Why isolate security systems
Cameras, access control panels, and intrusion devices do not need to talk to the corporate file server, the guest Wi-Fi, or each other in most cases. Putting them on shared subnets invites broadcast storms, lateral movement after a breach, and bandwidth contention that drops video frames. Virtual LANs solve this. A VLAN is a logical broadcast domain carried over the same physical switches, defined by IEEE 802.1Q tagging.
Both NIST SP 800-82 (operational technology security) and CIS Controls v8 (Control 12, Network Infrastructure Management) call for segmenting devices by function and trust level. Security systems map cleanly to that model.
A typical VLAN plan
| VLAN ID | Purpose | Subnet example |
|---|---|---|
| 10 | Video surveillance (cameras, NVR) | 10.10.10.0/24 |
| 20 | Access control (panels, readers) | 10.10.20.0/24 |
| 30 | Intrusion and alarm | 10.10.30.0/24 |
| 99 | Network management | 10.10.99.0/24 |
Keep the numbering documented and consistent across sites. It saves hours during service calls.
802.1Q tagging and trunking
Access ports carry one untagged VLAN and connect to a single endpoint, like a camera. Trunk ports carry multiple tagged VLANs between switches, or between a switch and an NVR with several network interfaces. On a trunk, set only the VLANs that port actually needs. Pruning unused VLANs reduces broadcast traffic and shrinks the attack surface.
Avoid using VLAN 1 for anything. Many switches ship with VLAN 1 as the default native VLAN, and leaving devices there is a known weak spot. Set the native VLAN on trunks to an unused, otherwise empty VLAN.
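The Layer 2 side of that advice, written out as an added example in Cisco IOS style (not configuration from the original article). It assumes a Catalyst-style switch, interface names GigabitEthernet1/0/1, 1/0/47 and 1/0/48, and VLAN 999 as the empty native VLAN; older platforms also need `switchport trunk encapsulation dot1q` before `switchport mode trunk`.

```cisco
! Added example in Cisco IOS style; interface names and VLAN 999 are assumptions.
! VLAN database: the four functional VLANs from the plan plus an empty native VLAN.
vlan 10
 name VIDEO-SURVEILLANCE
vlan 20
 name ACCESS-CONTROL
vlan 30
 name INTRUSION-ALARM
vlan 99
 name NET-MGMT
vlan 999
 name NATIVE-UNUSED
!
! Access port: one untagged VLAN, one endpoint (a camera).
! nonegotiate stops the port from ever becoming a trunk via DTP;
! bpduguard shuts it if a switch is ever plugged in instead of a camera.
interface GigabitEthernet1/0/1
 description CAM-LOBBY-01
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the next switch: only the VLANs that switch actually needs,
! native VLAN moved off VLAN 1 onto the empty VLAN 999.
interface GigabitEthernet1/0/48
 description UPLINK-IDF2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
!
! Trunk to an NVR that tags its own interfaces: video plus management only,
! never the access control or intrusion VLANs.
interface GigabitEthernet1/0/47
 description NVR-01
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
!
! VLAN 1 stays shut so nothing that defaults into it gets an address.
interface Vlan1
 shutdown
```

`show interfaces trunk` confirms the allowed and native VLAN per trunk; any port listing VLAN 1 or "1-4094" there still needs pruning.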
Inter-VLAN routing and ACLs
VLANs do not talk to each other without a router or a Layer 3 switch. That boundary is where you enforce policy. Write access control lists so that, for example, only the access control server reaches the door panels on VLAN 20, and only the NVR pulls streams from VLAN 10. Default deny, then permit the flows you need. Document each rule with its reason.
A common mistake is routing everything and adding ACLs later. Start restrictive.
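An added example of the routing boundary in Cisco IOS style, not configuration from the original article. It assumes the switch itself holds the Layer 3 interfaces, and it assumes a servers VLAN 40 (10.10.40.0/24) that the article's plan does not list, hosting the NVR at 10.10.40.10 and the access control server at 10.10.40.20. Ports 554/443 are the common RTSP/ONVIF defaults; use what your vendor documents.

```cisco
! Added example; VLAN 40, the server addresses and the ports are assumptions.
vlan 40
 name SERVERS
!
! One SVI per VLAN, each with an inbound ACL. "in" filters traffic arriving
! from the devices on that VLAN before it can be routed anywhere.
interface Vlan10
 description VIDEO-SURVEILLANCE
 ip address 10.10.10.1 255.255.255.0
 ip access-group VIDEO-IN in
interface Vlan20
 description ACCESS-CONTROL
 ip address 10.10.20.1 255.255.255.0
 ip access-group ACCESS-CTRL-IN in
interface Vlan40
 description SERVERS
 ip address 10.10.40.1 255.255.255.0
 ip access-group SERVERS-IN in
!
! Cameras: only TCP replies to sessions the NVR opened, plus DHCP to the relay.
ip access-list extended VIDEO-IN
 remark Cameras answer NVR-initiated RTSP/ONVIF sessions only (established = ACK/RST set)
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.40.10 established
 remark DHCP requests so the relay on this SVI can forward them
 permit udp any eq bootpc any eq bootps
 remark Default deny; log so stray flows show up during commissioning
 deny ip any any log
!
! Door panels: talk to the access control server and nothing else.
ip access-list extended ACCESS-CTRL-IN
 remark Panels reach the access control server only
 permit ip 10.10.20.0 0.0.0.255 host 10.10.40.20
 permit udp any eq bootpc any eq bootps
 deny ip any any log
!
! Servers: the NVR pulls streams from VLAN 10, the ACS pushes to VLAN 20.
ip access-list extended SERVERS-IN
 remark NVR pulls RTSP and ONVIF from cameras
 permit tcp host 10.10.40.10 10.10.10.0 0.0.0.255 eq 554
 permit tcp host 10.10.40.10 10.10.10.0 0.0.0.255 eq 443
 remark Access control server manages door panels
 permit ip host 10.10.40.20 10.10.20.0 0.0.0.255
 remark No other server may reach a field VLAN
 deny ip any any log
```

Each `remark` carries the reason the rule exists, which is the documentation the text asks for; `show ip access-lists` then shows hit counts per rule, so a permit with zero hits after a month is a candidate for removal.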
Multicast and IGMP for video
Multicast video, including some ONVIF discovery and multicast RTSP, can flood a VLAN if the switch forwards it to every port. Enable IGMP snooping on camera VLANs so the switch only sends multicast streams to ports that asked for them. On the Layer 3 boundary, configure an IGMP querier if no router is present on that segment. Without a querier, snooping tables age out and multicast either floods or stops.
DHCP scoping and addressing
Give each VLAN its own DHCP scope, or use static addressing for cameras and panels so device IPs stay stable for the NVR and the access server. Reserve a block for infrastructure (switches, the recorder) outside the dynamic range. Set the DHCP relay (ip helper) on the Layer 3 interface if the DHCP server lives on another VLAN. Keep lease times long for fixed-location devices.
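The multicast and DHCP settings from the two sections above, as one added example in Cisco IOS style (not configuration from the original article). It assumes the switch is the Layer 3 boundary, keeps the VLAN 10 scope on the switch itself, and relays VLAN 20 to an assumed central DHCP server at 10.10.40.5; the camera MAC address is a constructed placeholder.

```cisco
! Added example; the DHCP server address and the camera MAC are assumptions.
!
! IGMP snooping: on by default on most Catalyst models, stated here so it is
! visible in the config. The querier keeps snooping tables populated on VLAN 10
! when no multicast router sends general queries on that segment.
ip igmp snooping
ip igmp snooping vlan 10
ip igmp snooping vlan 10 querier
!
! VLAN 10: scope held on the switch. .1-.49 is reserved for infrastructure
! (gateway, switches, recorder) and never handed out dynamically.
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp pool VIDEO-VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 30
!
! Fixed address for one camera by hardware address, so the NVR's stream
! configuration never changes. One pool per reserved device.
ip dhcp pool CAM-LOBBY-01
 host 10.10.10.50 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 10.10.10.1
!
interface Vlan10
 description VIDEO-SURVEILLANCE
 ip address 10.10.10.1 255.255.255.0
!
! VLAN 20: scope lives on the central server in another VLAN, so the SVI
! relays client broadcasts to it.
interface Vlan20
 description ACCESS-CONTROL
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.40.5
```

`show ip igmp snooping querier` should list 10.10.10.1 as the active querier for VLAN 10; if it shows nothing, the snooping tables will age out exactly as the text describes. `show ip dhcp binding` confirms the reserved camera kept its address across a lease renewal.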
Management VLAN
Switch management, including SSH, the web interface, and SNMP, belongs on its own VLAN that only integrators and IT can reach, never cameras or readers. Restrict who can route into VLAN 99 with an ACL. Disable Telnet and unencrypted HTTP. This keeps device credentials and configuration off the same broadcast domain as the field equipment.
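An added example of hardening the management VLAN in Cisco IOS style, not configuration from the original article. It assumes an IT/integrator workstation subnet at 10.10.50.0/24 that does not appear in the article's plan, and the SNMPv3 credentials are placeholders.

```cisco
! Added example; the 10.10.50.0/24 IT subnet and the SNMP credentials are assumptions.
!
! Management SVI. The outbound ACL decides who may route INTO VLAN 99;
! the inbound ACL on each field SVI (default deny) already stops cameras
! and readers from getting here.
interface Vlan99
 description NET-MGMT
 ip address 10.10.99.2 255.255.255.0
 ip access-group MGMT-OUT out
!
ip access-list extended MGMT-OUT
 remark Only the IT/integrator subnet may reach management addresses
 permit ip 10.10.50.0 0.0.0.255 10.10.99.0 0.0.0.255
 remark Nothing else routes into VLAN 99
 deny ip any any log
!
! Who may open a session to the switch itself, from any interface.
ip access-list standard VTY-ACCESS
 permit 10.10.99.0 0.0.0.255
 permit 10.10.50.0 0.0.0.255
 deny any log
!
! SSH only; Telnet is never offered. Plain HTTP off, HTTPS on.
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
 access-class VTY-ACCESS in
 exec-timeout 10 0
!
! SNMPv3 with authentication and encryption, restricted to the same sources.
! No v1/v2c community strings are configured at all.
snmp-server group SECMON v3 priv access VTY-ACCESS
snmp-server user monitor SECMON v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
```

`show run | include snmp-server community` should return nothing, and `show ip access-lists MGMT-OUT` will show the deny counter climbing if any field device is still trying to reach the management subnet.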
Practical checklist
- Separate VLAN per system function.
- Prune trunks, move the native VLAN off VLAN 1.
- Default-deny ACLs at the routing boundary.
- IGMP snooping plus a querier on video VLANs.
- Dedicated, access-restricted management VLAN.
Segmentation is not a one-time task. Review the VLAN map and ACLs whenever you add devices or change recorders.
Last updated 2026-06-14.