Network Architecture Planning
A well-designed network architecture ensures reliable camera connectivity, adequate bandwidth, and proper security isolation.
Dedicated CCTV Network
Best practice is to separate surveillance traffic from the general business network. Use VLANs to logically isolate camera traffic on shared physical infrastructure. This prevents surveillance data from impacting business operations and enhances security by limiting camera accessibility.
Bandwidth Requirements
Calculate total bandwidth requirements based on camera count and streaming quality. A 2MP camera at 15fps typically uses 2-4 Mbps. 4K cameras can use 8-16 Mbps per stream. Account for multiple simultaneous streams (recording plus live viewing). Size network infrastructure with 30-50% headroom for growth.
Network Topology
Star topology with cameras connecting to access switches is most common. Aggregate switches connect access switches to the core network. Consider redundant paths for critical infrastructure. Position switches to minimize cable runs while maintaining path diversity.
IP Address Management
Proper IP addressing simplifies management and troubleshooting while supporting future expansion.
Address Scheme Design
Allocate a dedicated subnet for surveillance equipment. Use a logical numbering scheme - for example, cameras 192.168.10.1-100, NVRs 192.168.10.200-210, workstations 192.168.10.220-230. Document all assignments in a spreadsheet or IP address management system.
Static vs DHCP
Static IP addresses are recommended for cameras to ensure consistent connectivity. If using DHCP, configure reservations tied to MAC addresses. Ensure DHCP lease times are long enough to prevent address changes during extended offline periods.
DNS Configuration
Configure local DNS entries for cameras and recording systems. Meaningful hostnames simplify identification during troubleshooting. Format example: CAM-BLDG1-LOBBY-01 or NVR-PRIMARY. Keep DNS records updated as equipment changes.
Camera Network Settings
Configure individual cameras for optimal network performance and integration.
Basic IP Configuration
Access the camera's web interface using its default IP address (consult documentation). Configure IP address, subnet mask, gateway, and DNS servers. Change default credentials immediately - use strong, unique passwords. Enable HTTPS for web interface access where available.
Streaming Configuration
Configure primary stream for recording at full resolution (H.265 preferred for storage efficiency). Set up secondary stream at lower resolution for live viewing and mobile access. Adjust bitrate settings based on scene complexity and network capacity. Variable bitrate (VBR) optimizes bandwidth but complicates capacity planning.
Time Synchronization
Configure NTP to ensure accurate timestamps across all cameras. Use a local NTP server or a reliable external source. Verify timezone settings match local requirements. Accurate time is critical for incident investigation and legal evidence.
NVR/VMS Configuration
The Network Video Recorder or Video Management System serves as the central hub for your surveillance network.
Camera Discovery and Addition
Most NVR systems support automatic camera discovery via the ONVIF protocol. Verify that discovered cameras match the expected equipment list. Add cameras manually if auto-discovery fails, using IP address and credentials. Configure camera names to match the physical labeling scheme.
Recording Settings
Configure recording mode for each camera - continuous, motion-triggered, or scheduled. Set retention periods based on compliance requirements and storage capacity. Configure pre-event and post-event recording buffers for motion-triggered recording. Establish recording quality settings per camera importance.
User Management
Create user accounts with role-based permissions. Operators may need live viewing only, while administrators require configuration access. Implement password policies including complexity requirements and expiration. Enable audit logging for all user actions.
Remote Access Configuration
Enabling secure remote access allows monitoring from anywhere while protecting system integrity.
VPN Access
VPN is the recommended method for remote access because it provides encrypted connectivity. Configure site-to-site VPN for permanent remote locations. Use client VPN for mobile administrators. Ensure VPN concentrator capacity supports expected concurrent connections.
Port Forwarding
If VPN is not available, port forwarding allows direct remote access. Forward only essential ports (typically 80/443 for web, RTSP 554 for video). Use non-standard external ports to reduce automated scanning exposure. Always enable HTTPS and change default ports where possible.
Cloud Services
Many modern systems offer cloud relay services that eliminate port forwarding requirements. Evaluate cloud service security certifications and data handling policies. Consider bandwidth costs for cloud-connected systems. Ensure adequate upload bandwidth at the site for cloud streaming.
Network Security
Protecting your surveillance network from cyber threats is essential.
Firewall Configuration
Implement firewall rules restricting camera communication to only necessary endpoints. Block internet access for cameras unless required for cloud services. Log and monitor all traffic crossing network boundaries.
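The following is an added example, not part of the original guide: a check of firewall new-connection records against a camera allowlist, so that traffic crossing the boundary or reaching cameras from unexpected hosts is flagged. The address ranges reuse the sample scheme from the Address Scheme Design section; the NTP/DNS host 192.168.10.250, the allowed services and the flow records are constructed assumptions.

```python
# Added example: check firewall connection records against a camera allowlist.
# Ranges follow this guide's sample scheme; INFRA, services and FLOWS are assumed.
import ipaddress

ip = ipaddress.ip_address
SURV_NET = ipaddress.ip_network("192.168.10.0/24")
CAMERAS = (ip("192.168.10.1"), ip("192.168.10.100"))
NVRS = (ip("192.168.10.200"), ip("192.168.10.210"))
WORKSTATIONS = (ip("192.168.10.220"), ip("192.168.10.230"))
INFRA = {ip("192.168.10.250")}                  # hypothetical NTP/DNS server
INFRA_SERVICES = {("udp", 123), ("udp", 53)}    # NTP, DNS
CAMERA_SERVICES = {("tcp", 443), ("tcp", 554)}  # HTTPS, RTSP

# Constructed new-connection records: (source, destination, protocol, port).
FLOWS = [
    ("192.168.10.200", "192.168.10.15", "tcp", 554),
    ("192.168.10.15", "192.168.10.250", "udp", 123),
    ("192.168.10.15", "203.0.113.7", "tcp", 443),
    ("192.168.10.221", "192.168.10.15", "tcp", 23),
    ("192.168.10.240", "192.168.10.16", "tcp", 554),
    ("192.168.10.16", "192.168.10.17", "tcp", 80),
]


def within(addr, bounds):
    return bounds[0] <= addr <= bounds[1]


def violation(src, dst, proto, port):
    """Return the reason a flow breaks policy, or None if it is allowed."""
    s, d = ip(src), ip(dst)
    if within(s, CAMERAS):                      # camera-initiated traffic
        if d not in SURV_NET:
            return "camera traffic leaving surveillance subnet"
        if within(d, NVRS) or (d in INFRA and (proto, port) in INFRA_SERVICES):
            return None
        return "camera contacting non-approved endpoint"
    if within(d, CAMERAS):                      # traffic aimed at a camera
        if not (within(s, NVRS) or within(s, WORKSTATIONS)):
            return "untrusted source reaching camera"
        if (proto, port) not in CAMERA_SERVICES:
            return "unexpected service on camera"
    return None


def audit_flows(flows):
    """Return (flow, reason) for every record that violates the policy."""
    return [(f, r) for f in flows if (r := violation(*f)) is not None]
```

The records are assumed to be connection initiations as logged by a stateful firewall, so reply packets do not appear as separate flows.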
Firmware Management
Maintain current firmware on all network devices including cameras, switches, and NVRs. Subscribe to vendor security bulletins for vulnerability notifications. Test firmware updates in a non-production environment before deployment. Document all firmware versions for compliance and troubleshooting.
Access Control
Implement 802.1X port-based authentication where supported. Disable unused switch ports to prevent unauthorized device connection. Use MAC address filtering as a secondary protection layer. Regularly audit connected devices against the authorized equipment list.
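One way to run the device audit described above, as an added example that is not part of the original guide: it compares a neighbour table in the format printed by `ip neigh show` with the documented address assignments and reports unauthorized devices, devices answering on the wrong IP, and authorized devices that are not seen. The MAC addresses, IP assignments and interface name are constructed; hostnames follow the naming format given in the DNS Configuration section.

```python
# Added example: audit observed devices against the authorized equipment list.
# All MACs, IPs and the interface name below are constructed sample data.
AUTHORIZED = {  # MAC -> (hostname, assigned IP), as documented in the IPAM sheet
    "00:00:5e:00:53:01": ("CAM-BLDG1-LOBBY-01", "192.168.10.1"),
    "00:00:5e:00:53:02": ("CAM-BLDG1-LOBBY-02", "192.168.10.2"),
    "00:00:5e:00:53:c8": ("NVR-PRIMARY", "192.168.10.200"),
}

# Constructed sample in the format printed by `ip neigh show`.
NEIGH = """\
192.168.10.1 dev vlan10 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.10.77 dev vlan10 lladdr 00:00:5e:00:53:02 STALE
192.168.10.50 dev vlan10 lladdr 00:00:5E:00:53:99 REACHABLE
192.168.10.9 dev vlan10  FAILED
"""


def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            yield fields[0], fields[fields.index("lladdr") + 1].lower()


def audit_devices(neigh_text, authorized):
    """Return sorted findings as (kind, mac, detail) tuples."""
    findings, seen = [], set()
    for addr, mac in parse_neigh(neigh_text):
        seen.add(mac)
        if mac not in authorized:
            findings.append(("unauthorized", mac, addr))
        elif authorized[mac][1] != addr:
            name, want = authorized[mac]
            findings.append(("wrong-ip", mac, f"{name}: {addr} != {want}"))
    for mac in authorized.keys() - seen:        # documented but not observed
        findings.append(("missing", mac, authorized[mac][0]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_devices(NEIGH, AUTHORIZED):
        print(*finding, sep="\t")
```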