Network Segmentation for Apartment Buildings: A VLAN Deep Dive
Most apartment buildings today have a shared network infrastructure — a single fibre riser, managed switches on each floor, and wireless access points in common areas or individual tenancies. That physical infrastructure is shared. What is not shared — or should not be — is the logical network each resident, system, and device operates on.
Without deliberate network segmentation, a resident on the building's WiFi can potentially enumerate other residents' devices, reach the CCTV system, interact with access control hardware, or probe the building management system. That is not a theoretical risk. It is a straightforward consequence of putting every device on the same flat network.
This article explains how VLAN segmentation solves that problem, how it is structured for apartment buildings, and what building managers, strata committees, and IT managers should be asking their technology provider.
Why Network Segmentation Matters in Apartment Buildings
A flat network — one where all connected devices share the same broadcast domain — was acceptable when a building might have a handful of devices. Today, a mid-sized apartment building might have:
- 150 resident devices per floor (phones, laptops, smart TVs, IoT gadgets)
- 40 or more IP-connected CCTV cameras
- Access control readers and controllers at every entry point
- A building management system (BMS) controlling HVAC, lighting, and energy monitoring
- Managed WiFi access points with their own management interfaces
- A guest or visitor WiFi network accessible from the lobby
Placing all of these on a single network means any device that connects, including a guest's phone or a compromised resident laptop, can directly reach every other device at Layer 2. A curious resident or an attacker who compromises one device can:
- Scan the network and discover CCTV cameras
- Attempt to access the NVR (network video recorder) managing camera footage
- Probe the access control system for doors, lifts, and carparks
- Interact with BMS controllers governing building services
- See other residents' networked devices including NAS drives, smart home hubs, and printers
This is a security and privacy failure. It also creates real liability exposure for building owners and strata committees who have obligations under the Privacy Act 1988 (Cth) once CCTV footage and resident data are involved.
Network segmentation — specifically VLAN segmentation — creates isolated logical networks that cannot communicate with each other without explicit, firewall-enforced permission. It is the foundational control that makes a multi-dwelling network safe to operate.
For a broader view of how this fits into building-wide security design, see our guide to VLAN network design for apartment buildings.
What Is a VLAN?
A VLAN (Virtual Local Area Network) is a logical partition within a physical network. It is configured on a managed network switch and enforced by the switch's own forwarding logic; no separate cabling or additional hardware is needed. Devices on VLAN 10 cannot communicate directly with devices on VLAN 20, even though they may be plugged into the same physical switch.
On links that carry several VLANs at once (trunk ports between switches, routers, and access points), each Ethernet frame carries a 4-byte tag defined by the IEEE 802.1Q standard: a 2-byte tag protocol identifier (0x8100) followed by 2 bytes holding a 3-bit priority, a 1-bit drop-eligible flag, and a 12-bit VLAN identifier. On access ports the switch removes the tag and assigns every frame to the port's configured VLAN, so end devices never see tags at all. The switch uses VLAN membership to enforce separation: frames belonging to VLAN 10 are never forwarded to ports or uplinks belonging to VLAN 20.
This has two practical consequences that matter for building networks:
- No extra hardware is required. A single managed switch can carry dozens of VLANs simultaneously; the separation is enforced by the switch itself.
- The separation is binding at Layer 2. Devices on different VLANs cannot communicate directly, even if they are physically adjacent. There is no path between them unless a Layer 3 device (a router or firewall) explicitly creates one. This holds only if switch ports are configured deliberately: ports facing residents, visitors, and cameras should be fixed access ports with automatic trunk negotiation disabled, trunk ports should use an otherwise unused ID as their native (untagged) VLAN, and the default VLAN 1 should carry no production traffic.
VLANs do not encrypt traffic. They enforce logical separation. For sensitive systems, encryption at the application layer (TLS, SSH) remains important. But for the purposes of preventing a resident from reaching the CCTV system, VLAN separation is the correct and standard control.
The Standard VLAN Architecture for an Apartment Building
A well-designed apartment building network assigns every category of device to its own VLAN, each with a defined purpose and controlled access policy. The following structure represents current best practice.
Resident Internet VLANs (One Per Apartment)
Each apartment receives its own dedicated VLAN. Apartment 201 is on VLAN 201. Apartment 202 is on VLAN 202. No resident can see any other resident's devices because they are on entirely separate logical networks.
Each apartment VLAN routes to the internet through the building's firewall or aggregation router, but cannot communicate laterally with any other apartment VLAN.
This is the architecture that provides genuine resident network isolation. See the section below on per-apartment versus shared VLANs for why a shared resident VLAN is not an equivalent substitute.
CCTV VLAN
All IP cameras in the building are placed on a dedicated CCTV VLAN. This VLAN has no internet access. The only device permitted to communicate with the cameras is the NVR, which also resides on this VLAN or is given a specific firewall rule permitting access from a management segment.
Resident networks cannot reach the CCTV VLAN. Building staff with legitimate access do so through a specific firewall rule scoped to their management device. For more on securing camera infrastructure, read our article on CCTV network isolation.
Access Control VLAN
Access control hardware — door controllers, lift controllers, card readers, and intercom systems — is placed on its own VLAN. This network is isolated from resident traffic. Access control servers or cloud management portals communicate with the hardware through specific firewall rules.
Misconfigured access control networks are a meaningful physical security risk. If a resident can reach the access control network, they can potentially interact with door controllers. Isolation removes that risk. See our guide to access control network requirements for design detail specific to building entry systems.
Building Management System (BMS) VLAN
The BMS controls HVAC, lighting scenes, energy monitoring, and building automation. These systems typically speak industrial automation protocols (BACnet, Modbus) that were designed for closed networks and carry no authentication of their own, and they increasingly run over IP (BACnet/IP, Modbus TCP). They belong on their own isolated VLAN. BMS hardware is often difficult or impossible to patch, so anyone who can reach a controller can usually command it; isolation is the primary protection against exploitation.
Management VLAN
Network equipment — switches, routers, wireless access point management interfaces — is placed on a dedicated management VLAN. This VLAN is accessible only to authorised IT personnel, typically through a jump host or VPN. No resident or visitor traffic should ever reach switch management interfaces.
Leaving switch management interfaces on the resident or guest VLAN is a common misconfiguration in buildings with legacy or poorly designed networks. It allows anyone on the network to attempt to log in to the network hardware directly.
Guest and Visitor WiFi VLAN
Lobby, common area, and visitor WiFi is assigned to a guest VLAN that provides internet access only. It cannot reach any resident VLAN, the CCTV VLAN, the access control VLAN, or the BMS VLAN. DNS, DHCP, and internet routing are provided, and nothing else.
Client isolation is also applied within this VLAN so that visitor devices cannot communicate with each other. This prevents one compromised guest device from attacking another. Because traffic between two devices on the same VLAN never passes through the firewall, this isolation has to be enforced by the access points and switches themselves (wireless client isolation, protected or isolated ports), not by firewall rules.
VLAN Assignment Reference Table
| VLAN ID | Network Name | Devices | Internet Access | Cross-VLAN Access |
|---|---|---|---|---|
| 10 | Management | Switches, routers, AP management interfaces | No | Authorised IT only, via jump host |
| 20 | CCTV | IP cameras, NVR | No | Management VLAN only (NVR access) |
| 30 | Access Control | Door controllers, lift controllers, readers | Conditional (cloud platforms only) | Management VLAN only |
| 40 | BMS | HVAC, lighting, energy monitoring controllers | No | Management VLAN only |
| 100 | Guest WiFi | Visitor and common area WiFi clients | Yes | None — client-isolated |
| 201–3xx | Resident (per apartment) | All devices in individual apartments | Yes | None — fully isolated from other apartments and building systems |
VLAN IDs shown are illustrative. Actual IDs are assigned per building design. A building with 200 apartments would use VLANs 201–400 for resident segments, or a similar scheme suited to the numbering plan.
Per-Apartment VLAN vs. Shared Resident VLAN
This distinction is the one most frequently misunderstood in building network proposals, and it is where many "managed building networks" fall short.
Shared resident VLAN: All residents are placed on a single VLAN, for example VLAN 100, with a single subnet (e.g., 192.168.100.0/24). All resident devices can see each other at Layer 2. A resident can discover every other resident's printer, NAS, IoT hub, and smart TV. Firewall rules cannot help here: traffic between two devices on the same subnet is switched directly between them and never reaches the firewall. Layer 2 broadcast and multicast traffic (ARP, and the mDNS that Apple, Android, and smart home devices use for discovery) is shared by everyone on the segment, and any device on it can answer ARP requests on behalf of the gateway or another resident's device. This is not genuine isolation.
Per-apartment VLAN: Each apartment has its own VLAN and subnet. Apartment 201 is 192.168.201.0/24 on VLAN 201. Apartment 202 is 192.168.202.0/24 on VLAN 202. There is no Layer 2 adjacency between them. Device discovery across apartments is impossible. This is genuine isolation.
For any residential building where residents have a reasonable expectation of privacy — which is every building — per-apartment VLANs are the correct design. Shared resident VLANs are acceptable only in very small buildings (under 10 units) with a mature firewall ruleset and documented risk acceptance. Even then, the privacy case for per-apartment isolation is strong.
VXLAN for Large Buildings: When Standard VLAN Is Not Enough
The IEEE 802.1Q VLAN standard supports 4,094 unique VLAN IDs (12-bit identifier, with a small number reserved). For most apartment buildings in Australia, this is more than sufficient. A 300-apartment building with one VLAN per apartment uses 300 IDs from a pool of 4,094.
VXLAN (Virtual Extensible LAN) extends the available segment count to roughly 16 million by using a 24-bit identifier (the VXLAN Network Identifier, or VNI). It encapsulates Layer 2 frames inside UDP packets (destination port 4789), allowing the overlay network to traverse Layer 3 infrastructure, which is useful in data centres and large-scale multi-site deployments.
For residential apartment buildings, the practical threshold where VXLAN becomes relevant is above 4,094 logical segments. This does not occur in residential buildings. A 1,000-unit residential tower with per-apartment VLANs plus a dozen building system VLANs uses roughly 1,012 IDs — well within the standard VLAN limit.
VXLAN also adds meaningful complexity: the network team must understand both the physical underlay and the virtual overlay, troubleshooting becomes harder, and compatible hardware costs more. Specifying VXLAN for a residential building because it sounds more capable is the wrong call. Use standard 802.1Q VLANs. Reserve VXLAN for large commercial campuses or mixed-use developments where segment counts genuinely challenge the 4,094 limit.
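The two identifier widths discussed above (the 12-bit 802.1Q VLAN ID and the 24-bit VXLAN VNI) are easiest to see in the bytes themselves. The following is an added example, not code from the original article or from any vendor: it builds and parses constructed frames with a single 802.1Q tag, a stacked Q-in-Q pair, and a VXLAN header. The MAC addresses, VLAN 201, and VNI 200201 are made-up sample values; the outer IP/UDP headers of a real VXLAN packet are omitted because only the VXLAN header matters here.

```python
import struct

TPID_8021Q = 0x8100    # EtherType value announcing a customer (C-)VLAN tag
TPID_8021AD = 0x88A8   # service (S-)VLAN tag used as the outer tag in Q-in-Q
ETHERTYPE_IPV4 = 0x0800
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port (not used below, for reference)
VXLAN_FLAG_VNI_VALID = 0x08

MAX_VLAN_ID = 4094       # 12-bit field, minus the reserved values 0 and 4095
MAX_VNI = (1 << 24) - 1  # 24-bit VXLAN Network Identifier


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst, src, vids, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost VID first.

    With two or more tags the outer one uses the 0x88A8 S-tag TPID (Q-in-Q);
    a single tag uses 0x8100. PCP and DEI bits are left at zero.
    """
    for vid in vids:
        if not 1 <= vid <= MAX_VLAN_ID:
            raise ValueError(f"VID {vid} is outside 1..{MAX_VLAN_ID}")
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tci = vid  # bits 15-13 PCP, bit 12 DEI, bits 11-0 VID
        tags += struct.pack("!HH", tpid, tci)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Walk any stacked tags after the MAC header; return (VIDs outermost first, inner EtherType)."""
    vids = []
    off = 12  # destination MAC (6) + source MAC (6)
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return vids, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # mask off PCP/DEI, keep the 12-bit VID
        off += 4


def build_vxlan(vni, inner_frame):
    """8-byte VXLAN header followed by the encapsulated Ethernet frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} is outside 0..{MAX_VNI}")
    # flags(8) | reserved(24) | VNI(24) | reserved(8)
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + (vni << 8).to_bytes(4, "big") + inner_frame


def parse_vxlan(payload):
    """Return (vni, inner_frame); reject a header without the I (VNI valid) flag."""
    if len(payload) < 8 or not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("not a VXLAN header with a valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]


def demo():
    """Constructed frames (not captured traffic) showing the two identifier widths."""
    # Apartment 201's traffic on a trunk link: one 802.1Q tag, VID 201
    resident = build_tagged_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [201], payload=b"\x45")
    vids, etype = parse_vlan_tags(resident)
    # Q-in-Q: a carrier S-tag 100 wrapped around the same apartment VLAN
    stacked_vids, _ = parse_vlan_tags(build_tagged_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [100, 201]))
    # VXLAN: the same frame carried in an overlay segment identified by a 24-bit VNI
    vni, inner = parse_vxlan(build_vxlan(200201, resident))
    return {
        "resident_vids": vids, "ethertype": etype,
        "stacked_vids": stacked_vids,
        "vni": vni, "inner_vids": parse_vlan_tags(inner)[0],
        "vlan_limit": MAX_VLAN_ID, "vni_limit": MAX_VNI,
    }


if __name__ == "__main__":
    print(demo())
```

The `build_tagged_frame` check that rejects VID 0 and 4095 is the same constraint that gives the 4,094 usable IDs quoted above; the VNI check shows the 16,777,215 ceiling a VXLAN overlay would offer instead.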
For smart building environments where the intersection of building systems and network design becomes more complex, our article on smart building cybersecurity covers the broader threat landscape.
Firewalls and Inter-VLAN Routing
VLANs prevent direct communication between segments. But some controlled communication between segments is operationally necessary. Examples:
- Building management needs to view CCTV cameras (management VLAN to CCTV VLAN)
- Access control management software needs to reach door controllers (management VLAN to access control VLAN)
- Some BMS platforms require internet connectivity for cloud reporting (BMS VLAN to internet, via firewall)
This inter-VLAN communication is handled by a Layer 3 firewall. The firewall sits between VLANs and enforces permit rules that define exactly which source IP or subnet can reach which destination IP, on which port, using which protocol. Every other combination is denied by default.
A correctly configured inter-VLAN firewall policy for an apartment building should be deny-by-default with explicit permits only. The ruleset should be documented. Every rule should have a stated purpose and owner.
Common errors in inter-VLAN firewall design include:
- Any-to-any permit rules between segments ("residents can reach BMS for convenience")
- Undocumented permit rules left by installers that allow unintended access
- No firewall at all between VLANs — only routing, which provides no access control
When evaluating a building network design, ask specifically whether inter-VLAN traffic is controlled by a stateful firewall with deny-by-default policy, or merely by router ACLs, or not at all.
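The deny-by-default policy described above, and the reason a shared resident VLAN cannot be rescued with firewall rules (from the per-apartment versus shared section earlier), can both be checked with a small policy model. The following is an added example written for this article, not a real site's ruleset or any firewall vendor's configuration format: the VLAN register follows this article's reference table with made-up subnets, the permit rules are assumed examples of the kind a building would document, and `audit` flags the three ruleset errors listed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

INTERNET = "internet"
ANY = "any"

# Constructed VLAN register following this article's reference table (IDs and subnets are illustrative).
VLANS = {
    10:  ("Management",     "10.10.10.0/24"),
    20:  ("CCTV",           "10.10.20.0/24"),
    30:  ("Access Control", "10.10.30.0/24"),
    40:  ("BMS",            "10.10.40.0/24"),
    100: ("Guest WiFi",     "10.10.100.0/24"),
    201: ("Apartment 201",  "192.168.201.0/24"),
    202: ("Apartment 202",  "192.168.202.0/24"),
}
BUILDING_SYSTEM_VLANS = {20, 30, 40}
RESIDENT_OR_GUEST_VLANS = {vid for vid in VLANS if vid >= 100}  # numbering convention assumed from the table
SUBNETS = {vid: ipaddress.ip_network(cidr) for vid, (_, cidr) in VLANS.items()}


@dataclass(frozen=True)
class Rule:
    src: Union[int, str]   # VLAN ID or ANY
    dst: Union[int, str]   # VLAN ID, ANY or INTERNET
    proto: str             # "tcp", "udp" or ANY
    port: Union[int, str]  # destination port or ANY
    purpose: str
    owner: str


# Explicit permits only; anything not listed is denied. Assumed example policy, not a real building's.
RULES = [
    Rule(10, 20, "tcp", 443,   "NVR web interface from the IT jump host", "Building IT"),
    Rule(10, 20, "tcp", 554,   "Live RTSP streams to the management workstation", "Building IT"),
    Rule(10, 30, "tcp", 443,   "Access control server to door and lift controllers", "Building IT"),
    Rule(10, 40, "udp", 47808, "BACnet/IP from the BMS engineering workstation", "Facilities"),
    Rule(30, INTERNET, "tcp", 443, "Access control cloud platform sync", "Facilities"),
    Rule(100, INTERNET, ANY, ANY, "Guest internet only", "Building IT"),
    Rule(201, INTERNET, ANY, ANY, "Resident internet, apartment 201", "Building IT"),
    Rule(202, INTERNET, ANY, ANY, "Resident internet, apartment 202", "Building IT"),
]


def locate(ip):
    """Map an address to its VLAN ID, or INTERNET if it sits in no register subnet."""
    addr = ipaddress.ip_address(ip)
    for vid, net in SUBNETS.items():
        if addr in net:
            return vid
    return INTERNET


def _matches(field, value):
    return field == ANY or field == value


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Decide a flow the way a deny-by-default inter-VLAN firewall would."""
    src, dst = locate(src_ip), locate(dst_ip)
    if src == dst:
        # Same subnet: the switch forwards this directly and the firewall never sees it.
        # This is why a shared resident VLAN cannot be fixed with firewall rules.
        return "switched-locally"
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and _matches(r.proto, proto) and _matches(r.port, port):
            return "permit"
    return "deny"


def audit(rules):
    """Flag the ruleset errors this article lists: wildcard permits, undocumented rules,
    and non-management sources reaching building system VLANs."""
    findings = []
    for i, r in enumerate(rules):
        if ANY in (r.src, r.dst):
            findings.append(f"rule {i}: wildcard source or destination permit")
        if r.dst in BUILDING_SYSTEM_VLANS and (r.src == ANY or r.src in RESIDENT_OR_GUEST_VLANS):
            findings.append(f"rule {i}: non-management source {r.src} reaches building system VLAN {r.dst}")
        if not r.purpose.strip() or not r.owner.strip():
            findings.append(f"rule {i}: no documented purpose or owner")
    return findings


if __name__ == "__main__":
    print(evaluate(RULES, "192.168.201.10", "10.10.20.5", "tcp", 554))   # resident to camera
    print(evaluate(RULES, "10.10.100.5", "10.10.100.9", "tcp", 445))     # guest to guest, same VLAN
    legacy = RULES + [Rule(ANY, 40, ANY, ANY, "", "")]                    # "residents can reach BMS"
    print(audit(legacy))
```

The `switched-locally` result is the important one for the shared-VLAN argument: two guests (or two residents on a shared VLAN) reach each other without the firewall ever seeing a packet, so only Layer 2 client isolation or separate VLANs can stop them. The `legacy` list shows how a single undocumented convenience rule silently opens the BMS to every segment.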
WiFi VLAN Assignment: How Managed Access Points Handle This
Managed enterprise WiFi access points support SSID-to-VLAN mapping. Each SSID broadcast by an access point can be tagged to a specific VLAN. This is how per-apartment WiFi segmentation is delivered over a shared wireless infrastructure.
Example: An access point on Level 2 broadcasts the following SSIDs:
- "ApartmentWiFi-201" mapped to VLAN 201
- "ApartmentWiFi-202" mapped to VLAN 202
- "ApartmentWiFi-203" mapped to VLAN 203
- "GuestWiFi-Level2" mapped to VLAN 100 (guest VLAN)
When a resident connects to "ApartmentWiFi-201", all of their WiFi traffic is tagged VLAN 201 at the access point and forwarded to the building switch infrastructure accordingly. The resident is on their apartment's isolated network from the moment their device associates with the SSID.
This architecture requires enterprise-grade managed WiFi (Cisco Meraki, Aruba, Ubiquiti UniFi at minimum). It cannot be replicated with consumer-grade routers or unmanaged access points. The access points must support 802.1Q trunking and SSID-to-VLAN binding, and the switches they connect to must carry the relevant VLANs on trunk ports. One SSID per apartment also scales only so far: every SSID a radio broadcasts adds beacon overhead, and vendors generally recommend keeping the count per radio to a handful. Buildings with many apartments per access point instead use a single resident SSID with dynamic VLAN assignment, where each apartment has its own passphrase (private PSK) or 802.1X identity and the authentication server returns the apartment's VLAN ID to the access point (the RADIUS Tunnel-Private-Group-ID attribute), so the device still lands on its own apartment VLAN.
For a detailed comparison of what enterprise managed WiFi delivers versus traditional approaches in this context, see our article on managed WiFi VLAN support.
What Building Managers and Strata Committees Should Ask Their Technology Provider
Not every building network integrator builds VLAN-segmented designs by default. Some install flat networks because they are faster to deploy and cheaper to quote. Before signing off on a network design or accepting a handover from a developer's technology contractor, ask the following questions and expect specific, documented answers.
1. Is each apartment's network isolated from every other apartment?
The answer should be "yes, each apartment has its own VLAN." If the answer is "yes, we use firewall rules" or "yes, we use a managed network," probe further. Firewall rules on a shared VLAN are not equivalent to VLAN isolation.
2. What VLANs exist in this building and what devices are on each one?
A competent integrator can produce a VLAN register — a document listing every VLAN ID, its name, the device types assigned to it, and its routing policy. If a provider cannot produce this document, the design is not documented and the risk of misconfiguration is high.
3. Can building systems — CCTV, access control, BMS — be reached from any resident network?
The answer should be "no — these are on isolated VLANs with no resident access." If the provider hesitates, asks for clarification, or says "not normally," treat that as a red flag. The answer should be unambiguous.
4. Is there a firewall between VLANs, and what is the default policy?
The answer should name a specific firewall platform and confirm a deny-by-default policy with documented permit rules. "We use the router's ACLs" is a weaker answer: stateless ACLs can still enforce deny-by-default, but they do not track connection state and are harder to audit. "We have no inter-VLAN routing except where VLANs are bridged" deserves close scrutiny, because bridging two VLANs merges them into a single broadcast domain and removes the isolation between them; understand exactly which segments are bridged and why before accepting the design.
5. Is there a network design document I can have?
You should receive an as-built network diagram, a VLAN register, and a firewall policy document at handover. These documents are your insurance. If a provider refuses to supply them or says they are proprietary, negotiate this as a condition of engagement before work begins.
Frequently Asked Questions
Q: Our building already has a network. Can we add VLAN segmentation retrospectively?
A: Yes, in most cases. Whether the existing switches support 802.1Q VLANs determines how much of the hardware needs to be replaced. Managed switches from major vendors (Cisco, Aruba, Netgear ProSafe, Ubiquiti) support VLANs. Unmanaged switches and cheap consumer-grade hardware do not. A network audit will identify what can be reconfigured and what needs to be replaced. Reconfiguring a flat network to a VLAN-segmented design on existing managed hardware is a configuration exercise, not a cabling project.
Q: Does VLAN segmentation affect internet speeds for residents?
A: No. Each apartment VLAN routes to the same internet uplink. The segmentation operates at Layer 2 and adds only a 4-byte tag to each frame on trunk links, which is negligible. Residents will not notice any difference in speed or latency. Throughput is governed by the uplink capacity and the router/firewall handling inter-VLAN routing, not by the VLAN tagging itself.
Q: If each apartment has its own VLAN, can residents still use smart home devices like Google Home, Apple HomeKit, or Chromecast?
A: Yes. Smart home devices operate within the apartment's own VLAN, where they have full Layer 2 access to other devices on the same subnet. A resident's Chromecast and their phone are both on VLAN 201 (for example), so they communicate normally. The isolation only prevents devices in VLAN 201 from reaching devices in VLAN 202 or the CCTV VLAN. Within the apartment's own segment, device discovery and local communication work exactly as they would on a home network.
Q: What happens when a new resident moves in? Do they get a new VLAN?
A: No. The VLAN is tied to the apartment (the physical tenancy), not the individual resident. When a new resident moves into apartment 201, they use the existing VLAN 201 configuration. The managed WiFi SSID credentials for their apartment can be changed at handover, but the VLAN itself — and its isolation from other apartments — remains constant. This is one of the operational advantages of per-apartment VLAN design: tenant turnover requires no network reconfiguration.
Q: Is VLAN segmentation required by any Australian standard or regulation?
A: There is no single mandatory standard that prescribes VLAN segmentation for residential buildings in Australia. However, obligations flow from several directions. The Privacy Act 1988 (Cth) and the Australian Privacy Principles impose obligations on any entity holding personal information, and CCTV footage of identifiable residents is personal information. The ACSC's Essential Eight does not itself include network segmentation, but the broader Strategies to Mitigate Cyber Security Incidents from which the Essential Eight is drawn list network segmentation and segregation as a mitigation strategy, and the Information Security Manual (ISM) contains network segmentation controls. Insurance underwriters for strata buildings increasingly ask about network security controls. Beyond compliance, building owners and strata committees owe a duty of care. If a flat network enables one resident to access another's personal devices, or enables a breach of the building's CCTV system, the liability is real regardless of whether a specific standard was formally mandated.
How Pickle Designs Segmented Networks for Apartment Buildings
Pickle designs and implements VLAN-segmented network architectures for apartment buildings, mixed-use developments, and commercial properties across Australia. Every engagement includes a documented VLAN register, network diagram, and inter-VLAN firewall policy — delivered at project handover and maintained as part of ongoing managed support.
If you are reviewing a current building network, planning a new development, or taking over management of an existing building and need to understand what is actually running, Pickle can complete a network assessment and produce a plain-English findings report with prioritised remediation recommendations.
To discuss your building's network, contact the Pickle team:
- Phone: 1300 688 588
- Email: [email protected]
- Web: thinkpickle.com.au