Network structure question - separate vs single LAN

FLcardio

n3wb
Joined
Jul 3, 2020
Messages
2
Reaction score
0
Location
Florida, USA
Starting the process of planning a home PoE IP cam system (probably 6-8 cameras) for our new house, and as I think many here have found out, the more research I do the more I realize just how many different ways there are to structure a system. For background, I don't have any formal computer/network engineering background, though have also been comfortable with computers and networking (home networks, VPNs, IP devices, etc.). So not a complete noob.

Initially looking at one of the many standalone NVR systems out there (Dahua, Lorex, Amcrest) and came across Blue Iris and certainly interested in the flexibility.

My question relates to structuring the actual camera network.

From my understanding it seems like I have two options:
1. Everything on the main LAN. All cameras and NVR would reside on my LAN along with my computers. Obviously everything could talk to each other and I wouldn't run into issues with having to bridge across a subnet if I needed to directly reach a camera, though I understand that really isn't a big deal. I also understand the security risk inherent to this setup. Also a little concerned about the network congestion this could cause.

2. NVR and cameras on separate LAN. Seems like this is what the majority are doing with a dual NIC setup in BI. Also seems like this is what the majority of the stand alone NVRs do with their built-in PoE ports (or 2nd LAN port) creating a separate LAN for the cameras.

So obviously I'm assuming #2 is the preferred route for security and network traffic concerns.

About #1 though: I've seen some PoE Switches with 10/100 PoE ports and then 1 or 2 extra 10/100/1000 uplink ports. IF I went the route of putting all cameras on their own PoE switch, then sent one uplink to the NVR and the other uplink back to the main router this would keep everything on the same single LAN correct? In this case would there be any network congestion issues? Everything's on the same LAN though the cameras would be on their own switch with separate link to the NVR. Everything else (TVs, computers, phones) would be directly to main router. Obviously the security concerns are present with this setup.

Is there any advantage to keeping everything on the same LAN as in #1? I guess theoretically a little simpler set up (single NIC in a BI computer). I'm not sure though if these stand alone NVRs can be used in this way though it seems like most will recognize IP cameras on their "LAN" side.
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
248
Reaction score
165
My personal opinion is use a dedicated PC for Blue Iris as this will give you more flexibility and control rather than an NVR. Use a managed switch (preferably Layer 3) and have your home network on one vlan, the Blue Iris PC on another and your home network on a third. This will give you the security you need and the traffic from the cameras will be on its own network.

If you use a layer 2 managed switch, this will allow you to set up vlans, but you will need a router and some static routes set up on it to enable communication between the vlans. If you use a layer 3 managed switch, then you can enable inter-vlan routing and the switch will take care of the routing between the cameras, NVR, and home network; however, you will still need to set up some static routes.

If you have everything on the one vlan then it is all on the same network, which is a security concern as you have correctly stated. I don't have any experience with dedicated NVRs, however, since I like to be in control, a dedicated BI pc is what I have implemented.
 

FLcardio

n3wb
Joined
Jul 3, 2020
Messages
2
Reaction score
0
Location
Florida, USA
Thanks for the info. At this point managed switches and getting into that aspect of network management is above my knowledge level and I don't think I want to get into it. Setting up a dual NIC BI setup I'm OK with, and just directly accessing the cameras from the BI computer (or remote into it) I'm fine with.

Eventually would like to start playing with some automation as well with Home Assistant and I guess it can get tricky pretty quickly. I'm assuming if I start adding in a Home Assistant server and/or any other hubs for other devices that they should be on the separate IP cam LAN for ease of integration, OR would they be fine (besides security concerns) to keep on my main LAN since I guess they would just need to be able to reach the BI computer?
I've also seen some threads regarding setting up some static routes or using an extra router to sort of bridge and allow access between the two LANs.
 

reflection

Getting comfortable
Joined
Jan 28, 2020
Messages
348
Reaction score
261
Location
Virginia
> About #1 though: I've seen some PoE Switches with 10/100 PoE ports and then 1 or 2 extra 10/100/1000 uplink ports. IF I went the route of putting all cameras on their own PoE switch, then sent one uplink to the NVR and the other uplink back to the main router this would keep everything on the same single LAN correct? In this case would there be any network congestion issues? Everything's on the same LAN though the cameras would be on their own switch with separate link to the NVR. Everything else (TVs, computers, phones) would be directly to main router. Obviously the security concerns are present with this setup.
>
> Is there any advantage to keeping everything on the same LAN as in #1? I guess theoretically a little simpler set up (single NIC in a BI computer). I'm not sure though if these stand alone NVRs can be used in this way though it seems like most will recognize IP cameras on their "LAN" side.

There should not be any network contention issues if you set it up right. Most can do line rate on all ports. Switches are designed to store MAC addresses per port. They will only forward Ethernet frames out the port with the right MAC address. The only time that all ports get the frames is for BUM traffic (Broadcast, Unknown Unicast, or Multicast). Turn off all unnecessary traffic from your camera.
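
Added example, not part of any post in this thread: a minimal Python model of a VLAN-aware learning switch, illustrating the MAC-learning and BUM-flooding behaviour described in the reply above and the effect of the separate camera VLAN suggested earlier in the thread. The port layout, VLAN IDs and MAC addresses are constructed for illustration; routing between VLANs and multicast snooping are not modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
MDNS_MCAST = "01:00:5e:00:00:fb"   # multicast group MAC (constructed traffic)
CAM1 = "02:00:00:00:00:01"         # constructed camera MAC on port 1
NVR = "02:00:00:00:00:03"          # constructed NVR / Blue Iris MAC on port 3

class LearningSwitch:
    """Simplified Ethernet switch: access ports only, one VLAN per port."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port number -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port

    def receive(self, in_port, src, dst):
        """Process one frame and return the sorted list of egress ports."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src)] = in_port            # learn the sender
        group_bit = int(dst.split(":")[0], 16) & 1       # set for bcast/mcast
        known = self.mac_table.get((vlan, dst))
        if not group_bit and known is not None:
            # Known unicast: exactly one egress port (none if same port).
            return [] if known == in_port else [known]
        # BUM traffic: flood to every other port in the same VLAN only.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)

def trace(port_vlans):
    """Replay a constructed camera/NVR exchange; egress ports per frame."""
    sw = LearningSwitch(port_vlans)
    return {
        "unknown_unicast": sw.receive(1, CAM1, NVR),     # NVR not learned yet
        "broadcast": sw.receive(1, CAM1, BROADCAST),     # e.g. ARP request
        "nvr_reply": sw.receive(3, NVR, CAM1),           # switch learns NVR
        "stream": sw.receive(1, CAM1, NVR),              # video to the NVR
        "multicast": sw.receive(1, CAM1, MDNS_MCAST),    # discovery chatter
    }

# Ports 1-2: cameras, port 3: NVR, port 4: uplink to the home router.
FLAT = {1: 1, 2: 1, 3: 1, 4: 1}        # option 1: one LAN for everything
SPLIT = {1: 20, 2: 20, 3: 20, 4: 10}   # cameras + NVR in their own VLAN

if __name__ == "__main__":
    for name, layout in (("flat", FLAT), ("split", SPLIT)):
        print(name, trace(layout))
```

In both layouts the learned camera-to-NVR stream leaves only on port 3; the difference is that on the flat LAN the camera's broadcast, multicast and unknown-unicast frames also reach the uplink on port 4, while in the split layout they stay inside the camera VLAN.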
 