Cameras which support vlan tagging ?

[Putto]

Hi,

Just wondering why hardly any camera vendors support vlan tagging. Does any body know brands that do ? I am curious as to why the camera vendors don't implement this.

Any comments feedback would be greatly appreciated. Thanks

 

[DarkYendor]

In network design, you don’t tag on end devices, you tag on edge switches.

Even if you tag on the camera, you still need to tag on the switch, so there’s not much benefit.

 

[alastairstevenson]

Ideally on network design the end device must authenticate itself before being allowed to communicate, otherwise just any old device could be plugged in to do what it likes.

 

[The_E]

Ideally on network design the end device must authenticate itself before being allowed to communicate, otherwise just any old device could be plugged in to do what it likes.

Like DarkYendor said, it's typically network design and not the end devices that matter most. What method of authentication would one use on a Security Camera / IoT device or similar? If you had concerns that a bad actor could walk up and plug in something harmful, I'd suggest locking down your network using a layered approach.

 

[alastairstevenson]

What method of authentication would one use on a Security Camera / IoT device or similar?

802.1x authentication using a Radius server is very common, and well supported.

If you had concerns that a bad actor could walk up and plug in something harmful, I'd suggest locking down your network using a layered approach.

Exactly, hence the need for strong authentication of the end device.

 

[catcamstar]

@Putto I would prefer to employ my security settings on the internal side of the network than "trusting" the device enforces its own vlan. Imagine your cam (or any other IOT device) changes to vlan 1 (eg your network management vlan), and does crazy stuff. Same applies when an old/untrusted device (cfr post @alastairstevenson) hops into that slot. You enforce one specific vlan on your managed switch, whatever is put behind it, falls into that vlan. And you label that vlan "untrusted".

 

[The_E]

802.1x authentication using a Radius server is very common, and well supported.

Agreed, sure... but 802.1X is a bit complex for this type of device and end user. I'm all for making our camera networks more secure, but that comes from a solid network behind them.

Lets have the manufacturers bring forth regular, secure firmware updates and eliminate buggy, insecure plug-ins first. I'm not as worried about someone disassembling my security camera to physically jack-in to the network. They could hack the WiFi faster, easier and more covertly.

 

[DarkYendor]

802.1x authentication using a Radius server is very common, and well supported.

If you have a device capable of 802.1x authentication, that should also be the device doing the VLAN tagging. No reason to extend a VLAN trunk out to the end device.

 

[Putto]

Thanks for your input everyone! Appreciate the reply's sorry for the delayed response! I found mobotix supports this now with their latest firmware

 

[reflection]

Cool. It's always nice to have the option of vlan tags on end devices. My desktop dual boots (ESXi and Win10) and is connected as a trunk to my switch. It would suck to have to change from access to trunk port on my switch everything I change my boot.