The decision to put everything on one switch is almost never made consciously. It happens incrementally. The access control contractor runs a cable to the nearest open port. The camera installers do the same. The BAS controls engineer coordinates with the IT department to get the controllers on the LAN. Nobody is making a network architecture decision — they’re each making a convenience decision. The result, three years later, is a single switch that carries the building automation traffic, the access control traffic, the video surveillance traffic, and the general-purpose IT traffic for 200 employees, all in the same broadcast domain.

When it works, it works fine. When it doesn’t, the failure modes are surprising in kind and expensive in scope. A BAS controller broadcasting a runaway DHCP request saturates the switch and takes access control readers offline. A camera doing a firmware update generates enough multicast traffic to spike CPU utilization on access control panels. An IT security incident that touches the corporate LAN now has adjacency to the physical security systems. None of these are theoretical — they’re the failure modes that show up in incident reports from facilities that consolidated because the cable was already there.

Why OT and IT systems don’t belong on the same broadcast domain

Building automation systems (BAS), access control systems, and physical security cameras are Operational Technology (OT) — they control or monitor physical processes in the building. They share some characteristics with enterprise IT networks (IP addressing, Ethernet switching) but differ in important ways:

  • Traffic patterns. OT traffic is typically low-bandwidth and periodic — a BAS controller sending sensor readings every 30 seconds, an access control panel polling readers every few hundred milliseconds. Enterprise IT traffic is bursty and high-bandwidth. When IT traffic spikes (a department-wide patch deployment, a large file sync), it competes for switch resources with the deterministic, time-sensitive OT traffic.
  • Device resilience. OT controllers are often designed to prioritize stability and uptime over security patch velocity. Many BAS and access control controllers run firmware that isn’t patched regularly and that runs protocols with known vulnerabilities. Placing them in the same broadcast domain as enterprise endpoints gives a compromised IT device immediate network adjacency to unpatched OT devices.
  • Failure tolerance. A switch that crashes or is power-cycled during IT troubleshooting takes down every device on it simultaneously. If the CCTV NVR and access control panels are on the same switch as the conference room AV systems, an AV technician power-cycling a switch port during a presentation can take the building’s door access offline.

VLAN segregation — what it does and what it doesn’t do

The standard recommendation for OT/IT convergence in commercial buildings is VLAN segregation: separate virtual LANs for BAS, access control, CCTV, and enterprise IT, with inter-VLAN routing controlled by a layer-3 switch or firewall that permits only the traffic that needs to cross between segments.

VLAN segregation on a shared physical switch is a meaningful improvement over no segregation. What it does:

  • Reduces broadcast domain size. A BAS controller sending a broadcast is visible only to other devices in the BAS VLAN, not to every device on the switch.
  • Controls inter-VLAN traffic through a routable gateway where ACLs can be applied.
  • Makes the network topology legible — a network diagram that shows separate VLANs communicates the intent to segregate, even if physical infrastructure is shared.

What VLAN segregation on a shared physical switch does not do:

  • It doesn’t protect against switch-level failures. A switch hardware failure, a bad firmware update, or a misconfigured spanning tree event affects all VLANs simultaneously. Physical separation provides failure isolation that VLAN separation doesn’t.
  • It doesn’t prevent VLAN-hopping attacks. Where trunk ports are left on the default native VLAN, VLAN hopping via double-tagging is a known attack technique. Buildings that install managed switches without a security-aware configuration may be exposed.
  • It doesn’t address PoE power budget problems. High-power CCTV cameras (up to 25W for multi-sensor panoramic cameras) and high-power access control reader controllers competing for PoE budget on the same switch can create power allocation conflicts that are difficult to diagnose when all devices share one physical switch.

Broadcast storm risk — how a BAS flood takes access control offline

The most common real-world failure scenario in converged OT/IT buildings is a BAS controller malfunction generating excessive broadcast or multicast traffic that saturates a shared switch. Broadcast storms in IP networks occur when a device enters a runaway broadcast loop — typically due to a firmware bug, a faulty network interface, or an incorrect configuration that causes retransmits to compound.

The scenario: a VAV box controller running a BAS protocol (Modbus/IP, BACnet/IP, or Niagara AX) is improperly configured after a firmware update and begins sending unacknowledged packets in a retry loop. Each unacknowledged packet triggers another retry. The switch’s CPU, handling broadcast forwarding, spikes to near-100% utilization. The access control panels on the same switch, which communicate to the access control server over the same infrastructure, begin dropping their server connection. Doors go to fail-secure. Employees start calling facilities.

The access control system has nothing wrong with it. The cameras have nothing wrong with them. One misconfigured BAS controller on a shared switch took down three physically separate systems. Consider also the security implications: access control and CCTV on the same flat network as corporate IT means a phishing-compromised laptop has network adjacency to the door controller that manages the server room. Network segmentation isn’t just an operational concern — it’s a physical security concern.

The realistic compromise for facilities with small IT teams

Full physical separation — dedicated switches for each system type, separate uplinks, independent power — is the architecturally correct answer. It’s also not always feasible for a 50,000 sq ft office building with a one-person facilities team. The practical compromise that addresses the most significant failure modes:

Measure, what it addresses, and relative cost:

  • VLAN per system type (BAS, access control, CCTV, IT). Addresses: broadcast domain reduction, inter-VLAN ACL control, topology legibility. Cost: low; configuration only, if managed switches are already in place.
  • Dedicated physical switch for access control (with PoE). Addresses: failure isolation for the highest-consequence system; PoE budget certainty. Cost: medium; one IDF-level switch per floor.
  • Dedicated physical switch for CCTV NVR and cameras. Addresses: video bandwidth isolation; prevents camera traffic competing with access control. Cost: medium; typically co-located with the NVR.
  • BAS on shared switch with VLAN and storm control enabled. Addresses: broadcast storm mitigation; BAS traffic isolation without dedicated hardware. Cost: low; storm control is a managed switch feature.
  • Firewall or ACL-capable L3 device at the inter-VLAN boundary. Addresses: prevents lateral movement from a compromised IT device to the OT segment. Cost: medium-high; requires a capable L3 device at the IDF or MDF.

The minimum viable segmentation for a new commercial buildout: dedicated physical switch for access control, dedicated physical switch for CCTV, BAS on a VLAN-segregated shared switch with storm control, and an ACL-capable L3 device at the inter-VLAN boundary. This doesn’t require a security engineer to operate; it requires a network-aware low-voltage contractor and a structured cabling plan that separates system types at the IDF level. The move to OSDP on access control adds supervised RS-485 segments to the access control network topology — worth accounting for in the switching architecture before installation.
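The minimum viable segmentation described above, written out as an added configuration example that is not the page's own: it covers the per-system VLANs, the hardened uplink that closes the double-tagging path, storm control on the BAS ports, and the inter-VLAN ACL at the L3 boundary. Cisco IOS syntax, VLAN IDs, subnets, host addresses and port numbers are assumptions; UDP 47808 is the standard BACnet/IP port.

```cisco
! Constructed example (assumed Cisco IOS syntax, VLAN IDs, subnets and
! port numbers): IDF access switch with BAS on its own VLAN, a hardened
! uplink trunk, and the inter-VLAN ACL on the L3 device at the MDF.
vlan 10
 name ENTERPRISE-IT
vlan 20
 name BAS
vlan 30
 name ACCESS-CONTROL
vlan 40
 name CCTV
vlan 999
 name UNUSED-NATIVE
!
! BAS controller ports: storm control err-disables a port whose broadcast
! rate exceeds 1% of line rate (re-arms at 0.5%) and sends a trap, so a
! runaway controller is isolated instead of saturating the whole switch
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 1.00 0.50
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink: explicit VLAN list, unused native VLAN, no DTP, so a
! double-tagged frame from an access port has no native VLAN to ride
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
!
! L3 device, inbound from the IT VLAN: the BAS head-end (10.0.10.50)
! reaches controllers only on BACnet/IP UDP 47808, the admin workstation
! reaches the NVR web UI only; every other IT-to-OT flow is dropped and
! logged, which is the lateral-movement control the table lists
ip access-list extended FROM-IT
 permit udp host 10.0.10.50 10.0.20.0 0.0.0.255 eq 47808
 permit tcp host 10.0.10.20 host 10.0.40.10 eq 443
 deny ip any 10.0.20.0 0.0.0.255 log
 deny ip any 10.0.30.0 0.0.0.255 log
 deny ip any 10.0.40.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group FROM-IT in
```

Pair `storm-control action shutdown` with `errdisable recovery cause storm-control` so an isolated port re-enables once the controller is fixed rather than needing a site visit. BACnet/IP discovery broadcasts (Who-Is) do not cross the VLAN boundary on their own, so a BBMD on the BAS segment is needed if the head-end lives outside it.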

Bottom line

The shared switch that runs everything is almost never a design decision — it’s the accumulated result of individual cable runs to convenient ports. The failure modes are real: broadcast storms that take door access offline, switch failures that simultaneously affect three independent systems, and network adjacency between unpatched OT controllers and enterprise endpoints. Physical separation is the right architecture. Dedicated access-control and CCTV switches with VLAN segregation for BAS is the practical minimum for a new installation. The cost of doing it correctly during installation is a fraction of the cost of doing it correctly after an incident.

Designing or upgrading a building network for OT systems?

We specify and install the switching architecture for access control, CCTV, BAS, and enterprise IT — with VLAN configuration, storm control, and physical separation where the risk profile warrants it. Serving Atlanta and the Southeast.