Modern access control in apartment buildings is not a mechanical problem — it is a network problem. A fob reader at the car park entrance, a keypad at the gym, a mobile credential app for the lobby door: all of these are now IP-connected devices that communicate with a cloud management platform in real time. That connectivity is the entire point of deploying a contemporary access control system. Strata managers get a web portal, access logs on demand, and the ability to deactivate a lost fob without sending anyone to the building.
It is also, however, the source of most access control failures that strata managers deal with in practice. The system is down. The management portal is unreachable. A resident's fob has stopped working and nobody can explain why. In the overwhelming majority of cases, these are not access control hardware problems. They are network problems — and they are almost entirely preventable with the right infrastructure underneath the system.
This article covers what IP access control systems need from the building network, how those requirements are commonly mishandled during installation, and what strata managers and owners corporation committees should be asking before a system goes in — or when an existing system is causing repeated problems.
How Modern Access Control Systems Work
The Components and How They Connect
A contemporary IP access control system is made up of four core components, all of which interact via the building network:
Door controller. This is the intelligence of the system. The controller sits inside the building — often in a comms cabinet — and makes the access decision: credential received, is it valid, open the lock or deny entry. The controller holds its own credential database locally (so access still works during brief internet interruptions) but syncs continuously with the cloud management platform.
Credential reader. The device a resident or visitor interacts with: a fob reader, a PIN keypad, a Bluetooth/NFC reader for mobile credentials, or increasingly a combination of these. The reader sends the credential data to the controller over a wired connection (typically Wiegand or RS-485 for legacy hardware, or OSDP for modern deployments).
Electric strike or magnetic lock. The controller sends a signal to the lock hardware — release the strike, drop the mag-lock — when the credential is approved. This hardware is powered from the controller or via the PoE switch.
Cloud management platform. The software layer — accessed via a browser or app — where the strata manager adds or removes residents, sets access schedules, reviews the audit log, and receives alerts. The controller communicates with the cloud platform over the building's internet connection. This is the component that strata managers interact with every day, and the one that goes unreachable when the network underneath it is not configured correctly.
Why the Network Matters More Than the Hardware
The cloud management model shifts the reliability dependency. In a traditional mechanical or standalone electronic system, a failure was local: the lock broke, the reader malfunctioned, the credential card was demagnetised. In an IP access control system, the reader can be functioning perfectly and the lock can operate without fault, but if the controller cannot communicate with the cloud platform, the strata manager's portal shows nothing, credential updates do not push, and mobile apps stop validating. The network is the system.
Network Requirements for Access Control in Strata Buildings
Dedicated VLAN for Access Control Devices
Access control devices must sit on their own VLAN — a logically separate network segment — isolated from resident internet, building Wi-Fi, and all other building systems.
There are two reasons for this. The first is security. If a resident's device is on the same network segment as the access controller, they can potentially reach the controller's admin interface. Many access controllers ship with default credentials or expose a web management port that is never intended for resident access. VLAN isolation removes this exposure entirely.
The second reason is fault containment. If a resident floods the network with broadcast traffic, or a device on the resident segment introduces a fault, it does not cascade to the access control segment. The access control system remains stable regardless of what happens on the rest of the building network.
Wired Ethernet — Not Wi-Fi
Fob readers, door controllers, and related hardware should connect via ethernet, not Wi-Fi. This is a firm recommendation, not a preference.
Wi-Fi introduces latency variability that is acceptable for streaming video or browsing but problematic for a security-critical system where the credential read-to-decision time matters. More significantly, Wi-Fi adds a failure point. If the access point drops, reboots during a firmware update, or becomes congested, the access control device loses connectivity. A wired connection to a managed switch does not have these failure modes.
For access controllers and readers installed near a comms cabinet, ethernet is straightforward. For readers installed at doors distant from the cabinet — lobby, car park, rooftop — the cabling run needs to be planned at fitout, not retrofitted later.
Managed PoE Switch
Access control hardware — controllers, readers, electromagnetic locks in some configurations — is typically powered over ethernet. The switch infrastructure must support PoE (802.3af or 802.3at depending on device draw).
Beyond power, the switch must be a managed switch. An unmanaged consumer switch cannot be configured with VLANs, cannot be monitored for port status, and cannot be accessed remotely for fault diagnosis. When a controller goes offline at 11pm on a Saturday, the ability to remotely check port status, confirm link speed, and power-cycle the port is the difference between a one-minute resolution and a service call the following Monday.
Managed switches also support QoS configuration, which is relevant in buildings where the same physical switch infrastructure carries access control and CCTV traffic — priority tagging ensures access control traffic is not starved by CCTV stream volume.
Internet Connectivity for the Access Control VLAN
The access control VLAN needs outbound internet access. The controller communicates with the cloud management platform continuously: syncing credential databases, pushing audit log entries, receiving configuration changes from the portal, and validating mobile credentials in real time.
This outbound connectivity must be routed through the firewall with appropriate rules. It does not require a separate internet connection — the building's primary internet connection handles it — but the firewall must be configured to permit traffic from the access control VLAN to reach the internet, and the access control VLAN must be able to resolve DNS.
In buildings where the access control VLAN is isolated at the firewall level but outbound internet access is not explicitly permitted, the result is a controller that appears online locally but cannot reach its cloud platform. The strata manager's portal shows the system as offline. Credential updates do not push. This is one of the most common access control failures, and it is entirely a firewall configuration issue.
Firewall Rules for Cloud Platform Access
Each access control vendor publishes a set of FQDNs (fully qualified domain names) or IP ranges that the controller must be able to reach. The firewall must permit outbound connections from the access control VLAN to these specific endpoints.
Firewall rules for access control should:
- Permit outbound HTTPS (TCP 443) from the access control VLAN to the vendor's cloud endpoints
- Permit DNS resolution from the access control VLAN (either direct or via a forwarding resolver)
- Block inbound connections to the access control VLAN from all other network segments (including resident internet)
- Block lateral movement between the access control VLAN and any other building system VLAN (CCTV, BMS, resident services) unless explicitly required
The specific endpoints vary by vendor — Gallagher, Genetec, Verkada, Inner Range, and others all use different cloud infrastructure. The security installer should provide the VLAN and firewall requirements at the design stage, before cabling commences.
Static or Stable IP Considerations
Fully cloud-managed access control systems — where the controller initiates all communication outbound to the cloud — do not require the building's internet connection to have a static IP address. The controller phones home; it does not need to be reachable inbound.
Legacy or hybrid on-premises access control servers — where the management software runs on a server inside the building — do require a stable, reachable IP if remote management is needed. In these configurations, a static IP from the ISP (or a stable dynamic DNS configuration) is a genuine infrastructure requirement, not optional.
For new installations in Australian strata buildings, Pickle recommends fully cloud-managed systems wherever the vendor supports it, specifically because it removes the static IP dependency and simplifies the network design.
Why Access Control Ends Up on the Wrong Network
The most common cause of network-related access control failures is not a misconfigured firewall or an inadequate switch — it is a controller that was never put on the right network in the first place.
In many buildings, the access control system was installed by a security contractor whose brief was the hardware: readers, controllers, cabling to doors, locks. The network was already there — managed by a separate party, or simply whatever switches were in the comms cabinet. The security contractor connected the controller to the nearest available ethernet port, which happened to be on the resident internet switch, or the CCTV switch, or an unmanaged consumer-grade switch the building manager had brought in years earlier. The system functioned at installation. The security contractor signed off and left.
Problems emerged later. Residents discovered they could reach the controller's web interface from their own devices. Firmware updates pulled by the controller during peak evening hours conflicted with CCTV stream bandwidth on the same switch, causing both systems to degrade. The controller became unreachable after an unrelated network change because nobody documented that it was on that particular VLAN. A switch reboot for unrelated maintenance took the access control system offline because nobody knew the controller was connected to it.
Proper network segmentation prevents all of this. It requires the network design — VLAN allocation, switch configuration, firewall rules — to be completed before the security installer arrives on site, not after. In practice, this means the managed network provider needs to be part of the access control project scoping conversation, not brought in as an afterthought when the system is already installed and already failing.
For more on network segmentation principles in apartment buildings, see Secure Network Design for Apartment Buildings.
Mobile Credentials and What They Need
Mobile credential systems — where a resident uses their smartphone as a key, typically via Bluetooth or NFC — have become standard in newer strata developments and are increasingly retrofitted into existing buildings.
The credential delivery model in these systems is cloud-to-phone, not building-network-dependent. When a strata manager issues a credential to a resident's smartphone via the management portal, the platform sends the credential to the resident's phone over the internet through the mobile credential app. The building network is not involved in that transaction.
However, the access controller still needs reliable cloud connectivity to validate the credential at the door. The exact validation model varies by vendor: some systems validate the credential locally against a cached database (offline-capable), others require a real-time cloud check at the moment of presentation. For real-time validation systems, if the building's internet connection is down or the access control VLAN cannot reach the cloud platform at the moment a resident presents their phone, the door does not open.
This is frequently misunderstood during sales conversations. Mobile credentials do not reduce the building's network dependency — in real-time validation systems, they increase it. A lost fob affects one resident. A building internet outage in a real-time validation system affects every resident using mobile credentials simultaneously.
Understanding which validation model a vendor uses — cached local versus real-time cloud — is a meaningful technical question to ask during procurement. It has direct implications for the business continuity requirements of the building's internet connection.
Access Logs and Their Practical Value for Strata Managers
Every credential read — every fob tap, every PIN entry, every phone presented at a reader — generates a timestamped audit log entry in the cloud management platform: which credential, which door, which time, and whether access was granted or denied.
For strata managers, this is practically and legally valuable across several recurring scenarios:
Disputed contractor access. A tradesperson claims they attended on a Tuesday morning; the owner says no one came. The access log records every entry and exit through the controlled doors. If the credential was presented, the log shows it.
Unauthorised entry investigations. A shared facility was used outside permitted hours. The log identifies which credential was used and when.
Key fob deactivation after a resident vacates. When a tenant moves out, the strata manager deactivates the credential in the portal. The log provides a clean record of when access was terminated.
Post-incident review. In the event of a security incident, the access log provides a timestamped sequence of building movements that may be relevant to police or insurers.
The reliability of these logs depends entirely on the network infrastructure underneath the system. If the access controller loses cloud connectivity periodically — because the VLAN is misconfigured, the firewall rules are incorrect, or the building internet connection is unreliable — log entries are incomplete. The controller buffers entries locally during outages and uploads them when connectivity is restored, but extended or repeated outages create gaps. In an incident investigation, a gap in the access log is a significant problem.
Reliable access logs require reliable connectivity. That starts with the managed network layer.
What Pickle Manages
Pickle provides and manages the network infrastructure that access control systems run on in strata and apartment buildings across Australia. This includes:
- Managed PoE switches — correctly specified for the PoE budget required by access control hardware, configured with appropriate VLANs, and remotely monitored
- VLAN configuration — access control isolated from resident internet, building Wi-Fi, CCTV, and building management systems
- Firewall rules — outbound access from the access control VLAN to vendor cloud endpoints, with all other access blocked at the firewall
- Building internet connection — the connection the controller communicates through, managed and monitored with appropriate SLAs for a building with security-critical systems
When an access control system is reported as down, the first diagnostic questions are always network-layer: is the controller reachable on the switch? Can it resolve DNS? Can it reach its cloud endpoints? Is the firewall passing the required traffic?
With Pickle's managed network, those questions are answered immediately — from the management platform, without anyone needing to attend the building. In a building where the network is managed by an unrelated party, or not managed at all, answering those same questions can take days of coordination between the strata manager, the security installer, and an ISP, while residents cannot enter their car park.
Strata managers who want to understand how Pickle approaches building network design — covering access control, CCTV, intercom, and resident services on a single managed infrastructure — can start at the Strata Management Communications page.
For the intersection of access control and CCTV network requirements, see CCTV Network Design in Strata Buildings.
For a broader look at cybersecurity considerations in connected buildings, see Cyber Security in Smart Buildings.
For IP video intercom — which shares much of the same network infrastructure as access control — see IP Video Intercom Systems for Strata Buildings.
Frequently Asked Questions
Q: Can access control work during an internet outage?
A: Most modern IP access controllers maintain a local credential database and continue to grant or deny access based on that cached data during an internet outage. The door still opens for valid credentials. What stops working is the cloud management portal — the strata manager cannot add or remove credentials, view live logs, or receive alerts until connectivity is restored. Mobile credential systems with real-time cloud validation also stop functioning during outages. The duration of acceptable outage depends on the vendor's local caching behaviour — this should be confirmed during procurement, particularly for buildings with high credential turnover.
Q: Who is responsible for the network underneath the access control system?
A: In most strata buildings, this responsibility is unclear and frequently contested when something fails. The security installer is responsible for the access control hardware and software. The internet service provider is responsible for the internet connection. The building's managed network provider — if one exists — is responsible for the switches, VLANs, and firewall in between. When these are separate parties with no shared visibility, diagnosing a connectivity failure requires coordinating all three simultaneously. Pickle consolidates managed switches, VLAN configuration, firewall management, and the building internet connection under a single managed service, which means a single point of accountability when the access control system loses connectivity.
Q: Can the strata manager deactivate a lost fob immediately?
A: Yes — this is one of the most practical advantages of cloud-managed access control. The strata manager logs into the portal from any browser, locates the credential, and deactivates it. The controller syncs within seconds. From that point, the fob produces no response at any reader in the building. There is no need to attend the building, no need to contact a security installer, and no waiting for a service call. The controller must be online and connected to the cloud platform for the deactivation to push — which is why reliable network connectivity is not optional.
Q: Do we need a separate network for access control and CCTV?
A: Separate VLANs, yes — a separate physical network, no. Access control and CCTV should each sit on their own VLAN, isolated from each other and from resident services. Both VLANs can run on the same physical switch infrastructure, provided the switch is managed and the VLANs are correctly configured. The separation matters because CCTV generates high, continuous bandwidth from camera streams, and sharing a switch segment with access control without proper traffic management can cause the access controller to experience packet loss. QoS tagging on a managed switch addresses this. An unmanaged switch cannot provide this separation.
Q: What is the risk of putting access control on the same network as resident Wi-Fi?
A: The risks are meaningful. Residents on the same network segment as the access controller can potentially reach the controller's management interface — many access controllers expose a web admin port on the local network. A technically capable resident could modify access schedules, extract the credential database, or disrupt the controller. Beyond the deliberate threat, resident devices generate unpredictable network traffic that can interfere with time-sensitive access control communication. There is also a liability consideration: if an access control failure or security incident occurs and it is discovered the controller was on the resident network without VLAN isolation, the owners corporation is exposed. VLAN isolation is not an enhancement — it is a baseline requirement.
To talk through the network requirements for an access control upgrade or new installation in your building, contact the Pickle team. Call 1300 688 588 or email [email protected].