The Truth about VLANs
What security integrators need to know
- By Steven Olen
- Aug 01, 2013
A common misperception among security
system integrators is the notion that an IP
surveillance network must be separate and
distinct from corporate or campus data, and
the voice network. However, having a separate,
distinct network for video surveillance
comes with a price. Not only do costs increase
for physical resources, such as cabling and networking
equipment, but the complexity of managing and maintaining
two different networks rises significantly. Nevertheless,
integrators assume that having separate networks is the only
way to achieve two important requirements:
- Security: Only authorized users physically connected to the
network will have access to video surveillance traffic, and unwanted
users will be kept out.
- Bandwidth Availability: A dedicated network ensures bandwidth
will always be reserved for the surveillance traffic, as needed.
Security integrators are often not aware that these same security
and bandwidth requirements can be realized on one common
network by using VLAN technology.
Whether new to networking, or just unsure about the value
of VLANs, these FAQs may help clarify some confusion, giving
confidence to take advantage of this useful technology in future
IP, surveillance, network deployments.
What is a VLAN?
To understand VLAN, it’s important to know about LAN or Local
Area Network.
LAN is a data communications system, allowing a number
of computers to communicate directly with each other within a
moderately-sized, geographic area over a physical network.
Basically, a VLAN is a “virtual” LAN, consisting of a subset
of devices communicating privately on a larger network. In more
technical terms, a VLAN is a unique, broadcast domain created
by smart and managed Ethernet switches. (Unmanaged switches
cannot be used to create VLANs, as they do not have a user interface
to facilitate this technology).
Since this is a logical segmentation, not a physical one, devices
on the same VLAN do not have to be physically located together.
What are the benefits of VLANs?
VLANs support the logical grouping of network devices, reduce
broadcast traffic and allow more control when implementing security
policies.
How do VLANs provide security?
VLANs limit the ability for any device to hear anything on other
Virtual Local Area Networks. On a corporate network, for example,
VLANs are often used for virtual workgroups because they
make it easier to place geographically-dispersed members together.
A VLAN will logically separate and isolate certain traffic from
other traffic on the network, whether it’s data, voice or other. For
this reason, VLANs are ideal for overlaying IP surveillance video
traffic on an existing data network.
Because surveillance data can be sensitive, network administrators
don’t want it accessible across the entire network, so
placing only those users who need access to that video data on
a VLAN can reduce the chances of an outsider gaining access.
What is QoS?
Quality of Service (QoS) is the ability to provide different priority
to different applications, users or data flows, or to guarantee a
certain level of performance to a data flow.
For example, a required bit rate or delay measurement may
be guaranteed, making QoS important if the network capacity is
potentially insufficient, especially for real-time, streaming, multimedia
applications, such as voice over IP and surveillance video.
Without QoS, if a corporate data network experiences a heavy
traffic event caused by mass file transfers, broadcast storms or
other such applications, the surveillance video may freeze, skip
or even drop out completely. For many who consider surveillance
video to be mission-critical, this risk is unacceptable.
VLANs allow QoS measures to be taken on devices otherwise
fighting for shared bandwidth. When using VLANs, the network
administrator can assign a different QoS to different VLANs, prioritizing
certain traffic types over others.
What is a broadcast?
A broadcast is an Ethernet message sent by one device to all other
devices on the LAN that are used in a variety of background
tasks operating in an Ethernet network, such as an ARP request.
When an Ethernet switch receives a broadcast message, it floods
to all other ports.
In a large network, uncontrolled broadcasts can impact overall
network performance because, anytime a device is listening to
a broadcast, it dedicates resources that could otherwise be used to
process higher-priority information.
Just as Ethernet switches isolate and create separate collision
domains, VLANs isolate and create separate broadcast domains,
helping to reduce network traffic since broadcasts are contained
within the VLAN. Devices on other VLANs will not hear these
broadcasts, which reduce traffic and increase network performance.
How are VLANs set up?
Configuring a VLAN is usually done through the switch’s user
interface by associating a group of ports together, forming a
VLAN membership.
Consider the following example using a 24-port, Ethernet
switch, 10 IP cameras and 10 PCs:
- Ports 1-10 are connected to 10 IP cameras for surveillance.
- Ports 11-20 are connected to 10 PCs for employee Internet access.
- Port 24 is the “uplink” port and sends the surveillance and
Internet traffic to another VLAN switch further upstream.
Using the switch’s UI, the network administrator would associate
ports 1-10 and 24 with VLAN 100. Ports 1-10 would be designated
as “untagged,” while port 24 would be designated as “tagged.”
The network administrator would create a second VLAN by
associating ports 11-20 and 24 with VLAN 200. Similarly, ports
11-20 would be designated as “untagged,” while port 24 would be
designated as “tagged.”
Is there a solution to being intimidated
by the thought of configuring a VLAN?
Yes. Embedded into select D-Link switches, an Auto Surveillance
VLAN can automate the configuration, making networking expertise
a non-requirement.
How does Auto Surveillance
VLAN technology help?
This technology automatically detects network-attached, surveillance
devices, such as IP cameras and NVRs, and creates a separate
VLAN that separates data traffic from surveillance network traffic.
QoS is also set to “high-priority,” above other network traffic,
allowing surveillance video to stream smoothly, reliably, securely
and promptly, even when the data network is experiencing heavy
traffic. This automatic, built-in feature is a welcome change from
conventional systems that typically requires each setting to be
manually configured and added to the network one-by-one.
What’s the difference between
Auto Surveillance VLAN and
Auto Voice VLAN?
D-Link’s Auto Surveillance VLAN detects surveillance devices
while Auto Voice VLAN detects voice devices attached to the network
and automatically creates a high-priority VLAN for both.
Who benefits from Auto Surveillance
VLAN technology?
Operations that need:
- a cost-effective way to consolidate video surveillance and data
network(s);
- a reliable IP surveillance system with good video quality and
manageability features; and
- the flexibility to add IP cameras to surveillance system(s), as
well as upgrade and move the cameras, without reconfiguring
the surveillance network.
Putting it All Together
There are significant benefits achieved by using VLANs in surveillance
networks. Because VLANs support a logical grouping
of network devices, they reduce broadcast traffic and allow more
control in implementing security policies. Also, surveillance traffic
is only available to those authorized, and bandwidth is always
available, when needed.
This article originally appeared in the August 2013 issue of Security Today.