Aruba CX 6300 – Front Panel and VLAN Port Allocation

[Front panel diagram: Aruba CX 6300M, 24-port 1G, AOS-CX. Status LEDs: GLB, FAN, PSU, STK, LNK; console, USB and MGMT ports; access ports 1/1/1 – 1/1/24; SFP56 stack/uplink ports 1/1/51 – 1/1/54, with the LAG up to the core on 1/1/51 – 1/1/52.]

Port allocation used throughout this template:

  • CCTV · VLAN 101: ports 1–12
  • Access control · VLAN 102: ports 13–16
  • Systems · VLAN 100: ports 17–22
  • Unused · VLAN 666: ports 23–24
  • LAG to core: 1/1/51 – 1/1/52

Over the last 15+ years, when I get brought in to look at a CCTV or security network, it is almost a guarantee that the network devices are not configured correctly. Or just not configured at all.

Switches running factory defaults. No VLANs. No port security. Default credentials on everything. No redundancy between switches. Management interfaces sitting wide open on the same network as cameras. These are systems protecting physical assets, running on networks that nobody thought to protect.

Over the years I have built a set of configuration templates that provide initial setup, baseline hardening, and performance tuning for security network switches. This is one of them. It is focused on the HPE Aruba CX series running AOS-CX and covers VLAN segmentation, SSH access, AAA, port security, QoS, trunk hardening, and inter-switch connectivity.

This is not a one-size-fits-all configuration. Every environment is different. Review each section against your requirements and test before deploying into production.

Change every placeholder before deploying. The double-hash placeholder (##) appears throughout this template where site-specific values belong. Deploying a configuration with placeholder values intact is a misconfiguration waiting to cause problems.


Initial System Configuration

configure terminal
hostname SWITCH_NAME
user netadmin group administrators password

hostname sets the device identity. Use a consistent naming convention across your environment. This matters for logging, monitoring, and troubleshooting. When you are looking at syslog entries from 40 switches, meaningful hostnames save time.

AOS-CX never stores a local password in plain text, so there is no equivalent of Cisco’s service password-encryption (which only applies reversible Type 7 obfuscation). In the running configuration each user appears as password ciphertext followed by an opaque value. That ciphertext keyword is for pasting a value exported from another AOS-CX switch, not for typing a new secret: on a fresh switch enter password with no argument, as above, and type the password at the prompt so it never lands in the command history. password plaintext is also accepted if you are willing to have the secret in the history and in any session logs.

Unlike Cisco IOS privilege levels, AOS-CX uses a role-based model with predefined groups: administrators (full configuration access), operators (read-only show access) and auditors (audit log access). The administrators group provides full administrative access and should be limited to the people who actually change configuration; give monitoring tooling an operators account instead. Create individual named accounts rather than sharing credentials. Every person who manages the switch should have their own account.


VLAN Configuration and Segmentation

vlan 1
    name DEFAULT
vlan 99
    name MANAGEMENT
vlan 100
    name SYSTEMS
vlan 101
    name CCTV
vlan 102
    name ACCESS_CONTROL
vlan 666
    name BLACKHOLE

VLAN segmentation is one of the most important things you can do on a security network. By default, every port on a new switch sits in VLAN 1. Everything can talk to everything. That is not acceptable in a security environment.

VLAN 1 (DEFAULT): Keep it but do not use it. Default VLAN has well-known behaviors and is the target of certain VLAN-hopping attacks. Do not put production traffic on VLAN 1.

VLAN 99 (MANAGEMENT): Dedicated to switch management traffic. Management interfaces should be isolated from camera traffic, user traffic, and everything else. This is where your SVIs for device management will live.

VLAN 100 (SYSTEMS): For servers, recording platforms, workstations, and other infrastructure that supports the security systems.

VLAN 101 (CCTV): Dedicated to cameras. Camera traffic is bandwidth-heavy and predictable. Isolating it simplifies QoS, troubleshooting, and security policy.

VLAN 102 (ACCESS_CONTROL): Dedicated to access control panels, controllers, and associated devices. These devices have different traffic patterns and security requirements than cameras.

VLAN 666 (BLACKHOLE): The dead-end VLAN. Every unused port gets assigned here. It is not routable and carries no traffic. Its purpose is to ensure that unused ports cannot be used as entry points. It can also be configured with monitoring to detect unauthorized devices attempting to connect.

The specific VLAN numbers are not magic. Use whatever numbering scheme makes sense for your environment. What matters is that services are separated, and unused ports are isolated.


VSF (Multi-Switch Environments)

If your environment has multiple switches, Aruba’s Virtual Switching Framework (VSF) is the equivalent of Cisco’s stacking. VSF combines multiple physical CX switches into a single logical unit.

vsf member 1
    type jl658a
    link 1 1/1/53
    link 2 1/1/54
vsf member 2
    type jl658a
    link 1 2/1/53
    link 2 2/1/54
vsf secondary-member 2
vsf split-detect mgmt

Each VSF link is defined by the physical port(s) that carry it; the SFP56 ports used here (1/1/53 and 1/1/54, leaving 1/1/51 and 1/1/52 for the LAG to the core as shown on the front panel) are an example allocation, not a requirement. vsf secondary-member 2 designates the member that takes over the control plane if the primary fails. vsf split-detect mgmt uses the out-of-band management ports, cabled to each other, to detect a broken stack link so that the stack does not split into two masters with the same IP address. The JL658A part number is the 24-port 6300M; substitute your own model.

VSF creates a single management plane across all member switches. Configuration changes applied to the VSF stack apply to all members. This simplifies management significantly and reduces the number of independent devices to configure and monitor.

AOS-CX does not use VTP for VLAN synchronization the way Cisco IOS does. In a VSF stack, VLANs are configured once and automatically synchronized across all members. In standalone multi-switch environments, VLANs must be configured consistently on each switch.

If VSF is not in use and you are managing standalone switches, document your VLAN configuration carefully and apply it consistently. A VLAN that exists on one switch but not on a connected trunk partner will cause connectivity failures that can be difficult to trace.
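The consistency check described above is mechanical enough to script against saved configurations. The following Python script is an added example, not code from the original page or from HPE: given the running-config text of two standalone switches, it parses the VLAN definitions and the trunk LAG stanza on each side and reports VLANs that are allowed on one side of the trunk but undefined or not allowed on the peer, plus native-VLAN mismatches. The two sample configs, the LAG number 10, and the missing VLAN 102 and native VLAN 1 on switch B are constructed for the example.

```python
"""Check VLAN consistency across two standalone AOS-CX switches joined by a trunk.

Added example, not code from the original page. Given the running-config text
of both switches it reports VLANs allowed on one side of the trunk that the
peer has not defined or not allowed, and native-VLAN mismatches.
"""
import re


def defined_vlans(config):
    """VLAN IDs created with a global 'vlan <N>' line."""
    return {int(m.group(1)) for m in re.finditer(r"^vlan (\d+)\s*$", config, re.M)}


def expand_vlan_list(spec):
    """'99-102,666' -> {99, 100, 101, 102, 666}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_settings(config, lag):
    """Allowed-VLAN set (None = all) and native VLAN of 'interface lag <lag>'."""
    m = re.search(rf"^interface lag {lag}\n((?:[ \t]+.*\n?)*)", config, re.M)
    if not m:
        raise ValueError(f"interface lag {lag} not found")
    body = m.group(1)
    allowed = re.search(r"vlan trunk allowed (\S+)", body)
    native = re.search(r"vlan trunk native (\d+)", body)
    return {
        # a trunk carries every VLAN until an explicit allowed list is configured
        "allowed": expand_vlan_list(allowed.group(1)) if allowed and allowed.group(1) != "all" else None,
        # untagged frames land on VLAN 1 unless a native VLAN is set
        "native": int(native.group(1)) if native else 1,
    }


def check_trunk_pair(cfg_a, lag_a, cfg_b, lag_b):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    sides = {"A": (defined_vlans(cfg_a), trunk_settings(cfg_a, lag_a)),
             "B": (defined_vlans(cfg_b), trunk_settings(cfg_b, lag_b))}
    for side, (defined, trunk) in sides.items():
        if trunk["allowed"] is None:
            findings.append(f"{side}: trunk allows all VLANs; configure an explicit allowed list")
            continue
        for vid in sorted(trunk["allowed"] - defined):
            findings.append(f"{side}: VLAN {vid} allowed on trunk but not defined on the switch")
    trunk_a, trunk_b = sides["A"][1], sides["B"][1]
    if trunk_a["allowed"] is not None and trunk_b["allowed"] is not None:
        for vid in sorted(trunk_a["allowed"] ^ trunk_b["allowed"]):
            only = "A" if vid in trunk_a["allowed"] else "B"
            findings.append(f"VLAN {vid} allowed only on side {only}; frames are dropped by the peer")
    if trunk_a["native"] != trunk_b["native"]:
        findings.append(f"native VLAN mismatch: A={trunk_a['native']} B={trunk_b['native']}")
    if 1 in (trunk_a["native"], trunk_b["native"]):
        findings.append("native VLAN is 1 on at least one side; move it to the blackhole VLAN")
    return findings


# Constructed sample configs: switch B is missing VLAN 102 and still uses native VLAN 1.
SWITCH_A = """\
vlan 99
    name MANAGEMENT
vlan 100
    name SYSTEMS
vlan 101
    name CCTV
vlan 102
    name ACCESS_CONTROL
vlan 666
    name BLACKHOLE
interface lag 10
    no shutdown
    no routing
    vlan trunk native 666
    vlan trunk allowed 99-102,666
    lacp mode active
"""

SWITCH_B = SWITCH_A.replace("vlan 102\n    name ACCESS_CONTROL\n", "").replace("native 666", "native 1")

if __name__ == "__main__":
    for line in check_trunk_pair(SWITCH_A, 10, SWITCH_B, 10):
        print(line)
```

Run it against show running-config output captured from each switch (and pass the LAG number used on each side, which need not match). A VLAN that is allowed on switch A but not defined on B is exactly the failure mode described above: A tags the frames, B has no bridge domain for that tag and silently drops them.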

VSF should be configured and validated before the switch goes into production. Adding a switch to a VSF stack after cameras are live requires planning.


Stacking vs LAG (Inter-Switch Connectivity)

Before configuring inter-switch connectivity, decide whether your switches will use VSF or standalone with LAG uplinks.

VSF Stacking

VSF combines multiple physical switches into a single logical unit managed as one device. It is the preferred approach when switches are co-located in the same rack or closet, and the cabling infrastructure supports it.

Benefits of VSF:

  • Single management plane across all members
  • Single configuration to manage
  • Redundant control plane
  • Cross-stack LAG support
  • Simplified spanning tree topology

The tradeoff is that a VSF stack shares a single control plane. A software defect or a bad upgrade can impact all members simultaneously. Plan firmware upgrades carefully, and always have a rollback plan.

Standalone Switches with LACP/LAG

When switches cannot use VSF (different locations, different models, or design preference), inter-switch links should use LACP LAG rather than single links.

A single uplink between switches is a single point of failure. If that link goes down, everything behind the downstream switch is disconnected. LAG bundles multiple physical links into a single logical interface. LACP negotiates and manages the bundle dynamically.

Benefits include redundancy (if one physical link fails, traffic continues on the remaining links), increased throughput (aggregate bandwidth of all member links), and automatic failover without spanning tree reconvergence.

For security networks specifically, this matters because camera systems generate constant, predictable traffic. Losing an inter-switch link means losing visibility from every camera on that switch. LAG reduces that risk significantly.

Always use LACP (mode active) rather than static LAG. LACP detects link failures and misconfigurations that static bundles cannot.


Logging and AAA Configuration

logging facility local7
logging 10.254.99.10 severity info vrf mgmt
!
aaa authentication login default local
!
banner motd ^
Unauthorized Access Prohibited
^
!
checkpoint post-configuration

logging 10.254.99.10 sends syslog to a centralized log server (AOS-CX takes the server address directly; there is no host keyword). Local switch logs are finite and get overwritten. A centralized syslog server retains logs for investigation, auditing, and compliance. The vrf mgmt option keeps syslog on the management plane; drop it only if the collector is reachable solely in-band.

severity info captures authentication events, configuration changes, interface state changes, and other operationally significant events without flooding the log with debug noise.

AAA (Authentication, Authorization, and Accounting) is the framework that controls who can access the device and what they can do. aaa authentication login default local sets the default authentication method to local accounts. This is appropriate for smaller environments or as a fallback.

For environments with more than a few switches, centralize AAA using RADIUS or TACACS+ tied into Active Directory. This provides centralized credential management, role-based access, and detailed accounting. Local authentication should still exist as a fallback in case the AAA server is unreachable.

The banner motd sets a legal warning that displays before authentication. In regulated environments and government deployments, this banner is required. Have legal counsel review the text. The specifics matter by jurisdiction.

AOS-CX records configuration changes in its event log (show events) and, with checkpoint post-configuration enabled, takes an automatic checkpoint after each configuration session so that you can compare and roll back (show checkpoint, checkpoint diff, checkpoint rollback). The banner is entered between a delimiter character of your choice (^ above) on its own line. Pair the checkpoints with AAA accounting to a TACACS+ server and you can answer the question “who changed what and when” after something breaks.


Spanning Tree Configuration

spanning-tree
spanning-tree mode rpvst
spanning-tree priority 1

Spanning Tree Protocol prevents network loops. Without it, a single cable plugged into the wrong ports can take down an entire VLAN.

AOS-CX supports MSTP, RPVST+, and RSTP, and ships with spanning tree disabled, so the bare spanning-tree command is required to turn it on. For environments with multiple VLANs on shared infrastructure, spanning-tree mode rpvst (Rapid Per-VLAN Spanning Tree) provides per-VLAN topology control with fast convergence. When a link fails or recovers, RPVST recalculates the topology in seconds rather than the 30 to 50 seconds that legacy STP requires. In a security environment where camera uptime matters, faster convergence means shorter outage windows during topology changes. Run the same mode on every switch in the Layer 2 domain.

spanning-tree priority 1 sets the bridge priority. AOS-CX takes a multiplier from 0 to 15 rather than the raw value: the priority used is the multiplier times 4096, so 1 means 4096 and the default of 8 means 32768. Lower values win the root election. In a predictable topology you want to control which switch is root, so set a low priority only on the switch you intend to be root. In the topology shown here, an access switch with a LAG up to a core, that is normally the core; leave access switches at the default so that a misconfigured edge switch can never out-bid the core.

BPDU Guard should be enabled on all access ports. If a switch or bridge device is connected to a port configured as an access port, BPDU Guard will err-disable that port rather than allowing it to participate in spanning tree. This prevents accidental loops from unauthorized switches.

interface 1/1/1
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge

LLDP

lldp

LLDP (Link Layer Discovery Protocol) allows devices to advertise their identity and capabilities to directly connected neighbors. It is enabled by default on AOS-CX; the global lldp command re-enables it if it was turned off with no lldp. This is useful in CCTV environments because it helps identify what is connected to each port, including camera model, IP address, and capabilities.

Many IP cameras support LLDP and will advertise their information to the switch. This makes inventory and troubleshooting significantly easier. You can see what device is connected to what port without tracing cables.

LLDP operates at Layer 2 and does not cross VLAN boundaries. It is informational only and does not affect traffic forwarding.

On AOS-CX, LLDP can be selectively disabled per interface on ports facing untrusted segments while remaining enabled on management and uplink ports. On access ports connecting to public or untrusted networks, consider disabling LLDP transmission to limit topology disclosure:

interface 1/1/1
    no lldp transmit
    no lldp receive

SSH Configuration

ssh server vrf mgmt
no ssh server vrf default
!
session-timeout 5

AOS-CX enables SSH by default but defaults to accepting connections on all VRFs. Restricting SSH to the management VRF isolates remote management to the dedicated management interface.

no ssh server vrf default removes SSH access from the default routing VRF, preventing SSH connections from reaching the switch through production VLANs. Management access should only be possible through the management plane, not through camera or access control VLANs.

session-timeout 5 is a global setting (AOS-CX has no line vty context) that disconnects idle console and SSH sessions after 5 minutes. An authenticated, idle management session is an open window.

AOS-CX enforces SSHv2 by default. There is no need to explicitly disable SSHv1 as it is not supported. Telnet is disabled by default and should never be enabled on a production switch.

To restrict SSH access to specific management workstations, apply a control-plane ACL on the management VRF. AOS-CX ACLs end in an implicit deny, so the final permit is required: without it, NTP, syslog replies and everything else the switch itself needs to receive would be dropped along with unwanted SSH:

access-list ip MGMT-ACCESS
    10 permit tcp 10.254.99.0/24 any eq 22
    20 deny tcp any any eq 22 log
    30 permit any any any
apply access-list ip MGMT-ACCESS control-plane vrf mgmt

Management Interface Configuration

interface mgmt
    no shutdown
    ip static 10.254.99.##/24
    default-gateway 10.254.99.1

AOS-CX switches have a dedicated out-of-band management port (interface mgmt) that is separate from the data plane. This is the preferred management interface. Traffic on this interface uses the management VRF and does not mix with production traffic. Note that the mgmt interface takes its address with ip static rather than the ip address form used on SVIs, and its gateway is set with default-gateway inside the interface context rather than with an ip route.

Management traffic should live on its own VLAN and interface, separate from camera traffic, access control traffic, and user traffic. This ensures that management access to the switch is not competing with production traffic and is not exposed to devices that do not need to reach it.

Where out-of-band management is not possible, use an in-band management SVI on VLAN 99 and restrict access with ACLs as shown in the SSH section above.


Layer 3 SVIs (Optional, Inter-VLAN Routing)

interface vlan 100
    ip address 10.254.100.##/24
    description System Network
    no shutdown
interface vlan 101
    ip address 10.254.101.##/24
    description CCTV Network
    no shutdown
interface vlan 102
    ip address 10.254.102.##/24
    description Access Control Network
    no shutdown

These SVIs are only required if you intend to use this switch as a Layer 3 device for routing traffic between VLANs. The CX 6300 routes between its SVIs natively without a separate routing license. Never create an SVI on VLAN 666 or VLAN 1: the blackhole VLAN must stay Layer 2 only, with no path out of it.

If your network design uses a dedicated router or firewall for inter-VLAN routing, you do not need these SVIs on the switch. Only the management interface is required for device management.

If you do enable inter-VLAN routing on the switch, implement access control lists between VLANs to restrict traffic flow. Just because VLANs can route between each other does not mean they should do so without policy.

For example, cameras on VLAN 101 need to reach recording servers on VLAN 100, but they should not be able to reach management interfaces, or access control systems on VLAN 102.

AOS-CX does not have a direct equivalent of Cisco’s auto qos video ip-camera macro. The minimal approach is to trust the DSCP markings arriving on camera-facing ports and map the code point your cameras use to a high local priority:

qos trust dscp
qos dscp-map 46 local-priority 7 name VIDEO

Check what your cameras actually mark before relying on this. Many mark nothing by default, and those that do often use AF41 or CS4 rather than EF (46); map the value your cameras send. Trusting DSCP on a port means trusting whatever the attached device chooses to mark, so apply qos trust dscp on camera ports, not on user-facing ports where a host can mark its own traffic as priority. For finer control, classify traffic with class and policy maps and apply the policy at the interface level on camera-facing ports where latency and jitter sensitivity require prioritization.


Trunk Port and LAG Configuration

Inter-Switch Trunk (LAG with LACP)

interface lag ##
    description Uplink to SWITCH_NAME
    no shutdown
    no routing
    vlan trunk native 666
    vlan trunk allowed 99-102,666
    lacp mode active
!
interface 1/1/51
    no shutdown
    no routing
    lag ##
    lacp rate fast
!
interface 1/1/52
    no shutdown
    no routing
    lag ##
    lacp rate fast

This configures a LAG using LACP between two switches using 10-gigabit or 25-gigabit uplinks.

vlan trunk native 666 sets the native VLAN to the blackhole VLAN. The native VLAN carries untagged traffic. By setting it to an unused VLAN, any untagged traffic hitting this trunk goes nowhere. This is a security measure against VLAN hopping attacks that exploit the default native VLAN (VLAN 1).

vlan trunk allowed 99-102,666 explicitly limits which VLANs are permitted on the trunk. Never leave the allowed VLAN list open. Only permit the VLANs that need to traverse this link.

lacp mode active configures both sides to actively negotiate the LAG. Both switches should be set to active. LACP will negotiate the bundle and detect any link or configuration mismatches.

lacp rate fast on each member port asks the LACP partner to send LACPDUs every second instead of every 30 seconds, so a failed member is detected and removed from the bundle after about 3 seconds rather than 90. It belongs on the physical member interfaces, not on the lag interface, and should be set on both switches.

AOS-CX does not have a DTP equivalent. Dynamic trunk negotiation is not a feature of AOS-CX, so there is no need to explicitly disable it. Trunk mode is configured intentionally. This is the correct behavior.

Server LAG (Access Mode)

interface lag ##
    description Recording Server
    no shutdown
    no routing
    vlan access 100
    lacp mode active

For servers connecting to the switch, a LAG can also be configured in access mode on a single VLAN. This provides redundancy and throughput without trunking. If the server is using NIC teaming or LACP bonding, the switch-side LAG configuration must match. Mismatched LACP settings between the server and switch are a common cause of connectivity issues.


Access Port Configuration (Camera Ports)

interface 1/1/1
    description Camera Port
    no shutdown
    no routing
    vlan access 101
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard
    port-access port-security enable
    port-access port-security client-limit 1
    port-access port-security violation action shutdown

This is where the cameras connect. Every camera port is configured with the same baseline settings.

vlan access 101 assigns the port to the CCTV VLAN. Cameras do not need trunk access.

spanning-tree port-type admin-edge is the AOS-CX equivalent of Cisco’s PortFast. It skips the listening and learning states and brings the port up immediately. This is appropriate for ports connecting to end devices rather than other switches.

spanning-tree bpdu-guard shuts the port down if a BPDU is received, preventing unauthorized switches from being connected to camera ports.

Port security is critical on camera ports. Cameras do not change. The same camera sits on the same port for years. Port security takes advantage of that predictability.

port-access port-security enable turns port security on. With no address configured, the switch learns the MAC address of the first device seen on the port and admits only that device. If you want a specific camera bound to the port regardless of what shows up first, configure its address statically on the port (port-access port-security mac-address followed by the MAC on current releases; confirm the exact form in the command reference for your release).

port-access port-security client-limit 1 allows only one MAC address per port. If a camera is the only thing that should be connected, one is the right number.

port-access port-security violation action shutdown err-disables the port if a different MAC address is detected. If someone disconnects a camera and plugs in a laptop or another device, the port goes down immediately. This is the correct response in a security environment.

When a port enters err-disabled state due to a violation, it requires manual intervention to bring it back up. This is intentional. You want to know why a camera port had an unauthorized device connected to it before re-enabling it.


Unused Port Handling

interface 1/1/45
    description UNUSED
    no routing
    vlan access 666
    shutdown

Any port not connected to a device should be assigned to the blackhole VLAN and shut down. Unused ports are entry points. Putting them on the blackhole VLAN and shutting them down ensures they cannot be used to access any production VLAN.

The description “UNUSED” makes it immediately clear during troubleshooting or auditing which ports are intentionally disabled.

When a port is needed in the future, remove it from the blackhole VLAN, assign it to the correct VLAN, apply appropriate port security, and bring it up.


HTTP and NTP Configuration

no https-server vrf default
https-server vrf mgmt
!
ntp server ##.##.##.## version 4
ntp vrf mgmt
ntp enable

AOS-CX has no plaintext HTTP management server; the web UI and the REST API are served only by https-server, which in the factory configuration listens on both the default and the mgmt VRF. no https-server vrf default removes it from the production VRFs so that the web UI and REST API are reachable only through the management plane. If you manage the switch exclusively through SSH, remove it from the mgmt VRF as well (no https-server vrf mgmt) to reduce the attack surface.

AOS-CX’s web management interface is limited compared to the CLI and is not required in most environments. Disabling it removes an unnecessary service.

NTP (Network Time Protocol) is critical. Without accurate time, your logs, your camera timestamps, and your access control events cannot be correlated reliably. Time is evidence. If systems are out of sync, the timeline of any investigation becomes unreliable.

ntp enable turns the NTP client on; it is off by default. ntp vrf mgmt restricts NTP to the management VRF, keeping time synchronization traffic on the management plane rather than mixing it with production traffic.

Point all switches to a reliable NTP source. If the network is isolated, use a GPS-based NTP server. If the network has controlled internet access, use a trusted public NTP source such as the National Research Council of Canada’s NTP service. Every device on the security network should use the same time source.
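The per-port and management-plane rules in this template (camera ports, unused ports, SSH and HTTPS bound only to the mgmt VRF, no leftover ## placeholders) are mechanical enough to audit from a saved running-config before a switch ships. The script below is an added example, not part of the original page or of HPE’s tooling. It assumes the stanza layout that show running-config produces on AOS-CX (interface sub-lines indented under an interface line) and the command forms used in this template. The sample config is constructed and deliberately seeded with defects: a ## placeholder left in the mgmt address, SSH still bound to the default VRF, a camera port without port security, and a live port left on VLAN 1.

```python
# Audit an AOS-CX running-config against the baseline rules in this template.
# Added example, not the page's or HPE's code; it assumes the stanza layout of
# 'show running-config' and the command forms used in the template above.
import re

BLACKHOLE_VLAN = "666"
CAMERA_VLAN = "101"
CAMERA_PORT_RULES = (
    "spanning-tree bpdu-guard",
    "port-access port-security enable",
    "port-access port-security client-limit 1",
    "port-access port-security violation action shutdown",
)


def parse_config(text):
    """Return (global_lines, {interface_name: [stripped sub-lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):  # indented sub-line belongs to the open stanza
            (interfaces[current] if current else global_lines).append(line.strip())
            continue
        m = re.match(r"interface (.+)$", line)
        current = m.group(1) if m else None
        if current:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if "##" in text:
        findings.append("placeholder '##' still present in the config")
    global_lines, interfaces = parse_config(text)
    for svc in ("ssh server", "https-server"):
        if f"{svc} vrf default" in global_lines:
            findings.append(f"{svc} reachable on the default VRF; bind it to vrf mgmt only")
    for name, lines in interfaces.items():
        if not re.fullmatch(r"\d+/\d+/\d+", name):
            continue  # only physical ports are checked here
        if "shutdown" in lines:
            if f"vlan access {BLACKHOLE_VLAN}" not in lines:
                findings.append(f"{name}: shut down but not parked in VLAN {BLACKHOLE_VLAN}")
            continue
        if any(l.startswith("lag ") for l in lines):
            continue  # LAG member; VLAN policy lives on the lag interface
        if f"vlan access {CAMERA_VLAN}" in lines:
            for rule in CAMERA_PORT_RULES:
                if rule not in lines:
                    findings.append(f"{name}: camera port missing '{rule}'")
        else:
            vlan_lines = [l for l in lines if l.startswith("vlan ")]
            if not vlan_lines or vlan_lines == ["vlan access 1"]:
                findings.append(f"{name}: port is up but sits on VLAN 1")
    return findings


# Constructed sample running-config, deliberately seeded with defects.
SAMPLE_CONFIG = """\
ssh server vrf mgmt
ssh server vrf default
interface 1/1/1
    no shutdown
    no routing
    vlan access 101
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard
    port-access port-security enable
    port-access port-security client-limit 1
    port-access port-security violation action shutdown
interface 1/1/2
    no shutdown
    no routing
    vlan access 101
interface 1/1/23
    no routing
    vlan access 666
    shutdown
interface 1/1/24
    no shutdown
    vlan access 1
interface 1/1/51
    no shutdown
    lag 10
interface mgmt
    no shutdown
    ip static 10.254.99.##/24
    default-gateway 10.254.99.1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved from each switch and treat any finding as a blocker for deployment. The port checks deliberately stop at physical interfaces; trunk LAG consistency is a two-switch problem and is covered by the VLAN consistency check in the VSF section above.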


What This Template Does Not Cover

This is a baseline. It gets you to a reasonable starting point for a CCTV and security network. There are additional configurations that should be considered depending on the environment:

  • DHCP snooping and Dynamic ARP Inspection (DAI) for additional Layer 2 security
  • 802.1x for network access control beyond port security
  • SNMPv3 configuration for secure monitoring
  • TACACS+ or RADIUS for centralized AAA
  • ACLs between VLANs for traffic policy enforcement
  • DHCP relay configuration if using centralized DHCP
  • Firmware update and lifecycle management
  • Configuration backup and change management

Each of these deserves its own discussion and should be implemented based on the specific requirements of your environment.


Final Thoughts

A switch out of the box is designed to forward traffic. It is not designed to be secure. Security comes from configuration.

The controls in this template are not advanced. They are fundamentals. VLAN segmentation, port security, SSH-only access, AAA, trunk hardening, and NTP. These are the baseline that every CCTV and security network should have before a single camera goes live.

If your current network does not have these in place, it is worth a review. The systems protecting your organization deserve a network that is configured with the same level of care.