Tying Video And Access Control Together

I need some clarification on VLANs when surveillance and access control need to communicate, such as when a camera needs to call up to a door breach. What is the best practice for connecting the two networks together? Are they normally separate networks routed together? Or, are they normally on the same network?

On that same note, if we have two VLANs on the same network, can we still "route" them together so they can see only information that they need to see while the rest remains hidden? For example, instead of having surveillance and ACAM on the same network with full visibility, could we separate them on VLANs and then still allow them to see the pieces of the other VLAN that they may need, so the surveillance system is aware when the door is breached and the camera can be called up (but other aspects of the ACAM remain hidden such as access levels, users, etc)?

I hope my question is clear enough. I am a bit confused and that is translating into my question.

if we have two VLANs on the same network, can we still "route" them together so they can see only information that they need to see while the rest remains hidden?

In most cases, yes, as long as the 'head end' application like the VMS or Access Management software is configured to see both VLANs.

The easiest image to illustrate this: think of a VLAN as a water hose. The application server is a water bucket. You can have multiple hoses flowing into the bucket.

Usually, security software is protected by usernames and passwords. In this way, 'the application layer' takes over as protecting the integrity of data security at the server.

In my experience, it is common for video surveillance and access to use totally different networks or VLANs, but for inputs/outputs tying them together to be configured in the VMS server.

This is not a very difficult thing to configure if the network configuration has been made properly up front. Working with the local IT Admin is generally an important step to take in a case like this!

Does that help?

Kristina, conceptually what a VLAN does is let you take a switch and divide it up into multiple 'virtual' switches, each one acting independently of the others and each one in its own layer 2 broadcast domain. For example, you could take a 24-port switch and divide it into three 8-port VLANs (A, B, C), each with its own IP subnetwork, like so:

  • Access Ctl LAN - Ports 1-8 - 192.168.1.x
  • Business LAN - Ports 9-16 - 192.168.2.x
  • Camera LAN - Ports 17-24 - 192.168.3.x

In this default configuration nothing would talk to anything, just like 3 separate 8-port switches would not talk to each other. If you want them to see traffic from each other you need to route them at the IP (layer 3) level somehow. You could buy standard routers to do this, though this is inelegant and expensive in this case. A better way is to use a layer 3 switch which can host the VLANs and route between them all in one.

Instead of an L3 switch, if you would like the traffic of A, B and C to remain isolated from each other but allow the VMS to see all networks and route information between them at the application level, then you could use a VLAN-capable layer 2 switch and install three NICs in the VMS server, each connected to a different VLAN/IP subnet. Note though that the VMS software is configured with the same IPs regardless of whether using a layer 3 switch or multiple NICs.

This is a very simple VLAN example; VLANs can span multiple switches and be dynamically assigned by MAC address or protocol type, etc. Hopefully this gives you enough info to ask some more questions...

Also, just came across this most excellent VLAN article, as well as this hands-on VLAN video at the start of this article. Both produced by a man whose middle name is Network... IPVM's own Ethan 'Net' Ace... ;)
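
Added example (not part of any poster's reply, and not vendor configuration): a small Python model of the layer 3 routing option discussed above, with a default-deny rule set between the three example subnets so that only the door-event flow crosses VLANs. The /24 masks, the two server addresses, TCP port 8443 and the direction of the event push are assumptions made for illustration.

```python
import ipaddress

# Subnets from the thread's 24-port switch example; the /24 masks are assumed.
VLANS = {
    "access":   ipaddress.ip_network("192.168.1.0/24"),
    "business": ipaddress.ip_network("192.168.2.0/24"),
    "camera":   ipaddress.ip_network("192.168.3.0/24"),
}

# Hypothetical hosts and port, chosen for illustration only.
ACCESS_SERVER = ipaddress.ip_network("192.168.1.10/32")
VMS_SERVER = ipaddress.ip_network("192.168.3.10/32")
EVENT_PORT = 8443  # assumed TCP port for door-event notifications

# Ordered inter-VLAN rules: (action, source, destination, destination port).
# A port of None matches any port. Rules describe who may open a connection;
# replies on an established connection are assumed to be allowed (stateful).
RULES = [
    ("permit", ACCESS_SERVER, VMS_SERVER, EVENT_PORT),
]


def vlan_of(addr):
    """Return the VLAN name that holds addr, or None if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)


def evaluate(src, dst, dport):
    """Decide a new connection: 'local', 'permit' or 'deny'."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return "deny"   # unknown network: never routed
    if src_vlan == dst_vlan:
        return "local"  # same broadcast domain, switched at layer 2
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in RULES:
        if s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"       # implicit default deny between VLANs
```

With this rule set the access control server can push door events to the VMS, while cameras, business hosts and the VMS itself cannot open connections into the access control subnet.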