ctbrown

Member
Jan 7, 2006
I’m considering getting a dedicated unmanaged switch to separate 8 IP cameras, two POE switches and one NVR from my main network. The idea is to isolate the network traffic going between cameras and NVR. The uplink from the dedicated switch would in turn be connected to the 16-port unmanaged switch which is the main backbone of my home network. The thought is that the only traffic going onto the main network would occur when I remotely connect to the NVR to view recorded video. Will this work to keep the camera bandwidth off of the main network?
 

Gryz

Golden Member
Aug 28, 2010
Yes.

Best would be to not connect the 2 networks via a switch, but via a router. E.g. if you already have a router connected to your outgoing Internet connection, and that router has 2 ports, you could maybe connect both ethernet networks (the main one, and the camera one) to that router. Give them 2 different subnets. You might even be able to configure some ACLs (if the router supports that). (ACL is access control list.) Anyway, a router would give you more control over what traffic goes where.
 

ctbrown

Member
Jan 7, 2006
Yes.

Best would be to not connect the 2 networks via a switch, but via a router. E.g. if you already have a router connected to your outgoing Internet connection, and that router has 2 ports, you could maybe connect both ethernet networks (the main one, and the camera one) to that router. Give them 2 different subnets. You might even be able to configure some ACLs (if the router supports that). (ACL is access control list.) Anyway, a router would give you more control over what traffic goes where.

Would having two separate subnets make it more difficult to access? Currently, I am able to access and control individual cameras and NVR simply by typing the local IP addresses in a browser. I do have four unoccupied ports on my router (Verizon Quantum Gateway), so it would not be too much effort to connect the dedicated switch directly to the router instead of the 16-port main switch.
 

ctbrown

Member
Jan 7, 2006
Why not a used L3 gigabit switch and do VLANs? They are a dime a dozen on eBay; you can even get a PoE switch for your IP cameras if they are PoE capable.

Example, not recommendation

https://rover.ebay.com/rover/0/0/0?mpre=https://www.ebay.com/ulk/itm/253002111404

I appreciate the suggestion, but it seems a bit overkill for what I'm trying to accomplish, seeing as this is a home network. The 8 cameras are POE and already connected to 2 unmanaged POE switches, and the idea was to plug the POE switches and NVR into a cheap (~$25) unmanaged 5-port switch which in turn would be connected to the main switch (or router). In my current set-up, everything is plugged into my 16-port unmanaged switch (POE switches, NVR and a whole ton of other stuff).

Another goal which I didn't mention in my original post was to physically separate the cameras and NVR from the main network as much as possible for security purposes. As such, I could keep NVR and dedicated switch hidden somewhere.
 

Gryz

Golden Member
Aug 28, 2010
Would having two separate subnets make it more difficult to access?
That depends on how you set up the routing. With routing (layer-3) instead of switching (layer-2) you can configure your devices in such a way that some subnets can reach or not reach other specific subnets. If you want real security, you need to configure ACLs. But not having routing work is already a big enough hurdle to stop certain attacks. Not sure if security is your goal. If you want to separate traffic to make your network robust, then routing is also a bit more robust than switching.
Currently, I am able to access and control individual cameras and NVR simply by typing the local IP addresses in a browser. I do have four unoccupied ports on my router (Verizon Quantum Gateway), so it would not be too much effort to connect the dedicated switch directly to the router instead of the 16-port main switch.
That also depends on whether you can configure your router to either route (layer-3) or switch (layer-2) between those ports.
 

mv2devnull

Golden Member
Apr 13, 2010
Would having two separate subnets make it more difficult to access?
No. You have now one subnet. If the destination is not in that subnet, then you send packets to the router. The router forwards your packets to other subnets.

If you do move some (camera) devices to another subnet, then they are no longer in your subnet. They will have new IP addresses, but you will know them.

When you reach for a camera, you will send to the router. The router will forward to the other subnet.
Just like your subnet, the other subnet will have the router as default gateway. The camera replies to you via the router.


The router may, with ACLs (aka firewall rules) decide to not forward (i.e. block/deny/reject) some connections. I have no idea what the Verizon Quantum Gateway can be configured to do.
 
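The two-subnet behaviour described in the last few posts, as an added example (not code from any poster): a host reaching a peer in its own subnet hands the frame to the switch and the router never sees it, while a host reaching the other subnet sends to its default gateway, where an ACL decides whether to forward. The subnets, addresses, port numbers and the ACL entries are assumptions chosen for illustration, with the camera subnet treated as the least trusted side.

```python
"""Added example, not code from any post: models the difference between a host
reaching a peer in its own subnet (the switch delivers it, the router never
sees it) and reaching the other subnet (the router forwards, and its ACL can
refuse). Subnets, addresses and the ACL are assumptions for illustration.
"""
import ipaddress

MAIN = ipaddress.ip_network("192.168.1.0/24")   # assumed main home LAN
CAMS = ipaddress.ip_network("192.168.2.0/24")   # assumed camera + NVR subnet
NVR = ipaddress.ip_network("192.168.2.10/32")   # assumed NVR address

# Router ACL, evaluated top-down, first match wins; anything unmatched is denied.
# Each entry: (source network, destination network, allowed dst ports or None = any, action)
ACL = [
    (MAIN, NVR, None, "permit"),          # view recorded video from the main LAN
    (MAIN, CAMS, {80, 443}, "permit"),    # camera web UIs from the main LAN only
    (CAMS, MAIN, None, "deny"),           # cameras never initiate into the main LAN
]


def host_decision(src, dst):
    """What the sending host does: same subnet -> ARP + switch, else default gateway."""
    for net in (MAIN, CAMS):
        if src in net and dst in net:
            return "direct"
    return "via-router"


def router_decision(src, dst, dst_port):
    """First matching ACL entry wins; an implicit deny closes the list."""
    for src_net, dst_net, ports, action in ACL:
        if src in src_net and dst in dst_net and (ports is None or dst_port in ports):
            return action
    return "deny"


def path(src, dst, dst_port):
    """Outcome for a new connection from src to dst:dst_port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if host_decision(src, dst) == "direct":
        return "direct"
    return router_decision(src, dst, dst_port)


if __name__ == "__main__":
    # Camera streaming to the NVR stays inside the camera subnet; the router never sees it.
    print("camera -> NVR (RTSP):", path("192.168.2.11", "192.168.2.10", 554))
    # A PC on the main LAN reaching the NVR is routed and permitted.
    print("PC -> NVR:", path("192.168.1.20", "192.168.2.10", 8000))
    # A camera trying to reach a PC on the main LAN is routed and denied.
    print("camera -> PC:", path("192.168.2.11", "192.168.1.20", 445))
```

The model assumes a stateful firewall on the router, so replies to a permitted connection (the NVR answering the PC) flow back without a separate rule. The same ACL has no effect if the two groups are joined by an unmanaged switch instead of a router, because every host is then in one subnet and every path is "direct".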

Red Squirrel

No Lifer
May 24, 2003
www.betteroff.ca
You need the first switch to be managed, otherwise it's still all the same network.

Get a managed switch for the main one, then make a vlan for the cameras, set one port on that vlan, then plug the unmanaged switch into that port for the cameras. Then at your firewall you can block/allow traffic between the vlans as needed.
 

ctbrown

Member
Jan 7, 2006
You need the first switch to be managed, otherwise it's still all the same network.

Get a managed switch for the main one, then make a vlan for the cameras, set one port on that vlan, then plug the unmanaged switch into that port for the cameras. Then at your firewall you can block/allow traffic between the vlans as needed.

I'm a little confused now. Shouldn't a network switch forward data only to the devices that need to receive it (even an unmanaged switch)? I'm not concerned about restricting access, and my primary goal is to keep the traffic between the camera and recorder from clogging up the network. So would having both camera and recorder on the same switch accomplish this?
 

sdifox

No Lifer
Sep 30, 2005
I'm a little confused now. Shouldn't a network switch forward data only to the devices that need to receive it (even an unmanaged switch)? I'm not concerned about restricting access, and my primary goal is to keep the traffic between the camera and recorder from clogging up the network. So would having both camera and recorder on the same switch accomplish this?

When a switch gets a packet, it examines the destination MAC address. If it doesn't know it, it will be broadcast to all ports.

Theoretically this should only happen once, since switches remember MAC addresses associated to ports.

example

computer A --- Switch a --- Switch b --- computer B

A sends a packet with B's mac, Switch a gets the packet, doesn't find the mac in its table, so it floods all its ports (except the port computer A is connected to of course) and switch b gets the packet.

Switch b checks the packet, forwards it to computer B if it knows which port B is on, if not it floods all ports.

Computer B gets the packet and sends a response. Switch b now knows which port it should forward all packets for computer A to and sends the packet to that port.

Switch a gets the packet from Switch b; it knows what port computer A is on and sends the packet to that port.
 
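The learning-and-flooding sequence in the post above, as an added example (not code from the poster): a toy model of two chained unmanaged switches with a third host C hanging off switch a. It shows that the first frame from A to B is flooded out every port (C sees it on its wire), but once both switches have learned the source MACs, A and B talk through the path ports only and C never sees another A/B frame. Device names, port numbers and MAC addresses are made up.

```python
"""Toy model of how unmanaged (learning) switches forward frames.

Added example for this thread, not code from any post. Topology is the
'computer A --- Switch a --- Switch b --- computer B' chain from the thread
plus a third host C on switch a. Names, ports and MACs are invented.
"""


class Host:
    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.uplink = None           # (switch, switch port) this NIC is plugged into
        self.wire_frames = 0         # every frame that arrived on this host's port
        self.received = []           # source MACs of frames actually addressed to us

    def receive(self, _port, src, dst, trace):
        self.wire_frames += 1
        if dst == self.mac:
            self.received.append(src)
        # frames for another MAC are silently dropped by the NIC

    def send(self, dst_mac):
        """Send one frame; return the switch ports it was forwarded out of, in order."""
        trace = []
        switch, port = self.uplink
        switch.receive(port, self.mac, dst_mac, trace)
        return trace


class Switch:
    def __init__(self, name):
        self.name = name
        self.links = {}              # port -> (neighbour device, neighbour's port)
        self.mac_table = {}          # learned: source MAC -> port it was seen on

    def receive(self, in_port, src, dst, trace):
        self.mac_table[src] = in_port                            # learn the source
        if dst in self.mac_table:
            out_ports = [self.mac_table[dst]]                    # known: one port
        else:
            out_ports = [p for p in self.links if p != in_port]  # unknown: flood
        for port in out_ports:
            trace.append(f"{self.name}:port{port}")
            neighbour, their_port = self.links[port]
            neighbour.receive(their_port, src, dst, trace)


def link(dev_a, port_a, dev_b, port_b):
    """Cable between two ports; hosts use port 0 for their single NIC."""
    for dev, port, other, other_port in ((dev_a, port_a, dev_b, port_b),
                                         (dev_b, port_b, dev_a, port_a)):
        if isinstance(dev, Switch):
            dev.links[port] = (other, other_port)
        else:
            dev.uplink = (other, other_port)


def build_topology():
    a, b, c = Host("A", "aa:aa"), Host("B", "bb:bb"), Host("C", "cc:cc")
    sw_a, sw_b = Switch("a"), Switch("b")
    link(a, 0, sw_a, 1)
    link(c, 0, sw_a, 2)
    link(sw_a, 3, sw_b, 1)      # uplink between the two switches
    link(b, 0, sw_b, 2)
    return a, b, c, sw_a, sw_b


def simulate():
    a, b, c, sw_a, sw_b = build_topology()
    first = a.send(b.mac)      # B unknown everywhere: both switches flood
    reply = b.send(a.mac)      # A already learned on both switches: no flooding
    second = a.send(b.mac)     # B now learned too: only the path ports carry it
    return {"first": first, "reply": reply, "second": second,
            "c_wire_frames": c.wire_frames,
            "mac_table_a": dict(sw_a.mac_table)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The `c_wire_frames` count is the security-relevant part of the poster's explanation: an unmanaged switch only keeps C off the A/B conversation as long as its MAC table stays correct, which is a performance optimisation, not an access control. Anything that evicts or confuses the table (a device that moves ports, a flooded table, an aged-out entry) puts traffic back on every port, which is why the later posts say isolation needs a VLAN or a router rather than a second switch.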

ctbrown

Member
Jan 7, 2006
When a switch gets a packet, it examines the destination MAC address. If it doesn't know it, it will be broadcast to all ports.

Theoretically this should only happen once, since switches remember MAC addresses associated to ports.

example

computer A --- Switch a --- Switch b --- computer B

A sends a packet with B's mac, Switch a gets the packet, doesn't find the mac in its table, so it floods all its ports (except the port computer A is connected to of course) and switch b gets the packet.

Switch b checks the packet, forwards it to computer B if it knows which port B is on, if not it floods all ports.

Computer B gets the packet and sends a response. Switch b now knows which port it should forward all packets for computer A to and sends the packet to that port.

Switch a gets the packet from Switch b; it knows what port computer A is on and sends the packet to that port.

So if I understand correctly, as long as everything stays plugged into the same port and the IP addresses are static, then the instances of all ports being flooded should be minimal, is that right?

Just curious, what would happen if the main switch is powered down (or stolen or destroyed), but the switch with cameras and recorder is still connected and powered on? Would the recorder still be able to receive a stream from the cameras?
 

mv2devnull

Golden Member
Apr 13, 2010
Some devices/protocols do send occasional broadcast traffic, but I bet Windows machines are way worse than cameras. Broadcast, by definition, propagates to all devices on the subnet.


That said, if you do connect a camera and NVR to your main switch and the switch memorizes the MAC addresses, then the unicast traffic between camera and NVR affects only those two ports of the switch and has no effect on the other ports of the switch. (Unless the switch has really weak entrails.)
 

Red Squirrel

No Lifer
May 24, 2003
www.betteroff.ca
Yes the packets may only travel a certain route, but they CAN travel another. So from a security standpoint you are not isolating anything by using a separate switch. If switch B is plugged into switch A and both are unmanaged or on the same vlan, any device on either switch can talk to either device on either switch.
 

ctbrown

Member
Jan 7, 2006
Thanks, this is all very helpful information. I'm not that concerned about security...meaning anyone on the local network can access cameras and recorder as long as they have the correct passwords. I just want to make sure Netflix, HTPCs, music streaming, downloads, etc. don't suffer in the event that all 8 cameras are simultaneously writing to the recorder.
 

mv2devnull

Golden Member
Apr 13, 2010
See section "Switch Performance Issues" in https://www.safaribooksonline.com/library/view/ethernet-switches/9781449367299/ch01.html

What you had(?) was two POE-switches and one NVR connected to the backbone 16-port switch. Traffic coming in from two ports (at most 2*1Gbps?) of the backbone switch and going out (1Gbps?) via third (to the NVR). That outgoing link will throttle down the inputs (from cameras). The internals of the backbone switch must be really weak, if the activity on those three ports affects the remaining 13 ports.
 

ctbrown

Member
Jan 7, 2006
See section "Switch Performance Issues" in https://www.safaribooksonline.com/library/view/ethernet-switches/9781449367299/ch01.html

What you had(?) was two POE-switches and one NVR connected to the backbone 16-port switch. Traffic coming in from two ports (at most 2*1Gbps?) of the backbone switch and going out (1Gbps?) via third (to the NVR). That outgoing link will throttle down the inputs (from cameras). The internals of the backbone switch must be really weak, if the activity on those three ports affects the remaining 13 ports.

Thanks for the link. Yes, this is my current setup and the 16-port switch is gigabit. Just to clarify, I have not noticed any network stuttering yet; however, I am running the cameras at only ~1/3 of the max bit-rate due to hard drive constraints. Once I get a better hard drive, I want to max out the video as much as I can (e.g. 4K at max frame-rate, bitrate, enable sub-streams etc.) and thus my concern about network traffic. FYI, I already have a real lot of stuff currently on the main switch.

The other question that I'm still trying to get answered is what happens if the main 16-port switch is powered down or disconnected? Will the NVR and cameras still be able to communicate via the dedicated switch and continue to record video? The reason I ask is that I would like to physically hide the NVR, POE switches and dedicated switch for security reasons in the event that there is a break-in and main switch is taken out.
 

mv2devnull

Golden Member
Apr 13, 2010
The other question that I'm still trying to get answered is what happens if the main 16-port switch is powered down or disconnected?
Put another way, you have some devices connected to switch A and one of them is switch B. What happens if switch B powers down? Obviously any devices connected to B cannot reach A any more. Does this matter to devices that are not connected to A via the B and talk only to each other?

How do these devices get their IP address? From DHCP? A DHCP server that is beyond the B? Yes, that server would become inaccessible if B turns off. At some point the DHCP clients want to renew their leases. The question is, how long do they cling to the old addresses?

How do they know each other?
Name set? (Depends on DNS.)
IP (of NVR) defined on cameras?
Broadcast?