Cisco 3560cx 12pd-s, setup isolated Vlan for my ip cameras and NVR

Hi Cisco Community. I would like to setup a separate DHCP pool for the cctv VLAN with a separate IP address range set the pool size to number of devices +1 and static bind them all, then set firewall rules to stop the home LAN from reaching the cctv VLAN except for the viewer ports. And set rules to stop the VLAN from reaching the lan and wan except for ports required for remote viewing and time sync and maintain the security of the network and not allow the cameras/nvr to talk out except for the remote viewing capability only.

I really appreciate all the help. I have no knowledge of doing this at all. If there is someone to create a config file and upload it to my switch would make things easier if possible of course.

Router is Asus Gt Ax-11000 Rog.

The switch is:  Cisco 3560cx 12pd-s. 


NVR : 192.168.X.XXX:XXXX

IP CAMERA 1 : 192.168.X.XXX:XXXX

IP CAMERA 2 : 192.168.X.XXX:XXXX

Thank you.

Depends on the setup where your Layer 3 SVI interface located

is this on router or switch (some time switch act as just Layer2)  rest everything will be done on router.

not sure what capable of your router can do the task :

Option1 Router as Gateway for all the VLAN and Switch just act as Layer2

Router to switch (create a Trunk and allow all the VLAN 

Router to Access control between the VLAN what to access and what to not access.

Option2 :

Switch act as Layer 3, so you create all the Layer 3 SVI associated with VLAN

you create a ACL to between VLAN to access or deny

check below guide example :


The acl logic applied to an SVI on a switch.
IN = traffic originating from with in vlan
OUT=  traffic originating from out  vlan



