the only thing that should be connected, one is the right number.
port-security violation shutdown err-disables the port if a different MAC address is detected. If someone disconnects a camera and plugs in a laptop or another device, the port goes down immediately. This is the correct response in a security environment.
port-security learn-as-static converts the learned MAC address to a static entry in the configuration. This is the AOS equivalent of sticky MAC. Once the camera’s MAC is learned, it is retained across reboots.
When a port enters a disabled state due to a violation, it requires manual intervention to bring it back up. This is intentional. You want to know why a camera port had an unauthorized device connected to it before re-enabling it.
Unused Port Handling
vlan 666 port default 1/1/45
interfaces 1/1/45 admin-state disable
interfaces 1/1/45 alias UNUSED
Any port not connected to a device should be assigned to the blackhole VLAN and administratively disabled. Unused ports are entry points. Putting them on the blackhole VLAN and disabling them ensures they cannot be used to access any production VLAN.
The alias “UNUSED” makes it immediately clear during troubleshooting or auditing which ports are intentionally disabled.
When a port is needed in the future, remove it from the blackhole VLAN, assign it to the correct VLAN, apply appropriate port security, and enable it.
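The camera-port and unused-port procedures above, as an added example that is not part of the original template: a small generator that walks every port on a slot and emits the camera block or the blackhole block from this article for each one, skipping the uplink ports that the link aggregation section configures separately. The port inventory is constructed; VLAN numbers follow the template.

```python
"""Generate per-port AOS Release 8 configuration from a port inventory.

Added example, not part of the original template. Every port on a slot
is either a camera port (hardened access port), an uplink (left to the
link aggregation section) or unused (blackholed and disabled), so no
port is accidentally left in VLAN 1. The inventory below is constructed.
"""

CCTV_VLAN = 101        # VLAN 101 (CCTV) from the template
BLACKHOLE_VLAN = 666   # VLAN 666 (BLACKHOLE) from the template


def camera_port_config(port: str, vlan: int = CCTV_VLAN) -> list[str]:
    """Access-port hardening for a single camera port, as in the article."""
    return [
        f"vlan {vlan} port default {port}",
        f"port-security port {port} admin-state enable",
        f"port-security port {port} max-filtering 1",
        f"port-security port {port} violation shutdown",
        f"port-security port {port} learn-as-static",
        f"spantree port {port} admin-edge-port enable",
        f"bridge port-security port {port} bpduguard enable",
    ]


def unused_port_config(port: str, vlan: int = BLACKHOLE_VLAN) -> list[str]:
    """Blackhole and administratively disable a port nothing is connected to."""
    return [
        f"vlan {vlan} port default {port}",
        f"interfaces {port} admin-state disable",
        f"interfaces {port} alias UNUSED",
    ]


def render_ports(chassis: int, slot: int, port_count: int,
                 camera_ports: set[int], uplink_ports: set[int]) -> list[str]:
    """Walk every port on the slot: cameras hardened, uplinks skipped, rest blackholed."""
    lines = []
    for n in range(1, port_count + 1):
        if n in uplink_ports:
            continue  # configured as LACP members in the trunk section
        port = f"{chassis}/{slot}/{n}"
        if n in camera_ports:
            lines += camera_port_config(port)
        else:
            lines += unused_port_config(port)
        lines.append("!")
    return lines


# Constructed inventory: 4-port slice, cameras on 1 and 3, uplink on 4.
if __name__ == "__main__":
    print("\n".join(render_ports(1, 1, 4, {1, 3}, {4})))
```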
HTTP and NTP Configuration
no http server
no https server
!
ntp server ##.##.##.##
ntp server ##.##.##.## prefer
system timezone EST
no http server and no https server disable the web management interface. If you manage the switch exclusively through SSH and CLI, the web interface is an unnecessary attack surface. Disable it.
If web management is required for your environment, use HTTPS only and restrict access to management network addresses using an ACL applied to the management interface.
NTP (Network Time Protocol) is critical. Without accurate time, your logs, your camera timestamps, and your access control events cannot be correlated reliably. Time is evidence. If systems are out of sync, the timeline of any investigation becomes unreliable.
ntp server prefer designates the preferred NTP source. If multiple NTP servers are configured, the preferred server is used first. Point all switches to a reliable NTP source. If the network is isolated, use a GPS-based NTP server. If the network has controlled internet access, use a trusted public NTP source such as the National Research Council of Canada’s NTP service.
Every device on the security network should use the same time source.
What This Template Does Not Cover
This is a baseline. It gets you to a reasonable starting point for a CCTV and security network. There are additional configurations that should be considered depending on the environment:
- DHCP snooping and Dynamic ARP Inspection (DAI) for additional Layer 2 security
- 802.1x for network access control beyond port security
- SNMPv3 configuration for secure monitoring
- TACACS+ or RADIUS for centralized AAA
- ACLs between VLANs for traffic policy enforcement
- DHCP relay configuration if using centralized DHCP
- Firmware update and lifecycle management
- Configuration backup and change management
Each of these deserves its own discussion and should be implemented based on the specific requirements of your environment.
Final Thoughts
A switch out of the box is designed to forward traffic. It is not designed to be secure. Security comes from configuration.
The controls in this template are not advanced. They are fundamentals. VLAN segmentation, port security, SSH-only access, AAA, trunk hardening, and NTP. These are the baseline that every CCTV and security network should have before a single camera goes live.
If your current network does not have these in place, it is worth a review. The systems protecting your organization deserve a network that is configured with the same level of care.