Dual NIC setup on your Blue Iris Machine

What you have shown above is a BI pc with only one NIC. If it has two, you are not showing the connections.
 
See this setup:
Network Topology 0.JPG
 
This ^
 
Thanks, I've corrected below. So, just to make sure I’ve got it, please take a look at the REVISED network diagram below.

Please confirm that:

  • The BI PC can see all BLACK devices AND all RED devices
  • ONLY the BI PC can see the RED devices
  • The RED devices see ONLY the BI PC and each other.
  • The RED devices can’t “phone home”.
  • The BI PC can access the Internet
Any other issues/considerations with the network design?
THANKS!


Proposed Network - corrected.jpg.png.
 
That will work, but you are eventually "trusting" the cameras that they won't talk on another subnet.

Odds are they won't, but I wouldn't do it myself because I'm paranoid
 
Thanks, but I'm not sure I follow. Can you please be more specific about your concern and how my proposed design introduces the issue?
 
They are in the same broadcast domain and there is no firewalling, so there is nothing stopping the camera from talking to anything else on the network even though it's not in the same subnet.

It could send out broadcast traffic, and it would hit everything. If a camera were compromised, it could easily access everything else on the network
 
So, if I'm understanding you correctly, in the network example you provided, the cams all hang off the same switch directly attached to the BIPC, so the cameras are, in effect, "quarantined" there. Whereas in my example, the cams are distributed around the network and not "quarantined"?

The physical location of my cams forces me into a network design like the one I provided. I physically can't get the cams to all connect to a single switch that, itself, is only connected to the BIPC. For this reason, is my situation a better candidate for VLAN?
 
NVR990, your situation would be a good application for VLAN. I have a similar situation with 30 cameras scattered across main lines. I implemented 3 VLANs and now my cameras are isolated from the internet. I had to replace some switches that didn’t support VLAN. I struggled with the concepts but got it working, and all my devices are on the same subnet (makes bookkeeping easy; others don’t recommend it) but different VLANs. I’m using 3 NICs in my BI.
It is simplest to understand one vendor's implementation of VLAN, as they use different terminology. I had Netgear switches and stayed with them.
 
Each cam is physically connected to the internet. Why bother with two NICs in the PC if they are not on separate wired networks?

If you physically cannot change the wiring, then replace the two POE switches with managed POE switches and set up VLANs.
 
The cams are on a different subnet than the router/gateway, so how can they see the Internet?
 
In an ideal world, they won't. However the whole reason for segregating them is because Chinese network devices cannot be trusted

Technically, there is nothing stopping them from sneakily accessing the rest of the network
 
They are physically connected. Your router will route to them. That is what routers do. Nothing is stopping any outside connection from seeing them either.
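
The concern raised in this thread is that cameras sharing a broadcast domain with the LAN are kept apart only by their IP addressing. As an added example (not posted by anyone in the thread), the Python script below audits flow records, such as those taken from a switch mirror port, against the isolation rules listed in the question; every MAC, IP address and subnet in it is an assumed, constructed value.

```python
import ipaddress

# Every address and MAC here is a constructed assumption, not a value from the thread.
CAM_NET = ipaddress.ip_network("192.168.2.0/24")  # RED: camera subnet
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # BLACK: home LAN behind the router
CAMERA_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
BROADCASTS = {CAM_NET.broadcast_address, LAN_NET.broadcast_address,
              ipaddress.ip_address("255.255.255.255")}

def audit_flow(src_mac, src_ip, dst_ip):
    """Return the isolation rules one observed flow breaks (empty list = compliant)."""
    if src_mac.lower() not in CAMERA_MACS:
        return []  # only camera traffic is judged here
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    findings = []
    # A camera that re-addresses itself is no longer held back by subnetting.
    if not src.is_unspecified and src not in CAM_NET:
        findings.append("OFF_SUBNET_SOURCE")
    if dst in BROADCASTS or dst.is_multicast:
        findings.append("BROADCAST")   # delivered to every port in the shared L2 domain
    elif dst in LAN_NET:
        findings.append("LAN_ACCESS")  # camera talking to a BLACK device
    elif dst not in CAM_NET:
        findings.append("EXTERNAL")    # leaving both subnets: possible phone-home
    return findings

def audit(flows):
    """Map each violating flow to its findings."""
    report = {}
    for flow in flows:
        findings = audit_flow(*flow)
        if findings:
            report[flow] = findings
    return report

# Constructed sample: (source MAC, source IP, destination IP) from a mirror-port capture.
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", "192.168.2.21", "192.168.2.10"),   # camera -> BI PC camera NIC
    ("aa:bb:cc:00:00:01", "192.168.2.21", "192.168.2.255"),  # subnet broadcast
    ("aa:bb:cc:00:00:02", "192.168.1.250", "192.168.1.1"),   # camera took a LAN address
    ("aa:bb:cc:00:00:02", "192.168.2.22", "203.0.113.5"),    # off-site destination
    ("11:22:33:44:55:66", "192.168.1.50", "192.168.1.1"),    # ordinary LAN PC
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, "->", ", ".join(findings))
```

On a VLAN-isolated or physically separate camera network, the same capture taken on the LAN side should contain no frames from camera MACs at all.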