VLAN Isolation

FAQ Question
What is a VLAN and why do I need one?
FAQ Answer

A VLAN is a way of slicing a single physical network switch into multiple, isolated "virtual" networks. Even though the CCTV cameras and the staff laptops share the same cabling, they cannot "see" or talk to each other unless we explicitly allow it.

1. Security: The "Air-Gap" Effect

In a standard unmanaged network, if a guest connects a laptop to a wall jack, they can potentially see every device on the network—including your Access Control controllers and CCTV recorders.

  • The Risk: Most IoT devices (cameras/intercoms) have lightweight security. If one is compromised, a hacker could move "laterally" to your server or accounting PCs.
  • Our Solution: By putting security hardware on its own VLAN, we create a digital wall. Even if a guest gets onto your Wi-Fi, your security backbone remains invisible to them.

2. Performance: Preventing "Traffic Jams"

High-resolution 4K cameras generate a constant, massive stream of data.

  • The Problem: On a flat network, "broadcast traffic" from cameras can flood the entire system, causing lag on staff computers and buffering during Zoom calls.
  • Our Solution: VLANs keep that heavy camera traffic contained. Your staff gets full bandwidth for work, and your cameras get a clear, dedicated lane to the NVR (Network Video Recorder).

3. Compliance: Meeting NDAA and Insurance Standards

Many modern insurance policies and the NDAA (National Defense Authorization Act) require that security infrastructure be logically separated from public-facing networks. VLAN isolation is the industry-standard way to meet these requirements without the massive cost of running two separate sets of physical cabling.

The Kent-ITS Standard: We typically deploy MikroTik or UniFi hardware to manage these VLANs. This allows us to prioritize security traffic (Quality of Service) so that even during peak internet usage, your door entry and alarm signals never drop.

 

1. Network Audit: Mapping the traffic

We identify all "Guest," "Staff," and "Security" devices to determine how many isolated lanes are required.

2. VLAN Tagging: Logical separation

We assign a unique ID (e.g., VLAN 10 for CCTV, VLAN 20 for Access Control) to the specific ports on your managed switches.

3. Firewall Rule Injection: The 'Gatekeeper'

We program the router to block all traffic between these IDs, only allowing the NVR to talk to the cameras and authorized admin PCs to talk to the software.

4. Bandwidth Reservation: QoS setup

We ensure the Security VLAN is guaranteed enough "pipe" so that video streams never stutter, regardless of how much Netflix is being streamed on the Guest Wi-Fi.
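
Added example (not Kent-ITS's own configuration): a vendor-neutral model of the "Gatekeeper" firewall rules, showing that the same rules in the wrong order silently break the isolation. VLAN 30 and 40, every subnet and host address, and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing plan. VLAN 10 (CCTV) and VLAN 20 (Access Control) follow
# the page; VLAN 30/40, every subnet and every host address are assumptions.
CCTV, ACCESS = "10.0.10.0/24", "10.0.20.0/24"   # VLAN 10, VLAN 20
STAFF, GUEST = "10.0.30.0/24", "10.0.40.0/24"   # VLAN 30, VLAN 40 (assumed)
NVR, ADMIN_PC, STAFF_PC = "10.0.30.5", "10.0.30.20", "10.0.30.77"
CAMERA, ACCESS_SERVER, GUEST_LAPTOP = "10.0.10.21", "10.0.20.2", "10.0.40.50"
INTERNAL, ANY, INTERNET_HOST = "10.0.0.0/16", "0.0.0.0/0", "203.0.113.10"

# Ordered forward rules for NEW connections between VLANs. Replies are assumed
# to be handled by connection tracking; same-VLAN traffic never reaches the
# router and is out of scope.
RULES = [
    ("accept", NVR + "/32", CCTV),                        # NVR reaches the cameras
    ("accept", ADMIN_PC + "/32", ACCESS_SERVER + "/32"),  # admin PC reaches the software
    ("drop", INTERNAL, INTERNAL),                         # everything else between VLANs
    ("accept", STAFF, ANY),                               # staff internet access
    ("accept", GUEST, ANY),                               # guest internet access
]
# Same rules with the two internet rules moved above the inter-VLAN drop.
MISORDERED = RULES[3:] + RULES[:3]

# Intended policy: (source, destination, expected verdict).
EXPECTED = [
    (NVR, CAMERA, "accept"),
    (ADMIN_PC, ACCESS_SERVER, "accept"),
    (GUEST_LAPTOP, INTERNET_HOST, "accept"),
    (GUEST_LAPTOP, CAMERA, "drop"),
    (STAFF_PC, CAMERA, "drop"),
    (CAMERA, STAFF_PC, "drop"),
    (CAMERA, ACCESS_SERVER, "drop"),
    (CAMERA, INTERNET_HOST, "drop"),
]

def decide(rules, src, dst):
    """First matching rule wins; a flow that matches nothing is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "drop"

def audit(rules):
    """Return (src, dst, expected, actual) for every flow that breaks the policy."""
    results = [(s, d, want, decide(rules, s, d)) for s, d, want in EXPECTED]
    return [r for r in results if r[2] != r[3]]

if __name__ == "__main__":
    for name, rules in (("RULES", RULES), ("MISORDERED", MISORDERED)):
        print(name, audit(rules) or "policy holds")
```

With the internet rules placed first, the guest laptop and an ordinary staff PC are both allowed through to the camera, even though every individual rule is unchanged.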

 


CCTV and Network Privacy (VLANs)

FAQ Question
Can my CCTV cameras 'see' my private office files or home computers?
FAQ Answer

On a standard "flat" network, the answer is technically yes. If a camera is compromised or has a firmware vulnerability, a bad actor can use that camera as a "beachhead" to scan your network for other devices, such as NAS drives, PCs, or servers. This is known as Lateral Movement.

To prevent this, we implement VLAN Segmentation (Virtual Local Area Networks).

  • Isolation: We place all CCTV hardware on its own dedicated "island" (VLAN). Even though they share the same physical cabling, the cameras are digitally locked away from your private data.
  • Preventing Snooping: By default, we configure firewall rules that allow your NVR to record the cameras, but prevent the cameras from ever "talking" to your PCs or the wider internet unless specifically authorized.
  • Traffic Management: This also ensures that high-bandwidth video traffic doesn't "flood" your main network, keeping your VoIP calls and Netflix streams stutter-free.

The Kent-ITS Standard: We don't just "plug and play." We use MikroTik and Managed PoE switches to ensure your security system is a closed loop, invisible to the rest of your digital life.


Network Infrastructure & Security

 

Reliable, Secure Networks for Your Business

Your network is the backbone of your business. From phone systems and VoIP to servers, cloud services, and physical security systems like Paxton Net2 or Texecom alarms, everything relies on a strong, secure, and well-managed network.

At Kent IT Services, we design, implement, and manage enterprise‑grade networks scaled for Kent SMBs, ensuring your business stays connected, productive, and secure.