VLANs for Video Surveillance Tutorial

By: John Scanlan, Published on Sep 26, 2016

Many people confidently say to 'use VLANs' as an answer to IP video networking problems and as a way to signal expertise.

But how should VLANs be used? What benefits do they really deliver, and which do they not?

In this note, we examine:

  • Segmentation of applications across VLANs
  • Untagged vs tagged VLANs
  • Static vs dynamic VLANs
  • VLANs for uplinks
  • Bandwidth and VLANs
  • QoS and VLANs
  • Common applications of VLANs


[***************]

********

***** (******* ***** **** Network)********* ******* * ****** physical ****** ** ******** into ******** ******** ******* networks, ****** ******* ** one **** "*********" ** and ****** ** *********** with ******* ** ******* unless **** *** ****** together.

*** ******* ** ******* shows ***** ** * typical ****** / ********* network. ** **** ********, surveillance ******* ** ********* from ******* ****** *** VOIP ******* *** ***** separate *****. *** **** devices **** *** *********** with **** ***** ** the ************ ***** *** the ****** *** *** NVR, ** **** *** in *** **** ****.

Untagged **. ****** *****

***** *** *** *********** types ** *****, ****** and ********:

******** *****

** *******, *** ***** of * ****** *** added ** * ******* untagged **** (********* **** ID *), ******* **** all ***** *** "***" all ******. ****** ******** ports ** ******* **** ID ** ******** ********** this *******.

*** ******* ******** ***** is ******* *************, ** no ******** ****** ************* (cameras, *******, ***.) **** be *********, ** ******* is ****** ******* ** the **** ** *** switch. *******, ***** (********* uplinks) *** **** ** assigned ** * ****** untagged ****. ** ** a ******** ****** **** see ******** *****, **** as ****** **** ********/********, surveillance, *** ****, ***** must ****** *** ******* (below) ** ***** *** two **** ******** ********, both ** ***** *** complexity.

****** *****

***** *** **** ** tagged **** ******** **** IDs ***** ***.** *******. Traffic ******** *** ******* the **** ** ****** with * ******** ** which ** ********* ** the ********* ******.

*** ******* ** ****** VLANs ** **** ***** may ** ******** ** more **** *** ****, unlike ********. *******, *** devices ********* ** ***** ports **** **** ******* 802.1Q, ***** ** *** supported ** **** ** cameras ** ***** ******** devices, *** ******** ********** Windows ********** ** ** installed/configured ** ***. ******* of ****, ****** ***** are ********* **** **** for ******.

Static *****

**** ***** ************ ******** use ****** ***** ********** per ****. *** *******, ports *-** ** * switch *** ** **** of *** ******* ***, while **-** *** **** of *** ****** ****.

**** ***** ****** ***** are **** ******, *** simplest ** *** **, but **** ** ******** reconfigured ** ******* *** moved ** *****, ****** dynamic *****. ** *** video ***** ** ******* a ******** ** *********** port ***** *****:

Dynamic *****

******* ***** ****** * port ***** ** *** MAC *******, ***********, ** type ** ******. **** provides ******* ***********, ***** devices *** ** ******* into *** ****, *** rearranged ** ******.

*******, ******* ***** ** dynamic ***** **** ****-*********, as *** ******** ** macros **** *** ****** identifiers ** ***** **** be *******, ****** **** less ******** ****, ********** in ************ ** *******, servers, *** ***** ********* typically ******* ********* ** the **** ****, *** are *** *****.

*** ***** **** *******

***** *** * *** variations ** ******* *****. Below ** ******* ** image **** * ******* switch **** ***** *** based **** *************. *** switch **** ******** *** MAC ******* ** *** device ********** ** ** and **** *** ** to *** *********** **** based ** *** ********** policy.

Managed Switch MAC-Based VLAN Settings

***** ******* **** *******

******* ***** *** **** set *** *** ***** means, ******* ** ***** is ****** ** ************:

  • ******/"***** *****": **** ****** uses ********* **** ** CDP/LLDP ** ************* ***** the ****** **** ********* and ****** ** ** a ****. **** ** commonly **** ** ***** over ** *** ******* network ********, *** *** vast ******** ** ** cameras ** *** ******* the ******** *********, ****** it *********** ******* ** surveillance.
  • ****** *********/****: *******, ******* which ******* ****** *********/**** may ** ******** ** a ******** ***** ** coordination **** *** ****** controller. *** ******* ******* these *********, *** ** may ** ****** ** assigning ******** ***** (******, security ********, ******, ***.) rights ** **** ************ devices, ********** ** ***** machine **** *** ** from.

VLANs *** *******

***** *** *** **** to ****** ***** ** switch ****** *****.

  • ********* **** *** ****:** ******** **** ******** uplink ***** *** *** VLANs, ******** ****** ***** may ** ******** ** a ****** ****. **** is *** ******** ****** to ***, ****** *** number ** ***** **** be ***** **** *** number ** ****** *****.
  • ****** ***** ****:******, ******* *** ** sent **** * ****** uplink **** ** *****, referred ** ** * trunk ****. ******* ******* trunk ***** ** ****** as ******** ***** ***** 802.1q (*** *****). **** method ** ******** **** complex, *** ********* ********* as ** ****** *** link *********** *** ******** and/or ****** ****** **********.

VLAN ********

********* ******** ** ****** networks ** *** **** benefit ** ***** *****. By ********** ******* **** multiple ******* ****, ************ may ******** ******* ** the **** ****** ** general **** ** ***** traffic. *** ********* ********, the ******** *** ********* to **** ***** ** clients ** *** ****** LAN *** *** ***** the ************ ****.

********* *****

** ************, ***** *** not **** ** **** bandwidth, * ******* ****. It ** *********** **** that ***** ****** *** amount ** ******* ** the ***, ***** ********** are *** **** ** the ****** ******** *******, but **** ** *** originating ****. *******, **** generally **** ******* *********** on **** ***** ********, with ******** ** *******. In * **-****** ***, they **** **** ****** to ** ******. ** your ************ ******* ******** your ** *******, ***** traffic ** ***** ******** will ** ********.

VLANs and QoS

One of the reasons VLANs are often seen as restricting or allocating bandwidth is because they are often used in conjunction with quality of service. QoS may be set by VLAN in most managed switches. A surveillance VLAN, for example, may receive higher priority as a whole than general data or voice VLANs.

Equipment ************

************ ***** ******** ******* switches ** ****, ** unmanaged ******** ***** ** configuration **********. *** **** majority ** ******* ******** (both *****-******* *** ***** switches) ********* ***** *** VLAN-capable. ***** *** *** our****** *************** *** ************ systems*** **** ***********.

VLAN ********* *** ************

*** ***** *** ******* varies, ********* ** *** application:

  • ***** *******:** *** ****** ***** systems, **** ** ***** retail, ***** *** ********* not **** ** ***-**** unmanaged ******** ******* **** support *** **** ***** deployed. ****, ******* ** normally ********* ** *** same ******** ** ******* office *****, ** ******** VLANs ***** ******* ******* be *** **, ****** cost.
  • ********* *******:**** ******* * *** with ***** ********, ***** the **** ** ******* and ***** ** ***-***** offices, ***** *** ******** implemented. ** ** *** uncommon *** ***** ********** to *** *** **** for ****, *** *** VOIP *******, *** *** for ********, ** ****** segment ***** ********. ******* between *** ******* ****** VLAN *** ******** **** is ******** ********, ** give ****** ******* ****** to *****.
  • ********* ******* ******* *****:**** ***** * *********, separate ****** *******, ***** are ***** *** ****** or *******. ** ****** from *** ******* *** is ******, *** *** separate ******** ******** *** connected *** ******.
  • ********* ******* **** *****:** ***** *******, ******** VLANs *** ** ****, even **** ***** * dedicated ******** *******. ******* and ******* *** ****** on ******** *****, ** prevent *** ********* ********* by ***** ** ********** stations ******** ****** *** cameras' *** **********. **** access ******* ** ******** on *** *******, ** well, **** ************* ********* using * ******** ****, as ****** ******* *** create ********* ******* ***** may ****** ****** ** the ************ ******.

***********

***** *** ***** ** VLANs ** ************* ******** by ****, **** ** have **** ********** ** shared ****, ********** ************ access ** *****. *******, VLANs *** *** * panacea ** ******* ********, and ****** ** ******** only **** *********. ******** a ***** ********* ******* demands **** ************* *** coordination, *** ****** *****.

**** **** *********

**** ***** ******** *******

Comments (11)

Great info!

It would be interesting if you could cover Avaya's Fabric Connect networking technology that can help speed network implementation which have a large number of network cameras. (P.S. my current company is also an Avaya Platinum partner)

Thanks, John. One question about:

One of the reasons VLANs are often seen as restricting or allocating bandwidth is because they are often used in conjunction with quality of service. QoS may be set by VLAN in most managed switches. A surveillance VLAN, for example, may receive higher priority as a whole than general data or voice VLANs.

If the surveillance VLAN consists of a static group of ports on a non-blocking switch, how would having a higher priority improve its performance over the voice VLAN, also with its own discrete non-blocking ports?

Great question and also the most common argument for not implementing QoS.

Congestion (#2). If you do check out this link please keep in mind (not mentioned in the linked article) that we will have other devices connected to the switch, devices that possibly consume much more bandwidth/resources than IP cameras. There may also be access or distribution switches connected to distribution or core switches, and the network congestion will be exacerbated by the aggregate traffic from the devices connected to those feeder switches. At some point our network will experience data burst / congestion / etc. & we want to decide how traffic is handled.

How would this work for PCI compliance?

I've installed POS equipment and networking equipment for several of the largest retailers and they all used VLANs to separate their POS equipment. All of them had specific ports that the POS equipment needed to be connected to.

Thanks John

What about VLAN Hopping? Would that not be a security concern for those larger retailers?

Yes, and while I was not hardening the equipment for these retailers I can only guess that they implement security best practices to help mitigate double tagging & switch spoofing.

Great article and surely will help move the needle forward for the industry. The more our industry understands network security, the better.

How do we route two VLANs together to allow certain individuals on other VLANs access to the surveillance network?

It depends on the switches and routers in the network. Layer 3 switches can route between VLANs, or if using layer 2 switches, the router will route all interVLAN traffic. Depending on the brand and capabilities of the equipment, you can grant access between VLANs via firewall rules or ACLs. 
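
The ACL approach described in the reply above, sketched as an added example (not part of the original comments or IPVM's own material): a first-match rule list between VLAN subnets with an implicit deny, letting two operator workstations reach the NVR while everything else stays blocked. The VLAN IDs, subnets, host addresses, and the `vlan_of` and `evaluate` helpers are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

# Constructed addressing plan for illustration (not from the article).
VLANS = {10: net("10.0.10.0/24"),   # office data
         20: net("10.0.20.0/24"),   # VoIP
         30: net("10.0.30.0/24")}   # surveillance: cameras and NVR

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None matches any port

# Rules apply to NEW connections; replies are assumed to be allowed by
# connection tracking (stateful firewall or reflexive ACL).
ACL = [
    Rule("permit", net("10.0.10.21/32"), net("10.0.30.5/32"), "tcp", 443),  # operator 1 -> NVR
    Rule("permit", net("10.0.10.22/32"), net("10.0.30.5/32"), "tcp", 443),  # operator 2 -> NVR
    Rule("deny", VLANS[10], VLANS[30], "any", None),   # rest of office -> surveillance
    Rule("deny", VLANS[30], VLANS[10], "any", None),   # cameras must not initiate into office
]

def vlan_of(ip):
    """Return the VLAN ID whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, n in VLANS.items() if addr in n), None)

def evaluate(src, dst, proto, dport):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return "switched"            # same VLAN: never reaches the router, ACL not consulted
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ACL:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

if __name__ == "__main__":
    for flow in [("10.0.10.21", "10.0.30.5", "tcp", 443),
                 ("10.0.10.99", "10.0.30.5", "tcp", 443),
                 ("10.0.30.17", "10.0.30.5", "tcp", 554)]:
        print(flow, "->", evaluate(*flow))
```

Flows inside one VLAN come back as `switched` because a router or firewall ACL never sees them, so inter-VLAN rules do nothing to limit traffic between devices that share the surveillance VLAN.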
