The segmentation conversation is one I have had hundreds of times. Usually after something has already gone wrong. A workstation on the same network as the cameras gets compromised and someone starts wondering why the VMS server is behaving strangely. Or an access control system stops responding and the root cause turns out to be bandwidth saturation from a camera on the same flat network. Or someone connects an unauthorized device to a switch and it ends up with full access to everything because there was nothing stopping it.

Segmentation is not a complicated concept. It is one of the most consistently skipped steps in physical security deployments, usually because it adds time and the client cannot see what they are getting. This post covers what VLANs actually do, how to build a practical segmentation scheme for a security deployment, and how to have the conversation with a client who does not understand why it matters.


What a VLAN Actually Does

A VLAN – Virtual Local Area Network – creates logically separate network segments on the same physical infrastructure. Devices in different VLANs cannot communicate with each other unless traffic is explicitly routed between them by a Layer 3 device (a firewall or a Layer 3 switch).

Without VLANs, every device on the same switch can reach every other device. A camera can reach a workstation. A door controller can reach a server. An unknown device plugged into an unused port has access to the entire network. That is a flat network, and it is the default state of every unmanaged or improperly configured switch.

With VLANs, you decide which devices can reach which other devices. Cameras live in the camera VLAN. Access control panels live in the access control VLAN. Servers live in the systems VLAN. Each segment is isolated. A compromise on one segment does not automatically spread to the others.

[Figure: Network Architecture: Before and After Segmentation]

Before – all devices on VLAN 1 (default): switch with three cameras, an access control panel, a workstation, the VMS server and an unknown device, all on VLAN 1. Every device can reach every other device. The unknown device has full access.

After – segmented:
  VLAN 101 CCTV: Camera ×8, NVR
  VLAN 102 Access Control: AC Panel ×4, Controller
  VLAN 100 Systems: VMS Server, Workstation ×2
  VLAN 99 Management: Switch Mgmt, Firewall

Segments are isolated. An unknown device on VLAN 101 cannot reach access control or workstations.

The diagram above shows the difference. On the flat network, traffic can flow between any pair of devices – and does, whether you want it to or not. On the segmented network, each function lives in its own box. Traffic stays where it belongs. An unknown device that gets physically connected to a camera port can only reach other cameras – not servers, not workstations, not access control panels.


Why Default VLAN 1 Is a Problem

Every managed switch ships with all ports in VLAN 1. That is the default. If you deploy a switch and do not configure VLANs, every device connected to every port is on the same flat network. This is the state of a large percentage of physical security deployments.

VLAN 1 has a specific additional problem beyond just being flat: it is the target of several well-documented Layer 2 attack techniques, including VLAN hopping via double tagging, which depends on VLAN 1 being the default native (untagged) VLAN on trunks. The short version is that if you put traffic on VLAN 1 and an attacker can connect a device to a trunk port or an improperly configured access port, they may be able to send traffic across to VLANs you thought were isolated.

The defensive practice is straightforward: do not put production traffic on VLAN 1. Keep it around (you cannot easily remove it) but do not assign any device to it. Every real device goes on a defined VLAN. Unused ports go in a blackhole VLAN with no routing and no services.


A Practical VLAN Scheme for Security Deployments

VLAN  Name         Purpose                                           Devices
1     DEFAULT      Unused – native VLAN kept for compatibility       No devices
99    MANAGEMENT   Switch management interfaces, out-of-band access  Switches, UPS network cards, IPMI interfaces
100   SYSTEMS      Security system servers and workstations          VMS servers, workstations, NVR systems
101   CCTV         IP camera traffic                                 Cameras, perimeter detection devices
102   ACCESS CTRL  Access control system traffic                     Door controllers, panels, intercoms
666   BLACKHOLE    Unused ports – not routed, no services            No devices assigned, all unused ports

These VLAN numbers are not magic. The specific numbers do not matter as much as the consistency. What matters is that every device type has its own segment, unused ports have a dead-end VLAN, and the management plane is completely isolated from production traffic.

If your deployment includes VoIP, add a dedicated VOIP VLAN. If there are business workstations on the same infrastructure, add a USERS VLAN. Each function with different security requirements or different traffic characteristics gets its own segment.

If business systems share the network: Any deployment where corporate workstations, printers, or general-purpose user devices share the same physical network as security systems requires segmentation between those user devices and the security infrastructure. A compromised workstation on a flat network has direct access to cameras, access control panels, and VMS servers. If the client understands this and still does not want segmentation, document it in writing.


The Routing Question

Segmented VLANs cannot talk to each other unless you explicitly route between them. This is a feature, not a problem. But it does require planning, because some communication between VLANs is necessary. Cameras on VLAN 101 need to reach the VMS server on VLAN 100 to send their video streams. The workstations on VLAN 100 need to reach the access control server, also on VLAN 100 in this scheme, to administer the system.

Inter-VLAN routing happens at a Layer 3 device – either a managed switch with Layer 3 capabilities or a firewall. The firewall is the better choice for physical security environments because it lets you define explicit rules: cameras can reach servers on specific ports, servers can reach cameras on specific ports, and nothing else is permitted unless you say so.

A common setup: all VLANs route through the firewall. The firewall has a policy that allows cameras to talk to VMS servers on the ports VMS requires (usually TCP 554 for RTSP, TCP 443 for HTTPS management, and whatever your platform uses). Everything else – cameras trying to reach workstations, cameras trying to reach the internet, anything trying to reach the management VLAN from cameras – is denied.
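The firewall policy just described, as an added example of mine rather than anything from the post: a default-deny inter-VLAN ruleset with the explicit camera/VMS allows, evaluated over a few constructed flows. The access control admin port (443) and the sample flows are assumptions.

```python
from dataclasses import dataclass

# VLAN ids from the scheme in this post; INTERNET is a constructed marker for "outside".
MGMT, SYSTEMS, CCTV, ACCESS_CTRL, INTERNET = 99, 100, 101, 102, 0

@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    proto: str
    dports: frozenset   # allowed destination ports
    action: str         # "allow" or "deny"

# Explicit allows only. Cameras reach the VMS on TCP 554 (RTSP) and TCP 443 (HTTPS);
# servers reach cameras on the same ports. The access control admin port (443) is an
# assumption; substitute whatever your platform actually uses.
POLICY = [
    Rule(CCTV, SYSTEMS, "tcp", frozenset({554, 443}), "allow"),
    Rule(SYSTEMS, CCTV, "tcp", frozenset({554, 443}), "allow"),
    Rule(SYSTEMS, ACCESS_CTRL, "tcp", frozenset({443}), "allow"),
]

def evaluate(src_vlan, dst_vlan, proto, dport):
    """First matching rule wins; anything not explicitly allowed is denied."""
    for r in POLICY:
        if (r.src_vlan, r.dst_vlan, r.proto) == (src_vlan, dst_vlan, proto) and dport in r.dports:
            return r.action
    return "deny"

# Constructed sample flows: (src_vlan, dst_vlan, proto, dport, description)
SAMPLE_FLOWS = [
    (CCTV, SYSTEMS, "tcp", 554, "camera streams RTSP to the VMS"),
    (CCTV, SYSTEMS, "tcp", 3389, "camera tries RDP to an operator workstation"),
    (CCTV, MGMT, "tcp", 22, "camera tries SSH to switch management"),
    (CCTV, INTERNET, "tcp", 443, "camera tries to reach the internet"),
    (SYSTEMS, CCTV, "tcp", 443, "VMS manages a camera over HTTPS"),
]

def denied_flows(flows):
    """Descriptions of the flows the policy blocks; a quick walkthrough of the design."""
    return [desc for s, d, p, port, desc in flows if evaluate(s, d, p, port) == "deny"]

if __name__ == "__main__":
    for desc in denied_flows(SAMPLE_FLOWS):
        print("DENY:", desc)
```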

If you do not have a firewall in the design, a Layer 3 switch with ACLs between VLANs achieves similar isolation. It is slightly less granular than a firewall ruleset but considerably better than no segmentation at all.


Trunk Ports and Access Ports

Two port types on a managed switch handle VLANs differently.

Access ports carry traffic for a single VLAN. Cameras plug into access ports. Door controllers plug into access ports. The device on the other end does not need to know anything about VLANs – the switch handles the VLAN tagging. A camera plugged into a port configured as a VLAN 101 access port is simply on VLAN 101. It does not know about any other VLAN.

Trunk ports carry traffic for multiple VLANs using 802.1Q tagging. Trunk ports connect switches to each other and connect switches to firewalls. The uplink from your access layer switch to your core switch or firewall is a trunk. Every VLAN that needs to pass between those two devices is allowed on that trunk.

A trunk port that allows all VLANs by default is a security gap. Define which VLANs are permitted on each trunk and allow only what is needed. If the camera switch only needs VLANs 99, 100, and 101, the trunk to that switch should only carry 99, 100, and 101.
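An added example of mine, not the post's, that checks a constructed port map for one camera switch against the rules from this section and from the VLAN 1 section earlier: no production device on VLAN 1, unused ports parked in the blackhole VLAN, and the uplink trunk pruned to the VLANs the switch actually needs. The port names, device assignments and deliberate mistakes are all constructed.

```python
# VLAN ids from the scheme in this post.
MGMT, SYSTEMS, CCTV, ACCESS_CTRL, BLACKHOLE = 99, 100, 101, 102, 666

# Constructed port map: port -> (mode, vlan or allowed-VLAN set, device or None).
# Access ports carry one VLAN; the trunk carries a set of allowed VLANs.
CAMERA_SWITCH = {
    "Gi1/0/1": ("access", CCTV, "camera"),
    "Gi1/0/2": ("access", CCTV, "camera"),
    "Gi1/0/3": ("access", 1, "camera"),          # mistake: production device left on VLAN 1
    "Gi1/0/4": ("access", 1, None),              # mistake: unused port still on VLAN 1
    "Gi1/0/5": ("access", BLACKHOLE, None),      # correct: unused port parked in the blackhole
    "Gi1/0/6": ("access", SYSTEMS, "workstation"),
    "Gi1/0/24": ("trunk", {1, MGMT, SYSTEMS, CCTV, ACCESS_CTRL, BLACKHOLE}, "uplink"),  # mistake: allows all
}

def needed_on_uplink(switch):
    """VLANs the uplink must carry: every VLAN a connected device sits in, plus management."""
    in_use = {vlan for mode, vlan, dev in switch.values()
              if mode == "access" and dev and vlan not in (1, BLACKHOLE)}
    return in_use | {MGMT}

def audit(switch):
    """Apply the post's rules: no devices on VLAN 1, unused ports blackholed, trunks pruned."""
    findings = []
    needed = needed_on_uplink(switch)
    for port, (mode, vlan, device) in switch.items():
        if mode == "access" and device and vlan == 1:
            findings.append(f"{port}: {device} is on VLAN 1; move it to a defined VLAN")
        elif mode == "access" and not device and vlan != BLACKHOLE:
            findings.append(f"{port}: unused port on VLAN {vlan}; move it to VLAN {BLACKHOLE}")
        elif mode == "trunk":
            extra = sorted(vlan - needed)
            if extra:
                findings.append(f"{port}: trunk allows unneeded VLANs {extra}; prune to {sorted(needed)}")
    return findings

if __name__ == "__main__":
    for finding in audit(CAMERA_SWITCH):
        print(finding)
```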


The Client Conversation

Most clients do not ask for VLAN segmentation. They ask for cameras and access control. Your job is to explain why the network design affects the security outcome they are paying for.

The version that works in practice: “We’re going to put the cameras and the access control panels on separate network segments. That means if something goes wrong with the camera network – a device gets compromised, someone plugs in something they shouldn’t – it can’t reach your access control system or the workstations the operators use. The systems stay isolated from each other.” Most clients understand that immediately. They are spending money on physical security. The idea that the network those systems run on is secure by default is an assumption they have not tested.

Document the segmentation design as part of the project deliverables. Which VLAN each device is assigned to, which VLANs are permitted on each trunk, and what routing policy exists between VLANs should all be in your as-built documentation. When something breaks eighteen months later, that documentation is how you figure out why.


What Comes Next

VLAN segmentation is part of the design. The implementation – switch configuration, port assignments, trunk setup, routing policy – is a separate topic, covered in the post on building a network for CCTV and access control. The IP addressing post covers the addressing scheme that makes the VLAN design readable and maintainable. If you have not read that one, it is worth going through before you sit down to design the segmentation.

If you have questions about a specific deployment or platform, reach out directly.