Camera Bleg

It’s always interesting how many things my readers collectively know, hence why I ask. My club is looking to replace an old CCTV system with a new IP high-definition system. I’m interested in whether I have anyone among my readership that does this for a living and can offer advice.

We have a few quotes from vendors. One is for Hikvision gear, which is cheap, but Hikvision is also owned by the Chinese Communist Government and has been responsible for a number of security problems as of late. There have been accusations of outright espionage, but I’m not sure how much stock I put in those. But either way, their reputation is of being careless with security, and that rubs me the wrong way.

I have a vendor that resells Panasonic, but that stuff is expensive. Samsung and Axis seem to be cheaper options, but I have no experience with how well their NVRs work. These brands are the market leaders. Is there any up-and-comers I might want to look into? In theory I like Ubiquiti, but their solution seems to have a low end feel.

It seems to me like a lot of camera installers don’t really understand IP networking very well, and only have a few installation types they are comfortable with and don’t want to deviate from it. This is becoming a frustration for me, but maybe it’s my IT bias. They all seem to love microwave extenders, which I loathe. I like wires. That’s largely why I took up evaluating doing fiber on my own.

A lot has changed in the industry switching from analog CCTV to IP, and a lot of the IP camera vendors seem to cater to that mentality by building PoE switches into their NVRs like the old DVR systems used to be bristling with BNC connectors. To me this seems unnecessary. I expect to have only one or two LAN connectors on the back of an NVR, and put my PoE switches out where I have clusters of cameras. Is there any reason to bring 32 Cat6 cables back to one NVR rather than cluster and trunk? I can’t think of any reason not to, given that a 1080p H.264 stream is only like 8Mb/sec. A gigabit IP network seems to be a firehose compared to the needs of IP cameras.

30 thoughts on “Camera Bleg”

  1. You have to ask yourself three questions:

    – Wired or wireless?

    – Software NVR or dedicated hardware?

    – PoE or no?

    All my camera systems use Blue Iris running on Server 2012 running on Hyper-V with an Avaya/Nortel 5520 switch providing PoE. The biggest of them have 5520’s in a stack with overlapping camera feeds; if I lose a switch or a host, I still get half the take. For wireless I’ve got a bunch of Cisco 1262 AP’s. That’s probably overkill for your application. Regardless, Blue Iris works with anything that’s ONVIF compatible, which means I can hook anything I want up to it. You can set up two Hyper-V hosts with SOFS and can keep running if you lose a drive, a host, a switch, and it all still fits conveniently in 3 rack units.

    With respect to vendors, you’ve covered the high points – there’s Hikvision (ChiCom), Dahua, Panasonic, Axis, then a bunch of also-rans that use GWill or similar OEM reference designs. Most of my cameras in freezing/hot environments are either Lorex (which is a division of FLIR) or Hikvision with some Dahua thrown in. Panasonic is overpriced for the capability (I say that as a guy writing from a Toughbook), and Axis doesn’t like selling small-fry stuff. I’d recommend sticking with Hikvision or Lorex and just sticking to proper deployment protocols, below. If you *have* to have wireless, Dericam is the manufacturer with the best setup for the money.

    The proper SOP for a camera deployment is to put it on its own VLAN, turn off routing and NAT for said VLAN, and then multi-home your NVR solution so its got one interface on the camera VLAN and one on a network that your users can access. The IoT is notoriously insecure; the proper way to secure it is to just eliminate its access to the Internet and any access from the Internet to it. That’s one other reason I like BI; I can use standard Windows security techniques to limit access to it.

    I’ve done a few weird outdoor setups. Feel free to hit me up with any questions.

    1. Wired. They need power, and as long as you have to power them you might as well just do it all with PoE.

      I’m ambivalent about software NVR vs. dedicated. But my instinct is not to ask our club’s PC to do too much. I’d probably prefer a dedicated NVR.

      Definitely PoE. My IT biases say that is the way to go.

      1. How many cameras? There’s a middle ground here – using a QNAP or Synology or something similar that supports ONVIF feeds – but it won’t have the same remote notification options that either a purpose-built hardware or software NVR.

        And, what’s your story regarding illumination? Are you going to use illuminators on the camera, area illuminators, or visual light?

          1. At that number of cameras, I’d probably buy either a Nortel 5520 or two 5510’s, or even some old Baystack switches (Nortel bought Baystack, before Avaya bought their IP after the bankruptcy). Those Baystacks are bulletproof.

            That gives you 48 PoE switchports with a, I believe, 300 watt power budget. Hiks draw about 8 watts with the illuminators on, Dahua about 5. You’ll lose a little bit the longer the lines you run.

            Blue Iris is fairly cheap, $50. You could be out-the-door for under $4,000 (2K for switch and PC’s, 2K for cameras) if you’re on a really tight budget.

            If you’re an IT traditionalist, this should appeal. Cameras are a secondary part of what I do.

            1. Me too. I’ve done cameras, but I don’t do it for a living. But this all will have to be used and maintained by non-IT people, so I’m sensitive to that.

      2. When I say dedicated NVR, I mean hardware dedicated to it. I don’t care if it’s a Windows machine running something like Blue Iris.

        1. I wish more IT people were sensitive to the fact that non-IT people like things simple and easy.

  2. Centralized NVR systems are often less about bandwidth, at least in most environments, so much as about reliability and security. You don’t want an issue from the normal data side of the network to bring down your security system, particularly in an environment where you’d have relatively open access to your network (whether WiFi or unmonitored wall drops). VLANs can reduce that vulnerability, but you have to set it up right or it’s still got a wide attack surface, and even many places that are originally configured run into user error when the tech’s not onsite.

    Historically, there’s also been issues with the multiple variants (or worse, non-standard variants) of PoE, with conflicting DHCP, and with the provisioning of battery backup. That’s less likely to be an issue for you, since you’re familiar with the technologies, but some vendors historically used weird PoE styles specifically to require people to buy their larger equipment.

    While there’s enough bandwidth for 1080p on most gigabit networks, 4k video is much more of a bandwidth hog, starting around 35 Mbps per camera. Depending on the number of cameras you’re putting up that may or may not be too much of an issue from a future-proofing perspective. Of course, you’re likely to need to upgrade your NVR when that time comes, but better to be a drop-in replacement rather than running a half-dozen wires.

    I’ve been pretty happy with Ubiquiti’s offerings, both wireless links and cameras. They’re definitely lower-end — the lack of RAID or expandability on their NVR alone may be a deal-breaker for you — but their service lifetime makes them particularly appealing for businesses that aren’t going to replace gear every three years like clockwork. That said, haven’t done anything as heavily outdoors as your situation.

    1. My current design has cameras on their own VLAN. I’m not sure either of the vendors I’ve gotten quotes from have any idea what a VLAN is.

      1. Actually, in some cases NVRs use them exclusively for cameras whose ports they physically manage.

        Watch for NVRs that have built-in PoE ports – some of them require any connected device to be on its own VLAN and others will actually create a physical subnet and then prevent any other network from reaching cameras plugged into the NVR. So basically if you use the NVR PoE ports you “disappear” the cameras behind the NVR.

        It’s not universal and it’s not disclosed. That said, you can use your own PoE switch and ignore the NVR ports and avoid any trouble.

    2. I’ve tried to plan for 4k. We should be comfortably able to handle that in the future with minimal upgrades.

      I’m actually not all that concerned about RAID storage. I’m debating whether I should be. But most of the time, we’re not all that concerned about long term storage. When we have an incident, we know it. We’re talking days in the past rather than months or years.

      1. I mostly bring up RAID as a potential issue because you’re not going to be on site regularly: if a drive fails when you and Bitter are out of town for the week, you don’t necessarily want to have to run someone through the recovery steps to replace it via phone.

        May not be a particular issue if you have other tech-savvy people willing to lend a hand.

    3. I like Ubiquiti’s networking gear but their NVR software is rather lacking. They’re moving to standard 802.3af for POE and some of the upcoming cameras look nice, but neither motion detection nor the timeline view in the controller work particularly well.

      H.265 is supposed to be 20-50% more efficient than 264 so that will help with bandwidth by the time you upgrade to 4k.

  3. Our security team uses Pelco for IP cameras, and they have something close to 1000 (including the old coax ones). They also have about as as much storage in their DVR/NVRs as IT does total. But since they don’t do backups it’s a lot cheaper storage.

    Note that outdoor pan tilt zooms have heaters, so they can draw tens of watts. Ideally you’d want analytics, so the cameras recognize, zoom in on and record interesting things preferentially. That’s about the sum of my IP security camera knowledge.

    We have them on Cisco 3750Xs or 3650s in the TRs, the 3650s are better and can put out a lot of POE with 2 one KW power supplies.

  4. We use exclusively Mobotix cameras (German manufacture), Milestone NVR appliances, and are 100% Cisco in terms of network infrastructure. All access layer ports are 30W PoE+ capable, which was a wise (IMO) purchasing decision made prior to my arrival. Access layer ports are 95% Cisco 3850 switches with stack cables installed.

    No problems to report except with a few cameras that went bad fairly recently. Some of our outdoor cameras are pushing 10-11 years which is about how long I’d expect decent outdoor camera gear to last with the weather we get. I also like Axis brand but am not familiar with the rest. Hikvision is definitely bottom of the barrel but will work with darn near any vendor agnostic NVR solution out there.

    Then there’s the occasion camera that goes schizo, but that will happen with any gear. In my opinion don’t shortchange yourself with decent storage and switching capabilities. I would look at gig PoE switches with stack capability, and multi-10 Gig to your NVR/storage environment.

  5. In addition to your real cameras, a few dummy wireless cameras placed around the area don’t hurt either.
    Less cost and maintenance on those too.

  6. We stay away from Hikvision for the reasons you mentioned. Two security issues this year alone came up. The persistence of these concerns keeps me away. They’re priced aggressively now in consideration of these shortcomings, but not worth it, IMO.
    I would highly suggest you visit IPVM.com and use their calculator which will let you overlay the google maps view of your range with your camera placements, play with angle of view, and show you simulated image quality at different distances using specs from most every camera on the market. It’s an invaluable tool for this kind of planning that not enough pros use, frankly. I think the calculator may be free to use with some limitations, but a short-term membership ($100?) to the site is a no-brainer investment if you’re doing this setup yourself. There’s a difference between just putting some cameras up to “paint” a field and deliberately designing an installation to meet functional requirements.
    One of the biggest considerations in any camera setup is the metric of “pixels per foot” in the rendered image of what you’re monitoring. When you’re covering a wide and deep area, the 1080 camera (2.1mp) is going to have very low ppf beyond about 30 ft, making detail hard to tease out. Now, on some 1080 cameras you can narrow the angle of view to get denser ppf out at further range, but those UBNT G3s have relatively fixed AoV (75-80 deg, IIRC). In your situation, detail may not be as much a requirement as just knowing whether a body is downrange or not. But just know that beyond 30ft, identifying faces and license plates gets very difficult with 1080. A 5MP camera with adjustable AoV can get you the same ppf at 100 ft as G3 will have at 25-30 ft. With any camera setup, having overlapping fields of view makes sense.
    You can compensate for the diluted ppf of 1080s by increasing the quantity of cameras, and at $150 or so, those UBNT G3s will look pretty attractive. They are outdoor rated, and cheap enough that you could keep spares on hand. Specific concerns with build quality may include their not-very-beefy mounting base, and the fact that they are by no means vandal resistant. The G3 dome form factor will give you advantages on both these fronts, but they are not built to be in direct weather like the bullet form factor G3 is.
    UBNT’s NVR is offered as an appliance or a (free!) software install. We’ve used these camera setups a few times where need is high and budget is low, and we’ve had decent reliability with running their NVR on a hyper-v instance of Ubuntu, but I would probably err towards using the hardware appliance they sell. Even the best software NVR is going to have more maintenance overhead and complexity (points of failure) than a decent appliance.
    You’re right about GbE being overkill for 1080. Those G3s only have 100mb NICs in them, as I recall, and the stream (IIRC) is about 3-5mb, I think, even at 30fps. So yeah, I wouldn’t hesitate to trunk that traffic. Another consideration is that you could do longer than optimal cable home runs of Cat6 to the cameras and still provide them the bandwidth they need. You probably know this, but be aware that you may need shielded cable if you’re doing a long outdoor run, or burial cable.
    My own recommendation, if money allows, would be to go with Wisenet (aka Hanwha; aka Samsung). Samsung sold all their CCTV stuff to Hanwha, and it’s branded as Wisenet. Their latest XNV-8080R cameras, for instance, are really shit hot with really good WDR/HDR for backlight compensation, which I suspect you’d see a lot of value in. That model I mention is the vandal resistant model. Most dealers get them for about $800/per. Cheaper if you opt for the non vandal model. Their NVR, XRN-1610S, can support a lot of cameras, supports RAID, and has solid functionality for searching content. Distributors sell them for around $1500, with only about 2 HDDs or so. You can BYO disk to these and fill them up as needed. The reliability is miles better than the UBNT NVR, ime.
    Anyway, such are my thoughts. Seriously, check out IPVM.com. Not affiliated, just a user that sees the value in them.

    1. I’m not sure my edit got in under the wire, but was going to say – I mentioned the XRN-1610, but you can see there are models like the XRN-2010 that do 32 channels if that’s what you need.
      Your IT bias towards POE is rock solid. I would never consider any other method for powering a camera unless maybe you needed to power a supplementary heater out there for its housing, and even then I would be skeptical. These days, even that XNV-8080 is rated to operate at -40 degrees.
      And.. always opt for a wired connection over wireless if you have the choice.

      1. Thanks! I did find that IVPM.com site. That’s initially what made me start thinking we might be better off doing this ourselves.

        1. I really hope you post a follow up and let us (me) know what you end up doing. Sounds like a fun project and I’m curious which route you end up going and what your experience with it is after a bit of burn-in.

          1. I will. I’ve been looking at Samsung. I was wondering about what advantage I’d get from using their NVR versus a PC with say, Blue Iris.

            1. I don’t have direct experience with Blue Iris, so there’s that. But conceptually, here are my thoughts.
              WiseStream is a good example of the kinds of features that you get when using a homogeneous stack, where both the camera and the NVR support it, but you miss it when using a third-party NVR. I don’t know how many of these technology features there are that fall into this same bucket (camera tamper detection, e.g.), nor what value they are to your needs, but it’s worth being aware of and investigating. IME, the NVR’s complete “awareness” of the camera capabilities (fine adjustment of HDR, etc) is more solid feeling than what I’ve used through a third party server like Genetec. In the case of Genetec, to get the most out of the cameras (Sony) we were dependent upon Genetec having certified the camera model and having support for specific features. If the software just looks at it like a generic ONVIF camera, support for some of the tech baked into the camera may go underutilized. I think this risk lowers when the cameras are more basic.
              Layer 2 discovery of Samsung cameras is very easy from a Samsung NVR. I know finding and registering cameras isn’t difficult to do manually, but when you have a lot of them, OR need to drop them all and re-add, for whatever reason, this is a feature I’ve appreciated.
              Speaking of L2, he NVR actually has POE ports in it for the cameras. Personally, I like that. Whether you direct connect some or all the cameras, the ports can be part of the same broadcast domain as a broader network, so nothing stops you from connecting access switches out in the “field” back to the NVR ports, assuming you have sufficient bandwidth on the uplink.
              Interacting with the NVR as an appliance has some pluses to it, compared to using a web browser or client app on a PC. First of all, it’s very easy to just hang a viewing station off the NVR by plugging a couple monitors into it. Using a remote is somewhat more intuitive for people to use, even though a kybd/mouse combo can still be used by the admin (useful for naming cameras, etc), and you never have to worry about some user getting dumped out to the Windows desktop or shell because they clicked on the wrong thing or hit the wrong key combo, or because the computer rebooted.
              Which brings me to what I see as the biggest downfall for running software NVR solutions, even if managed by an IT guy. The daily “user” of the NVR often isn’t the IT guy, especially considering the system’s lifespan. There’s more complexity there when not using a purpose built appliance and especially when using a dual-purposed system. That host OS will need to periodically update, which probably means reboots or at least restarting processes. Even if your software NVR is set to run as a service and start automatically (even delayed), you know as well as I do that the risk is non-zero of everything starting and running as expected. This translates to more to worry about.
              Now, I don’t mean to be hating on the software recorders. I know (and live) that the server NVRs are the heavyweight solutions for the enterprise, but the support model is different and leverages processes already in place for managing systems in an enterprise environment. Outside of that, you kind of depend on a hobbyist’s devotion to tend to these things.
              I’ve never felt with a Samsung NVR that I needed supplemental monitoring to make sure it’s doing its job, whereas with the server solutions, I do. It sucks to find out your NVR solutions has been “running” for the last two weeks but not recording. My point is just that the overhead is higher than with an appliance, and that has a cost.
              Finally, with the appliance NVR (model-dependent) you can wire in exterior alarm triggers. Again, YMMV with the value there, but it’s an option. Motion detection is the more common way to record events, but if you want to do things like grab a picture of a license plate or face when someone badge swipes at the front gate, or use a trigger from an occupancy sensor to start and stop recording these can be valuable. Motion detection is awesome, but there are still some applications for integrating with exterior sensors/triggers. Blue Iris may have some capacity for this, but if you end up having to get creative by integrating Blue Iris with an ISY994 controller or somesuch, the complexity/brittleness will be exponentially greater than just connecting two wires from the sensor to the NVR. (Disclaimer: I don’t know whether this is the right approach with BI, just thinking conceptually of getting inputs from exterior sensors to a PC.)

    2. PPS.. after reading some of the other comments again. It’s best to match the NVR appliance to the camera brand if you’re going that way. ONVIF and RTSP sound great, but you usually lose features of the camera that can be leveraged by a homogeneous stack. We’ve tried using tools like surveillance station on a QNAP/Synology with different brands of cameras using the RTSP streams and ONVIF but it’s a shoddy result. Can give you specifics if interested.

    3. When you’re covering a wide and deep area, the 1080 camera (2.1mp) is going to have very low ppf beyond about 30 ft, making detail hard to tease out. Now, on some 1080 cameras you can narrow the angle of view to get denser ppf out at further range, but those UBNT G3s have relatively fixed AoV (75-80 deg, IIRC). In your situation, detail may not be as much a requirement as just knowing whether a body is downrange or not. But just know that beyond 30ft, identifying faces and license plates gets very difficult with 1080. A 5MP camera with adjustable AoV can get you the same ppf at 100 ft as G3 will have at 25-30 ft. With any camera setup, having overlapping fields of view makes sense.

      This is what I’m thinking of now. Currently we do a lot of field painting with our current setup. You can’t make out any great detail. But in a lot of cases, we don’t really need to see great detail. The trap field is a tough nut, because I don’t have many places to put cameras.

  7. I have built and managed three sites, all remote and several more than 1000 miles away. Some thoughts:

    – Go with cams designed for IP and avoid converting older analog units to IP. They will still be low-resolution and introduce video artifacts, and by the time you do the IP conversion with hardware you’ll not save any money (but might save installation if you are upgrading in-place cameras). I have one site like this and it works, but I will replace everything this year.

    Vendor notes:

    – HikVision (and clones): I’ve tested these and have them at one site when I was in a pinch and needd something the same day. They require Windows Active-X software to be viewed using H.264 thought you can force MJPEG streams if you must. Their video storage files are not of any standard I can recognize, and I write video CODECs. I am replacing all of these in December.

    – Axis: The gold standard for IP cams, and priced the same. Watch for the lower-end units. You can tell by the warranty – one year warranties are lower-end units they sell to compete with lower-end firms. I’ve had so-so luck with those, but their standard commercial-grade units are solid and run in horrible environments without complaining.

    – Ubiquiti: Saw someone mention these, so I’ll say they make terrific comms hardware but after evaluation I skipped them for Security Cams. They lock you into a UBNT environment and are damn near bricks without their NVR, which is also not interchangeable with anything else. I didn’t even look at the hardware because of these issues. That said, if you need a solid Access Point you would have a hard time beating them.

    – LG: I have a few new LG IP cams and an 8-port NVR (brand new, unused) that I will gladly send you for a cheap price. They work, but require Windows. I just won’t use Windows, so they are not for me. Serious – if you want them I can work out a great deal.

    – ReoLink: My current favorit for cheap IP cams. Works out of the box on OS X, Linux and Windows. Good feature set and good video. Have not tested their NVR but if it’s the same codebase as their cams it will be good. I am buying one for evaluation as soon as I get the time to test. Right now I assume that two of my remote sites are going to use these, assuming they work well through a VPN.

    – Software: I have built systems using most of the open source stuff (ZoneMinder, etc.) and have one site running ZoneMinder now. It works, but it also requires work to set up, tune, and maintain. It is not for the uninitiated or those looking for an easy time. I put these in the “advanced tinkerer” column for good reason.

    I am testing and looking for good NVR systems now that work with Linux, OSX and Windows. Most just support Windows. The problem is that Windows usually means out of date Active-X components and I just don’t like them. But if you normally run Windows at home, you have already made that decision whether you know it or not. So don’t let that stop you.

    You got my contact info. Feel free to use it. Thx.

  8. Some general observation:

    In terms of electronics techs, security guys are generally the lowest echelon. It is low-paying, entry level work. Their bosses are not all that much better. With your IT background, you are better off designing your own system, though you may want to hire out the installation.

    You will get what you pay for. The usual operating system caveats apply — if you run Windows, you get Windows-like usability and Windows-type problems, and so on. Your own experiences are your best guide.

    Once you get past the camera selection and to the (network) spigot at the back, it’s just IT and what you already know about networking applies. Most of the security people do not know what you know (they’d be working in IT if they did) and the systems are generally put together with an eye to their strengths (they’ll be darned good at mounting cameras and okay at running cables) and weaknesses.

  9. “Is there any reason to bring 32 Cat6 cables back to one NVR rather than cluster and trunk?”

    Only thing I can think of is security, if they all bunch together remotely and come in in one wire its only 1 wire to cut and kill all your video, or just 1 wire for a rodent to chew on and kill the system, either way redundancy means at least some cameras will still work.
    Hell, just one bad neworking wire could kill the whole feed to. They do go bad occasionally…

Comments are closed.