Design Advice

Hi,

I work for a council that has installed CCTV cameras around the town. The initial project was done by an outside vendor and we have had issues with it since day 1, and we no longer deal with the external vendor. The solution they provided seems overly complex for what we need and hard to maintain, and I am looking for some advice on a design I have drawn up to make it easier to manage.

We have 8 sites connected in a ring with approx. 30 cameras. There is a combination of wireless bridges (500 m) and fibre connecting the ring. The current design is configured with 2 routers at each site using VRRP, VPLS and OSPF routes, and nothing ever seems to work: the redundancy never works and I feel the VPLS is just overkill.

I would like to reduce the complexity to a single router per site and use layer 3 routing instead of the VPLS, as I don't see the benefit of it.

I am confident my design will work; I'm just not sure if it's the best way to do it, and I'm looking for some feedback on the design and on whether I really should be using VPLS or some other layer 2 design.

Thanks!
[Attachment: CCTV.png]

Hello Ragrim,

It’s hard to give advice not knowing what was the intent of the consultants, but I’ll give you my 2 cents worth.

  • Your design looks good, but if you’re doing PtP links (cabled or otherwise), you may want to look into /32 addressing to save even more on your address space.
  • I’m with you on VPLS. I fail to see why you’d want to bring the cameras on the same L2 segment at the head office. Routed would work just as much and keep things MUCH simpler. You’ll also reduce the broadcast and collision domains. AND… you can add QoS and firewalling if need be.
  • If you wanted full redundancy like the consultants did, you’d have to have link run diversity also. That means, for cabled, different conduits going in different directions, otherwise what’s the use? We’ve had a firm do that for us once. Imagine, same L3 switch, both links in the same blade going through the same conduits. When the blade failed, so did redundancy. Brilliant! And let’s not talk about if some digging had to be done. Rip both cables at once. Mind you, there’s much to be said about a dual setup (when done right). But you have to be sure about the physical infrastructure and your needs. It can cost more. If you’re doing a ring, unless you have two failures, the network will self-heal with OSPF.
  • Lastly, and I’m not sure if it can be done on MikroTik, video compression would be good to save on link usage. Otherwise, choosing the right codec. But don’t ask me, I’m not a video expert :wink:

Regards,

AC

Don’t waste time on that! There will be issues, and there clearly is no need for it.

Hello pe1chl,

Please elaborate. What issues? It’s easy.

Sent from Tapatalk

I agree w/pe1chl and I wouldn’t bother w/anything less than a /30 for PtP links when using RFC1918 addressing. It’s simply not necessary especially in a smaller network. You are already very address conscious in your design on the camera networks. I would leave them at the /29’s that are put into place.

I also would disagree with the “all or bust” mentality on redundancy. While it would at a glance seem futile to place 2 routers in a place connected by fiber placed in the same “ditch”, it offers you several advantages. Redundancy isn’t something to be approached with the mindset of “well, since I can’t make everything fully redundant, I just won’t try then.” Having 2 routers will allow you to do maintenance tasks with less stress while protecting you from singular device failure at that location. Also, you do in essence have ditch diversity with the ring, 1 path in and 1 path out, assuming they don’t share ditches along the way. With that, I’d say add in both routers. Set up VRRP and go. I’m not sure where in the old design VPLS was configured and why; it certainly isn’t necessary.

That said, your design is solid and will work, especially with an IGP like OSPF layered on to keep track of all the networks and paths. Make sure you have at least an SNMP and Syslog monitoring solution in place to help you detect any issues as early as possible, as well as keep track of bandwidth consumption.

For QoS, your camera manufacturer hopefully will allow you to mark the traffic; otherwise you’ll have to look at marking it at one of the routers.

In general, I’ve struggled with IP camera networks in the past. Largely the most difficult issues were caused by the cameras themselves. I used to joke when I was doing PC work that Quickbooks must have been written by accountants that taught themselves how to code. I said this because the business and accounting users loved Quickbooks; it was easy to use and did what they wanted. That said, it was terrible from a systems administrator perspective. I feel the same way about some IP camera vendors. They make these great cameras that take great quality pictures. When they develop their firmware they just give up. It comes with poor support of TCP/IP based features and the web UIs are often atrocious at best. Also, because of extremely underpowered management silicon, the management plane often fails, locks up or just offers up totally piss poor performance when interacting with them. Again, cameras made by camera people who barely know more about networks than they need to add an RJ45 port to their camera.

With that tangent aside, I’m a huge fan of Axis cameras. They make an excellent product all the way around. Good quality imaging with an IT guy’s wet dream from a management perspective. They have a great tool for managing cameras, deploying standardized settings by templates and mass upgrading firmware when needed. They also support SSL very well, features like ZipStream to help save on bandwidth, and great SNMP based monitoring and management MIBs that include things like temperature sensors for outdoor cameras so you can determine if climate justifies putting up a more hardened device. All in all, if I’m asked to deploy an IP network for cameras I highly recommend that the business looks at Axis cameras. The difference in price upfront is easily saved in long term maintenance costs of rolling trucks all over the place to reboot a camera every 2 weeks that just decided today it was going to lock up for no good reason.
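The post above recommends SNMP and syslog monitoring so that problems on the ring are caught early. The following is an added example (not code from this thread or from any vendor) of the kind of check a syslog collector can run: it parses router state-change lines and flags a router whose OSPF neighbour or VRRP state keeps flapping, which is exactly the failure a self-healing ring hides until a second link drops. The log format, hostnames and addresses are constructed for the example, not a real vendor's syslog layout.

```python
"""Flap detection over router syslog (added example, not from the thread).

Parses constructed syslog lines for OSPF neighbour and VRRP state changes,
then flags any (router, subsystem) pair that changed state at least
`threshold` times inside a sliding window of `window` seconds.
The line layout "<timestamp> <host> <subsystem>: <message>" is a constructed
approximation, not a specific vendor's syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: site3's ring link is flapping, the others are single events.
SAMPLE_LOG = """\
2024-03-01T10:00:01 site3-rtr ospf: neighbor 10.10.100.5 state changed from Full to Down
2024-03-01T10:00:09 site3-rtr ospf: neighbor 10.10.100.5 state changed from Down to Full
2024-03-01T10:00:31 site3-rtr ospf: neighbor 10.10.100.5 state changed from Full to Down
2024-03-01T10:00:40 site3-rtr ospf: neighbor 10.10.100.5 state changed from Down to Full
2024-03-01T10:01:02 site3-rtr ospf: neighbor 10.10.100.5 state changed from Full to Down
2024-03-01T10:05:00 site5-rtr vrrp: vrrp1 state changed to master
2024-03-01T10:30:00 site1-rtr ospf: neighbor 10.10.100.2 state changed from Full to Down
"""

# Only OSPF/VRRP state-change messages are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<subsys>ospf|vrrp): (?P<msg>.*state changed.*)$"
)


def parse_events(text):
    """Return a list of (timestamp, host, subsystem, message) for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["subsys"], m["msg"]))
    return events


def find_flapping(events, window=timedelta(minutes=2), threshold=3):
    """Return {(host, subsystem): max_count} for sources with at least
    `threshold` state changes inside any `window`-long sliding window."""
    by_source = defaultdict(list)
    for ts, host, subsys, _ in events:
        by_source[(host, subsys)].append(ts)

    flapping = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flapping[source] = max(flapping.get(source, 0), count)
    return flapping


if __name__ == "__main__":
    for (host, subsys), count in find_flapping(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {subsys} changed state {count} times within 2 minutes")
```

Feeding this a real collector's output would mean adjusting `LINE_RE` to the router's actual message text; the sliding-window logic is independent of the format. A single OSPF neighbour going down once is normal ring healing and is not reported; repeated transitions from one router are what point at a marginal wireless bridge or a failing port.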

Thanks for the replies, it’s always good to get some feedback.

Part of the reason I chose /29 is that I like to leave some addresses open in case I want to expand; I have been stung before trying to conserve addresses and then having to reinvent the wheel. There is a chance that the network will host a CBD wifi solution down the track, so leaving some room to move later will help.

If I want to expand the solution to add wifi later on, will VPLS be needed for zero handoff? And if so, can I keep layer 3 routing for the cameras and then use the VPLS just for the wifi?

Currently we use a Cisco solution for our CBD wifi managed by external consultants, but it never seems to work. I’m expecting to be asked to fix it soon, and then I would likely replace it with a Ubiquiti solution, as that’s what I have running at every other site I manage and it’s flawless so far.

Thanks again for the advice.

VPLS hints at wanting layer 2 stretched. I wouldn’t think that’s a requirement unless you need a single SSID w/seamless roaming (aka no changing IP when changing AP). Even then you can use EoIP tunnels to share the VLAN.

/29 on the links is fine and allows for a wireless device management address in the same subnet, but I would use /28 on the local networks (where the cameras are connected), because a /29 limits you to max 5 cameras per router, which is a bit close to the 3 you draw as example. There is no address space shortage in that 10.0.0.0/8 network, so don’t worry about optimizing that.