Juniper EX2300 — Front Panel and VLAN Port Allocation
[Figure: Juniper EX2300-24T front panel, 24-port GbE, Junos OS. Port allocation: ports 1–12 CCTV, VLAN 101; ports 13–16 Access Control, VLAN 102; ports 17–22 Systems, VLAN 100; ports 23–24 Unused, VLAN 666; SFP+ xe-0/0/0 and xe-0/0/1 bundled as LAG ae0, uplink to core.]

Over the last 15+ years, when I get brought in to look at a CCTV or security network, it is almost a guarantee that the network devices are not configured correctly. Or just not configured at all.

Switches running factory defaults. No VLANs. No port security. Default credentials on everything. No redundancy between switches. Management interfaces sitting wide open on the same network as cameras. These are systems protecting physical assets, running on networks that nobody thought to protect.

Over the years I have built a set of configuration templates that provide initial setup, baseline hardening, and performance tuning for security network switches. This is one of them. It is focused on the Juniper EX series running Junos OS and covers VLAN segmentation, SSH access, AAA, port security, QoS, trunk hardening, and inter-switch connectivity.

This is not a one-size-fits-all configuration. Every environment is different. Review each section against your requirements and test before deploying into production.

A note on Junos syntax. Junos uses a hierarchical configuration model. All commands below are entered in configuration mode (configure) using set syntax. Changes take effect only after commit. Use commit confirmed 5 when making changes that affect remote access. This automatically rolls back after 5 minutes unless you confirm, protecting you from locking yourself out. One caveat on hierarchies: EX platforms running Enhanced Layer 2 Software (ELS), such as the EX2300, EX3400 and EX4300, use different statements for some of the Layer 2 items below (interface-mode instead of port-mode, irb.N instead of vlan.N for routed VLAN interfaces, and switch-options and protocols layer2-control in place of ethernet-switching-options). The template below uses the non-ELS hierarchies; check the hierarchy for your platform and Junos release before committing.

Change every placeholder before deploying. The double-hash placeholder (##) appears throughout this template where site-specific values belong. Deploying a configuration with placeholder values intact is a misconfiguration waiting to cause problems.


Initial System Configuration

set system host-name SWITCH_NAME
set system root-authentication encrypted-password "##CHANGEME##"
set system login user netadmin class super-user
set system login user netadmin authentication encrypted-password "##CHANGEME##"

system host-name sets the device identity. Use a consistent naming convention across your environment. This matters for logging, monitoring, and troubleshooting. When you are looking at syslog entries from 40 switches, meaningful hostnames save time.

system root-authentication sets the root account password. In Junos, root is a privileged account used for emergency access. The password is stored as a hashed value. Never leave root without a password on a production device.

Junos stores all local passwords as hashed values in the configuration. Passwords are never stored in plain text, which is the correct behavior. Rather than generating the hash yourself, use the plain-text-password form of the statement (set system root-authentication plain-text-password); Junos prompts for the password and writes the hash into the encrypted-password field. request system set-encryption-keys is unrelated: it sets the key used to encrypt the configuration file, not a login password.

The login user section creates a named administrative account in the super-user class. Create individual named accounts rather than sharing credentials. Every person who manages the switch should have their own account. Shared credentials make audit trails meaningless.


VLAN Configuration and Segmentation

set vlans DEFAULT vlan-id 1
set vlans MANAGEMENT vlan-id 99
set vlans SYSTEMS vlan-id 100
set vlans CCTV vlan-id 101
set vlans ACCESS_CONTROL vlan-id 102
set vlans BLACKHOLE vlan-id 666

VLAN segmentation is one of the most important things you can do on a security network. By default, every port on a new switch sits in VLAN 1. Everything can talk to everything. That is not acceptable in a security environment.

VLAN 1 (DEFAULT): Keep it but do not use it. Default VLAN has well-known behaviors and is the target of certain VLAN-hopping attacks. Do not put production traffic on VLAN 1.

VLAN 99 (MANAGEMENT): Dedicated to switch management traffic. Management interfaces should be isolated from camera traffic, user traffic, and everything else. This is where your L3 interfaces for device management will live.

VLAN 100 (SYSTEMS): For servers, recording platforms, workstations, and other infrastructure that supports the security systems.

VLAN 101 (CCTV): Dedicated to cameras. Camera traffic is bandwidth-heavy and predictable. Isolating it simplifies QoS, troubleshooting, and security policy.

VLAN 102 (ACCESS_CONTROL): Dedicated to access control panels, controllers, and associated devices. These devices have different traffic patterns and security requirements than cameras.

VLAN 666 (BLACKHOLE): The dead-end VLAN. Every unused port gets assigned here. It is not routable and carries no traffic. Its purpose is to ensure that unused ports cannot be used as entry points.

The specific VLAN numbers are not magic. Use whatever numbering scheme makes sense for your environment. What matters is that services are separated, and unused ports are isolated.


Virtual Chassis (Multi-Switch Environments)

Juniper EX series supports Virtual Chassis, which combines multiple physical switches into a single logical unit. Virtual Chassis is the preferred approach for co-located switches.

set virtual-chassis member 0 role routing-engine
set virtual-chassis member 1 role routing-engine
set virtual-chassis auto-sw-update

Virtual Chassis creates a single management plane across all member switches. Configuration changes applied to the primary routing engine propagate to all members. This simplifies management significantly and reduces the number of independent devices to configure and monitor.

Junos does not use VTP for VLAN synchronization. In a Virtual Chassis configuration, VLANs are configured once and automatically synchronized across all members. In standalone multi-switch environments, VLANs must be configured consistently on each switch manually.

auto-sw-update enables automatic software version synchronization across Virtual Chassis members. When the primary member has a firmware update, other members will update automatically. In production environments, test firmware upgrades before enabling auto-update.

Virtual Chassis should be configured and validated before the switch goes into production. Adding a switch to a Virtual Chassis after cameras are live requires careful planning and a maintenance window.


Stacking vs Aggregated Ethernet (Inter-Switch Connectivity)

Before configuring inter-switch connectivity, decide whether your switches will use Virtual Chassis or standalone with aggregated Ethernet uplinks.

Virtual Chassis

Virtual Chassis combines multiple physical switches into a single logical unit managed as one device. It is the preferred approach when switches are co-located in the same rack or closet.

Benefits of Virtual Chassis:

  • Single management plane across all members
  • Single configuration to manage
  • Redundant control plane (if a member fails, the Virtual Chassis continues)
  • Cross-member aggregated Ethernet support
  • Simplified spanning tree topology

The tradeoff is that a Virtual Chassis shares a single control plane. A software defect or a bad upgrade can impact all members simultaneously. Plan firmware upgrades carefully, and always have a rollback plan.

Standalone Switches with Aggregated Ethernet/LACP

When switches cannot use Virtual Chassis, inter-switch links should use aggregated Ethernet with LACP rather than single links.

A single uplink between switches is a single point of failure. If that link goes down, everything behind the downstream switch is disconnected. Aggregated Ethernet bundles multiple physical links into a single logical interface. LACP negotiates and manages the bundle dynamically.

Benefits include redundancy (if one physical link fails, traffic continues on the remaining links), increased throughput (aggregate bandwidth of all member links), and automatic failover without spanning tree reconvergence.

For security networks specifically, this matters because camera systems generate constant, predictable traffic. Losing an inter-switch link means losing visibility from every camera on that switch. Aggregated Ethernet reduces that risk significantly.


Logging and AAA Configuration

set system syslog host 10.254.99.10 any info
set system syslog host 10.254.99.10 authorization info
set system syslog host 10.254.99.10 interactive-commands info
set system syslog file messages any notice
set system syslog file authorization authorization info
set system syslog time-format millisecond
#
set system authentication-order password
set system login announcement "Unauthorized Access Prohibited"
#
set system accounting destination tacplus
set system accounting events login
set system accounting events interactive-commands

syslog host sends log output to a centralized log server. Local switch logs are finite and get overwritten. A centralized syslog server retains logs for investigation, auditing, and compliance.

syslog any info captures authentication events, configuration changes, interface state changes, and other operationally significant events.

interactive-commands logging records every command entered on the CLI. This creates a full audit trail of administrative actions. It is the Junos equivalent of Cisco's archive log config, and is one of the most important logging configurations on a managed switch.

authorization info captures authentication successes and failures. You should know who logged in, when, and from where.

AAA (Authentication, Authorization, and Accounting) is the framework that controls who can access the device and what they can do. system authentication-order password uses local authentication. This is appropriate for smaller environments or as a fallback.

For environments with more than a few switches, centralize AAA using TACACS+ or RADIUS. Junos supports both. TACACS+ provides per-command authorization, which is more granular than RADIUS. Local authentication should still exist as a fallback.

set system tacplus-server 10.254.99.20 port 49
set system tacplus-server 10.254.99.20 secret "##CHANGEME##"
set system authentication-order [tacplus password]

The login announcement sets text that Junos displays after a successful login. The pre-login legal warning banner, which is what regulated environments and government deployments usually require, is set with system login message using the same text. Have legal counsel review the text. The specifics matter by jurisdiction.
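As an added example that is not part of the original template, the following Python script parses syslog output in the shape these settings produce (UI_LOGIN_EVENT, UI_CMDLINE_READ_LINE and UI_COMMIT from mgd, and sshd failed-password messages) and turns it into the audit trail described above: commands per user, who logged in from where, commits, and failed logins per source. The log lines are constructed samples, not captured from a switch; the management subnet 10.254.99.0/24 is taken from this template, and the hostname SW-CCTV-01 and all addresses in the sample are assumptions.

```python
"""Parse Junos syslog output into an administrative audit trail and flag failed-login sources."""
import ipaddress
import re
from collections import Counter, defaultdict

MGMT_NET = ipaddress.ip_network("10.254.99.0/24")  # management VLAN from the template

# Constructed sample lines in the shape Junos emits for the facilities the template enables
# (authorization, interactive-commands). They were not captured from a real switch.
SAMPLE_LOG = """\
Mar  3 10:15:02 SW-CCTV-01 mgd[5321]: UI_LOGIN_EVENT: User 'netadmin' login, class 'super-user' [5321], ssh-connection '10.254.99.5 50122 10.254.99.11 22', client-mode 'cli'
Mar  3 10:15:09 SW-CCTV-01 mgd[5321]: UI_CMDLINE_READ_LINE: User 'netadmin', command 'set interfaces ge-0/0/7 disable '
Mar  3 10:15:12 SW-CCTV-01 mgd[5321]: UI_COMMIT: User 'netadmin' requested 'commit' operation (comment: none)
Mar  3 10:20:41 SW-CCTV-01 sshd[5410]: Failed password for root from 10.254.101.37 port 40112 ssh2
Mar  3 10:20:43 SW-CCTV-01 sshd[5412]: Failed password for admin from 10.254.101.37 port 40113 ssh2
Mar  3 10:20:46 SW-CCTV-01 sshd[5415]: Failed password for invalid user cisco from 10.254.101.37 port 40115 ssh2
Mar  3 10:31:00 SW-CCTV-01 sshd[5501]: Failed password for netadmin from 10.254.99.5 port 50190 ssh2
"""

# BSD syslog header: timestamp, hostname, process[pid]: message
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)

# Message bodies we care about; the first matching kind is assigned to the event.
PATTERNS = {
    "login": re.compile(
        r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'.*?ssh-connection '(?P<src>\S+) "
    ),
    "command": re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>.*)'$"),
    "commit": re.compile(r"UI_COMMIT: User '(?P<user>[^']+)' requested 'commit'"),
    "failed_login": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
}


def parse_line(line):
    """Return a dict describing one syslog line, or None if it is not a syslog record."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "kind": "other"}
    for kind, pat in PATTERNS.items():
        hit = pat.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update({k: v.strip() for k, v in hit.groupdict().items()})
            break
    return event


def audit(log_text):
    """Group events into the audit trail: commands per user, logins, commits, failures per source."""
    report = {"commands": defaultdict(list), "logins": [], "commits": [], "failed": Counter()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["kind"] == "command":
            report["commands"][ev["user"]].append(ev["cmd"])
        elif ev["kind"] == "login":
            report["logins"].append((ev["user"], ev["src"], ev["cls"]))
        elif ev["kind"] == "commit":
            report["commits"].append(ev["user"])
        elif ev["kind"] == "failed_login":
            report["failed"][ev["src"]] += 1
    return report


def suspicious_sources(report, threshold=3):
    """Sources that reach the failure threshold or sit outside the management VLAN.

    A failed login from outside 10.254.99.0/24 means an SSH connection reached the
    login prompt from a VLAN that should not be able to reach management at all.
    """
    flagged = {}
    for src, count in report["failed"].items():
        reasons = []
        if count >= threshold:
            reasons.append(f"{count} failed logins")
        if ipaddress.ip_address(src) not in MGMT_NET:
            reasons.append("source outside management VLAN")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    rpt = audit(SAMPLE_LOG)
    for user, cmds in rpt["commands"].items():
        print(f"{user}: {cmds}")
    for src, reasons in suspicious_sources(rpt).items():
        print(f"{src}: {', '.join(reasons)}")
```

Feed it the file your syslog server writes for the switch. In the constructed sample the camera-VLAN address 10.254.101.37 is flagged on both counts, while the single failure from the management station is left alone: exactly the split the Routing Engine filter later in this template is meant to enforce at the network layer.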


Spanning Tree Configuration

set protocols rstp
set protocols rstp bridge-priority 4096
set protocols rstp interface all edge
set protocols rstp interface all no-root-port

Spanning Tree Protocol prevents network loops. Without it, a single cable plugged into the wrong ports can take down an entire VLAN.

Junos supports RSTP (Rapid Spanning Tree), MSTP, and legacy STP. RSTP is the correct choice for most security network deployments. When a link fails or recovers, RSTP recalculates the topology in seconds rather than the 30 to 50 seconds that legacy STP requires. In a security environment where camera uptime matters, faster convergence means shorter outage windows during topology changes.

bridge-priority 4096 sets a lower priority value on this switch, making it more likely to be elected as the root bridge. In a predictable topology, you want to control which switch is root. Lower priority values win. Default is 32768. Be careful with interface all no-root-port: root protection on every port is only safe on the switch that is meant to be root, because on any other switch it stops the uplink from becoming the root port and that uplink is blocked. On non-root switches, apply no-root-port and edge per interface to access ports only, never to uplink or aggregated Ethernet interfaces.

BPDU Guard should be enabled on all access ports. If a switch or bridge device is connected to a port configured as an edge port, BPDU Guard will block that port rather than allowing it to participate in spanning tree.

set protocols rstp interface ge-0/0/0 edge
set ethernet-switching-options bpdu-block interface ge-0/0/0
set ethernet-switching-options bpdu-block disable-timeout 300

The disable-timeout 300 setting automatically re-enables a blocked port after 5 minutes following a BPDU Guard event, avoiding permanent lockout from a brief BPDU event. Adjust based on your operational requirements.


LLDP

set protocols lldp interface all

LLDP (Link Layer Discovery Protocol) allows devices to advertise their identity and capabilities to directly connected neighbors. This is useful in CCTV environments because it helps identify what is connected to each port, including camera model, IP address, and capabilities.

Many IP cameras support LLDP and will advertise their information to the switch. This makes inventory and troubleshooting significantly easier. You can see what device is connected to what port without tracing cables.

LLDP operates at Layer 2 and does not cross VLAN boundaries. It is informational only and does not affect traffic forwarding.

On ports facing untrusted segments, disable LLDP to limit topology disclosure:

set protocols lldp interface ge-0/0/1 disable

SSH Configuration

set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh max-sessions-per-connection 1
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system services ssh ciphers [ aes256-ctr aes192-ctr aes128-ctr ]
set system services ssh macs [ hmac-sha2-256 hmac-sha2-512 ]
#
set system login retry-options tries-before-disconnect 3
set system login retry-options minimum-time 30
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5

root-login deny prevents the root account from logging in via SSH. Root access should require physical console access. This limits the blast radius of a compromised root password.

protocol-version v2 forces SSHv2 only. SSHv1 has known vulnerabilities and should never be used.

connection-limit 5 caps concurrent SSH sessions to prevent resource exhaustion from connection flooding.

rate-limit 5 limits new SSH connections to 5 per minute, slowing down automated brute force tools.

The cipher and MAC algorithm lists restrict SSH to strong, modern cryptographic algorithms. This removes older, weaker options that may be used by default in some SSH clients and tools.

retry-options limits failed login attempts and introduces delays after repeated failures. This slows down brute force attempts without permanently locking out legitimate users.

Telnet is not configured and is disabled by default on Junos. There is no legitimate reason to use Telnet for switch management.

To restrict SSH access to specific management stations, apply a stateless filter to lo0, which on Junos governs all traffic destined for the Routing Engine. Because the filter is stateless and DENY-ALL discards everything not explicitly accepted, it will also drop replies to connections the switch itself initiates (TACACS+ on TCP 49, NTP, DNS) and ICMP. Add accept terms for those before DENY-ALL, using tcp-established for TCP return traffic, and apply the filter with commit confirmed so a mistake does not lock you out:

set firewall family inet filter PROTECT-RE term ALLOW-SSH from source-address 10.254.99.0/24
set firewall family inet filter PROTECT-RE term ALLOW-SSH from destination-port 22
set firewall family inet filter PROTECT-RE term ALLOW-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-SSH then accept
set firewall family inet filter PROTECT-RE term DENY-ALL then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
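To make the stateless-filter pitfall concrete, here is an added example (not from the original template) that models Junos term matching in Python: terms are tried in order, the first match decides, and a packet that matches no term is discarded. It places the page's PROTECT-RE filter beside a version with return-traffic terms added before DENY-ALL and evaluates both against constructed packets. The switch address 10.254.99.11 and NTP server 10.254.99.30 are assumptions, the TACACS+ server address is the one in this template, and tcp-established is simplified to "ACK flag set" (Junos also matches RST).

```python
"""Model Junos stateless firewall-filter evaluation to check a Routing Engine protection filter."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag; stands in for the tcp-established match condition


@dataclass
class Term:
    """One term of a family inet filter; a field left as None matches anything."""
    name: str
    action: str                             # "accept" or "discard"
    source_address: Optional[str] = None    # prefix, e.g. "10.254.99.0/24"
    protocol: Optional[str] = None
    destination_port: Optional[int] = None
    source_port: Optional[int] = None
    tcp_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.source_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source_address):
            return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.destination_port is not None and pkt.dport != self.destination_port:
            return False
        if self.source_port is not None and pkt.sport != self.source_port:
            return False
        if self.tcp_established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term wins; no match falls through to Junos' implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "implicit-discard"


MGMT = "10.254.99.0/24"
TACACS = "10.254.99.20/32"   # TACACS+ server from the template
NTP = "10.254.99.30/32"      # assumed NTP server; the template leaves this as a placeholder

# The filter exactly as the template writes it: SSH from management, then discard everything.
PROTECT_RE_ORIGINAL = [
    Term("ALLOW-SSH", "accept", source_address=MGMT, protocol="tcp", destination_port=22),
    Term("DENY-ALL", "discard"),
]

# The same filter with the return traffic the switch itself needs admitted before DENY-ALL.
PROTECT_RE_HARDENED = [
    Term("ALLOW-SSH", "accept", source_address=MGMT, protocol="tcp", destination_port=22),
    Term("ALLOW-TACACS-REPLY", "accept", source_address=TACACS, protocol="tcp", source_port=49, tcp_established=True),
    Term("ALLOW-NTP-REPLY", "accept", source_address=NTP, protocol="udp", source_port=123),
    Term("ALLOW-ICMP", "accept", protocol="icmp"),
    Term("DENY-ALL", "discard"),
]

SWITCH = "10.254.99.11"  # assumed management address of this switch

# Constructed packets as seen arriving at the Routing Engine.
SAMPLE_PACKETS = {
    "ssh_from_mgmt": Packet("10.254.99.5", SWITCH, "tcp", 50122, 22),
    "ssh_from_cctv": Packet("10.254.101.37", SWITCH, "tcp", 40112, 22),
    "tacacs_reply": Packet("10.254.99.20", SWITCH, "tcp", 49, 51000, ack=True),
    "ntp_reply": Packet("10.254.99.30", SWITCH, "udp", 123, 123),
    "tcp_syn_from_tacacs_host": Packet("10.254.99.20", SWITCH, "tcp", 49, 51000, ack=False),
}


def compare(packets=SAMPLE_PACKETS):
    """Return {packet name: (action under original filter, action under hardened filter)}."""
    return {
        name: (evaluate(PROTECT_RE_ORIGINAL, p)[0], evaluate(PROTECT_RE_HARDENED, p)[0])
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        print(f"{name:26} original={orig:8} hardened={hard}")
```

The original filter silently discards the TACACS+ and NTP replies, so the switch falls back to local authentication and its clock drifts, both of which look like server problems rather than filter problems. The hardened list fixes that while still refusing a fresh TCP connection attempt from the TACACS+ host, because tcp-established only admits packets belonging to a session the switch started.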

Management Interface Configuration

set interfaces vme unit 0 family inet address 10.254.99.##/24
set routing-options static route 0.0.0.0/0 next-hop 10.254.99.1

Juniper EX series switches use the vme interface (Virtual Management Ethernet) for out-of-band management. On platforms with a dedicated management port, this is me0 or em0. Check your specific model documentation.

Management traffic on the vme interface is isolated from the switching fabric by default. This is the preferred management interface. Management access should not compete with camera or access control traffic.

Where in-band management is required, create an L3 interface on the management VLAN:

set interfaces vlan unit 99 family inet address 10.254.99.##/24
set vlans MANAGEMENT l3-interface vlan.99

Restrict access to the management interface using the Routing Engine protection filter shown in the SSH section. This is one of the most important hardening steps on Juniper devices, and significantly reduces the attack surface of the management plane.


Layer 3 Interfaces (Optional, Inter-VLAN Routing)

set interfaces vlan unit 100 family inet address 10.254.100.##/24
set interfaces vlan unit 101 family inet address 10.254.101.##/24
set interfaces vlan unit 102 family inet address 10.254.102.##/24
set vlans SYSTEMS l3-interface vlan.100
set vlans CCTV l3-interface vlan.101
set vlans ACCESS_CONTROL l3-interface vlan.102
set routing-options router-id 10.254.99.##

These L3 interfaces are only required if you intend to use this switch for inter-VLAN routing. Juniper EX switches support Layer 3 switching natively.

If your network design uses a dedicated router or firewall for inter-VLAN routing, you do not need these interfaces. Only the management interface is required for device management.

If you do enable inter-VLAN routing, implement firewall filters between VLANs to restrict traffic flow. Just because VLANs can route between each other does not mean they should do so without policy.

For example, cameras on VLAN 101 need to reach recording servers on VLAN 100, but they should not be able to reach management interfaces on VLAN 99, or access control systems on VLAN 102.

For QoS on camera traffic, Junos uses scheduler and forwarding class policies:

set class-of-service interfaces vlan unit 101 forwarding-class expedited-forwarding
set class-of-service interfaces vlan unit 101 loss-priority low

Apply classifier and scheduler policies as required for your traffic profile. A fixed forwarding-class on an interface only classifies traffic entering that interface; for expedited-forwarding to change anything, a scheduler-map that gives that class a queue and bandwidth must also be applied to the egress interfaces, typically the uplinks.


Trunk Port and Aggregated Ethernet Configuration

Inter-Switch Trunk (Aggregated Ethernet with LACP)

set chassis aggregated-devices ethernet device-count 10
#
set interfaces ae0 description "Uplink to SWITCH_NAME"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [MANAGEMENT SYSTEMS CCTV ACCESS_CONTROL BLACKHOLE]
set interfaces ae0 unit 0 family ethernet-switching native-vlan-id 666
#
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae0

chassis aggregated-devices ethernet device-count 10 reserves logical aggregated Ethernet interfaces. Set this to the number of LAG interfaces you need across the switch.

lacp active configures LACP in active mode. Both sides should be configured as active. LACP negotiates the bundle and detects link or configuration mismatches.

lacp periodic fast sends LACP PDUs every second rather than every 30 seconds. Failed links are detected and removed from the bundle much faster, reducing the traffic loss window during a link failure.

native-vlan-id 666 sets the native VLAN to the blackhole VLAN. The native VLAN carries untagged traffic. By setting it to an unused VLAN, any untagged traffic hitting this trunk goes nowhere. This is a security measure against VLAN hopping attacks that exploit the default native VLAN.

vlan members explicitly limits which VLANs are permitted on the trunk. Only permit the VLANs that need to traverse this link.

Junos does not have a DTP equivalent. Trunk configuration is always explicit in Junos. There is no dynamic trunking to disable. This is the correct behavior.

Server Aggregated Ethernet (Access Mode)

set interfaces ae1 description "Recording Server"
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 unit 0 family ethernet-switching port-mode access
set interfaces ae1 unit 0 family ethernet-switching vlan members SYSTEMS
#
set interfaces ge-0/0/2 ether-options 802.3ad ae1
set interfaces ge-0/0/3 ether-options 802.3ad ae1

For servers connecting to the switch, an aggregated Ethernet interface can also be configured in access mode on a single VLAN. This provides redundancy and throughput without trunking. If the server is using NIC teaming or LACP bonding, the switch-side aggregated Ethernet configuration must match. Mismatched LACP settings between the server and switch are a common cause of connectivity issues.


Access Port Configuration (Camera Ports)

set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CCTV
set interfaces ge-0/0/0 description "Camera Port"
set protocols rstp interface ge-0/0/0 edge
set ethernet-switching-options bpdu-block interface ge-0/0/0
#
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit action drop
set ethernet-switching-options secure-access-port interface ge-0/0/0 allowed-mac ##:##:##:##:##:##

This is where the cameras connect. Every camera port is configured with the same baseline settings.

interface-mode access sets the port to access mode on a single VLAN. Cameras do not need trunk access.

vlan members CCTV assigns the port to the CCTV VLAN.

protocols rstp edge is the Junos equivalent of PortFast. It skips the listening and learning states and brings the port up immediately. This is appropriate for ports connecting to end devices rather than other switches.

bpdu-block shuts the port down if a BPDU is received, preventing unauthorized switches from being connected to camera ports.

Port security is critical on camera ports. Cameras do not change. The same camera sits on the same port for years. Port security takes advantage of that predictability.

mac-limit 1 allows only one MAC address per port. If a camera is the only thing that should be connected, one is the right number.

mac-limit action drop drops traffic from any MAC address beyond the limit. The alternative action shutdown err-disables the port entirely, which is more disruptive but more secure. In a security environment, shutdown is the appropriate response.

allowed-mac pins a specific MAC address to the port. Once a camera’s MAC is known, lock it in. This prevents any other device from communicating through that port regardless of the mac-limit setting.

When a port enters an err-disabled state due to a violation, it requires manual intervention to bring it back up. This is intentional. You want to know why a camera port had an unauthorized device connected before re-enabling it.


Unused Port Handling

set interfaces ge-0/0/45 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/45 unit 0 family ethernet-switching vlan members BLACKHOLE
set interfaces ge-0/0/45 description UNUSED
set interfaces ge-0/0/45 disable

Any port not connected to a device should be assigned to the blackhole VLAN and disabled. Unused ports are entry points. Putting them on the blackhole VLAN and disabling them ensures they cannot be used to access any production VLAN.

The description “UNUSED” makes it immediately clear during troubleshooting or auditing which ports are intentionally disabled.

When a port is needed in the future, remove it from the blackhole VLAN, assign it to the correct VLAN, apply appropriate port security, and enable it.
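The following is an added example, not part of the original template, of a small audit script that reads a configuration exported with show configuration | display set and checks the rules from the VLAN, access port, unused port and SSH sections: no enabled port carries VLAN 1, every access port has mac-limit and bpdu-block, every disabled port is parked in BLACKHOLE, trunks use BLACKHOLE as their native VLAN, SSH has root-login deny and protocol-version v2, and web-management is absent. It accepts either port-mode or interface-mode on interfaces but only the ethernet-switching-options hierarchy used in this template, and it runs against a constructed sample configuration embedded below; the interface names and the shape of the sample are assumptions.

```python
"""Audit a Junos set-format configuration against the port-hardening rules of this template."""
import re
from collections import defaultdict

BLACKHOLE = "BLACKHOLE"

VLANID_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
MODE_RE = re.compile(r"^set interfaces (\S+) unit 0 family ethernet-switching (?:port-mode|interface-mode) (access|trunk)$")
MEMBERS_RE = re.compile(r"^set interfaces (\S+) unit 0 family ethernet-switching vlan members (.+)$")
NATIVE_RE = re.compile(r"^set interfaces (\S+) (?:unit 0 family ethernet-switching )?native-vlan-id (\d+)$")
DISABLE_RE = re.compile(r"^set interfaces (\S+) disable$")
MACLIMIT_RE = re.compile(r"^set ethernet-switching-options secure-access-port interface (\S+) mac-limit (\d+)$")
BPDU_RE = re.compile(r"^set ethernet-switching-options bpdu-block interface (\S+)$")

# Constructed sample: one correct camera port, one missing port security, one on VLAN 1,
# one properly parked unused port, one disabled but not parked, and a trunk without a native VLAN.
SAMPLE_CONFIG = """\
set vlans DEFAULT vlan-id 1
set vlans MANAGEMENT vlan-id 99
set vlans CCTV vlan-id 101
set vlans BLACKHOLE vlan-id 666
set system services ssh root-login deny
set system services ssh protocol-version v2
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CCTV
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit action drop
set ethernet-switching-options bpdu-block interface ge-0/0/0
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CCTV
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members DEFAULT
set ethernet-switching-options secure-access-port interface ge-0/0/2 mac-limit 1
set ethernet-switching-options bpdu-block interface ge-0/0/2
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members BLACKHOLE
set interfaces ge-0/0/23 disable
set interfaces ge-0/0/24 disable
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ MANAGEMENT CCTV BLACKHOLE ]
"""


def new_iface():
    return {"mode": None, "members": set(), "native": None, "disabled": False,
            "mac_limit": None, "bpdu_block": False}


def parse_set_config(text):
    """Collect per-interface switching state plus the global settings the audit needs."""
    cfg = {"ifaces": defaultdict(new_iface), "vlan_ids": {}, "ssh": set(), "web_mgmt": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := VLANID_RE.match(line):
            cfg["vlan_ids"][m[1]] = int(m[2])
        elif m := MODE_RE.match(line):
            cfg["ifaces"][m[1]]["mode"] = m[2]
        elif m := MEMBERS_RE.match(line):
            cfg["ifaces"][m[1]]["members"].update(m[2].strip("[] ").split())
        elif m := NATIVE_RE.match(line):
            cfg["ifaces"][m[1]]["native"] = int(m[2])
        elif m := DISABLE_RE.match(line):
            cfg["ifaces"][m[1]]["disabled"] = True
        elif m := MACLIMIT_RE.match(line):
            cfg["ifaces"][m[1]]["mac_limit"] = int(m[2])
        elif m := BPDU_RE.match(line):
            cfg["ifaces"][m[1]]["bpdu_block"] = True
        elif line.startswith("set system services ssh "):
            cfg["ssh"].add(line[len("set system services ssh "):])
        elif line.startswith("set system services web-management"):
            cfg["web_mgmt"] = True
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every rule checked here is satisfied."""
    findings = []
    vlan_ids = cfg["vlan_ids"]
    blackhole_id = vlan_ids.get(BLACKHOLE)
    for name, i in sorted(cfg["ifaces"].items()):
        if i["disabled"]:
            if i["members"] != {BLACKHOLE}:
                findings.append(f"{name}: disabled but not parked in {BLACKHOLE}")
            continue
        if any(v == "DEFAULT" or vlan_ids.get(v) == 1 for v in i["members"]):
            findings.append(f"{name}: carries VLAN 1")
        if i["mode"] == "access":
            if i["mac_limit"] is None:
                findings.append(f"{name}: access port without mac-limit")
            if not i["bpdu_block"]:
                findings.append(f"{name}: access port without bpdu-block")
        elif i["mode"] == "trunk":
            if i["native"] != blackhole_id:
                findings.append(f"{name}: trunk native VLAN is not {BLACKHOLE}")
        else:
            findings.append(f"{name}: enabled with no switching mode")
    for required in ("root-login deny", "protocol-version v2"):
        if required not in cfg["ssh"]:
            findings.append(f"ssh: missing '{required}'")
    if cfg["web_mgmt"]:
        findings.append("system services: web-management is still enabled")
    return findings


def audit_config(text):
    return audit(parse_set_config(text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a fresh export after every change window; a non-empty result is the list of ports that drifted from the template. It only checks what this template configures, so extend the rule set when you add 802.1X, DHCP snooping or the other items listed at the end.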


HTTP and NTP Configuration

delete system services web-management
delete system services xnm-clear-text
#
set system ntp server ##.##.##.## version 4
set system ntp source-address 10.254.99.##

delete system services web-management removes the HTTPS management interface. If you manage the switch exclusively through SSH and CLI, the web interface is an unnecessary attack surface. Remove it.

delete system services xnm-clear-text removes the unencrypted Junos XML management interface. This should never be running on a production device.

If web management is required for your environment, configure it to listen only on the management interface, and give it a certificate under the same hierarchy (system-generated-certificate for a self-signed one, or local-certificate for one you issue):

set system services web-management https interface vme.0
set system services web-management https port 443

NTP (Network Time Protocol) is critical. Without accurate time, your logs, your camera timestamps, and your access control events cannot be correlated reliably. Time is evidence. If systems are out of sync, the timeline of any investigation becomes unreliable.

ntp source-address binds NTP queries to the management interface IP address. This keeps NTP traffic on the management plane rather than mixing it with production traffic, and ensures NTP responses are returned to the correct interface.

Point all switches to a reliable NTP source. If the network is isolated, use a GPS-based NTP server. If the network has controlled internet access, use a trusted public NTP source such as the National Research Council of Canada’s NTP service. Every device on the security network should use the same time source.


What This Template Does Not Cover

This is a baseline. It gets you to a reasonable starting point for a CCTV and security network. There are additional configurations that should be considered depending on the environment:

  • DHCP snooping and Dynamic ARP Inspection (DAI) for additional Layer 2 security
  • 802.1x for network access control beyond port security
  • SNMPv3 configuration for secure monitoring
  • TACACS+ or RADIUS for centralized AAA
  • Firewall filters between VLANs for traffic policy enforcement
  • DHCP relay configuration if using centralized DHCP
  • Firmware update and lifecycle management
  • Configuration backup and change management

Each of these deserves its own discussion and should be implemented based on the specific requirements of your environment.


Final Thoughts

A switch out of the box is designed to forward traffic. It is not designed to be secure. Security comes from configuration.

The controls in this template are not advanced. They are fundamentals. VLAN segmentation, port security, SSH-only access, AAA, trunk hardening, and NTP. These are the baseline that every CCTV and security network should have before a single camera goes live.

If your current network does not have these in place, it is worth a review. The systems protecting your organization deserve a network that is configured with the same level of care.