UniFi CCTV & Access VLAN Implementation Plan

Overview

This plan outlines the steps for migrating UniFi Access Control and UniFi Protect video devices onto a dedicated VLAN to improve security, performance, and manageability.

⸻

1. Hardware Installation

Switch Model

• Model: Ubiquiti UniFi USW-PRO-48 (PoE version)
• Type: Managed L2/L3 Gigabit Ethernet, Rack-mount, 1U
• PoE Support:
• 40x 802.3af/at PoE+ ports
• 8x 802.3bt PoE++ ports
• Total PoE Budget: 600W

⠀

Actions

• Rack-mount the USW-PRO-48
• Move cables from the legacy switch to the new USW-PRO-48
• Assign ports to labelled functions (e.g. Access Hubs, Cameras, Uplink, NVR)

⠀ ⸻

2. VLAN Configuration

VLAN Details

• Name: UniFi CCTV VLAN
• VLAN ID: 50
• Subnet: 10.10.50.0/24
• Gateway: 10.10.50.1
• DHCP: Enabled
• DNS: Internal DNS (AD) or public (as required)

⠀

UniFi Settings

• Go to: UniFi Controller > Settings > Networks
• Create new VLAN-only or Corporate network with the above settings

⠀ ⸻

3. Port Profiles

Profile Name: CCTV/Access VLAN

• Assign VLAN ID 50
• Enable PoE as needed per port
• Apply to all ports connecting:
• UniFi Access Hubs
• UniFi G3/G4 Cameras
• NVR or Cloud Key

⠀ ⸻

4. Static IP Reservations

Assign DHCP reservations for:

• UniFi Access Hubs (e.g. 10.10.50.10–19)
• UniFi Cameras (e.g. 10.10.50.20–99)
• UniFi Protect NVR / Cloud Key (e.g. 10.10.50.2)

⠀ ⸻

5. UniFi Protect NVR Setup & Updates

Initial Setup

• Connect the NVR to a PoE-enabled port on the USW-PRO-48
• Assign port profile: CCTV/Access VLAN
• Ensure it receives IP (e.g. 10.10.50.2) from DHCP, then reserve it in UniFi Controller
• Access the NVR via browser at https://10.10.50.2
• Follow the UniFi Protect setup wizard:
• Set local admin credentials
• Register the device to your UniFi account
• Assign timezone and system name
• Enable remote access (optional)

⠀

Software Update

• Once setup completes, go to Settings > System > Updates
• Check for and apply the latest UniFi Protect firmware updates
• Reboot the NVR if prompted

⠀

Add Cameras

• Cameras on VLAN 50 should auto-discover in Protect after being connected
• Adopt each device and assign names
• Group cameras into zones if needed

⠀ ⸻

6. Firewall Rules

LAN IN

• Allow: Trusted VLANs → 10.10.50.0/24 (Ports: 80, 443, 554, 7443, etc. as needed)
• Allow: Access VLAN → NVR/Controller IP
• Drop: All other inter-VLAN access to VLAN 50

⠀

LAN OUT

• Allow: VLAN 50 → Controller/NVR
• Block: VLAN 50 → Internet (optional)

⠀ ⸻

7. Migration Plan

Cable Move Plan

• Migrate one camera/access device at a time
• Confirm PoE delivery and device adoption in UniFi Controller
• Reassign port profile as devices are reconnected

⠀

Controller Notes

• Ensure the UniFi Access and Protect apps are aware of the new IP ranges
• Restart services or re-adopt devices if needed

⠀ ⸻

8. Verification

• Ping tests to and from controller
• View camera streams and access logs
• Check UniFi DPI for outbound communication
• Confirm motion detection and recording are functioning

⠀ ⸻

9. Cleanup & Documentation

• Label switch ports
• Document all static IPs and MAC addresses
• Confirm port isolation if required
• Archive this plan in internal IT documentation

#Work/clients/bcm/Unifi-access