UniFi VLAN Design for Commercial Security Systems
Updated May 2026
The definitive UniFi VLAN design guide for commercial security systems — a practical architecture reference for facilities deploying UniFi cameras, NVRs, access control, and enterprise Wi-Fi on a shared switching infrastructure — covering segmentation design, firewall rules, and zero-trust isolation principles.
Proper UniFi VLAN design for commercial security separates cameras, access control, and business traffic before the first cable is pulled, so that every device class is isolated before any equipment is powered on. A commercial UniFi deployment that puts cameras, employee workstations, guest Wi-Fi, and access control readers on the same flat network is a security and performance liability. VLAN segmentation is not a complexity tax — it is the difference between a system that meets commercial security standards and one that creates the vulnerabilities it was deployed to prevent.
2M Technology designs every commercial UniFi deployment with a documented VLAN architecture from the start. This guide outlines the framework we use across warehouse, healthcare, hospitality, office, and industrial deployments in Texas.
1. Why VLANs Matter for Commercial Security Systems
Cameras and access control systems are network endpoints like any other — and like any network endpoint, they can be compromised. A camera on an unsegmented network has a path to workstations, servers, and internet-facing systems. In commercial deployments, this creates several real risks:
- Lateral movement: A compromised camera operating as a pivot point to reach other network resources — a documented attack vector against IoT devices on flat networks
- Data exfiltration: Cameras with direct internet access can stream footage to unauthorized external destinations
- Performance degradation: Camera traffic (continuous video streams at multi-Mbps per camera) competes with business application traffic when on the same VLAN
- Compliance exposure: Healthcare (HIPAA), payment (PCI-DSS), and government facility networks require documented segmentation of security devices from operational systems
- Access control tampering: Access readers and door hubs on an unsegmented network can be reached and manipulated by any device on the network
2. VLAN Design Principles
The following principles guide every commercial UniFi VLAN design 2M Technology produces:
- Least privilege: Each device class has access only to the resources it needs to function — nothing more
- Default deny: Inter-VLAN traffic is blocked by default; specific ports and protocols are explicitly permitted
- Explicit camera isolation: Cameras have no outbound internet access and cannot initiate connections to other VLANs — only the NVR can communicate with cameras
- Management VLAN separation: Switch management, NVR management, and controller access are on a management VLAN separate from device traffic
- Document everything: Every VLAN, firewall rule, and route decision is documented in as-built drawings — guesswork during an incident investigation is not acceptable
3. Standard VLAN Architecture for Commercial Security
The following VLAN scheme is 2M Technology’s baseline for mid-size commercial facilities. VLAN IDs can be adjusted to accommodate existing numbering conventions:
| VLAN | Name | Devices | Internet Access |
|---|---|---|---|
| VLAN 10 | Management | Switches, NVR, UniFi controller, firewall management interfaces | Restricted (IT workstations only via firewall rule) |
| VLAN 20 | Cameras | All UniFi cameras (wired) | BLOCKED — no outbound internet |
| VLAN 30 | Access Control | Access Hubs, Readers, Intercoms | BLOCKED — communicates only with Access controller |
| VLAN 40 | Corporate LAN | Employee workstations, printers, servers | Full access (via firewall policy) |
| VLAN 50 | Corporate Wi-Fi | Employee wireless devices (SSID: CorpWiFi) | Full access with authentication |
| VLAN 60 | Guest Wi-Fi | Visitor and guest wireless devices (SSID: GuestWiFi) | Internet only — blocked from all internal VLANs |
| VLAN 70 | IoT / Facility | Building automation, HVAC controllers, PACS systems not on access control VLAN | Limited — per-device rules |
Standards reference: VLAN fundamentals | UniFi switch specifications — ui.com
In a UniFi VLAN design, firewall rules enforce the isolation that VLAN IDs alone cannot guarantee — a VLAN without a default-deny policy is not truly isolated.
Camera Network Flow — Zero-Trust Isolation Model
In a correctly configured UniFi VLAN design, cameras have exactly one permitted network path: to the NVR. All other traffic is blocked at the firewall level.
| Source | Firewall Rule | Destination | Target |
|---|---|---|---|
| Cameras (VLAN 20: UniFi AI Pro, G5 Bullet, G6 Turret) | ALLOW | NVR IP:7004 | NVR (VLAN 10) ✅ |
| Cameras (VLAN 20) | ALLOW | DNS:53 | Internal DNS ✅ |
| Cameras (VLAN 20) | BLOCK | 0.0.0.0/0 | Internet 🚫 |
| Cameras (VLAN 20) | BLOCK | VLAN 40 | Corporate LAN 🚫 |
| Cameras (VLAN 20) | BLOCK | VLAN 50 | Corporate Wi-Fi 🚫 |
| Cameras (VLAN 20) | BLOCK | VLAN 30 | Access Control 🚫 |
| NVR (VLAN 10 / Mgmt) | ALLOW | VLAN 20 | Cameras (pull) ✅ |
| Admin workstation | ALLOW | NVR UI:7080 | NVR dashboard ✅ |
KEY PRINCIPLE: Cameras initiate nothing.
The NVR reaches out to cameras to pull streams.
Cameras have no reason to initiate any outbound connection.
Standard Commercial Security VLAN Topology
The diagram below represents the recommended UniFi VLAN design for a commercial facility with cameras, access control, corporate Wi-Fi, and guest access on shared switching infrastructure.
┌─────────────────────┐
│ INTERNET (WAN) │
└──────────┬──────────┘
│
┌──────────▼──────────┐
│ UniFi Gateway / │
│ Dream Machine Pro │ ← Firewall, routing, VPN
│ (Multi-WAN ready) │
└──────────┬──────────┘
│ 10G uplink
┌──────────▼──────────┐
│ Aggregation Switch │ ← Inter-VLAN routing
│ (UniFi Enterprise) │ LACP trunk to IDFs
└─────┬────┬────┬─────┘
│ │ │
┌──────────────┘ │ └──────────────┐
│ │ │
┌────────▼───────┐ ┌────────▼───────┐ ┌────────▼───────┐
│ IDF Closet A │ │ IDF Closet B │ │ IDF Closet C │
│ Enterprise PoE │ │ Enterprise PoE │ │ Enterprise PoE │
└────┬─┬─┬─┬────┘ └────────────────┘ └────────────────┘
│ │ │ │
│ │ │ └── VLAN 10 │ MGMT │ Switch/NVR/Controller management
│ │ └──── VLAN 20 │ CAMS │ Cameras → NVR only, no internet
│ └────── VLAN 30 │ ACCESS│ Door readers → Access controller only
└──────── VLAN 40 │ CORP │ Employee devices, full internet
VLAN 50 │ CWIFI│ Corporate Wi-Fi SSID
VLAN 60 │ GUEST│ Guest Wi-Fi → internet only, isolated
NVR (UNVR Pro) lives on VLAN 10 (Management)
Cameras on VLAN 20 → allowed to reach NVR IP only
All other VLAN 20 traffic blocked by default-deny firewall rule
4. UniFi Firewall Rules
In UniFi Network, inter-VLAN routing and firewall rules are configured under Settings → Security → Traffic & Firewall Rules. The following rules implement the standard architecture above:
Camera VLAN Rules (VLAN 20)
| Rule | Action | Source | Destination |
|---|---|---|---|
| Allow cameras → NVR | ACCEPT | VLAN 20 | NVR IP, port 7004 (RTSP) |
| Allow NVR → cameras | ACCEPT | NVR IP (Mgmt VLAN) | VLAN 20, all ports |
| Block cameras → internet | DROP | VLAN 20 | WAN / internet |
| Block cameras → corporate LAN | DROP | VLAN 20 | VLAN 40, VLAN 50 |
| Allow cameras → DNS | ACCEPT | VLAN 20 | Internal DNS server, port 53 |
Access Control VLAN Rules (VLAN 30)
| Rule | Action | Source | Destination |
|---|---|---|---|
| Allow access devices → controller | ACCEPT | VLAN 30 | UniFi Access controller IP, required ports |
| Block access devices → internet | DROP | VLAN 30 | WAN |
| Block access devices → camera VLAN | DROP | VLAN 30 | VLAN 20 |
Zero-trust UniFi VLAN design goes further than basic segmentation by treating every camera as an untrusted endpoint even after the VLAN is configured.
Firewall Rule Quick Reference — Commercial Security VLAN Design
This condensed reference covers the minimum firewall rules for a standard commercial UniFi VLAN design deployment. Apply in UniFi Network → Settings → Security → Traffic & Firewall Rules.
| Source | Destination | Action | Protocol |
|---|---|---|---|
| Camera VLAN (20) | NVR IP (VLAN 10) | ALLOW | TCP 7004 (RTSP) |
| Camera VLAN (20) | Internet (WAN) | BLOCK | All |
| Camera VLAN (20) | Corporate LAN (40) | BLOCK | All |
| Access Control (30) | Access Controller IP | ALLOW | TCP 7070 |
| Access Control (30) | Internet (WAN) | BLOCK | All |
| Corporate (40) | NVR Admin UI | ALLOW | TCP 7080 (admin) |
| Guest Wi-Fi (60) | All internal VLANs | BLOCK | All |
| Guest Wi-Fi (60) | Internet (WAN) | ALLOW | TCP/UDP 80, 443 |
| All VLANs | Internal DNS server | ALLOW | UDP 53 |
Rule order matters — in UniFi Network, rules are processed top to bottom. Place ALLOW rules for specific permitted traffic above the broader BLOCK rules. Test after every rule change.
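The rule tables above are data, and the ordering rule in the last paragraph can be checked before anything is typed into the controller. The following is an added example (not UniFi configuration syntax and not a UniFi API): a first-match evaluator that models the quick-reference rows as ordered rules and runs a set of constructed flows against them, covering the camera flow model, the access control rules, and the guest isolation from section 7. The addressing plan (10.0.<VLAN>.0/24), the NVR, controller and DNS addresses, and the external host 203.0.113.10 are constructed for the example.

```python
"""First-match evaluator for the inter-VLAN firewall policy tabulated above.

Added example, not UniFi configuration syntax.  Rules are the rows of the
quick-reference table as ordered data; flows are checked in table order and
the first matching row decides, which is how the text describes UniFi
processing the list.  Addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing plan: one /24 per VLAN, 10.0.<VLAN ID>.0/24 (assumption).
VLAN_NET = {v: ip_network(f"10.0.{v}.0/24") for v in (10, 20, 30, 40, 50, 60)}
NVR_IP = "10.0.10.5"            # constructed: UNVR on the management VLAN
ACCESS_CTRL_IP = "10.0.10.6"    # constructed: UniFi Access controller, also VLAN 10
DNS_IP = "10.0.10.53"           # constructed: internal resolver
ANY = ip_network("0.0.0.0/0")   # "WAN / Internet" in the table; note it also matches internal space


def host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "ALLOW" or "BLOCK"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"               # "tcp", "udp" or "any"
    ports: frozenset = frozenset()   # empty = any destination port

    def matches(self, src, dst, proto, port) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (not self.ports or port in self.ports))


# Specific ALLOW rows first, broad BLOCK rows after them, as the text requires.
# Exception: the guest ALLOW targets 0.0.0.0/0, which is not "specific", so the
# guest BLOCK for internal address space has to sit above it.
POLICY = [
    Rule("cameras -> NVR RTSP", "ALLOW", VLAN_NET[20], host(NVR_IP), "tcp", frozenset({7004})),
    Rule("NVR -> cameras", "ALLOW", host(NVR_IP), VLAN_NET[20]),
    Rule("access devices -> controller", "ALLOW", VLAN_NET[30], host(ACCESS_CTRL_IP), "tcp", frozenset({7070})),
    Rule("corporate -> NVR admin UI", "ALLOW", VLAN_NET[40], host(NVR_IP), "tcp", frozenset({7080})),
    Rule("all VLANs -> internal DNS", "ALLOW", ANY, host(DNS_IP), "udp", frozenset({53})),
    Rule("guest -> internal VLANs", "BLOCK", VLAN_NET[60], ip_network("10.0.0.0/16")),
    Rule("guest -> internet web", "ALLOW", VLAN_NET[60], ANY, "tcp", frozenset({80, 443})),
    Rule("cameras -> internet / anything else", "BLOCK", VLAN_NET[20], ANY),
    Rule("access devices -> internet / anything else", "BLOCK", VLAN_NET[30], ANY),
]


def evaluate(rules, src_ip, dst_ip, proto="tcp", port=0, default="BLOCK"):
    """Return (verdict, reason) for one flow under first-match semantics."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Same-VLAN traffic is switched, not routed: the gateway firewall never sees it.
    for net in VLAN_NET.values():
        if src in net and dst in net:
            return "SWITCHED", "intra-VLAN: firewall not in path, use port isolation"
    for r in rules:
        if r.matches(src, dst, proto, port):
            return r.action, r.name
    return default, "default deny"


# Constructed flows: (description, src, dst, proto, port, expected verdict)
FLOWS = [
    ("camera stream to NVR", "10.0.20.11", NVR_IP, "tcp", 7004, "ALLOW"),
    ("camera to external host", "10.0.20.11", "203.0.113.10", "tcp", 443, "BLOCK"),
    ("camera to corporate workstation", "10.0.20.11", "10.0.40.25", "tcp", 445, "BLOCK"),
    ("camera to internal DNS", "10.0.20.11", DNS_IP, "udp", 53, "ALLOW"),
    ("camera to neighbouring camera", "10.0.20.11", "10.0.20.12", "tcp", 80, "SWITCHED"),
    ("NVR pulls from camera", NVR_IP, "10.0.20.11", "tcp", 443, "ALLOW"),   # any port per the table
    ("guest to NVR admin UI", "10.0.60.77", NVR_IP, "tcp", 7080, "BLOCK"),
    ("guest to corporate web server", "10.0.60.77", "10.0.40.30", "tcp", 443, "BLOCK"),
    ("guest to internet", "10.0.60.77", "203.0.113.10", "tcp", 443, "ALLOW"),
    ("admin workstation to NVR UI", "10.0.40.25", NVR_IP, "tcp", 7080, "ALLOW"),
    ("access hub to controller", "10.0.30.12", ACCESS_CTRL_IP, "tcp", 7070, "ALLOW"),
    ("access hub to cameras", "10.0.30.12", "10.0.20.11", "tcp", 7004, "BLOCK"),
]


def mismatches(rules=POLICY):
    """Descriptions of flows whose verdict differs from the design intent."""
    return [d for d, s, t, p, port, exp in FLOWS if evaluate(rules, s, t, p, port)[0] != exp]


def blocks_first(rules):
    """The mis-ordering the text warns about: broad BLOCK rows entered above the ALLOW rows."""
    return [r for r in rules if r.action == "BLOCK"] + [r for r in rules if r.action == "ALLOW"]


def guest_allow_above_block(rules):
    """Subtler mis-ordering: the guest ALLOW to 0.0.0.0/0 placed above the guest BLOCK."""
    out = list(rules)
    i = next(k for k, r in enumerate(out) if r.name == "guest -> internal VLANs")
    j = next(k for k, r in enumerate(out) if r.name == "guest -> internet web")
    out[i], out[j] = out[j], out[i]
    return out


if __name__ == "__main__":
    print("as designed:", mismatches())
    print("blocks first:", mismatches(blocks_first(POLICY)))
    print("guest allow above block:", mismatches(guest_allow_above_block(POLICY)))
```

With the rules in the intended order every flow matches the design; with BLOCK rows entered first the camera stream, the camera DNS lookup and the access hub's controller session are all dropped, which is the failure mode the paragraph describes. The second misordering is the one worth remembering when the guest rule is written as "allow to WAN": a destination of 0.0.0.0/0 includes the internal subnets, so the guest BLOCK must precede it or the guest VLAN gains web access to corporate servers.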
5. Camera Zero-Trust Isolation
Beyond basic VLAN segmentation, zero-trust camera isolation adds additional restrictions that prevent lateral movement between cameras:
- Port isolation / client isolation: Enable port isolation on camera VLAN switch ports — cameras cannot communicate with each other, only with the gateway/NVR. This prevents a compromised camera from probing or attacking adjacent cameras.
- Disable camera local web admin: UniFi cameras do not expose a local web admin by default — ensure this remains disabled. Cameras are managed exclusively through UniFi Protect.
- Physical port security: Configure MAC address binding on camera switch ports where feasible — this prevents an unauthorized device from being substituted for the camera on that port
- DHCP snooping: Enable DHCP snooping on the camera VLAN to prevent rogue DHCP servers from redirecting camera traffic
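MAC binding and access-mode VLAN assignment are only useful if someone periodically compares what the switch sees with what the as-built documentation says. The following is an added example (not a UniFi tool): an audit that normalizes MAC addresses from the mixed formats switch exports use and reports substituted devices, cameras that have landed on the wrong VLAN, documented cameras that have gone silent, and active ports nobody documented. Both the as-built table and the observed snapshot are constructed; the MACs use the locally administered 02:00:00 prefix so they cannot be mistaken for a vendor's.

```python
"""Camera-port audit: as-built bindings versus the switch's current MAC table.

Added example, not a UniFi feature.  A real run fills OBSERVED from the
switch's MAC table export; the tables here are constructed.
"""
import re
from dataclasses import dataclass

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    switch: str
    port: int
    vlan: int      # access-mode VLAN documented for the port
    mac: str       # normalized MAC documented for the device on the port
    label: str


# As-built table (constructed): camera ports are access mode on VLAN 20, the hub on VLAN 30.
AS_BUILT = [
    Binding("IDF-A", 1, 20, normalize_mac("02:00:00:20:00:11"), "cam-lobby"),
    Binding("IDF-A", 2, 20, normalize_mac("02:00:00:20:00:12"), "cam-dock-1"),
    Binding("IDF-A", 3, 20, normalize_mac("02:00:00:20:00:13"), "cam-dock-2"),
    Binding("IDF-A", 4, 20, normalize_mac("02:00:00:20:00:14"), "cam-yard"),
    Binding("IDF-A", 9, 30, normalize_mac("02:00:00:30:00:21"), "access-hub-front"),
]

# Snapshot of the switch MAC table (constructed): (switch, port, vlan, mac), mixed formats on purpose.
OBSERVED = [
    ("IDF-A", 1, 20, "0200.0020.0011"),        # matches as-built
    ("IDF-A", 2, 20, "02-00-00-40-00-99"),     # a different device on a camera port
    ("IDF-A", 3, 40, "02:00:00:20:00:13"),     # the right camera, but the port is on VLAN 40
    ("IDF-A", 9, 30, "02:00:00:30:00:21"),     # matches as-built
    ("IDF-A", 12, 20, "02:00:00:20:00:77"),    # active camera-VLAN port that is not documented
]                                              # port 4 (cam-yard) is absent: nothing learned on it


def audit(as_built=AS_BUILT, observed=OBSERVED):
    """Return sorted (switch, port, finding, detail) tuples; an empty list means the switch matches the drawings."""
    expected = {(b.switch, b.port): b for b in as_built}
    seen = {}
    for sw, port, vlan, mac in observed:
        seen.setdefault((sw, port), []).append((vlan, normalize_mac(mac)))

    findings = []
    for key, b in expected.items():
        entries = seen.get(key, [])
        if not entries:
            findings.append((b.switch, b.port, "documented device not seen", b.label))
            continue
        macs = {m for _, m in entries}
        vlans = {v for v, _ in entries}
        if b.mac not in macs:
            findings.append((b.switch, b.port, "unexpected MAC on port", ", ".join(sorted(macs))))
        if vlans != {b.vlan}:
            findings.append((b.switch, b.port, "wrong VLAN", f"expected {b.vlan}, saw {sorted(vlans)}"))
        if len(macs) > 1:
            findings.append((b.switch, b.port, "multiple MACs on access port", ", ".join(sorted(macs))))
    for sw, port in seen.keys() - expected.keys():
        detail = "; ".join(f"{m} on VLAN {v}" for v, m in seen[(sw, port)])
        findings.append((sw, port, "undocumented active port", detail))
    return sorted(findings)


if __name__ == "__main__":
    for sw, port, finding, detail in audit():
        print(f"{sw} port {port}: {finding} ({detail})")
```

The "unexpected MAC" finding is the one MAC binding exists to prevent, and the "wrong VLAN" finding is the quiet one: the camera still works, it is just no longer behind the camera VLAN's firewall rules. Treat any finding on a camera port as an incident until the as-built drawings or the port configuration are corrected.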
6. Access Control VLAN Design
UniFi Access devices (hubs, readers, intercoms) communicate with the UniFi Access controller — which in larger deployments runs on the NVR or a dedicated server. The access control VLAN requires connectivity to the controller only:
- UniFi Access Hub connects to controller on TCP port 7070 (verify current firmware documentation)
- Readers connect through the Hub — only the Hub needs controller connectivity, not individual readers
- If UniFi Protect and UniFi Access are co-hosted on the same UNVR Pro or ENVR, a single management VLAN can house both the NVR and Access controller, with both camera and access control VLANs routing to that VLAN only
- For facilities integrating third-party access control (Lenel, Software House), isolate those controllers on their own VLAN with explicit firewall rules for their API communication paths
Guest Wi-Fi is the highest-risk SSID in any UniFi VLAN design — a misconfigured guest VLAN can expose internal systems to any visitor device on the network.
7. Guest Wi-Fi Segmentation
Guest Wi-Fi is a required service in hospitality, healthcare lobbies, and retail environments. UniFi makes guest SSID segmentation straightforward:
- Create a dedicated Guest SSID in UniFi Network and assign it to VLAN 60
- Enable the UniFi Guest Portal (captive portal or simple password authentication)
- Configure firewall rules: VLAN 60 → WAN permitted; VLAN 60 → all internal VLANs (10, 20, 30, 40, 50) blocked
- Enable client isolation within VLAN 60 to prevent guest devices from communicating with each other
- Set bandwidth limits per client in UniFi to prevent a single guest device from saturating the uplink
For hotel and healthcare deployments where the guest network carries significant bandwidth, size the uplink connection to handle full guest load independently from corporate network traffic. See our hotel deployment guide and healthcare deployment guide.
Industry-specific UniFi VLAN design requirements vary significantly — healthcare, retail, and industrial sites each add compliance layers on top of the baseline architecture.
Industry-Specific VLAN Segmentation Examples
The base VLAN model extends differently for each industry. These examples show the additional segments that healthcare, warehouse, and hospitality environments require.
Healthcare — Clinical Network Segmentation
- VLAN 10 MGMT: Switches, NVR
- VLAN 20 CAMS: Cameras → NVR only
- VLAN 30 ACCESS: Door readers
- VLAN 40 CLDEV: IV pumps, nurse call → clinical servers only, NO internet access
- VLAN 50 STAFF: Nurse laptops, EHR access
- VLAN 60 PATIENT: Guest Wi-Fi → internet only
- VLAN 70 VENDOR: Biomedical vendor devices
CRITICAL: VLAN 20 (cameras) must have NO path to VLAN 50 (EHR/clinical data).
Warehouse — Logistics Network Segmentation
- VLAN 10 MGMT: Switches, NVR
- VLAN 20 CAMS: Cameras → NVR only
- VLAN 30 ACCESS: Door readers at docks
- VLAN 40 WMS: Forklifts, scanners, WMS terminals → WMS server only; non-DFS channels (36-48); 802.11r fast roaming
- VLAN 50 CORP: Employee laptops
- VLAN 60 CARRIER: 3PL / carrier tablets → internet only, isolated
WMS (VLAN 40) must NEVER share an SSID with corporate or guest devices.
Hotel — Hospitality Network Segmentation
- VLAN 10 MGMT: Switches, NVR
- VLAN 20 CAMS: Cameras → NVR only
- VLAN 30 ACCESS: Staff door readers
- VLAN 40 POS: POS terminals (CDE) → PCI-DSS isolated; dedicated internet path
- VLAN 50 STAFF: Employee devices
- VLAN 60 GUEST: Guest Wi-Fi (captive portal) → internet only; rate limited per client
- VLAN 70 BMS: HVAC / building automation
VLAN 40 (POS/CDE) must have ZERO routable path from VLAN 60 (guest).
8. Industry-Specific VLAN Requirements
Healthcare (HIPAA)
HIPAA’s Technical Safeguard requirements (45 CFR §164.312) mandate access controls and audit controls for ePHI. Camera systems must not have network paths to systems storing patient data. Camera VLAN must be documented as isolated from clinical systems. Access control readers at clinical areas should log all access events — ensure the access control VLAN has proper connectivity to the audit log system. Consult legal counsel for specific HIPAA technical implementation requirements.
Retail and Hospitality (PCI-DSS)
PCI-DSS requires network segmentation between the cardholder data environment (CDE) and other systems. Security cameras near POS terminals must be on an isolated VLAN with no path to CDE networks. Document the segmentation in your PCI SAQ or ROC submission. Guest Wi-Fi (VLAN 60) must be completely isolated from the POS network (typically a separate VLAN under the CDE or connected to a separate internet circuit).
Warehouses and Industrial
Add an IoT/OT VLAN (VLAN 70) for building automation, HVAC controllers, industrial sensors, and other non-camera, non-access-control connected devices. This prevents legacy industrial control systems (which are often unpatched and should not be internet-exposed) from sharing network paths with newer IoT devices or corporate workstations. See our warehouse deployment guide.
The most costly UniFi VLAN design mistakes happen at initial configuration — untested firewall rules and flat-network cameras create vulnerabilities that are difficult to discover after go-live.
UniFi VLAN Design — Default Firewall Policy Reference
| Source VLAN | Destination | Policy | Reason |
|---|---|---|---|
| VLAN 20 — Cameras | NVR management IP | ALLOW (RTSP port) | Camera video stream to NVR |
| VLAN 20 — Cameras | WAN / Internet | BLOCK | No outbound internet for cameras |
| VLAN 20 — Cameras | VLAN 40 Corporate | BLOCK | Prevent lateral movement from cameras |
| VLAN 30 — Access Control | Access controller IP | ALLOW (required ports) | Hub → Access controller communication |
| VLAN 30 — Access Control | WAN / Internet | BLOCK | No outbound internet for access readers |
| VLAN 40 — Corporate | NVR UI (TCP 7080) | ALLOW | Authorized admin access to Protect |
| VLAN 60 — Guest Wi-Fi | All internal VLANs | BLOCK | Complete guest isolation |
| VLAN 60 — Guest Wi-Fi | WAN | ALLOW | Internet access only for guests |
All firewall rules are configured in UniFi Network → Settings → Security → Traffic & Firewall Rules. Always test rules after configuration — assume nothing works until verified.
⚠ Critical Warnings — UniFi VLAN Design for Commercial Security
9. Common VLAN Design Mistakes
- Flat network for cameras: Putting cameras on the same VLAN as workstations is the most common commercial surveillance mistake — every network-connected device then has a path to camera traffic and to the NVR management interface
- Allowing cameras outbound internet access: Cameras do not need direct internet access — all UniFi cloud features route through the NVR or controller. Block outbound internet from the camera VLAN explicitly.
- No management VLAN: Leaving switch management interfaces on the default VLAN exposes administrative access to any device on the network — segment management interfaces on VLAN 10 immediately
- Using VLAN IDs without documenting subnet assignments: VLAN IDs without documented IP subnets, gateway IPs, and DHCP ranges create troubleshooting nightmares during incidents
- Not testing inter-VLAN firewall rules after configuration: Verify that a camera cannot ping a workstation; verify that a workstation can reach the NVR Protect interface; verify that guest Wi-Fi cannot reach internal resources — document the test results
- Forgetting trunk configuration on uplink ports: IDF switch uplinks must be configured as trunk ports carrying all required VLANs — missing VLANs on trunk ports silently drop device traffic
Run through this UniFi VLAN design checklist on every commercial deployment before connecting cameras, APs, or access readers to the network.
10. VLAN Implementation Checklist
- ☐ VLAN IDs and subnet ranges documented for each zone
- ☐ Management VLAN (10) configured; all switch management IPs moved to VLAN 10
- ☐ Camera VLAN (20) created; all cameras assigned to VLAN 20 switch ports (access mode)
- ☐ Access control VLAN (30) created; hubs and readers assigned to VLAN 30 ports
- ☐ Corporate LAN (40) and Wi-Fi (50) VLANs configured with DHCP
- ☐ Guest Wi-Fi VLAN (60) created; SSID assigned; bandwidth limits set
- ☐ Inter-VLAN firewall rules applied: camera VLAN blocked from internet and corporate; access control blocked from internet
- ☐ Trunk ports on all IDF uplinks carrying correct VLAN set
- ☐ DHCP snooping enabled on camera and access control VLANs
- ☐ Post-configuration validation: test that camera cannot reach workstation; confirm NVR can reach cameras; confirm guest Wi-Fi isolated
- ☐ VLAN and firewall rules documented in as-built drawings
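The last two validation items above (trunk VLAN sets and post-configuration reachability) can be scripted so they are run the same way on every site. The following is an added example, not a UniFi tool: part one checks each IDF uplink trunk against the VLANs its access ports and APs actually need (the "forgetting trunk configuration" mistake from section 9), part two expresses the reachability tests from the checklist as an expectation matrix and fails a test when a blocked path connects or an allowed path does not. The switch inventory, the expectations and `simulated_probe` are constructed; `tcp_probe` is a plain socket connect that would be run from a test host on each source VLAN, and `run_reachability` accepts any probe callable so the matrix can be exercised offline.

```python
"""Post-configuration validation for the VLAN implementation checklist.

Added example, not a UniFi feature.  Inventory, expectations and the
simulated probe are constructed; only tcp_probe touches a real network.
"""
import socket
from typing import Callable, Dict, List, Tuple

MGMT_VLAN = 10

# Part 1: constructed switch inventory.  access_ports maps port -> access VLAN;
# ap_vlans are the SSID VLANs the APs on that switch must be able to carry.
SWITCHES: Dict[str, dict] = {
    "IDF-A": {"trunk_vlans": {10, 20, 30, 40},
              "access_ports": {1: 20, 2: 20, 9: 30, 14: 40},
              "ap_vlans": {50, 60}},
    "IDF-B": {"trunk_vlans": {10, 20, 30, 40, 50, 60},
              "access_ports": {1: 20, 5: 30, 20: 40},
              "ap_vlans": {50, 60}},
}


def trunk_gaps(switches=SWITCHES) -> Dict[str, List[int]]:
    """VLANs a switch needs (access ports, AP SSIDs, management) that its uplink trunk does not carry."""
    gaps = {}
    for name, sw in switches.items():
        needed = set(sw["access_ports"].values()) | set(sw["ap_vlans"]) | {MGMT_VLAN}
        missing = needed - set(sw["trunk_vlans"])
        if missing:
            gaps[name] = sorted(missing)
    return gaps


# Part 2: (description, source VLAN of the test host, destination, TCP port, expected reachable?)
# Addresses follow the constructed 10.0.<VLAN>.0/24 plan; 203.0.113.10 stands in for "the internet".
EXPECTATIONS = [
    ("camera VLAN cannot reach a workstation", 20, "10.0.40.25", 445, False),
    ("camera VLAN can reach the NVR stream port", 20, "10.0.10.5", 7004, True),
    ("camera VLAN cannot reach the internet", 20, "203.0.113.10", 443, False),
    ("NVR can reach cameras", 10, "10.0.20.11", 443, True),          # any camera port per the rule table
    ("workstation can reach the Protect UI", 40, "10.0.10.5", 7080, True),
    ("guest Wi-Fi cannot reach the NVR", 60, "10.0.10.5", 7080, False),
    ("guest Wi-Fi can reach the internet", 60, "203.0.113.10", 443, True),
]

Probe = Callable[[int, str, int], bool]   # (source VLAN, host, port) -> did a TCP connect succeed?


def tcp_probe(source_vlan: int, host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe.  Run it from a host on `source_vlan`; the VLAN argument is for the report only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_reachability(probe: Probe, expectations=EXPECTATIONS) -> Tuple[List[str], List[str]]:
    """Return (passed, failed).  A test fails when a BLOCK path connects or an ALLOW path does not."""
    passed, failed = [], []
    for desc, vlan, host, port, expect in expectations:
        (passed if probe(vlan, host, port) == expect else failed).append(desc)
    return passed, failed


def simulated_probe(source_vlan: int, host: str, port: int) -> bool:
    """Constructed network where the camera -> internet BLOCK was never entered; all else as designed."""
    connects = {
        (20, "10.0.10.5", 7004), (20, "203.0.113.10", 443),   # the second tuple is the mistake
        (10, "10.0.20.11", 443), (40, "10.0.10.5", 7080), (60, "203.0.113.10", 443),
    }
    return (source_vlan, host, port) in connects


if __name__ == "__main__":
    print("trunk gaps:", trunk_gaps())
    passed, failed = run_reachability(simulated_probe)   # swap in tcp_probe on site
    print(f"{len(passed)} passed, {len(failed)} failed: {failed}")
```

Against the constructed inventory the trunk check reports that IDF-A's uplink does not carry VLANs 50 and 60, which is exactly the case where corporate and guest Wi-Fi clients on that closet's APs silently get nothing. The reachability run with the simulated network passes six of seven tests and names the missing camera-to-internet block; the failed list, together with the date and the gateway rule set version, is what goes into the as-built test record.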
Frequently Asked Questions
Do UniFi cameras need internet access to function?
No. UniFi cameras do not require direct internet access to record, stream live video, or generate AI detection events. All camera communication routes through the NVR (UniFi Protect). Internet access is only required if you enable remote viewing via the UniFi Cloud portal — and even then, only the NVR or controller needs cloud connectivity, not the cameras themselves. Block outbound internet from the camera VLAN entirely.
How many VLANs should a commercial UniFi deployment use?
A baseline commercial deployment typically uses 5–7 VLANs: management, cameras, access control, corporate LAN, corporate Wi-Fi, guest Wi-Fi, and optionally an IoT/OT VLAN for building systems. More VLANs add segmentation granularity but also administrative complexity. For most facilities up to 200 devices, 6 VLANs is a practical target that meets security requirements without over-engineering the design.
Can the NVR be on the same VLAN as the cameras?
Placing the NVR on the camera VLAN is a valid simplification for small deployments, but 2M Technology recommends placing the NVR on the management VLAN with a firewall rule permitting camera VLAN to reach the NVR. This keeps NVR management interfaces out of the camera VLAN broadcast domain and prevents camera ARP traffic from reaching management interfaces. For facilities with fewer than 20 cameras, co-locating NVR on the camera VLAN is acceptable.
Related Deployment Guides — Plan the Full System
Proper UniFi VLAN design for commercial security connects to every infrastructure layer. These guides cover the systems each VLAN segment communicates with:
- IDF/MDF Architecture Guide: Trunk ports and inter-VLAN routing
- UNVR Pro Storage Guide: NVR management VLAN placement
- Healthcare Deployment Guide: HIPAA clinical network segmentation
- Warehouse Deployment Guide: WMS, camera, and guest VLAN design
- DFW Commercial UniFi Services: 2M Technology VLAN design — Texas
Does 2M Technology document VLAN design as part of an installation?
Yes. Every 2M Technology UniFi deployment includes as-built documentation covering VLAN assignments, subnet allocations, DHCP ranges, firewall rule sets, and switch port configurations. This documentation is delivered to the client at project close and is essential for maintenance, troubleshooting, and future expansion. Contact us for a free site assessment to discuss your facility’s segmentation requirements.
Get a VLAN Architecture Design for Your Facility
2M Technology designs documented VLAN and firewall architectures for every commercial UniFi deployment in Texas. We deliver a complete network segmentation design before installation begins — included in every free site assessment.