A Primer: Network Segmentation For Video Surveillance


By Darren Giacomini

Designing a surveillance system can be a complicated task, full of traps and pitfalls that leave an integrator frustrated with both the performance and the overall functionality of the system. Vendors' engineers typically design and test the video management system (VMS) platform on a simplified network, but real-life deployments are anything but simple.

Based on scale, expected growth, and the required level of availability, systems integrators face decisions about network segmentation. Creating Virtual Local Area Networks (VLANs) is not a new concept to the industry. For years integrators have been trying to decide when to segment surveillance networks, walking a fine line between increased complexity and improved system performance. In this article, we will dispel the myths and describe a systematic approach to network segmentation.

The effects of network segmentation on IP Camera Performance

In the early days of networking, stations shared a single medium (coaxial segments and later hubs), so every frame was repeated to every node. Each node's network interface was responsible for checking whether the destination matched its own physical (MAC) address and, if so, passing the frame up for processing.

Aside from the obvious security concern that any node could read every other node's traffic, there were performance issues to consider as well. As the number of devices on a network grew, the volume of traffic every single device had to examine grew with it, leading to a decline in functionality and performance.

Remember that even a frame not addressed to your own physical address still had to be received and examined before it could be discarded.

Let’s put it in a different context.
Imagine a typical meeting room. If we put ten people in that room and allowed all ten to hold conversations simultaneously, communication might still be possible, but it would be far from efficient.

Now take that same scenario and put one-hundred people in that meeting room, conduct those same conversations, and even basic communication would be impossible.

The same concepts apply to surveillance networking. If an integrator deploys ten network switches, all assigned to the default Virtual-LAN (VLAN), then proceeds to connect 200 IP-cameras to that network, it is the equivalent of putting two-hundred people in a single meeting room.

Broadcast, unknown-unicast, and multicast (BUM) traffic generated by the devices is flooded to every switch port in the VLAN and must therefore be received and examined by every device in the VLAN, making communication less than efficient. Multicast video streams are flooded the same way unless the switches run IGMP snooping, so a flat network that also carries multicast cameras is doubly exposed.

Every flooded frame is an interrupt that the IP camera's network sub-system and CPU must service, even if the frame is discarded immediately. As camera CPU utilization rises, the camera becomes less responsive, leading to latent PTZ control, degraded video, or complete loss of communication with the camera.
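The flooding behaviour described above is easiest to see with a small simulation. The following is an added illustration, not code from the article or from any switch vendor: a toy learning switch whose MAC table and flood set are both scoped per VLAN, with constructed port, VLAN and MAC values. It counts how many cameras must receive and examine a single broadcast (an ARP request, say) when 200 cameras share one VLAN versus when they are spread over several.

```python
"""Toy learning switch used to show how far one frame is flooded.

Added illustration, not code from the article or from any switch vendor.
Port, VLAN and MAC values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """The I/G bit (low bit of the first octet) marks a group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def cam_mac(i: int) -> str:
    """Constructed locally-administered MAC for camera number i."""
    return f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class Switch:
    """Minimal learning switch: MAC table and flooding are both scoped per VLAN."""

    def __init__(self) -> None:
        self.port_vlan: dict[int, int] = {}               # access port -> VLAN id
        self.mac_table: dict[tuple[int, str], int] = {}   # (vlan, mac) -> port

    def add_port(self, port: int, vlan: int) -> None:
        self.port_vlan[port] = vlan

    def forward(self, ingress: int, frame: Frame) -> tuple[str, set[int]]:
        """Return the traffic class and the set of egress ports that receive the frame."""
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, frame.src)] = ingress  # learn the sender
        # Flood set: every other port in the same VLAN, never a port in another VLAN.
        flood = {p for p, v in self.port_vlan.items() if v == vlan and p != ingress}
        if frame.dst == BROADCAST:
            return "broadcast", flood
        if is_multicast(frame.dst):
            # Without IGMP snooping a switch treats multicast exactly like broadcast.
            return "multicast", flood
        egress = self.mac_table.get((vlan, frame.dst))
        if egress is None:
            return "unknown-unicast", flood
        return "known-unicast", {egress}


def build_camera_network(n_cameras: int, n_vlans: int, first_vlan: int = 10) -> Switch:
    """One access port per camera, dealt round-robin across n_vlans VLANs."""
    sw = Switch()
    for port in range(n_cameras):
        sw.add_port(port, first_vlan + port % n_vlans)
    return sw


def hosts_touched_by_broadcast(n_cameras: int, n_vlans: int) -> int:
    """How many cameras must receive and examine one broadcast sent by camera 0."""
    sw = build_camera_network(n_cameras, n_vlans)
    _, ports = sw.forward(0, Frame(src=cam_mac(0), dst=BROADCAST))
    return len(ports)


if __name__ == "__main__":
    for vlans in (1, 4, 8):
        print(f"200 cameras in {vlans} VLAN(s): one ARP request reaches "
              f"{hosts_touched_by_broadcast(200, vlans)} other cameras")
```

With one VLAN, every one of the 200 cameras' periodic ARP, discovery and multicast frames lands on 199 other cameras; with four VLANs it lands on 49, and a unicast frame to a MAC the switch has already learned goes to exactly one port. Note that a frame addressed to a camera in another VLAN is an unknown unicast in the sender's VLAN and floods there, but never crosses into the other VLAN; reaching it is a routing decision, which is the subject of the next section.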

I often hear integrators complaining about the performance or stability of the VMS platform they are using. They will complain about cameras becoming unresponsive, dropping offline, and experiencing degraded video quality. In almost every case, the blame falls toward the VMS vendor or the IP-camera manufacturer, when nothing could be further from the truth.

After months of frustration and open technical support tickets, there is little to no resolution of the issue. The fact is, there are too many people in the meeting room to conduct efficient communications.

Segmenting the network shrinks each broadcast domain and lowers the load on the cameras' network sub-systems. In turn, CPU utilization at the IP cameras drops and performance stabilizes. The change is measurable: compare the broadcast and multicast packet counters on a camera-facing switch port before and after segmentation, and they should fall roughly in proportion to the reduction in VLAN membership.

In the end, it had nothing to do with either the VMS platform, or the IP-camera, but the underlying logical network infrastructure.

Myth: Network segmentation will result in performance loss

For years the physical security industry has propagated the myth that introducing segmentation and routing to a physical security network will result in performance loss.

There was a time when routing decisions were made by software-based routers that forwarded every packet on a general-purpose CPU, and those routers could be very problematic for real-time video and audio. Fortunately, those days are long gone.

With the introduction of Layer 3 switching in the switch chipset (ASIC), routing decisions between VLANs are made in hardware at line rate, with no measurable penalty compared to Layer 2 switching. The benefits of defining, or administratively scoping, the broadcast domain far outweigh the overhead of ASIC-based routing. The practical cost is operational rather than a matter of performance: once cameras and recorders sit in different VLANs, link-local discovery protocols such as ONVIF WS-Discovery no longer reach across the boundary, so cameras are added by address, and multicast video streams need IGMP snooping within each VLAN and multicast routing between them.

Fact: Scopes of the Broadcast Domains Define Failure Boundaries in the Network

I was consulting for a casino, and in the midst of analyzing their network, I discovered that over 4,000 devices were assigned to the default VLAN. While the network was set up for high availability, it was reliant on spanning-tree, and the entire network was a single broadcast domain. While I was reviewing my final report with the director of surveillance, I stressed that having that many devices in a single broadcast domain was not optimal; in fact, it was flat-out suicidal to the network.

Any broadcast storm, whether caused by a misbehaving device flooding traffic or by a forwarding loop that spanning tree failed to block, would have taken all 4,000 devices down at once. Every VLAN you define on a network can be viewed as a containment point for broadcast, unknown-unicast, and multicast (BUM) traffic: a storm in one VLAN does not cross into another.
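A storm is also easy to spot from ordinary switch port counters, which is the check worth having before a containment boundary is ever tested. The following is an added example, not code from the article: it takes two polls of per-port packet counters (field names mirror the IF-MIB ifInUcastPkts, ifInMulticastPkts and ifInBroadcastPkts objects that any SNMP poller returns; interface names and values are constructed) and flags ports whose BUM rate or BUM share looks like a storm, handling a 32-bit counter wrap and an idle port whose few ARPs would otherwise show as "100 % broadcast".

```python
"""Flag interfaces whose BUM traffic looks like a storm, from two counter snapshots.

Added illustration, not code from the article. Interface names and counter
values are constructed; the fields mirror IF-MIB ifInUcastPkts,
ifInMulticastPkts and ifInBroadcastPkts as an SNMP poller would return them.
"""
from __future__ import annotations
from dataclasses import dataclass

COUNTER_BITS = 32  # legacy ifIn*Pkts wrap at 2**32; use 64 for the ifHCIn*Pkts objects


@dataclass(frozen=True)
class IfCounters:
    ucast: int
    mcast: int
    bcast: int


def _delta(after: int, before: int) -> int:
    """Counter difference that survives a single wrap between polls."""
    return (after - before) % (1 << COUNTER_BITS)


def storm_suspects(
    before: dict[str, IfCounters],
    after: dict[str, IfCounters],
    interval_s: float,
    bum_pps_limit: float = 5000.0,
    bum_share_limit: float = 0.5,
    share_floor_pps: float = 100.0,
) -> list[tuple[str, int, float]]:
    """Return (interface, BUM pps, BUM share) for ports over either threshold.

    Two tests, because one alone misfires: the absolute pps limit catches a
    storm on a busy port, while the share test catches a port that is suddenly
    almost all flood traffic. The share test is only applied above
    share_floor_pps so that an idle port carrying a few ARPs a second
    (share 1.0) is not reported.
    """
    suspects = []
    for ifname, b in before.items():
        a = after.get(ifname)
        if a is None:
            continue  # interface disappeared between polls; nothing to compare
        bum = _delta(a.bcast, b.bcast) + _delta(a.mcast, b.mcast)
        total = bum + _delta(a.ucast, b.ucast)
        bum_pps = bum / interval_s
        share = bum / total if total else 0.0
        if bum_pps > bum_pps_limit or (bum_pps > share_floor_pps and share > bum_share_limit):
            suspects.append((ifname, round(bum_pps), round(share, 2)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


# Constructed 10-second poll of a camera access switch (values are made up).
SNAPSHOT_T0 = {
    "Gi1/0/1": IfCounters(ucast=4_210_000, mcast=12_000, bcast=8_100),    # normal camera
    "Gi1/0/2": IfCounters(ucast=3_990_000, mcast=11_500, bcast=7_900),    # normal camera
    "Gi1/0/7": IfCounters(ucast=1_000, mcast=300, bcast=(1 << 32) - 20),  # counter about to wrap
    "Gi1/0/24": IfCounters(ucast=0, mcast=0, bcast=140),                  # idle spare port
}
SNAPSHOT_T1 = {
    "Gi1/0/1": IfCounters(ucast=4_260_000, mcast=12_180, bcast=8_180),
    "Gi1/0/2": IfCounters(ucast=4_040_000, mcast=11_690, bcast=7_980),
    "Gi1/0/7": IfCounters(ucast=1_050, mcast=300, bcast=620_000),         # loop behind this port
    "Gi1/0/24": IfCounters(ucast=0, mcast=0, bcast=160),
}

if __name__ == "__main__":
    for ifname, pps, share in storm_suspects(SNAPSHOT_T0, SNAPSHOT_T1, interval_s=10):
        print(f"{ifname}: {pps} BUM pps, {share:.0%} of ingress frames")
```

On the constructed data only Gi1/0/7 is reported: the two healthy camera ports carry a few dozen BUM frames a second, and the idle port is all broadcast but at two packets a second. The same two thresholds (absolute rate and share of traffic) are what per-port storm-control features on managed switches enforce in hardware; polling them externally is how you learn a boundary is being tested before the VLAN behind it goes dark.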

In simplest terms, a VLAN can be viewed as a bulkhead on a ship. If there is a breach to the hull of a ship, the bulkheads are put in place to compartmentalize or limit the area that can intake water.

By compartmentalizing the ship with bulkheads, a breach of the hull is far less likely to be fatal, and the ship stays afloat. Imagine a ship with no bulkheads: a small breach near the bow would let water spread throughout the entire ship until it could no longer stay afloat.

When you run your entire network as a single VLAN, you are building a ship with no bulkheads, no safety, and no traffic containment. When things go wrong on the network, when a loop is induced, excessive broadcast traffic is generated, or flooding occurs, the result can be catastrophic. VLANs limit the blast radius; per-port storm-control thresholds and BPDU guard on camera-facing access ports limit the damage within one.

Too often in the physical security world, simplicity is achieved at the cost of functionality. It is tempting to take the switch and cameras out of the box and just plug them in.

But are you really saving money? If you have to roll trucks to the site over the next year trying to resolve video issues that are network related, you might just end up losing money.

While deciding how to segment the network requires some thought and planning, the benefits in both performance and traffic containment are well worth the effort. As the size and complexity of the surveillance network increase, it is imperative to build an underlying network infrastructure that can support both the growth and the anticipated performance.
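The planning itself can be made mechanical once the policy is fixed. The following is an added planning helper, not code from the article or from BCDVideo: given camera counts per location, it splits each location into VLANs of bounded size, sizes each VLAN's subnet for the planned hosts plus a gateway, and carves those subnets out of one supernet. The group names, camera counts, the 10.20.0.0/22 supernet, and the policy numbers (25 % growth headroom, at most 100 hosts per VLAN) are constructed assumptions for the example.

```python
"""Carve a surveillance supernet into right-sized camera VLANs.

Added planning helper, not code from the article. Group names, camera counts
and the 10.20.0.0/22 supernet in the usage below are constructed. Policy
assumptions: 25 % growth headroom, at most 100 hosts per VLAN, one gateway
address reserved per subnet.
"""
from __future__ import annotations
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix whose usable range holds `hosts` cameras plus a gateway.

    Usable addresses in a /p are 2**(32-p) - 2 (network and broadcast are
    unusable), so we need 2**(32-p) >= hosts + 3.
    """
    need = hosts + 3
    bits = max(2, math.ceil(math.log2(need)))
    return 32 - bits


def plan_vlans(groups: dict[str, int], supernet: str, max_hosts: int = 100,
               growth: float = 1.25, first_vlan: int = 100) -> list[dict]:
    """Split each camera group into VLANs of at most max_hosts planned cameras
    and allocate a subnet for every VLAN out of `supernet`.

    Blocks are handed out largest-first. Because every block is a power of two
    and the supernet base is aligned, a non-increasing size order keeps each
    subnet aligned to its own size without needing a free-list.
    """
    net = ipaddress.ip_network(supernet)
    vlans: list[dict] = []
    vid = first_vlan
    for name, cameras in groups.items():
        planned = math.ceil(cameras * growth)
        n_vlans = math.ceil(planned / max_hosts)
        per_vlan = math.ceil(planned / n_vlans)   # spread evenly, not 100/100/25
        for i in range(n_vlans):
            vlans.append({"vlan_id": vid, "name": f"{name}-{i + 1}",
                          "hosts": per_vlan, "prefix": prefix_for_hosts(per_vlan)})
            vid += 1

    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    for v in sorted(vlans, key=lambda v: v["prefix"]):   # smallest prefix = largest block
        size = 1 << (32 - v["prefix"])
        if cursor + size > end:
            raise ValueError(f"{supernet} cannot hold all planned VLANs")
        v["subnet"] = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{v['prefix']}")
        cursor += size
    return vlans


if __name__ == "__main__":
    demo = {"parking": 30, "lobby": 120, "casino-floor": 260}   # constructed counts
    for v in plan_vlans(demo, "10.20.0.0/22"):
        print(f"VLAN {v['vlan_id']:<4} {v['name']:<16} {str(v['subnet']):<18} "
              f"{v['hosts']} planned hosts")
```

For the constructed input this yields seven VLANs: two /25s for the lobby, four /25s for the casino floor and one /26 for parking, with every VLAN holding at most 100 planned cameras. The even split matters: 260 cameras with headroom become four VLANs of 82 rather than three full ones and a remainder, so no single broadcast domain sits at its ceiling on day one. If the supernet is too small the helper refuses rather than silently overlapping subnets.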

About The Author
Darren Giacomini is the Director of Networking at BCDVideo and has over 16 years of networking experience.

Source: bcdvideo.com