Available network topology options

Stdaver6

n3wb
Joined
May 24, 2021
Messages
13
Reaction score
18
Location
Canada
I am currently setting up a camera system which will end up being approximately 12 cameras total (4 on the way now). I just set up my Ubiquiti network with USG and 8 port poe switch, so I am able to create VLANs to make things secure, etc. I will need to get another larger switch and may deploy the 8 port poe switch for cameras for now.

My hope is that I can use my existing desktop PC for BI and also use it for everyday tasks that require the internet and access the cameras directly from it. I am not opposed to having a dual nic setup, but isn't that used when people don't have a VLAN capable network? What is the best option for me to meet a standard of security but be able to access the internet and cameras?

My original idea was to have the main switch with a VLAN on the one port that was daisy-chained to the cameras switch and isolated from the network. One ethernet port on the PC would go to the main switch for internet access and the other to the camera poe switch for access to the internet and everyday tasks. I would be able to manage that poe switch with the unifi controller this way, so I thought this would be a benefit and give more control.

Would I be better to just do the typical 2 nic setup with the switch downstream from the PC and physically isolated and forget VLANs? I would still have access to the internet through the other ethernet port, correct?

Sorry if this is an ignorant question/topic. Ultimately, I want to be able to view cams and access the internet from one PC and be as secure as possible doing so. Thank you for any guidance you can provide. Cheers.
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,690
Location
New Jersey
The most secure method is to simply add a second NIC to the BI machine and connect all the cameras to that interface using a totally different subnet. No need for VLAN rules and exceptions that way, and it's as close to an air gap as you can get without actually air gapping them.
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
If you know how to work VLANS and have intermediate to advanced level networking skills, then VLANS are the way to go. It's really about what you are comfortable doing. VLANS are designed for network segregation using the same interface.
 

Stdaver6

Thanks guys for the responses. I guess I am weighing the pros and cons of each approach. There are a million ways to skin a cat. Picking cams was easy but figuring out the best approach for networking has been a challenge. I got my cameras yesterday so I think I will play around with the switch I have, working with vLANs and seeing what is possible and upgrade to a 24port poe switch if I am happy with the results. If I hit any road blocks, I might try the dual nic setup and forget about vLANS. Cheers.
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
I chose the dual NIC route as I do not know anything about VLANS and really did not want to spend the time on it. The dual-NIC is simple to install and simple to troubleshoot. Here are a couple of diagrams for you.

This one is a typical dual-NIC setup
Network Topology 0B.JPG

This next one would be a setup that you could use if the switch (black) supports VLANS.
Network Topology 2.JPG
If the black switch above was also a POE switch, you could get by with hanging all of the cams off of it and drop the red POE switch. Segregation of the network components would be done in the switch via VLANS.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Go dual NIC. Easy peasy.
I started off long long long ago (2 years?) doing dual NIC. Fastest way to set up a 99.999% secure system.
I acquired a Ubiquiti UDM and 48port POE switch and use VLANS and subnets now. Many hours of scratching my head to make things work. Hours? I mean...days :) I have other reasons to have gone the VLAN / subnet route... else I would have stayed dual NIC.
 

Stdaver6

> I chose the dual NIC route as I do not know anything about VLANS and really did not want to spend the time on it. The dual-NIC is simple to install and simple to troubleshoot. Here are a couple of diagrams for you.
>
> This one is a typical dual-NIC setup
> View attachment 91869
>
> This next one would be a setup that you could use if the switch (black) supports VLANS.
> View attachment 91870
> If the black switch above was also a POE switch, you could get by with hanging all of the cams off of it and drop the red POE switch. Segregation of the network components would be done in the switch via VLANS.

This is a huge help. I appreciate you providing these diagrams. This definitely gives me some options to play with depending on how ambitious I feel;)
 

Stdaver6

> Go dual NIC. Easy peasy.
> I started off long long long ago (2 years?) doing dual NIC. Fastest way to set up a 99.999% secure system.
> I acquired a Ubiquiti UDM and 48port POE switch and use VLANS and subnets now. Many hours of scratching my head to make things work. Hours? I mean...days :) I have other reasons to have gone the VLAN / subnet route... else I would have stayed dual NIC.

I appreciate the input! Getting a NIC card is fairly cheap so I might get one for the fun of it. I am not a network engineer so I am sure I would be in the same boat as you unless someone had already laid out the foundation for me online. From one video I watched, the guy from "The Hookup" on YouTube said he was having image quality issues with his Ubiquiti vLANs and had to try another way to make it work (IP-based). I will have to watch the video again to see what he did exactly. I want to treat this like a learning experience, so I might try my hand at vLANS and fall back on the 2nd NIC if I have to. I want to setup vLANS anyway for some IoT devices/Guest network and not sure if it is much more difficult to vLAN a camera system? We will see...Thanks!
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
> I appreciate the input! Getting a NIC card is fairly cheap so I might get one for the fun of it. I am not a network engineer so I am sure I would be in the same boat as you unless someone had already laid out the foundation for me online. From one video I watched, the guy from "The Hookup" on YouTube said he was having image quality issues with his Ubiquiti vLANs and had to try another way to make it work (IP-based). I will have to watch the video again to see what he did exactly. I want to treat this like a learning experience, so I might try my hand at vLANS and fall back on the 2nd NIC if I have to. I want to setup vLANS anyway for some IoT devices/Guest network and not sure if it is much more difficult to vLAN a camera system? We will see...Thanks!

I do have my Blue Iris machine & cameras all on the same "CAMERA" vlan subnet, just for that reason (not to tax the firewall computing power). Via firewall walls, "CAMERA" subnet is totally blocked (I additionally block all individual camera IP's and MAC addresses just to play it safe)...however, I do allow the Blue Iris machine access to the internet.
What would happen if I had Blue Iris on a different subnet from the cameras, in regards to taxing the router? Dunno's.
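
The policy described in the post above (CAMERA subnet blocked from the internet, Blue Iris machine allowed out), as an added example that is not part of the original post. It assumes the firewall evaluates outbound rules in order with the first match winning; the subnet, addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the thread gives no real subnets or IPs.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
BI_HOST = ipaddress.ip_address("192.168.50.10")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src: ipaddress.IPv4Network       # source range the rule applies to


def evaluate(rules, src_ip, default="accept"):
    """Return (action, rule name) for outbound traffic from src_ip; first match wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in rule.src:
            return rule.action, rule.name
    return default, "default"


def audit(rules, cameras, bi_host=BI_HOST):
    """List the ways a rule set departs from the policy stated in the post."""
    findings = []
    if evaluate(rules, bi_host)[0] != "accept":
        findings.append(f"Blue Iris host {bi_host} cannot reach the internet")
    for cam in cameras:
        action, name = evaluate(rules, cam)
        if action != "drop":
            findings.append(f"camera {cam} reaches the internet via rule '{name}'")
    return findings


BI_ALLOW = Rule("allow-bi-out", "accept", ipaddress.ip_network(f"{BI_HOST}/32"))
CAM_DROP = Rule("drop-camera-out", "drop", CAMERA_NET)

GOOD_ORDER = [BI_ALLOW, CAM_DROP]    # exception first, then the subnet block
BAD_ORDER = [CAM_DROP, BI_ALLOW]     # subnet block shadows the exception
CAMERAS = ["192.168.50.101", "192.168.50.102"]   # constructed camera IPs

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, audit(rules, CAMERAS) or "policy holds")
```

With the block rule listed first, the cameras stay blocked but the Blue Iris exception never matches; with no block rule at all, the cameras fall through to the default accept.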
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
FWIW, I have my BI PC upstairs and rarely actually sit at that machine. I added an Intel NIC PCI card to that machine. I have a different PC in my office downstairs. That motherboard has dual ethernet ports so I did not need to add an NIC PCI card. But that office PC is on both sub-nets by utilizing both ethernet jacks. Below is how I have it set up. This allows me to directly log in to any cam's web GUI from either PC, yet keeps the cams physically isolated from the internet and the rest of my home network.

Network Topology 4.JPG
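
A sanity check for the dual-NIC layout described above, as an added example that is not part of the original post. The three conditions it tests (separate subnets, no default gateway on the camera NIC, no IP forwarding on the PC) are this example's assumptions about what keeps the camera side isolated; the interface names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Nic:
    name: str
    cidr: str                  # address/prefix assigned to the interface
    gateway: Optional[str]     # default gateway, None if unset
    forwarding: bool = False   # True if the OS forwards packets arriving here


def audit_dual_nic(lan: Nic, cam: Nic):
    """Return findings that would weaken the isolation of the camera NIC."""
    findings = []
    lan_net = ipaddress.ip_interface(lan.cidr).network
    cam_net = ipaddress.ip_interface(cam.cidr).network
    if lan_net.overlaps(cam_net):
        findings.append(f"{cam.name} subnet {cam_net} overlaps {lan.name} subnet {lan_net}")
    if cam.gateway is not None:
        findings.append(f"{cam.name} has a default gateway ({cam.gateway}); the camera side needs none")
    if lan.gateway is None:
        findings.append(f"{lan.name} has no default gateway; the PC loses internet access")
    elif ipaddress.ip_address(lan.gateway) not in lan_net:
        findings.append(f"{lan.name} gateway {lan.gateway} is outside {lan_net}")
    for nic in (lan, cam):
        if nic.forwarding:
            findings.append(f"{nic.name} has IP forwarding enabled; the PC would route between subnets")
    return findings


# Constructed sample configurations.
LAN = Nic("home-lan", "192.168.1.50/24", "192.168.1.1")
CAM_OK = Nic("camera-lan", "10.0.50.1/24", None)
CAM_BAD = Nic("camera-lan", "192.168.1.200/24", "192.168.1.1", forwarding=True)

if __name__ == "__main__":
    for cam in (CAM_OK, CAM_BAD):
        print(cam.cidr, audit_dual_nic(LAN, cam) or "isolated")
```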
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,550
Location
USA
> I appreciate the input! Getting a NIC card is fairly cheap so I might get one for the fun of it. I am not a network engineer so I am sure I would be in the same boat as you unless someone had already laid out the foundation for me online. From one video I watched, the guy from "The Hookup" on YouTube said he was having image quality issues with his Ubiquiti vLANs and had to try another way to make it work (IP-based). I will have to watch the video again to see what he did exactly. I want to treat this like a learning experience, so I might try my hand at vLANS and fall back on the 2nd NIC if I have to. I want to setup vLANS anyway for some IoT devices/Guest network and not sure if it is much more difficult to vLAN a camera system? We will see...Thanks!

Keep in mind the hookup said that reolinks are great cameras, so consider what he says....

And plus whatever that dual NIC is the simplest and easiest way to go. Setting up VLANS has to be on a capable switch that can pass the data needed. The beauty of the dual NIC is not one bit of data goes thru any device that other stuff is connected to. You set up a complicated VLAN on a less than capable switch and you may have problems.

 

Stdaver6

> Keep in mind the hookup said that reolinks are great cameras, so consider what he says....
>
> And plus whatever that dual NIC is the simplest and easiest way to go. Setting up VLANS has to be on a capable switch that can pass the data needed. The beauty of the dual NIC is not one bit of data goes thru any device that other stuff is connected to. You set up a complicated VLAN on a less than capable switch and you may have problems.

Yes, I was going to caveat that I should take his information with a grain of salt. Ubiquiti obviously didn't pay him enough in the video I watched to tout them that hard...

You make a great point about additional traffic through the switch, mirroring what holbs was alluding to. I think the switch I would be getting should be able to handle all of the camera feeds but that is only a guess. I have four T5442's now and looking to have at least 3 times that at least so I may be putting additional, needless traffic through it.

I am also factoring in cost as well (at least my wife is). My 8 port switch is meeting my needs at the moment for other network usage. I could get a decent 16 port poe switch for the cameras $150-200 (just a guess) and add a dual nic card for $50 (I'm in Canada so everything is more $$) and call it done. If I went VLAN I would need to get a bigger switch like the 24 port for $500. It's not a fair apples to apples comparison as the latter setup would allow for future expansion in my home network.

You guys all make great points and have given me a lot to think about! Thank you!

Edit: The 8 port switch is JUST MEETING my home network needs so a larger poe capable (for AP's) switch is in my sights anyway. It may end up being cheaper to just bite the bullet and get the 24 port off the bat. Hmmm.
 

wittaj

Those of us that use the dual NIC system will then simply put any IoT onto the guest network of the router. That puts it on its own IP address range and isolates that traffic from the rest of the network. Kinda like the poor man VLAN lol. I am sure a network guru will say that isn't as secure as a VLAN and what not, but for most it will work fine.
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
Realize that there are pros and cons to using one big switch versus a few smaller switches.

In my situation, I have 22 total cams connected, 18 of which are POE powered. Those 18 POE cams are spread out over 4 POE switches. If I lose a POE switch, most of my system still is recording. I have it set up such that multiple cams that cover similar areas are spread out over two or three POE switches. Yes this is more equipment and eats a little more electricity, but I have more versatility and redundancy.
 

Stdaver6

> Realize that there are pros and cons to using one big switch versus a few smaller switches.
>
> In my situation, I have 22 total cams connected, 18 of which are POE powered. Those 18 POE cams are spread out over 4 POE switches. If I lose a POE switch, most of my system still is recording. I have it set up such that multiple cams that cover similar areas are spread out over two or three POE switches. Yes this is more equipment and eats a little more electricity, but I have more versatility and redundancy.

Good point. I like the efficiency and ease of management of one switch but I would be out of luck if it went down. Turn-around to get a new one would likely be a week at best given where I live, so it is something to consider. I am home-running all of my cables to a central location in the basement and would want everything to fit on my 8u rack but I could start with an 8 port switch and add another 8 port when it was needed and build a bit of redundancy over time. More to think about!
 

Stdaver6

> FWIW, I have my BI PC upstairs and rarely actually sit at that machine. I added an Intel NIC PCI card to that machine. I have a different PC in my office downstairs. That motherboard has dual ethernet ports so I did not need to add an NIC PCI card. But that office PC is on both sub-nets by utilizing both ethernet jacks. Below is how I have it set up. This allows me to directly log in to any cam's web GUI from either PC, yet keeps the cams physically isolated from the internet and the rest of my home network.
>
> View attachment 91884

I purchased a second NIC card for my current PC in anticipation of using my current PC for BI. I ended up buying a Dell 7040 locally as it was such a good deal and it already had a second NIC card in it, so I think I will be following your topology above. This seems like a great way to go. Cheers.
 