Modern apartment buildings are not just places people sleep — they are dense, interconnected environments running CCTV surveillance, IP intercoms, access control, HVAC automation, lift systems, and broadband services for dozens or hundreds of residents simultaneously. Every one of those systems touches the network. And in most buildings, that network is a single flat segment where every device can talk to every other device without restriction.
That is no longer acceptable. As buildings become smarter and more connected, a poorly designed network becomes a liability — for building managers, strata committees, residents, and the developers who built the property.
This article explains how to design a secure apartment building network using VLAN segmentation: what it means, how it works, and what a practical implementation looks like from switch room to resident apartment.
Why a Flat Network Fails in Multi-Dwelling Buildings
A flat network is one where all devices share the same broadcast domain. Traffic from any device can, in principle, reach any other device on the same network.
In a residential building, this creates several serious problems.
A compromised IP camera — running outdated firmware with a known vulnerability — sits on the same network as the building management system controlling HVAC and lift access. An attacker who gains access to that camera now has a direct path to building infrastructure. There is no logical barrier.
A technically capable resident connected to the building Wi-Fi can scan the local network and discover management workstations, NVR video storage servers, or access control panels. Even without malicious intent, resident devices can generate broadcast traffic that degrades performance across shared building systems.
IoT devices — intercoms, sensors, smart meters — are notoriously difficult to patch and are among the most commonly exploited entry points in networked environments. On a flat network, one exploited IoT device is a foothold into everything.
Flat networks also make troubleshooting harder, auditing nearly impossible, and compliance with any building cybersecurity framework unachievable.
The solution is segmentation. And in shared-infrastructure buildings, the most practical form of segmentation is VLANs.
The VLAN Solution: Logical Segmentation on Shared Physical Infrastructure
A VLAN — Virtual Local Area Network — allows you to divide a single physical network into multiple isolated logical networks. The same physical switches, patch panels, and cabling carry all traffic, but that traffic is tagged and separated so that devices in one VLAN cannot communicate with devices in another VLAN unless you explicitly allow it.
Think of it as separate lanes on the same road. Traffic in each lane travels on the same asphalt, but drivers cannot cross into another lane without going through a controlled interchange.
For apartment buildings, this matters because running separate physical cabling for every system — CCTV on one cable run, access control on another, residents on a third — is prohibitively expensive and physically impractical in most buildings. VLANs give you logical separation across shared infrastructure, which is both cost-effective and scalable.
The switching and routing hardware manages VLAN membership, and a firewall sits between VLANs to enforce inter-segment policy.
For more on how this fits into a complete building technology strategy, see Pickle's apartment building technology solutions.
Recommended VLAN Structure for Apartment Buildings
The exact number of VLANs in a building depends on its systems and scale, but the following six-VLAN structure is a sound baseline for most mid-to-large residential developments.
VLAN 10 — Management
This VLAN carries traffic for building manager workstations, administrative laptops, the building management portal, and any devices used by on-site staff. Inbound access to it is tightly controlled. No resident devices should ever reach this segment.
VLAN 20 — CCTV and Surveillance
IP cameras, NVR and DVR units, and video storage servers sit here. This VLAN should be isolated from residents and from the internet by default. Outbound access for remote monitoring should go through a VPN, not a direct internet-facing port. Cameras with known vulnerabilities cannot be allowed to sit adjacent to management or resident systems.
VLAN 30 — Access Control
Door controllers, card readers, biometric panels, and lift access hardware belong in a dedicated VLAN. Access control systems often run proprietary software with long patch cycles. Keeping them isolated limits the blast radius if a device is compromised.
VLAN 40 — Intercom
IP intercom units, the concierge desk terminal, and visitor phone points form their own segment. Intercoms often need to connect to resident devices or trigger door release events — these interactions should be explicitly defined at the firewall, not left open.
VLAN 50 — Resident Broadband and Wi-Fi
NBN-delivered broadband services and resident Wi-Fi sit in this VLAN. Where individual apartments have dedicated services, each service is isolated. Where a shared Wi-Fi network is provided, client isolation at the access point level ensures one resident cannot reach another's devices. This VLAN has no access to any building system VLANs.
VLAN 60 — Building Management System (BMS)
HVAC controllers, lighting automation, energy monitoring platforms, and lift systems communicate on this VLAN. BMS devices often use legacy protocols and are challenging to patch — isolating them from all other traffic is a fundamental control. Vendor remote access to BMS equipment must go through the managed VPN described below.
Firewall Policy Between VLANs
VLANs create the segments. A firewall enforces the rules between them.
The correct default posture is deny all inter-VLAN traffic, then permit only what is explicitly required and documented. Every permitted rule should have a business justification. Every rule should be logged.
Some examples of legitimate inter-VLAN communication in a typical apartment building:
- VLAN 40 (Intercom) to VLAN 10 (Management): alerts, event notifications to the concierge or building manager terminal.
- VLAN 20 (CCTV) to a defined internet egress point: for remote monitoring via VPN only.
- VLAN 60 (BMS) to VLAN 10 (Management): status monitoring and alerts.
Some examples of traffic that should never be permitted:
- VLAN 20 (CCTV) to VLAN 50 (Resident Wi-Fi): no pathway at all.
- VLAN 30 (Access Control) to VLAN 50 (Resident Wi-Fi): no pathway.
- VLAN 50 (Resident Wi-Fi) to any building system VLAN: no pathway.
A business-grade firewall — not a consumer router — is required to enforce this policy reliably. Stateful inspection, application-layer filtering, and centralised logging are minimum requirements. Pickle's network device management service covers the ongoing configuration and monitoring of this infrastructure.
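To make the default-deny posture concrete, the following is an added example (not Pickle's firewall configuration or any vendor's syntax) that models the inter-VLAN policy from the two lists above as code: every permit must carry a documented justification, permits on the never-allow pairs are refused outright, anything not explicitly permitted is denied, and every decision is logged. The VLAN numbers are the article's; the protocol ports and sample flows are constructed placeholders.

```python
"""Default-deny inter-VLAN policy model (added example, not Pickle's firewall
configuration). VLAN numbers follow the article; ports and flows are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# VLAN IDs from the recommended structure, plus the internet egress zone.
MGMT, CCTV, ACCESS, INTERCOM, RESIDENT, BMS = 10, 20, 30, 40, 50, 60
INTERNET = "internet"
BUILDING_VLANS = (MGMT, CCTV, ACCESS, INTERCOM, BMS)

# (src, dst) pairs that must never appear in a permit rule, whatever the port.
NEVER_PERMIT = {(CCTV, RESIDENT), (ACCESS, RESIDENT)} | {(RESIDENT, v) for v in BUILDING_VLANS}


@dataclass(frozen=True)
class Rule:
    src: object          # VLAN id or INTERNET
    dst: object
    proto: str           # "tcp" or "udp"
    dport: int           # constructed placeholder ports below
    justification: str   # the documented business reason for this permit


@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def permit(self, rule: Rule) -> None:
        """Add an explicit permit; refuse rules without a justification or on the never-permit list."""
        if not rule.justification.strip():
            raise ValueError(f"permit {rule.src}->{rule.dst} has no business justification")
        if (rule.src, rule.dst) in NEVER_PERMIT:
            raise ValueError(f"permit {rule.src}->{rule.dst} is on the never-permit list")
        self.rules.append(rule)

    def evaluate(self, src, dst, proto, dport, when=None) -> bool:
        """Decide one flow: a matching permit wins, otherwise default deny. Every decision is logged."""
        when = when or datetime.now(timezone.utc)
        for r in self.rules:
            if (r.src, r.dst, r.proto, r.dport) == (src, dst, proto, dport):
                verdict, why = True, r.justification
                break
        else:
            verdict, why = False, "default deny"
        self.log.append(f"{when.isoformat()} {src}->{dst} {proto}/{dport} "
                        f"{'PERMIT' if verdict else 'DENY'} ({why})")
        return verdict


def build_policy() -> Firewall:
    """The three legitimate flows listed in the article, each with its justification."""
    fw = Firewall()
    fw.permit(Rule(INTERCOM, MGMT, "tcp", 5060, "intercom event notifications to concierge terminal"))
    fw.permit(Rule(CCTV, INTERNET, "udp", 1194, "CCTV remote monitoring via VPN tunnel only"))
    fw.permit(Rule(BMS, MGMT, "tcp", 443, "BMS status monitoring and alerts to management"))
    return fw


if __name__ == "__main__":
    policy = build_policy()
    policy.evaluate(INTERCOM, MGMT, "tcp", 5060)   # permitted, justified
    policy.evaluate(RESIDENT, MGMT, "tcp", 443)    # denied by default
    print("\n".join(policy.log))
```

The never-permit set is checked when a rule is added rather than when traffic is evaluated, which is where an auditor wants the control: a misconfigured permit is rejected at change time, not discovered in the logs later.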
Secure Remote Access for Building Systems
Building managers, facilities contractors, and technology vendors all need remote access to building systems from time to time. How that access is delivered matters as much as what they can access.
Port forwarding — exposing a building system directly to the internet on a specific port — is not acceptable. It bypasses firewall policy, is frequently targeted by automated scanners, and provides no audit trail.
All remote access should go through a managed VPN with multi-factor authentication enforced. Access should be:
- Scoped to the minimum required VLAN and system
- Time-limited where possible (vendor access windows, not permanent credentials)
- Logged with user identity, timestamp, duration, and actions taken
- Revocable immediately when a vendor's engagement ends
This is particularly important for BMS and access control systems, which are high-value targets and frequently maintained by third-party specialists who have no business accessing anything beyond their specific system.
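The four access requirements above translate into a small amount of state and decision logic. The following is an added example (not Pickle's VPN platform or any vendor's product) that models vendor grants as scoped, time-boxed, auditable and revocable: a grant names one VLAN and one system, has a window rather than a permanent credential, every connection attempt and its reason is recorded, and revocation takes effect immediately. Vendor names, system names and timestamps are constructed placeholders.

```python
"""Time-boxed, scoped vendor access grants with an audit trail (added example,
not Pickle's VPN platform). Vendors, systems and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time so the scenario is reproducible offline.
T0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Timestamp a given number of hours after T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class Grant:
    vendor: str
    vlan: int                          # scoped to exactly one VLAN ...
    system: str                        # ... and one system inside it
    starts: datetime
    ends: datetime                     # an access window, never open-ended
    revoked_at: Optional[datetime] = None

    def live(self, when: datetime) -> bool:
        """True if the window covers `when` and the grant was not revoked before then."""
        return self.starts <= when < self.ends and (self.revoked_at is None or when < self.revoked_at)


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (timestamp, vendor, event, detail)

    def _record(self, when, vendor, event, detail):
        self.audit.append((when.isoformat(), vendor, event, detail))

    def grant(self, vendor, vlan, system, starts, hours):
        """Issue a grant scoped to one VLAN and one system for a fixed number of hours."""
        g = Grant(vendor, vlan, system, starts, starts + timedelta(hours=hours))
        self.grants.append(g)
        self._record(starts, vendor, "grant", f"vlan {vlan} / {system} for {hours}h")
        return g

    def revoke(self, vendor, when):
        """End every live grant for a vendor immediately, e.g. when the engagement ends."""
        count = 0
        for g in self.grants:
            if g.vendor == vendor and g.revoked_at is None:
                g.revoked_at = when
                count += 1
        self._record(when, vendor, "revoke", f"{count} grant(s) revoked")
        return count

    def request(self, vendor, vlan, system, when, mfa_ok):
        """Decide a connection attempt; the reason for every decision is audited."""
        live = [g for g in self.grants if g.vendor == vendor and g.live(when)]
        if not mfa_ok:
            reason = "denied: MFA not satisfied"
        elif any(g.vlan == vlan and g.system == system for g in live):
            reason = "permitted"
        elif live:
            reason = "denied: outside granted scope"
        else:
            reason = "denied: no active grant"
        self._record(when, vendor, "request", f"vlan {vlan} / {system}: {reason}")
        return reason == "permitted"

    def close_session(self, vendor, vlan, system, started, ended, actions):
        """Record duration and the actions taken so the session can be reconstructed later."""
        minutes = (ended - started).total_seconds() / 60
        self._record(ended, vendor, "session",
                     f"vlan {vlan} / {system}: {minutes:.0f} min; actions: {'; '.join(actions)}")
        return minutes


if __name__ == "__main__":
    broker = AccessBroker()
    broker.grant("hvac-contractor", 60, "chiller-controller", at(0), hours=4)
    broker.request("hvac-contractor", 60, "chiller-controller", at(1), mfa_ok=True)
    broker.request("hvac-contractor", 30, "door-controller", at(1), mfa_ok=True)  # wrong VLAN: denied
    broker.revoke("hvac-contractor", at(2))
    for entry in broker.audit:
        print(*entry)
```

The scope check is deliberately exact (VLAN and system both must match) so that a BMS contractor's grant can never be read as covering the access-control VLAN, and the audit records denials with their reason as well as permits, which is what makes a later review of vendor activity possible.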
Wi-Fi Design for Residents
Resident Wi-Fi in apartment buildings has specific requirements that differ from standard commercial Wi-Fi deployment.
Client isolation must be enabled on access points serving VLAN 50. This ensures that even when two residents are on the same SSID, their devices cannot communicate directly — one resident's laptop cannot reach another's NAS device, smart TV, or printer. Client isolation is a wireless feature that must be explicitly enabled and verified, not assumed.
Where individual apartments receive dedicated NBN services via a managed Wi-Fi CPE, each apartment should be on a separate VLAN or sub-segment to prevent any cross-apartment traffic at the network layer.
A separate SSID for building management devices should never share a broadcast domain with resident devices. Management devices on VLAN 10 should connect to a management SSID that maps to the management VLAN exclusively.
Wi-Fi access point placement, channel planning, and coverage design should account for the building's physical structure — concrete and steel attenuate signal significantly. This is covered in more depth in Pickle's guide on managed Wi-Fi for apartment buildings and strata.
Planning Network Design Into New Developments
The least expensive time to design a building network is before construction starts.
Once a building is framed and finished, retrofitting proper conduit runs, switch room placement, and fibre backbone infrastructure is costly and disruptive. Network design should be part of the services and technology specification, alongside electrical, hydraulic, and fire safety drawings.
Key decisions to make at planning stage:
- Switch room location and size: Adequate space for rack-mounted switches, patch panels, UPS, and cable management. Ventilated and access-controlled.
- Conduit routing: Dedicated conduit for data cabling, sized for future growth.
- Fibre vs copper backbone: For buildings above three or four storeys, a fibre backbone between floors and a copper horizontal to each device is the standard approach.
- PoE+ capacity: IP cameras, intercoms, access control panels, and Wi-Fi access points all require Power over Ethernet. Switch capacity must be specified with actual device loads, not guessed.
- VLAN structure documentation: The VLAN plan, IP addressing scheme, and firewall policy should be documented before equipment is purchased and form part of the building's handover documentation.
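The PoE+ capacity point above is the one most often got wrong by counting ports instead of watts. The following is an added example (not Pickle's tooling) that sizes PoE switches from a device inventory: it checks each device against the per-port limit of the PoE standard it needs, then compares a naive port-by-port fill with a load-balanced placement against each switch's power budget with headroom. The per-port maxima are the IEEE 802.3af (15.4 W) and 802.3at PoE+ (30 W) PSE limits; the device inventory, wattages, port count and switch budget are constructed placeholders.

```python
"""PoE budget sizing from a device inventory (added example, not Pickle's tooling).
Per-port limits are the IEEE 802.3af / 802.3at PSE maxima; the inventory,
wattages and switch budget are constructed placeholders."""
import math

# Maximum power a switch port may supply under each standard (watts at the PSE).
PSE_LIMIT_W = {"af": 15.4, "at": 30.0}   # 802.3af PoE, 802.3at PoE+

# Constructed inventory: (device type, quantity, PoE standard required, worst-case draw at the PSE in W).
INVENTORY = [
    ("ip-camera-ptz",   12, "at", 25.0),
    ("ip-camera-fixed", 30, "af",  9.0),
    ("intercom-panel",   6, "af", 12.0),
    ("door-controller",  8, "af",  7.0),
    ("wifi-ap",         20, "at", 22.0),
]


def class_violations(inventory):
    """Device types whose rated draw exceeds what their PoE standard can deliver on one port."""
    return [name for name, _, std, watts in inventory if watts > PSE_LIMIT_W[std]]


def _expand(inventory):
    """One (name, watts) entry per physical device, so devices can be placed on ports individually."""
    return [(name, watts) for name, qty, _, watts in inventory for _ in range(qty)]


def _summarise(switches, limit_w):
    """Per-switch port count, summed draw, and whether it stays within the usable budget."""
    out = []
    for devices in switches:
        watts = sum(w for _, w in devices)
        out.append({"ports": len(devices), "watts": watts, "ok": watts <= limit_w})
    return out


def naive_plan(inventory, ports_per_switch=48, budget_w=740.0, headroom=0.2):
    """Fill switches port by port in inventory order, i.e. what a 'count the ports' estimate does."""
    devices = _expand(inventory)
    switches = [devices[i:i + ports_per_switch] for i in range(0, len(devices), ports_per_switch)]
    return _summarise(switches, budget_w * (1 - headroom))


def balanced_plan(inventory, ports_per_switch=48, budget_w=740.0, headroom=0.2):
    """Place each device, heaviest first, on the least-loaded switch that still has a free port."""
    devices = sorted(_expand(inventory), key=lambda d: d[1], reverse=True)
    switches = [[] for _ in range(math.ceil(len(devices) / ports_per_switch))]
    for dev in devices:
        candidates = [s for s in switches if len(s) < ports_per_switch]
        if not candidates:                      # every switch full: add another chassis
            switches.append([])
            candidates = [switches[-1]]
        min(candidates, key=lambda s: sum(w for _, w in s)).append(dev)
    return _summarise(switches, budget_w * (1 - headroom))


if __name__ == "__main__":
    print("class violations:", class_violations(INVENTORY))
    print("naive:   ", naive_plan(INVENTORY))
    print("balanced:", balanced_plan(INVENTORY))
```

With the constructed inventory both plans need two 48-port switches, but the naive fill puts 642 W on the first switch against a usable 592 W (740 W less 20 % headroom) while the balanced placement lands at 569 W per switch. Same port count, very different outcome, which is why the specification should be written from device loads.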
Developers who engage a specialist early avoid the costly cycle of remediation that strata committees inherit when they take over a building with an undersized, unsegmented network. Pickle works with developers and strata managers on this planning process — see the strata management communications solutions page for an overview.
Frequently Asked Questions
Q: What is a VLAN and why does an apartment building need one?
A: A VLAN is a Virtual Local Area Network — a method of logically dividing a physical network into isolated segments. Apartment buildings need VLANs because they run multiple systems (CCTV, intercoms, access control, BMS, resident broadband) that should not be able to communicate freely with each other. Without VLANs, a vulnerability in any one system can expose every other system on the network.
Q: How many VLANs does a typical apartment building need?
A: Most mid-to-large residential buildings benefit from at least six VLANs: management, CCTV, access control, intercom, resident broadband, and BMS. Larger or more complex buildings may need additional segments — for example, separate VLANs for EV charging infrastructure, visitor Wi-Fi, or retail tenancies.
Q: Can the same physical switches and cabling support multiple VLANs?
A: Yes. VLAN segmentation is logical, not physical. A single managed switch can carry traffic for multiple VLANs simultaneously, with each VLAN's traffic tagged and isolated from the others. This is one of the primary advantages of VLANs for apartment buildings — you get strong segmentation without running separate physical infrastructure for every system.
Q: Who manages the network in a strata building?
A: Responsibility varies by building. In most cases, the owners corporation or strata committee is responsible for shared infrastructure, including the building network. Day-to-day management is typically handled by a managed IT provider — either directly engaged by the strata committee or appointed through the strata manager. It is important to have a clear agreement covering who is responsible for configuration, monitoring, patching, and incident response.
Q: What is client isolation and why does it matter for resident Wi-Fi?
A: Client isolation is a wireless access point feature that prevents devices connected to the same Wi-Fi network from communicating directly with each other. In an apartment building, this means one resident's device cannot reach another resident's device, even on the same SSID. Without client isolation, a resident with basic networking knowledge could scan the Wi-Fi network and access other residents' devices — a significant privacy and security risk.
Ready to Design a Secure Network for Your Building?
Pickle designs, deploys, and manages network infrastructure for apartment buildings and strata complexes across Australia. From VLAN architecture and firewall policy through to managed Wi-Fi, ongoing monitoring, and vendor access management — we handle the full network lifecycle so your building systems are secure, segmented, and properly maintained.
Call us on 1300 688 588 or email [email protected] to discuss your building's network requirements.