IP Networking for Security Systems - Kings Engineer Helper

# IP Networking for Security Systems

Essential networking knowledge for security engineers installing IP-based CCTV and access control systems.

## IP Addressing Basics

### IPv4 Address Structure
An IP address consists of 4 octets (0-255):
“`
Example: 192.168.1.100
Binary: 11000000.10101000.00000001.01100100
“`

### Private IP Ranges
Use these for internal networks:

| Class | Range | Subnet Mask | Devices |
|——-|——-|————-|———|
| Class A | 10.0.0.0 – 10.255.255.255 | 255.0.0.0 (/8) | 16.7 million |
| Class B | 172.16.0.0 – 172.31.255.255 | 255.240.0.0 (/12) | 1 million |
| Class C | 192.168.0.0 – 192.168.255.255 | 255.255.255.0 (/24) | 254 |

**Common for security systems:** 192.168.x.x range

### Subnet Mask
Determines network vs host portion:

| Notation | Mask | Usable IPs |
|———-|——|————|
| /24 | 255.255.255.0 | 254 |
| /25 | 255.255.255.128 | 126 |
| /26 | 255.255.255.192 | 62 |
| /27 | 255.255.255.224 | 30 |
| /28 | 255.255.255.240 | 14 |
| /29 | 255.255.255.248 | 6 |

**Recommendation for CCTV:** /24 (254 devices) or /23 (510 devices)

### IP Address Planning

**Example Network Design:**
“`
Network: 192.168.1.0/24 (255.255.255.0)
Gateway: 192.168.1.1
Subnet: 192.168.1.0
Broadcast: 192.168.1.255
Usable: 192.168.1.1 – 192.168.1.254

Allocation:
– 192.168.1.1 : Router/Gateway
– 192.168.1.2-9 : Network equipment
– 192.168.1.10-49: Servers/NVRs
– 192.168.1.50-99: CCTV cameras
– 192.168.1.100-149: Access control
– 192.168.1.200-254: DHCP pool
“`

## Bandwidth Calculation

### CCTV Bandwidth Formula
“`
Total Bandwidth = (Bitrate × Number of Cameras) / 1000

Example:
– 16 cameras at 4 Mbps each
– Total = (4 × 16) / 1000 = 64 Mbps
“`

### Typical Bitrates

| Resolution | Frame Rate | Codec | Bitrate |
|————|————|——-|———|
| 1080p | 25fps | H.264 | 4-6 Mbps |
| 1080p | 25fps | H.265 | 2-4 Mbps |
| 4MP | 25fps | H.264 | 6-8 Mbps |
| 4MP | 25fps | H.265 | 3-5 Mbps |
| 8MP/4K | 25fps | H.264 | 10-16 Mbps |
| 8MP/4K | 25fps | H.265 | 5-8 Mbps |

### Storage Calculation
“`
Storage (GB) = (Bitrate × 3600 × 24 × Days) / (8 × 1024 × 1024)

Simplified:
Storage (GB) = Bitrate (Mbps) × 10.5 × Days

Example:
– 16 cameras × 4 Mbps = 64 Mbps
– 30 days recording
– 64 × 10.5 × 30 = 20,160 GB ≈ 20 TB
“`

### Network Capacity Planning

**Switch Capacity:**
– 100 Mbps switch: Max 12-16 × 4 Mbps cameras
– 1 Gbps switch: Max 120-160 × 4 Mbps cameras
– Allow 20% overhead for network traffic

## PoE (Power over Ethernet)

### PoE Standards

| Standard | Power | Voltage | Cable |
|———-|——-|———|——-|
| 802.3af (PoE) | 15.4W | 48V | CAT5e+ |
| 802.3at (PoE+) | 30W | 48V | CAT5e+ |
| 802.3bt (PoE++) | 60W/100W | 48V | CAT6a+ |

### PoE Budget Calculation

**Example:**
“`
Switch: 24-port PoE+ with 370W budget

Devices:
– 16 × Dome cameras (8W each) = 128W
– 4 × PTZ cameras (20W each) = 80W
– 2 × IR illuminators (15W each) = 30W
Total: 238W

Remaining: 370W – 238W = 132W (safe margin)
“`

### PoE Cable Length
– Maximum: 100 meters
– Typical loss: 5-10% at 100m
– Use CAT6 for high-power devices (PTZ, heaters)

## VLAN Configuration

### Why Use VLANs?
– Separate security traffic from IT network
– Reduce broadcast traffic
– Improve security
– Easier management

### Recommended VLANs

| VLAN | Purpose | ID | Subnet |
|——|———|—–|——–|
| Management | Switches, routers | 10 | 192.168.10.0/24 |
| CCTV | Cameras | 20 | 192.168.20.0/24 |
| Access Control | Readers, panels | 30 | 192.168.30.0/24 |
| Intercom | Video intercom | 40 | 192.168.40.0/24 |
| Guest | Visitor WiFi | 50 | 192.168.50.0/24 |
| Corporate | Business traffic | 100 | 10.0.0.0/16 |

### VLAN Configuration Example

**On managed switch:**
“`
# Create VLANs
vlan 20
name CCTV
vlan 30
name ACCESS_CONTROL

# Assign ports
interface gi1/0/1-16
switchport mode access
switchport access vlan 20

interface gi1/0/17-24
switchport mode access
switchport access vlan 30

# Trunk to router/NVR
interface gi1/0/25
switchport mode trunk
switchport trunk allowed vlan 20,30
“`

## Network Design Best Practices

### Physical Layout

**Star Topology (Recommended):**
“`
Router
|
Core Switch
/ |
SW1 SW2 SW3
/ | / / |
C C C C C C C C

(C = Camera, SW = Switch)
“`

**Avoid:** Daisy-chaining switches more than 2 deep

### Cable Management

**Color Coding:**
– Blue: Data network
– Yellow: Security/CCTV
– Red: Management
– Green: Telephony

**Labeling:**
– Both ends of every cable
– Include: Location, device, port
– Example: "B1-Room3-Cam04-SW2-P12"

### Redundancy

**For Critical Systems:**
– Dual NICs in NVR (teaming/bonding)
– Redundant switches (stacked)
– UPS on all network equipment
– Backup internet connection

## IP Camera Configuration

### Static IP vs DHCP

**Static IP (Recommended):**
– Cameras always at known address
– No risk of IP conflicts
– Easier troubleshooting
– Required for port forwarding

**DHCP (Acceptable if):**
– Small system (< 10 cameras)
– DHCP reservations used
– Dynamic DNS configured

### Camera IP Scheme

**Sequential numbering:**
“`
192.168.20.10: Front Door
192.168.20.11: Reception
192.168.20.12: Warehouse
192.168.20.13: Office 1
…
192.168.20.50: PTZ Dome
“`

### Port Configuration

**Standard Ports:**
| Protocol | Port | Use |
|———-|——|—–|
| HTTP | 80 | Web interface |
| HTTPS | 443 | Secure web |
| RTSP | 554 | Video stream |
| ONVIF | 80/443 | Camera discovery |
| NTP | 123 | Time sync |
| SMTP | 587 | Email alerts |

**Custom Ports (Recommended):**
Change from defaults for security:
– HTTP: 8080 instead of 80
– RTSP: 8554 instead of 554

## Troubleshooting

### Common Issues

**1. Camera Not Detected**
– Check cable with tester
– Verify PoE power (LEDs on switch)
– Confirm IP in correct subnet
– Try direct connection to laptop

**2. Poor Video Quality**
– Check bandwidth (switch saturation)
– Reduce bitrate or resolution
– Verify cable quality (CAT5e minimum)
– Check for interference sources

**3. Intermittent Connection**
– Test cable continuity
– Check for loose connections
– Verify PoE budget not exceeded
– Update camera firmware

**4. High Latency**
– Check network utilization
– Reduce hop count (switch depth)
– Enable QoS on switches
– Use dedicated security network

### Diagnostic Commands

**Ping Test:**
“`bash
ping 192.168.20.10
# Should respond < 1ms on local network
“`

**Check ARP Table:**
“`bash
arp -a
# Shows IP to MAC address mappings
“`

**Port Scan:**
“`bash
nmap 192.168.20.10
# Shows open ports on camera
“`

**Bandwidth Test:**
“`bash
iperf3 -c 192.168.20.10
# Tests available bandwidth
“`

### Network Tools

**Free Tools:**
– Advanced IP Scanner – Device discovery
– Wireshark – Packet capture
– iperf3 – Bandwidth testing
– nmap – Port scanning
– PuTTY – SSH/Telnet

## Security Considerations

### Network Segregation
– Keep security network separate from corporate
– Use VLANs or physical separation
– Firewall between networks

### Camera Security
– Change default passwords
– Disable unused services (Telnet, FTP)
– Enable HTTPS only
– Update firmware regularly
– Disable UPnP

### Remote Access
– Use VPN (recommended)
– Or: Port forwarding with restrictions
– Change default ports
– Enable 2FA where possible
– IP whitelist if static

## Documentation

### Network Diagram
Create showing:
– IP addresses
– VLANs
– Switch ports
– Cable routes
– Internet connection

### Device List
Maintain spreadsheet:
– IP address
– MAC address
– Location
– Username/password
– Firmware version
– Installation date

## Quick Reference

### Subnet Cheat Sheet

| CIDR | Mask | Hosts | Example |
|——|——|——-|———|
| /24 | 255.255.255.0 | 254 | 192.168.1.0/24 |
| /25 | 255.255.255.128 | 126 | 192.168.1.0/25 |
| /26 | 255.255.255.192 | 62 | 192.168.1.0/26 |
| /23 | 255.255.254.0 | 510 | 192.168.0.0/23 |
| /22 | 255.255.252.0 | 1022 | 192.168.0.0/22 |

### Power Budget Quick Reference

### Bandwidth Quick Reference

—

*Last updated: February 2026*
*For security engineers and installers*