Putting your IP security cameras on a VLAN is an important step toward keeping the cameras safe and keeping your local network from being slowed down. Layer 2 network switches from Cisco, Netgear, HP, Dell, D-Link and others can be easily configured for use on your CCTV system.
In this article, we will discuss the importance of VLANs on CCTV systems, how the technology works and how to do VLAN configuration for CCTV projects. We will start by explaining VLAN fundamentals, understanding how it is used on network switches and learning how to set up VLAN for CCTV cameras by demonstrating one example.
What is a VLAN
To understand a VLAN, it’s important to know what a LAN, or Local Area Network, is. A LAN is a data communications system that allows a number of computers to communicate directly with each other within a moderately sized geographic area over a physical network. A VLAN is a “virtual” LAN, consisting of a subset of devices communicating privately on a larger network. In more technical terms, a VLAN is a unique broadcast domain created by smart and managed Ethernet switches.
For CCTV systems, a VLAN is, in simple terms, a technology used to segment networks by creating virtual groups. We can group the cameras on a VLAN and keep that network separated from the main one, thus increasing security and preventing unauthorized access.
On a switch it is possible to create VLANs and associate them with specific switch ports. Devices such as computers and IP cameras that are connected to the same group of ports will be able to communicate with each other on the network.
VLAN traffic segregation
In a scenario with computers and CCTV cameras connected to the same switch, it’s possible to create VLANs to separate the broadcast traffic. The diagram below shows an example of a network switch that has IP CCTV cameras and computers connected to its ports. Notice that the VLANs are created and represented by different names, IP address ranges, and colors.
In IT environments, administrators identify VLANs by numbers and colors. In the picture above you can see VLAN 10 and VLAN 20, shown in blue and green respectively to represent different groups.
A VLAN can increase network security by assigning specific switch ports to groups. Check the picture below, where a computer connected to port 1 on the Blue VLAN communicates with PC2 on port 3. An intruder unplugs the IP camera from its cable on port 4 to connect his laptop and hack the network. He is now connected to the Green VLAN and can try to hack the security camera, but he can’t access the rest of the network.
The same principle applies to a company worker: he can’t access the security camera because it’s connected to a different VLAN.
How VLAN TAGs work
To control the traffic, a switch uses a TAG, which is simply a way to mark the frames that enter or leave each port. The frames coming into switch port 1 or 3 are tagged as part of VLAN 10, and frames coming into port 2 or 4 are tagged as part of VLAN 20.
The TAG can differ depending on the switch brand; however, there’s a universal TAG standard called 802.1Q that is used by most manufacturers. Take a look at the picture below. When frames come from the IP camera to the switch they are tagged, and these tags are removed before the frames leave the switch.
Below are the frame fields according to the universal 802.1Q standard.
SOURCE: Frame source
DESTINATION: Frame destination
TYPE & LEN: Type and size
DATA: The data contained in the frame
FRAME CHECK: Frame check
See the illustration of the TAG that is associated with the frame.
Communication between switches
When connecting two switches it is necessary to use a special port called a “Trunk Port” or “Tagged Port” that allows the traffic of all the VLANs to pass. So frames carrying the 802.1Q TAGs will pass through this port.
Some manufacturers use slightly different nomenclature for VLAN ports. Cisco switch documentation uses the term “Trunk Port” for those special ports. Other manufacturers such as Netgear, HP and Dell use the term “Tagged Port”, but in any case all of them use 802.1Q TAGs.
The IP security cameras and the computers can send traffic from the first to the second switch and still keep the broadcast and security under control. The first switch can tag the frames that come from the security camera and move them through the trunk (tagged ports) to the second switch.
Types of switches for VLAN configuration
For VLAN configuration, it’s necessary to use layer 2 manageable switches. Each manufacturer has a different way to create and manage VLANs, using a CLI (command line interface) or a web interface. In any case, the setup is pretty similar across all the devices and it’s very easy to create and configure VLANs.
Example of a VLAN configuration for CCTV systems
Let’s take a look at a CCTV system in which 4 computers use VLAN 10 and 3 IP cameras and 1 NVR use VLAN 20. In this small CCTV project, the VLANs separate the main (let’s say corporate) broadcast network traffic from the IP camera broadcast network traffic. Take a look at the diagram.
With this CCTV VLAN configuration the computer users will not have access to the IP cameras or NVR. This way your security system is protected. As you can see, VLAN configuration for CCTV is very important to keep your system safe from hackers and intruders.
Example: Creating a VLAN on a Cisco switch
As a quick example, let’s see a VLAN configuration on an 8-port Cisco switch. The model is a Catalyst 2960 PD, which will be configured using the CLI:
• VLAN 10: Ports 1 to 4 to connect the computers
• VLAN 20: Ports 5 to 8 to connect the IP cameras
USB to serial adapter
The serial cable is a special one used for Cisco switches, and the USB to serial adapter is a TRENDnet TU-S9. You can find them in stores such as Amazon.
The console port on the left side of the switch will be used to connect a serial cable from a laptop. A CLI will be used to create and configure the VLANs. The picture below shows a laptop using a USB to serial adapter.
A software for CLI commands
After the USB to serial adapter is connected, you need to set up the software that will be used for the CLI commands. We recommend a free one called PuTTY.
Windows serial port configuration
The software configuration is pretty simple: you just need to check which COM port Windows is using for the USB adapter. Open the Windows Device Manager to check the COM & LPT ports. See the picture below.
The PuTTY serial port configuration must match the data in Windows; in this case they are COM5, Speed 9600, Data bits 8, Stop bits 1 and Parity None.
If the configuration is correct, after you click “Open” you will see the CLI.
Create VLAN using the CLI
Creating VLANs using a CLI is very simple. In our example we will configure an 8-port Cisco Catalyst 2960 switch. See the steps below:
Step 1. Create the VLAN 10
Open the CLI and execute a sequence of simple commands to get into configuration mode, create the VLAN 10 and give it the name “computers”.
Step 2. Assign the ports to the VLAN 10
After creating the VLAN, it is time to assign the ports. Get into configuration mode (conf t), select the port range from 1 to 4 and assign the ports to VLAN 10.
Step 3. Create the VLAN 20
Execute the same sequence of simple commands. Just get into configuration mode, create the VLAN 20 and give it the name “cameras”.
Step 4. Assign the ports to the VLAN 20
The VLAN is created; now just make sure the switch is in configuration mode (conf t), select the port range from 5 to 8 and assign the ports to VLAN 20.
Step 5. Verify if the VLANs were correctly created
Now it’s time to check if the VLANs were created and the ports were assigned. Just exit the configuration mode and use the command below:
See the picture below with the result. It’s possible to see that the VLAN 10 and 20 were created with their correct names and the ports were assigned.
Step 6. Save the configuration
Don’t forget to save the configuration you just performed. See the command below.
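The six steps above written out as Cisco IOS commands, added here as an example rather than reproduced from the original article's screenshots. The interface names FastEthernet0/1 to 0/8 are an assumption about how this 8-port Catalyst 2960 numbers its ports; confirm them with show interfaces status before pasting.

```cisco
! Added example. Interface names are an assumption; adjust to your switch.
enable
configure terminal
!
! Step 1: create VLAN 10 and name it
vlan 10
 name computers
exit
!
! Step 2: ports 1 to 4 become access (untagged) ports in VLAN 10
interface range fastEthernet 0/1 - 4
 switchport mode access
 switchport access vlan 10
exit
!
! Step 3: create VLAN 20 and name it
vlan 20
 name cameras
exit
!
! Step 4: ports 5 to 8 become access (untagged) ports in VLAN 20
interface range fastEthernet 0/5 - 8
 switchport mode access
 switchport access vlan 20
end
!
! Step 5: list the VLANs with their names and member ports
show vlan brief
!
! Step 6: save the running configuration so it survives a reboot
copy running-config startup-config
```

Setting each port to access mode explicitly keeps it from negotiating a trunk with whatever device is plugged in, so a device on a camera port stays confined to VLAN 20.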
Example: Creating VLANs on a Netgear switch
Most switches, such as the Netgear Prosafe Smart, allow you to configure VLANs via a web interface, so the process is pretty simple and fast. Here we will show you an example of how to set up VLANs on a Netgear switch. Going back to the previous example, let’s create VLAN 10 and VLAN 20 for computers and security cameras respectively.
• VLAN 10: Ports 1 to 4 to connect the computers
• VLAN 20: Ports 5 to 8 to connect the IP cameras
Using the browser interface to create VLANs
Creating the VLAN configuration for CCTV cameras is very simple: you just need to connect a UTP cable from the laptop to one of the ports at the back of the switch, open a web browser and follow the steps below:
Step 1. Login using your credentials
Check your switch manual to find the default IP address and login password, or use the ones you created for your CCTV camera project.
Step 2. Open the TAB to configure VLAN
Open the Switching TAB and click on “VLAN”. Note that some VLANs are already created, so don’t use the same VLAN IDs for your project.
Step 3. Create the VLAN for computers
On the configuration tab, just create the ID 10 and give the VLAN a name; in our case that will be “Computers”.
Step 5. Set the Untagged ports
Ports that are connected to IP cameras and computers are called Untagged ports, meaning those devices are not bringing Tagged Frames to the ports, so it’s necessary to open the Membership TAB and mark the ports with a “U”. In our example, ports 1 to 4 must have the “U” (short for untagged). See the picture below.
Step 6. Repeat the process for VLAN 20
Create the VLAN, name it and set the untagged ports from 5 to 8.
VLAN configuration for large CCTV projects
For larger CCTV projects, it’s a matter of scaling the network: create the VLANs and configure the trunk ports (or tagged ports) between switches. Create the VLANs on both switches, use a UTP cable to connect them and configure the connected ports as trunk or tagged ports. See the diagram below.
In this example, the blue computers can’t broadcast or have access to the IP cameras or NVRs, so the surveillance network is safe from hackers or viruses.
Configuring a Cisco switch trunk
If you are using Cisco switches on both ends of the network, just connect the cable to a port on each switch (let’s say port 10, for example), make sure the switch is using the 802.1Q standard we discussed earlier and convert the port into a trunk. The configuration is simple: just get into the port you want to use as a trunk and type the commands below:
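A trunk configuration for that port, added here as an example rather than taken from the original article. The interface name FastEthernet0/10 is an assumption standing in for “port 10”, and restricting the trunk to VLANs 10 and 20 is an added setting so that only the VLANs from this article cross the link.

```cisco
! Added example. Run on both switches; the interface name is an assumption.
enable
configure terminal
interface fastEthernet 0/10
!
! The Catalyst 2960 supports only 802.1Q trunks. Models that also support
! ISL need "switchport trunk encapsulation dot1q" before the next command.
 switchport mode trunk
!
! Carry only the computers and cameras VLANs on this link
 switchport trunk allowed vlan 10,20
end
!
! Confirm the port is trunking and which VLANs are allowed on it
show interfaces trunk
!
! Save the configuration
copy running-config startup-config
```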
Configuring Netgear switch tagged ports
As long as the switches are connected and the VLANs are created on both sides of the network, you just need to configure the tagged ports on them. Go to the VLAN Membership and TAG the port you want to connect to the next switch with a “T”, which stands for tagged. In our example it is port 10.
Repeat the process for the VLAN 20 by tagging the same port.
A VLAN can be used to secure and improve a CCTV system; it’s just a matter of switch installation and configuration. The switch’s brand doesn’t matter: as long as you have a manageable layer 2 device you can create the VLANs. If you need a more advanced configuration, such as giving more than one computer access to different VLANs, then it’s necessary to use a router or layer 3 switch for inter-VLAN routing.