A VLAN is a way of slicing a single physical network switch into multiple, isolated "virtual" networks. Even though the CCTV cameras and the staff laptops share the same cabling, they cannot "see" or talk to each other unless we explicitly allow it.

1. Security: The "Air-Gap" Effect

In a standard unmanaged network, if a guest connects a laptop to a wall jack, they can potentially see every device on the network—including your Access Control controllers and CCTV recorders.

• The Risk: Most IoT devices (cameras/intercoms) have lightweight security. If one is compromised, a hacker could move "laterally" to your server or accounting PCs.
• Our Solution: By putting security hardware on its own VLAN, we create a digital wall. Even if a guest gets onto your Wi-Fi, your security backbone remains invisible to them.

2. Performance: Preventing "Traffic Jams"

High-resolution 4K cameras generate a constant, massive stream of data.

• The Problem: On a flat network, "broadcast traffic" from cameras can flood the entire system, causing lag on staff computers and buffering during Zoom calls.
• Our Solution: VLANs keep that heavy camera traffic contained. Your staff gets full bandwidth for work, and your cameras get a clear, dedicated lane to the NVR (Network Video Recorder).

3. Compliance: Meeting NDAA and Insurance Standards

Many modern insurance policies and the NDAA (National Defense Authorization Act) require that security infrastructure be logically separated from public-facing networks. VLAN isolation is the industry-standard way to meet these requirements without the massive cost of running two separate sets of physical cabling.

The Kent-ITS Standard: We typically deploy MikroTik or UniFi hardware to manage these VLANs. This allows us to prioritize security traffic (Quality of Service) so that even during peak internet usage, your door entry and alarm signals never drop.

1

Network Audit

Mapping the traffic

We identify all "Guest," "Staff," and "Security" devices to determine how many isolated lanes are required.

2

VLAN Tagging

Logical separation

We assign a unique ID (e.g., VLAN 10 for CCTV, VLAN 20 for Access Control) to the specific ports on your managed switches.

3

Firewall Rule Injection

The 'Gatekeeper'

We program the router to block all traffic between these IDs, only allowing the NVR to talk to the cameras and authorized admin PCs to talk to the software.

4

Bandwidth Reservation

QoS setup

We ensure the Security VLAN is guaranteed enough "pipe" so that video streams never stutter, regardless of how much Netflix is being streamed on the Guest Wi-Fi.

Standard ISP routers are "all-in-one" devices designed for basic connectivity, not high-performance or security. When you have multiple users, smart home devices, and security cameras all fighting for bandwidth, these consumer-grade boxes often crash or "hang."

We replace or bypass these with a Managed Infrastructure (using professional gear from Zyxel, UniFi, or TP-Link). This gives you:

• Dedicated L2 Managed PoE Switches: We use these to power your cameras and WiFi points directly over the data cable. This centralizes power and allows us to "reboot" a stuck camera remotely without visiting your site.
• Hardware Offloading: Professional Access Points handle dozens of devices simultaneously without slowing down your main PC.
• VLAN Support: Unlike ISP routers, our gear supports proper "Network Isolation" to keep your private data away from guest users or IoT devices.

The Kent-ITS Standard: We select the hardware stack based on your specific environment. Whether it’s the robust simplicity of Zyxel or the seamless ecosystem of UniFi, we ensure your backbone is business-grade.

On a standard "flat" network, the answer is technically yes. If a camera is compromised or has a firmware vulnerability, a bad actor can use that camera as a "beachhead" to scan your network for other devices, such as NAS drives, PCs, or servers. This is known as Lateral Movement.

To prevent this, we implement VLAN Segmentation (Virtual Local Area Networks).

• Isolation: We place all CCTV hardware on its own dedicated "island" (VLAN). Even though they share the same physical cabling, the cameras are digitally locked away from your private data.
• Preventing Snooping: By default, we configure firewall rules that allow your NVR to record the cameras, but prevent the cameras from ever "talking" to your PCs or the wider internet unless specifically authorized.
• Traffic Management: This also ensures that high-bandwidth video traffic doesn't "flood" your main network, keeping your VoIP calls and Netflix streams stutter-free.

The Kent-ITS Standard: We don't just "plug and play." We use MikroTik and Managed PoE switches to ensure your security system is a closed loop, invisible to the rest of your digital life.

In all our security installs, we provide Power Backup (UPS) to ensure the system stays online during a cut. For our enterprise Paxton systems, we use dedicated Net2 PSUs with battery backup. Depending on fire regulations and your specific needs, we configure locks as Fail Safe (open on power loss) or Fail Secure (stay locked). All our systems include a fire alarm integration to automatically drop power to locks during an emergency, ensuring a safe exit path."