From my brief research it appears that it isn't but I just wanted to ask.

I'd like to put my cameras on their own VLAN but need to be able to have them communicate with the NAS with the surveillance software on it that will reside on my main VLAN.

I am running a Cisco SG250-26P at the moment.  If it does happen to be possible any links to some tutorials would be helpful.  I am a software guy but like tinkering.

Pretty sure you need L3 to route between them.  Wether that be in the form of a virtual interface on the device itself, or a "router on a stick" type of setup.

Looking at the manual it appears it does not support Layer 3 so the answer is No, you cannot.

The Cisco SG300-10  does

Thanks for the confirmation.  I thought that was the case but wanted to check.

I really don't NEED to do it but I just wanted to.  I can get around it by just putting passwords on the NAS shares so that if someone pulls down a camera and plugs the cable into a laptop they at least can't get to anything sensitive without logging in.

Now I need to buy a L3 switch to play with

Silly question but since my router (WRT1900AC) supports VLAN's could I use it to somehow accomplish what I am trying to do?

Kind of like this is what I was talking about?  If I wanted 2 VLAN's I would lose 2 ports on the switch correct?

You need a router that can handle multiple LANs and router between them. VLAN support is helpful as well.

I do this with SonicWall all the time.  Very easy.

On SonicWall:

Define a subinterface (X0:10 for instance) and assign 10.10.10.0/24 and assign VLAN 10.  Set subinterface IP to 10.10.10.1 which will be your default gateway for anything in VLAN 10.

Define a zone called CAMERAS for that interface.

Define DHCP server for that subinterface if your camera system needs it.

Define address object for your DVR server.  10.10.10.2 for example.

Define service ports as required.  For example HTTP 8080 for the web interface of the DVR.

Assign firewall and NAT rules for WAN>CAMERAS for inbound web/mobile app ports.  If you want more security you can set another address object for your office IPs and only allow inbound traffic for that firewall rule from that IP block.  For more secure mobile device access you can use the SonicWall mobile VPN app and set up VPN access.

Assign firewall rules for CAMERAS > LAN and LAN > CAMERAS as required for the specific ports only.  For instance, one rule for DENY ANY ANY ALL but for LAN>CAMERAS allow 8080 from ALL to the DVR.

On switches:

Define new VLAN 10 and call it CAMERAS.

Set the PVID as 10 on the ports the DVR and cameras are connected to - this applies VLAN 10 to any untagged inbound traffic.  Set tagged 10 for those ports so the switch knows you want VLAN 10 to egress there also.

On the port you connect to the router interface (SonicWall X0 by default) set it to trunk mode (if applicable) and tag the data VLAN (VLAN 1 if you leave it as default) and VLAN 10 for the cameras.


Other routers will be very close.

Cisco SMB SG series switches are very good units. I use LOTS of them.  2xx are L2, 3xx and 5xx are L3 lite.  Also look at the Ubiquiti line of switches.  The ES-24-LITE and ES-48-LITE (non-PoE) as well as the PoE models are ALL L3 lite and the newest firmwares have a GREAT GUI interface for working with VLANs.  Pricewise they kill anything else on the market with comparable features.  Do not order ES-48-LITE from Amazon though.  There are people selling defective ones there that are DOA with memory errors.

A VLAN is just separating switch ports into virtual seperate switches. Each  VLAN should have its own IP network (or there is really no point in having a VLAN, unless you want to keep the networks completely separate). So you don't need to have an L3 switch, but if you want the two VLANS to communicate with each other then you need a device connected to both VLANS to route between them. A Windows of Linux box can do that routing. So it just depends on how well you understand IP networking.

connect the vlans with a patch cord...(front side switching)

have to work out the IP addressing or use static arp.