The Truth about VLANs

What security integrators need to know

• By Steven Olen
• Aug 01, 2013

A common misperception among security system integrators is the notion that an IP surveillance network must be separate and distinct from corporate or campus data, and the voice network. However, having a separate, distinct network for video surveillance comes with a price. Not only do costs increase for physical resources, such as cabling and networking equipment, but the complexity of managing and maintaining two different networks rises significantly. Nevertheless, integrators assume that having separate networks is the only way to achieve two important requirements:

1. Security: Only authorized users physically connected to the network will have access to video surveillance traffic, and unwanted users will be kept out.
2. Bandwidth Availability: A dedicated network ensures bandwidth will always be reserved for the surveillance traffic, as needed. Security integrators are often not aware that these same security and bandwidth requirements can be realized on one common network by using VLAN technology.

Whether new to networking, or just unsure about the value of VLANs, these FAQs may help clarify some confusion, giving confidence to take advantage of this useful technology in future IP, surveillance, network deployments.

What is a VLAN?

To understand VLAN, it’s important to know about LAN or Local Area Network.

LAN is a data communications system, allowing a number of computers to communicate directly with each other within a moderately-sized, geographic area over a physical network.

Basically, a VLAN is a “virtual” LAN, consisting of a subset of devices communicating privately on a larger network. In more technical terms, a VLAN is a unique, broadcast domain created by smart and managed Ethernet switches. (Unmanaged switches cannot be used to create VLANs, as they do not have a user interface to facilitate this technology).

Since this is a logical segmentation, not a physical one, devices on the same VLAN do not have to be physically located together.

What are the benefits of VLANs?

VLANs support the logical grouping of network devices, reduce broadcast traffic and allow more control when implementing security policies.

How do VLANs provide security?

VLANs limit the ability for any device to hear anything on other Virtual Local Area Networks. On a corporate network, for example, VLANs are often used for virtual workgroups because they make it easier to place geographically-dispersed members together.

A VLAN will logically separate and isolate certain traffic from other traffic on the network, whether it’s data, voice or other. For this reason, VLANs are ideal for overlaying IP surveillance video traffic on an existing data network.

Because surveillance data can be sensitive, network administrators don’t want it accessible across the entire network, so placing only those users who need access to that video data on a VLAN can reduce the chances of an outsider gaining access.

What is QoS?

Quality of Service (QoS) is the ability to provide different priority to different applications, users or data flows, or to guarantee a certain level of performance to a data flow.

For example, a required bit rate or delay measurement may be guaranteed, making QoS important if the network capacity is potentially insufficient, especially for real-time, streaming, multimedia applications, such as voice over IP and surveillance video.

Without QoS, if a corporate data network experiences a heavy traffic event caused by mass file transfers, broadcast storms or other such applications, the surveillance video may freeze, skip or even drop out completely. For many who consider surveillance video to be mission-critical, this risk is unacceptable.

VLANs allow QoS measures to be taken on devices otherwise fighting for shared bandwidth. When using VLANs, the network administrator can assign a different QoS to different VLANs, prioritizing certain traffic types over others.

What is a broadcast?

A broadcast is an Ethernet message sent by one device to all other devices on the LAN that are used in a variety of background tasks operating in an Ethernet network, such as an ARP request. When an Ethernet switch receives a broadcast message, it floods to all other ports.

In a large network, uncontrolled broadcasts can impact overall network performance because, anytime a device is listening to a broadcast, it dedicates resources that could otherwise be used to process higher-priority information.

Just as Ethernet switches isolate and create separate collision domains, VLANs isolate and create separate broadcast domains, helping to reduce network traffic since broadcasts are contained within the VLAN. Devices on other VLANs will not hear these broadcasts, which reduce traffic and increase network performance.

How are VLANs set up?

Configuring a VLAN is usually done through the switch’s user interface by associating a group of ports together, forming a VLAN membership.

Consider the following example using a 24-port, Ethernet switch, 10 IP cameras and 10 PCs:

• Ports 1-10 are connected to 10 IP cameras for surveillance.
• Ports 11-20 are connected to 10 PCs for employee Internet access.
• Port 24 is the “uplink” port and sends the surveillance and

Internet traffic to another VLAN switch further upstream. Using the switch’s UI, the network administrator would associate ports 1-10 and 24 with VLAN 100. Ports 1-10 would be designated as “untagged,” while port 24 would be designated as “tagged.”

The network administrator would create a second VLAN by associating ports 11-20 and 24 with VLAN 200. Similarly, ports 11-20 would be designated as “untagged,” while port 24 would be designated as “tagged.”

Is there a solution to being intimidated by the thought of configuring a VLAN?

Yes. Embedded into select D-Link switches, an Auto Surveillance VLAN can automate the configuration, making networking expertise a non-requirement.

How does Auto Surveillance VLAN technology help?

This technology automatically detects network-attached, surveillance devices, such as IP cameras and NVRs, and creates a separate VLAN that separates data traffic from surveillance network traffic.

QoS is also set to “high-priority,” above other network traffic, allowing surveillance video to stream smoothly, reliably, securely and promptly, even when the data network is experiencing heavy traffic. This automatic, built-in feature is a welcome change from conventional systems that typically requires each setting to be manually configured and added to the network one-by-one.

What’s the difference between Auto Surveillance VLAN and Auto Voice VLAN?

D-Link’s Auto Surveillance VLAN detects surveillance devices while Auto Voice VLAN detects voice devices attached to the network and automatically creates a high-priority VLAN for both. Who benefits from Auto Surveillance VLAN technology?

Operations that need:

• a cost-effective way to consolidate video surveillance and data network(s);
• a reliable IP surveillance system with good video quality and manageability features; and
• the flexibility to add IP cameras to surveillance system(s), as well as upgrade and move the cameras, without reconfiguring the surveillance network.

Putting it All Together

There are significant benefits achieved by using VLANs in surveillance networks. Because VLANs support a logical grouping of network devices, they reduce broadcast traffic and allow more control in implementing security policies. Also, surveillance traffic is only available to those authorized, and bandwidth is always available, when needed.

This article originally appeared in the August 2013 issue of Security Today.