This template is designed as a starting point for configuring Cisco Catalyst 9000 series switches in CCTV, access control, and physical security network environments. It covers baseline hardening, VLAN segmentation, SSH access, AAA, port security, QoS, and inter-switch connectivity.
This is not a one-size-fits-all configuration. Every environment is different. Review each section against your requirements and test before deploying into production.
Change every placeholder before deploying. The double-hash placeholder (##) appears throughout this template where site-specific values belong. Deploying a configuration with placeholder values intact is a misconfiguration waiting to cause problems.
Initial System Configuration
configure terminal
service password-encryption
hostname SWITCH-SITE-##
enable algorithm-type scrypt secret ##CHANGEME##
username netadmin privilege 15 algorithm-type scrypt secret ##CHANGEME##
ip domain name site.domain.local
clock timezone EST -5 0
clock summer-time EDT recurring
service password-encryption enables basic Type 7 encryption for passwords stored in the running configuration. This prevents passwords from appearing in plain text when the config is viewed. Type 7 is not cryptographically strong and can be reversed trivially with freely available tools – it is a deterrent for casual observation, not a security control. The important passwords (enable secret, username passwords) use algorithm-type scrypt, which is a strong hash.
hostname sets the device identity. Use a consistent naming convention. When you are looking at syslog entries from 40 switches, meaningful hostnames make the difference between a 10-minute and a 60-minute troubleshooting session. Include the site identifier and switch function in the name.
enable algorithm-type scrypt secret configures the enable password using scrypt hashing. This replaces the older MD5-based Type 5 hashing that was the previous best practice. Scrypt is significantly more resistant to offline brute-force cracking. Always use algorithm-type scrypt for any locally defined credentials on the Catalyst 9000 platform.
ip domain name is required for RSA key generation, which SSH requires. Set it to something meaningful for the environment.
VLAN Configuration
vlan 1
name DEFAULT
!
vlan 99
name MANAGEMENT
!
vlan 100
name SYSTEMS
!
vlan 101
name CCTV
!
vlan 102
name ACCESS_CONTROL
!
vlan 666
name BLACKHOLE
!
no vlan 1002
no vlan 1003
no vlan 1004
no vlan 1005
VLAN segmentation is one of the most important things you can do on a security network. By default, every port on a new switch sits in VLAN 1. Everything can talk to everything. That is not acceptable in a security environment.
VLAN 1 (DEFAULT): Keep it but do not use it. VLAN 1 has specific behaviors around tagged and untagged traffic handling and is the target of VLAN hopping attacks. Do not put production traffic on VLAN 1.
VLAN 99 (MANAGEMENT): Switch management traffic only. The management SVI and any management access to the switch lives here. Isolated from production traffic.
VLAN 100 (SYSTEMS): Servers, recording platforms, workstations, and other infrastructure that supports the security systems.
VLAN 101 (CCTV): IP cameras only. Camera traffic is bandwidth-heavy and predictable. Isolating it simplifies QoS, troubleshooting, and security policy.
VLAN 102 (ACCESS CONTROL): Access control panels, door controllers, intercoms. Different traffic patterns and security requirements than cameras.
VLAN 666 (BLACKHOLE): Every unused port gets assigned here. Not routable. No services. An unauthorized device connecting to an unused port gets no network access and generates a log event.
VLANs 1002-1005: These legacy FDDI and Token Ring VLANs exist by default. Remove them to clean up the VLAN database.
Management Interface
interface vlan 99
description Management-SVI
ip address 10.42.67.253 255.255.255.0
no shutdown
!
ip default-gateway 10.42.67.254
The management SVI provides IP connectivity to the switch for management purposes. This template uses 10.42.67.0/24 as the management VLAN of a single-site deployment. The SVI gets .253; switch SVIs are assigned descending from .253 to keep them visually distinct from the default gateway at .254.
The default gateway points to 10.42.67.254, which is the firewall or Layer 3 switch providing routing for this environment. Always use .254 for the gateway. When you see a management address, .253 tells you it is a switch SVI and .254 tells you it is the gateway – no lookup needed.
ip access-list standard MGMT-ACCESS
remark VMS server
permit 10.42.67.11 0.0.0.0
remark Secondary server / management workstation
permit 10.42.67.12 0.0.0.0
remark Authorized management range
permit 10.42.67.0 0.0.0.63
deny any log
!
line vty 0 15
access-class MGMT-ACCESS in
transport input ssh
exec-timeout 10 0
login local
The management access-list restricts SSH access to the switch to specific authorized addresses. The VMS and server addresses follow the .11 and .12 convention for servers in this subnet. Devices in the general management range use the lower part of the address space (.0-.63). Adjust these to match your actual addressing scheme.
exec-timeout 10 0 disconnects idle VTY sessions after 10 minutes. An authenticated, idle management session is an open window.
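Before applying the MGMT-ACCESS list it is worth checking what the wildcard masks actually open. The following Python is an added example, not part of the template: it evaluates the four entries above with Cisco's first-match, wildcard-mask semantics against sample addresses, enumerates every address in 10.42.67.0/24 the list permits, and reports entries that are fully covered by a later entry with the same action (the .11 and .12 host entries are inside the .0-.63 range). The entry tuples are a transcription of the ACL, not a parser of running configuration.

```python
import ipaddress

# The MGMT-ACCESS list from the template, in order: (action, base, wildcard).
# "any" is shorthand for base 0.0.0.0 / wildcard 255.255.255.255.
MGMT_ACL = [
    ("permit", "10.42.67.11", "0.0.0.0"),   # VMS server
    ("permit", "10.42.67.12", "0.0.0.0"),   # secondary server / management workstation
    ("permit", "10.42.67.0", "0.0.0.63"),   # authorized management range .0-.63
    ("deny", "any", None),                  # explicit deny with logging
]

def _ints(base, wildcard):
    """Base address and wildcard as integers; 'any' covers everything."""
    if base == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The address matches when every bit the wildcard leaves at 0 equals the base."""
    a = int(ipaddress.IPv4Address(addr))
    b, w = _ints(base, wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, addr):
    """First matching entry wins. Returns (action, 1-based entry number);
    an address matching nothing hits the implicit deny (entry None)."""
    for n, (action, base, wildcard) in enumerate(acl, 1):
        if wildcard_match(addr, base, wildcard):
            return action, n
    return "deny", None

def permitted_hosts(acl, network):
    """Every address in `network` the list permits: the real scope of the ACL."""
    return [str(h) for h in ipaddress.ip_network(network)
            if evaluate(acl, str(h))[0] == "permit"]

def subsumed_entries(acl):
    """(i, j) pairs where entry i is fully covered by a later entry j with the
    same action. Such entries are harmless but mislead a reader about what the
    list actually allows; here both host entries sit inside the .0-.63 range."""
    pairs = []
    for i, (act_i, base_i, wc_i) in enumerate(acl, 1):
        b_i, w_i = _ints(base_i, wc_i)
        for j, (act_j, base_j, wc_j) in enumerate(acl, 1):
            if j <= i or act_j != act_i:
                continue
            b_j, w_j = _ints(base_j, wc_j)
            care_j = ~w_j & 0xFFFFFFFF
            # i's don't-care bits must be inside j's, and the cared-for bits must agree
            if (w_i & care_j) == 0 and (b_i & care_j) == (b_j & care_j):
                pairs.append((i, j))
    return pairs

if __name__ == "__main__":
    for ip in ("10.42.67.11", "10.42.67.40", "10.42.67.64", "10.42.67.254"):
        print(ip, evaluate(MGMT_ACL, ip))
    print(len(permitted_hosts(MGMT_ACL, "10.42.67.0/24")), "addresses permitted")
    print("subsumed entries:", subsumed_entries(MGMT_ACL))
```

Running it shows that .64 through .255, including the gateway at .254, are denied by the explicit `deny any log` entry, and that exactly 64 addresses reach the VTY lines. Keeping the two host entries ahead of the range entry is still useful for the per-entry hit counters in `show access-lists`, which is the usual reason to leave them in place.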
SSH Configuration
crypto key generate rsa modulus 4096
!
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
!
ip ssh server algorithm kex diffie-hellman-group14-sha256 diffie-hellman-group16-sha512
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
SSH version 2 only. Version 1 has known vulnerabilities and must not be used. The 4096-bit RSA key provides adequate strength for the SSH host key. The algorithm settings restrict SSH to modern key exchange, MAC, and encryption algorithms, preventing negotiation down to legacy algorithms that have known weaknesses.
Telnet should not be enabled on any production network device. If it is enabled by default on your platform, disable it explicitly:
line vty 0 15
transport input ssh
no transport input telnet
AAA Configuration with RADIUS
aaa new-model
!
radius server RADIUS-01
address ipv4 10.42.67.11 auth-port 1812 acct-port 1813
key ##CHANGEME##
!
aaa group server radius RADIUS-GROUP
server name RADIUS-01
!
aaa authentication login default group RADIUS-GROUP local
aaa authentication enable default group RADIUS-GROUP enable
aaa authorization exec default group RADIUS-GROUP local
aaa accounting exec default start-stop group RADIUS-GROUP
AAA with RADIUS centralizes authentication through your network management system or a dedicated RADIUS server. The RADIUS server address points to 10.42.67.11, the primary management server. The fallback local keyword ensures that local credentials work if the RADIUS server is unreachable, so a RADIUS outage does not lock you out of your own devices. Once aaa new-model is enabled, the login local line configured earlier under the VTY lines is superseded by the default AAA login list, which applies to those lines automatically.
Accounting with start-stop logging records every management session: who logged in, when, and when they logged off. This is the audit trail for switch management access.
Access Port Configuration
Camera Ports (VLAN 101)
interface range GigabitEthernet1/0/1 - 12
description CCTV-CAM-##
switchport mode access
switchport access vlan 101
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
no cdp enable
no lldp transmit
no lldp receive
no shutdown
switchport nonegotiate disables DTP (Dynamic Trunking Protocol) on the port. DTP is a Cisco-proprietary protocol that negotiates trunk formation. On access ports facing cameras, there is no reason to allow trunk negotiation. Disabling DTP prevents VLAN hopping attacks that exploit DTP.
spanning-tree portfast skips the listening and learning states of Spanning Tree and brings the port up immediately. Appropriate for access ports connecting to end devices. Reduces the time cameras take to come online after a reboot or link restoration.
spanning-tree bpduguard enable err-disables the port if a BPDU (Bridge Protocol Data Unit) is received. Cameras do not send BPDUs. If a BPDU is received, it means someone connected a switch or a device running a bridging protocol to a camera port. The port shuts down immediately. This prevents unauthorized switches from being introduced to the camera network.
ip dhcp snooping limit rate 15 rate-limits DHCP packets on camera ports. This prevents DHCP starvation attacks where a device floods the network with DHCP requests to exhaust the DHCP pool.
no cdp enable / no lldp disables Cisco Discovery Protocol and LLDP on camera ports. These protocols advertise information about the network infrastructure – device models, software versions, addressing – to anything connected to the port. Cameras do not need this information. Disabling it prevents cameras (or anything else connected to these ports) from discovering the network topology.
Port Security on Camera Ports
interface range GigabitEthernet1/0/1 - 12
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security
Port security limits the number of MAC addresses allowed on a port. Cameras have one or two MACs (some cameras with two network interfaces). Setting maximum to 2 accommodates those cameras while preventing a camera port from being used as a connection point for a hub or unmanaged switch that then allows multiple devices onto the camera VLAN.
Violation action is set to restrict rather than shutdown. A restrict action drops packets from unauthorized MACs and generates a log event but does not err-disable the port. This is appropriate for camera ports where a brief address irregularity (camera reboot that changes the MAC, a camera replacement) should not take the port offline. If your security policy requires more aggressive enforcement, use shutdown.
Access Control Ports (VLAN 102)
interface range GigabitEthernet1/0/13 - 20
description ACCESS-CTRL-##
switchport mode access
switchport access vlan 102
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
storm-control broadcast level 10.00
no cdp enable
no lldp transmit
no lldp receive
no shutdown
Unused Ports (VLAN 666)
interface range GigabitEthernet1/0/23 - 48
description UNUSED-BLACKHOLE
switchport mode access
switchport access vlan 666
shutdown
Unused ports get assigned to VLAN 666 and administratively shut down. A port in VLAN 666 that is administratively down provides no network access. If a port is needed later, it gets configured explicitly before being brought up.
Trunk Port and Uplink Configuration
interface range TenGigabitEthernet1/1/1 - 2
description UPLINK-TO-CORE-SWITCH-##
switchport mode trunk
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,101,102
channel-group 1 mode active
no shutdown
!
interface port-channel 1
description LAG-UPLINK-TO-CORE
switchport mode trunk
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,101,102
switchport trunk native vlan 666 assigns the blackhole VLAN as the native (untagged) VLAN on trunk ports. Any untagged traffic arriving on the trunk lands in the blackhole VLAN rather than VLAN 1. This is one of the primary mitigations for native VLAN-based VLAN hopping attacks.
switchport trunk allowed vlan 99,100,101,102 explicitly defines which VLANs can traverse this trunk. All other VLANs are pruned. If a VLAN is not in this list, traffic from that VLAN cannot cross the trunk. This enforces the principle of least privilege at the VLAN level.
LACP port-channel: Two uplinks bundled with LACP provide redundancy and bandwidth aggregation. If one physical link fails, the port-channel continues to function on the remaining link. LACP mode active initiates the bundle negotiation from this end.
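The access-port and trunk sections above amount to a checklist: no placeholders left in, no live access port on VLAN 1, DTP disabled and BPDU guard on every live access port, unused ports in the blackhole VLAN, trunks with a non-default native VLAN and an explicit allowed list, and no telnet on the VTY lines. The following Python is an added example, not code from the template, that parses an IOS-style configuration (expanding interface range statements into their members) and reports where it falls short. The sample configuration embedded in it is constructed for the demonstration and carries deliberate slips; the check names and messages are the example's own.

```python
import re

# Constructed sample: a trimmed copy of the template with deliberate slips
# (a placeholder left in, a port left live in VLAN 1 without hardening,
# a port-channel with the default native VLAN, telnet left on the VTY lines).
SAMPLE_CONFIG = """\
hostname SWITCH-SITE-##
!
interface range GigabitEthernet1/0/1 - 12
 description CCTV-CAM-01
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
interface GigabitEthernet1/0/21
 description FORGOTTEN-PORT
 switchport mode access
 no shutdown
!
interface range GigabitEthernet1/0/23 - 48
 switchport mode access
 switchport access vlan 666
 shutdown
!
interface range TenGigabitEthernet1/1/1 - 2
 switchport mode trunk
 switchport trunk native vlan 666
 switchport trunk allowed vlan 99,100,101,102
 channel-group 1 mode active
!
interface port-channel 1
 switchport mode trunk
 switchport trunk allowed vlan 99,100,101,102
!
line vty 0 15
 transport input telnet ssh
"""

BLACKHOLE_VLAN = 666
RANGE_RE = re.compile(r"^(?P<prefix>[A-Za-z-]+\d+/\d+/)(?P<start>\d+)\s*-\s*(?P<end>\d+)$")

def parse_blocks(text):
    """Split an IOS config into (header, [child lines]); children are the indented lines."""
    blocks, header, children = [], None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks

def expand_interfaces(header):
    """'interface range GigabitEthernet1/0/1 - 12' -> the 12 member names;
    'interface X' -> ['X']; any other header -> []."""
    if header.startswith("interface range "):
        spec = header[len("interface range "):]
        m = RANGE_RE.match(spec)
        if not m:
            return [spec]
        return [m["prefix"] + str(n) for n in range(int(m["start"]), int(m["end"]) + 1)]
    if header.startswith("interface "):
        return [header[len("interface "):]]
    return []

def _vlan(lines, prefix, default=1):
    """VLAN number following `prefix`, or the IOS default (VLAN 1) when absent."""
    for l in lines:
        if l.startswith(prefix):
            return int(l[len(prefix):])
    return default

def audit_interface(name, lines):
    findings = []
    if "switchport mode access" in lines:
        vlan = _vlan(lines, "switchport access vlan ")
        if "shutdown" in lines:
            if vlan != BLACKHOLE_VLAN:
                findings.append((name, f"shut port sits in VLAN {vlan}, not blackhole VLAN {BLACKHOLE_VLAN}"))
        else:
            if vlan == 1:
                findings.append((name, "live access port left in VLAN 1"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP not disabled (missing switchport nonegotiate)"))
            if "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "BPDU guard not enabled"))
    elif "switchport mode trunk" in lines:
        if _vlan(lines, "switchport trunk native vlan ") == 1:
            findings.append((name, "trunk native VLAN is 1 (set it to the blackhole VLAN)"))
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append((name, "trunk carries all VLANs (no allowed-vlan list)"))
    return findings

def audit_config(text):
    """Every (scope, message) finding for the configuration, in config order."""
    findings = []
    for header, lines in parse_blocks(text):
        for l in [header] + lines:
            if "##" in l:
                findings.append((header, f"placeholder still present: {l}"))
        for name in expand_interfaces(header):
            findings.extend(audit_interface(name, lines))
        if header.startswith("line vty"):
            for l in lines:
                if l.startswith("transport input") and "telnet" in l:
                    findings.append((header, "telnet permitted on VTY lines"))
    return findings

if __name__ == "__main__":
    for scope, message in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```

Feed it the output of `show running-config` and every member of an interface range is checked individually, so a single forgotten port (Gi1/0/21 in the sample, which the template's ranges do not cover) shows up on its own line. The port-channel finding matters in practice: the physical uplinks carry the native VLAN 666 setting, but a port-channel interface configured without it defaults back to VLAN 1.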
DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 100,101,102
no ip dhcp snooping information option
!
interface port-channel 1
ip dhcp snooping trust
DHCP snooping prevents unauthorized DHCP servers from issuing addresses on the network. When enabled, only ports marked as trusted can respond to DHCP requests. The uplink port-channel is trusted because the legitimate DHCP server lives upstream. Camera ports and access control ports are untrusted by default, so a device connected to a camera port cannot act as a rogue DHCP server.
no ip dhcp snooping information option disables DHCP Option 82 insertion. Option 82 adds relay agent information to DHCP packets, which can cause issues with DHCP servers that are not configured to accept it. Disable it unless your DHCP infrastructure specifically requires it.
Dynamic ARP Inspection
ip arp inspection vlan 100,101,102
!
interface port-channel 1
ip arp inspection trust
Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table. This prevents ARP spoofing, where a device sends gratuitous ARP replies to poison the ARP caches of other devices and intercept traffic. DAI drops ARP packets that do not match the binding table. The uplink is trusted because upstream devices are authoritative.
Note: DAI works in conjunction with DHCP snooping. Devices with statically configured IP addresses need a static entry in the DHCP snooping binding table for DAI to validate their ARP packets. The entry below is entered in privileged EXEC mode, not configuration mode, so it does not appear in the running configuration and must be re-added after a reload:
ip dhcp snooping binding 001a.2b3c.4d5e vlan 101 10.42.67.100 interface GigabitEthernet1/0/1 expiry 86400
QoS for Camera Traffic
! QoS is enabled by default on the Catalyst 9000 (IOS-XE); the legacy "mls qos" command does not exist on this platform
ip access-list extended CAMERA-ACL
permit ip 10.42.67.0 0.0.0.255 any
!
class-map match-any CAMERA-TRAFFIC
match access-group name CAMERA-ACL
!
policy-map CAMERA-QOS
class CAMERA-TRAFFIC
set dscp af31
class class-default
set dscp default
!
interface range GigabitEthernet1/0/1 - 12
service-policy input CAMERA-QOS
QoS marks camera traffic with DSCP AF31, which places it in the Assured Forwarding queue. In congested conditions, camera traffic is given priority over unmarked (best-effort) traffic. This is particularly relevant on uplinks that carry mixed traffic types.
This is a basic QoS policy. Complex environments with strict QoS requirements may need more sophisticated queuing policies. If your VMS vendor has specific DSCP recommendations for their platform, use those values.
System Logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec
!
logging on
logging buffered 512000 informational
logging trap informational
logging source-interface vlan 99
logging host 10.42.67.11
Syslog is forwarded to the management server at 10.42.67.11. Logs originate from the management SVI (VLAN 99) so they are identifiable by source IP. The buffer size of 512 KB keeps local logs available for recent troubleshooting even if the syslog server is temporarily unavailable.
The logging level of informational captures connection events, configuration changes, BPDU guard and port security violations, and other relevant operational events without generating excessive noise from debug-level messages.
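The events this logging level captures are only useful if someone reads them, and severity alone is a poor filter: a camera port flapping logs at severity 3, while a management login success is severity 5. The following Python is an added example, not part of the template, that parses the IOS message format (facility-severity-mnemonic), maps the affected port back to the roles the template assigns (Gi1/0/1-12 CCTV, 13-20 access control, 23-48 unused, 1/1/x uplinks) and labels the events worth a human's attention. The sample log lines are constructed for the demonstration in the shape IOS produces, not captured from a device.

```python
import re

# Constructed sample lines in the shape IOS emits with
# 'service timestamps log datetime msec localtime show-timezone' (not real captures).
SAMPLE_SYSLOG = """\
Mar 10 09:14:02.117 EST: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar 10 09:15:44.902 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/3.
Mar 10 09:16:10.003 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.42.67.40] [localport: 22] [Reason: Login Authentication Failed] at 09:16:10 EST Mon Mar 10 2025
Mar 10 09:16:31.551 EST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.42.67.12] [localport: 22] at 09:16:31 EST Mon Mar 10 2025
Mar 10 09:20:00.000 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""

SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"\b(?:TenGigabitEthernet|GigabitEthernet|Te|Gi)(\d+/\d+/\d+)\b")
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")

# Port roles as the template assigns them on a 48-port switch (slot/subslot/port).
PORT_ROLES = ((range(1, 13), "CCTV"), (range(13, 21), "ACCESS_CONTROL"), (range(23, 49), "UNUSED"))

def port_role(iface):
    """'1/0/7' -> 'CCTV'; the 1/1/x ports are the uplinks."""
    _slot, sub, port = iface.split("/")
    if sub != "0":
        return "UPLINK"
    for ports, role in PORT_ROLES:
        if int(port) in ports:
            return role
    return "UNKNOWN"

def parse_event(line):
    """Facility/severity/mnemonic plus interface or login details from one line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    ev = {"facility": m["facility"], "severity": int(m["severity"]), "mnemonic": m["mnemonic"],
          "interface": None, "role": None, "user": None, "source": None}
    im = IFACE_RE.search(m["text"])
    if im:
        ev["interface"] = im.group(1)
        ev["role"] = port_role(im.group(1))
    lm = LOGIN_RE.search(m["text"])
    if lm:
        ev["user"], ev["source"] = lm["user"], lm["src"]
    return ev

def classify(ev):
    """Alert label, or None for routine noise. LINK-3-UPDOWN is severity 3 yet
    routine on a camera port; a severity-5 login success is the audit trail."""
    mn = ev["mnemonic"]
    if mn == "PSECURE_VIOLATION":
        return f"port-security violation on {ev['role']} port {ev['interface']}"
    if mn == "ERR_DISABLE":
        return f"err-disable on {ev['role']} port {ev['interface']}"
    if mn == "LOGIN_FAILED":
        return f"failed management login {ev['user']}@{ev['source']}"
    if mn == "LOGIN_SUCCESS":
        return f"management login {ev['user']}@{ev['source']}"
    if ev["severity"] <= 2:
        return f"{ev['facility']}-{mn} (severity {ev['severity']})"
    return None

def triage(log_text):
    """(mnemonic, label) for every line worth attention, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            alerts.append((ev["mnemonic"], label))
    return alerts

if __name__ == "__main__":
    for mnemonic, label in triage(SAMPLE_SYSLOG):
        print(f"{mnemonic:20} {label}")
```

The port-role lookup is what turns a generic switch event into a security event: a BPDU guard err-disable or port-security violation on a CCTV or ACCESS_CONTROL port means something other than the expected device was plugged into a camera or door-controller drop, which is exactly the condition the bpduguard and port-security settings above exist to catch.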
SNMP Configuration
snmp-server community ##READ-ONLY-STRING## RO MGMT-ACCESS
snmp-server location Site-##-IDF-##
snmp-server contact ##CONTACT-EMAIL##
snmp-server host 10.42.67.11 version 2c ##READ-ONLY-STRING##
no snmp-server community public
no snmp-server community private
SNMP v2c with a strong community string, read-only, restricted to the management access-list defined earlier. Remove the default public and private community strings. These are the SNMP equivalent of default passwords – they are publicly known, and any device with SNMP enabled using them is accessible to anyone who knows to look.
SNMPv3 is preferred for new deployments because it supports authentication and encryption. If your monitoring platform supports SNMPv3, use it:
snmp-server group MGMT-GROUP v3 priv
snmp-server user MGMT-USER MGMT-GROUP v3 auth sha ##AUTHPW## priv aes 128 ##PRIVPW##