Network Design Basics
Hikvision Certified Security Associate
Contents
Network Basics
Network Device
Network Planning
Bandwidth Planning
Network Security
Network Introduction
A network is a collection of computers, servers, mainframes, network devices, peripherals, or other
devices connected to one another to allow the sharing of data.
In video surveillance, the network includes the core switch, Ethernet cable, fiber, IP cameras,
servers, etc.
[Figure: example local area network 192.168.1.x with the router at 192.168.1.1 as gateway, several switches, a WiFi AP, a web PC, a server, PCs and laptops at 192.168.1.2 to 192.168.1.11; each copper run between a device and a switch follows the 90 meter rule]
IP Address
An IP address is the only way to identify a device in the network.
[Figure: Host A and Host B, each identified by its own IP address]
Private IPv4 Address
• A private IP address cannot be used on the public network.
• On the public network each IP address is unique, while the same private IP address can be
reused in different private networks. This is an effective way to save IP addresses.
Private IPv4 ranges:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Why IPv6?
The explosive growth of Internet users, devices and apps creates demand for more IP
addresses.
IPv4 uses 32-bit addresses and can support about 4.3 billion devices connected directly to
the Internet.
The replacement protocol IPv6 uses 128-bit addresses and provides such a vast
number of addresses that it can only be expressed mathematically: about 3.4 × 10^38.
IPv6
• An IPv6 address is written in hexadecimal notation, with colons subdividing the
address into eight blocks of 16 bits each.
• For example: 2001:0da8:65b4:05d3:1315:7c1f:0461:7847
• Hikvision cameras support IPv6 in three modes:
• Manual: configure the IPv6 address manually
• DHCP: obtain the IPv6 address automatically from a DHCP server
• Router Advertisement: derive the IPv6 address from the router advertisement combined with the camera's MAC address
TCP
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream protocol of the
transport layer.
The payload of a TCP segment is bounded by the MSS (maximum segment size): the receiving end
announces the maximum amount of TCP data per segment it can accept, and the transmitting end honours it.
The MSS value is the MTU minus the IPv4 header (20 bytes) and the TCP header (20 bytes).
The MTU (maximum transmission unit) is defined by the link hardware; for example, the MTU of Ethernet
is 1500 bytes.
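To make the MSS relationship concrete, here is an added worked example (not part of the slide deck) that computes the MSS from the MTU and header sizes above, and goes one step further than the slide by also handling IPv6 (40-byte fixed header, an added assumption) and by showing how many segments and how much header overhead a given payload costs at the standard Ethernet MTU versus a jumbo MTU.

```python
IPV4_HEADER = 20      # bytes, as on the slide (no options)
IPV6_HEADER = 40      # bytes, fixed IPv6 header (added for comparison)
TCP_HEADER = 20       # bytes, as on the slide (no options)
ETHERNET_MTU = 1500   # bytes, standard Ethernet


def tcp_mss(mtu: int = ETHERNET_MTU, ip_version: int = 4) -> int:
    """MSS = MTU - IP header - TCP header."""
    ip_header = IPV4_HEADER if ip_version == 4 else IPV6_HEADER
    if mtu <= ip_header + TCP_HEADER:
        raise ValueError("MTU too small to carry any TCP payload")
    return mtu - ip_header - TCP_HEADER


def segments_needed(payload_bytes: int, mtu: int = ETHERNET_MTU, ip_version: int = 4) -> int:
    """Number of TCP segments needed to carry payload_bytes (ceiling division)."""
    return -(-payload_bytes // tcp_mss(mtu, ip_version))


def header_overhead_percent(payload_bytes: int, mtu: int = ETHERNET_MTU, ip_version: int = 4) -> float:
    """Share of bytes on the wire spent on IP + TCP headers for this payload."""
    ip_header = IPV4_HEADER if ip_version == 4 else IPV6_HEADER
    headers = segments_needed(payload_bytes, mtu, ip_version) * (ip_header + TCP_HEADER)
    return 100.0 * headers / (payload_bytes + headers)


if __name__ == "__main__":
    one_mb = 1_000_000  # constructed payload size, e.g. a burst of video data
    print("MSS on Ethernet, IPv4:", tcp_mss())               # 1460
    print("MSS on Ethernet, IPv6:", tcp_mss(1500, 6))        # 1440
    print("segments for 1 MB at MTU 1500:", segments_needed(one_mb))
    print("overhead %% at MTU 1500: %.2f" % header_overhead_percent(one_mb))
    print("overhead %% at MTU 9000: %.2f" % header_overhead_percent(one_mb, 9000))
```

Raising the MTU (jumbo frames) cuts header overhead, but only if every switch and NIC on the path supports it; a mismatched MTU causes fragmentation or silently dropped packets.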
Connect after three-way handshake:
  Client sends SYN -> Server receives SYN
  Server sends SYN-ACK -> Client receives SYN-ACK
  Client sends ACK -> Server receives ACK
Disconnect after four-way handshake:
  Initiator sends FIN -> Peer receives FIN
  Peer sends ACK -> Initiator receives ACK
  Peer sends FIN -> Initiator receives FIN
  Initiator sends ACK -> Peer receives ACK
TCP vs UDP
• TCP (Transmission Control Protocol): ensures complete delivery of the streaming data
and better video quality, but real-time transmission is affected.
• UDP (User Datagram Protocol): provides real-time audio and video streams.

TCP                               UDP
Connection oriented               Connectionless
Provides reliable transmission    Provides unreliable transmission
FTP, HTTP                         SNMP
Common Port Number
• 20 File Transfer Protocol [Default Data]
• 21 File Transfer Protocol [Control]
• 25 Simple Mail Transfer Protocol
• 80 World Wide Web HTTP
• 443 HTTPS
• 8000 Server (for software access)
• 554 RTSP
Port number range: 0 to 65535
0 to 254: Public
255 to 1023: For company
1024 and above: Random
PoE Technology Overview
IEEE 802.3af, common PoE standard
• Power sourcing equipment (PoE switch or PoE module), PSE for short, supplies 48 VDC, 15.4 W
• Powered device, PD for short, receives 12.95 W
IEEE 802.3at, PoE+ standard
• Power sourcing equipment (PoE switch or PoE module) supplies 48 VDC, 30 W
• Powered device receives 25.5 W
PoE does not affect cable transmission capability or distance.
It is compatible with non-PoE devices.
PoE Features
Feature                        802.3af         802.3at
PD power                       12.95 W         25.5 W
PSE power                      15.4 W          30 W
PSE voltage range              44 V to 57 V    50 V to 57 V
PD voltage range               37 V to 57 V    42.5 V to 57 V
Cable type                     CAT3 or CAT5    At least CAT5
Wire pairs for power supply    2               2 or 4
NAT
The basic principle of NAT
In computer networks, NAT (Network Address Translation) is a technique that rewrites
the source/destination IP address of IP packets as they pass through a router.
Because the private IP address of a local host cannot be routed on the public network, NAT also "hides"
the private IP addresses in the LAN, which helps protect the internal network.
1. Static NAT
One-to-one mapping between a public and a private IP address, configured statically.
2. Dynamic NAT
A mapping between public and private IP addresses built from a shared pool of public
addresses. An address is selected from the pool and assigned to a host, and the host
releases it after use.
3. NAPT (Network Address Port Translation)
Address translation based on "IP + port": a mapping is built between {private IP, private port}
and {public IP, public port}, so that multiple private IPs can share one public IP to access the
Internet.
NAPT Classification
• Full Cone NAT
• Restricted Cone NAT
• Port Restricted Cone NAT
• Symmetric NAT
The basic principle of NAT
[Figure: PC1 at 192.168.1.100:5000 behind a NAT device with WAN address and port 187.15.85.75:3000, reaching Server A, Server B (IP C : Port D) and Server C across the Internet]
NAT translates the client address {192.168.1.100:5000} into the public address {187.15.85.75:3000} and
binds the two.
Only after the internal host 192.168.1.100 has sent a packet to Server A can 192.168.1.100
receive packets that Server A sends to 187.15.85.75:3000.
Port Forwarding
What's Port Forwarding?
Because of NAT, a data flow initiated from the external network is discarded by the NAT device.
Port Forwarding lets such externally initiated access reach a server behind NAT.
In short, Port Forwarding allows a remote computer to connect to a specific computer or
service in the internal network.
UPnP
UPnP can open specific ports automatically through the UPnP protocol, but it only supports a
single layer of NAT. This function is available on hardware devices such as NVRs and IPCs.
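The NAT behaviour described in the last few slides (outbound traffic creates a binding, unsolicited inbound traffic is dropped, a port-forwarding rule is the exception, and the four NAPT classes differ in who may use the binding) can be simulated in a few dozen lines. The following is an added example written for this page, not Hikvision code and not a real NAT implementation; it reuses the slide's addresses (192.168.1.100:5000 mapped to 187.15.85.75:3000) and adds constructed server addresses from the documentation ranges (203.0.113.10, 198.51.100.20).

```python
from dataclasses import dataclass, field
from itertools import count

WAN_IP = "187.15.85.75"   # public address used on the slide


@dataclass
class Napt:
    """Toy NAPT table: outbound packets create mappings, inbound packets are
    delivered only when a mapping (or a static port forward) matches."""
    mode: str = "full_cone"           # full_cone | restricted | port_restricted | symmetric
    wan_ip: str = WAN_IP
    first_port: int = 3000            # the slide maps the first flow to WAN port 3000
    table: dict = field(default_factory=dict)     # key -> [wan_port, set of (dst_ip, dst_port)]
    forwards: dict = field(default_factory=dict)  # wan_port -> (private_ip, private_port)

    def __post_init__(self):
        self._ports = count(self.first_port)

    def _key(self, src_ip, src_port, dst_ip, dst_port):
        # Symmetric NAT allocates a new WAN port per destination; cone NATs reuse one per source.
        if self.mode == "symmetric":
            return (src_ip, src_port, dst_ip, dst_port)
        return (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the (wan_ip, wan_port) it leaves with."""
        key = self._key(src_ip, src_port, dst_ip, dst_port)
        entry = self.table.setdefault(key, [next(self._ports), set()])
        entry[1].add((dst_ip, dst_port))           # remember who the host talked to
        return (self.wan_ip, entry[0])

    def add_port_forward(self, wan_port, private_ip, private_port):
        """Static rule so externally initiated traffic reaches an internal service."""
        self.forwards[wan_port] = (private_ip, private_port)

    def inbound(self, src_ip, src_port, wan_port):
        """Return the internal (ip, port) to deliver to, or None if the NAT drops the packet."""
        if wan_port in self.forwards:
            return self.forwards[wan_port]
        for key, (port, peers) in self.table.items():
            if port != wan_port:
                continue
            private = (key[0], key[1])
            if self.mode == "full_cone":
                return private                      # any external host may use the binding
            if self.mode == "restricted":
                if any(ip == src_ip for ip, _ in peers):
                    return private                  # same host as contacted, any port
            elif (src_ip, src_port) in peers:       # port_restricted and symmetric
                return private
        return None


if __name__ == "__main__":
    nat = Napt(mode="port_restricted")
    print("unsolicited:", nat.inbound("203.0.113.10", 80, 3000))          # None
    print("outbound as:", nat.outbound("192.168.1.100", 5000, "203.0.113.10", 80))
    print("reply:", nat.inbound("203.0.113.10", 80, 3000))                # delivered
    print("other host:", nat.inbound("198.51.100.20", 443, 3000))         # None
    nat.add_port_forward(8000, "192.168.1.50", 8000)
    print("forwarded:", nat.inbound("198.51.100.20", 443, 8000))          # delivered
```

The port-forward branch is the one to watch when planning a surveillance network: every static forward is a service deliberately exposed to the whole Internet, so it should be limited to what remote access actually needs and paired with the device-side controls covered in the Network Security section.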
Common Transmission Media
Twisted pair cable Fiber cable
Coaxial Cable Wireless
Features of Different Media
Type           Data rate        Transmission media            Transmission distance
100BASE-TX     100 MBit/s       CAT5                          100 m
100BASE-TX     100 MBit/s       Multi Mode Fiber              2000 m
1000BASE-SX    1000 MBit/s      Multi Mode Fiber              500 m
1000BASE-LX    1000 MBit/s      Multi or Single Mode Fiber    2 m to 5 km
1000BASE-T     10,000 MBit/s    CAT5E                         100 m
10G BASE-LX4   10,000 MBit/s    Multi or Single Mode Fiber    2 m to 10 km
10G BASE-T     10,000 MBit/s    CAT6 or CAT7                  100 m
Network Interface Card
NIC interface types include PCI, PCI-E and USB.
Each NIC has a unique 48-bit hexadecimal address, called the MAC address.
The NIC allows devices to communicate over the network.
How does the PC obtain an IP address
Dynamic Host Configuration Protocol (DHCP)
The NIC can obtain an available IP address from a DHCP server; the DHCP server is usually
the router or a switch with an IP allocation function.
Select "Obtain an IP address automatically" in the NIC properties.
Configure IP address manually
You can configure the IP address manually; make sure that the IP address is available and
that the subnet mask and gateway are correct.
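The checks behind "make sure the IP address is available and the subnet mask and gateway are correct", together with the private-range test from the IP Address section earlier, can be expressed with Python's standard ipaddress module. This is an added example for this page, not Hikvision code; the addresses are the slide's own (192.168.1.x hosts, 192.168.1.1 gateway) plus the three private ranges, and the helper names are this example's own.

```python
import ipaddress

# The three private IPv4 blocks listed on the IP Address slide (RFC 1918).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr lies inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def classify(addr: str) -> str:
    """'private' or 'public' for IPv4; IPv6 addresses are reported separately."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    return "private" if is_private(addr) else "public"


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if hosts a and b share a subnet under the dotted mask, i.e. they can
    exchange packets without going through the gateway."""
    net_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) in net_a


def check_config(addr: str, mask: str, gateway: str) -> list:
    """Sanity checks for a manually configured host; returns a list of problems
    (empty means the triple is consistent)."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    host = ipaddress.ip_address(addr)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append("gateway outside subnet")
    if gw in (net.network_address, net.broadcast_address):
        problems.append("gateway is network/broadcast address")
    if host in (net.network_address, net.broadcast_address):
        problems.append("host address is network/broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed device list for the LAN on the Network Introduction slide.
    for dev in ["192.168.1.8", "192.168.1.1", "8.8.8.8", "2001:0da8:65b4:05d3:1315:7c1f:0461:7847"]:
        print(dev, "->", classify(dev))
    print(same_subnet("192.168.1.3", "192.168.1.9", "255.255.255.0"))   # True
    print(check_config("192.168.1.8", "255.255.255.0", "192.168.1.1"))   # []
    print(check_config("192.168.1.8", "255.255.255.0", "192.168.2.1"))   # gateway outside subnet
```

Whether an address is actually free on the wire (the "available" part) cannot be decided offline; in practice that is an ARP or ping check, or better, a reservation in the DHCP server so that cameras keep a fixed address without the risk of a duplicate.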
Domain Name & Domain Name System
A domain name is an identification string that defines a realm of administrative autonomy within the
Internet (such as hikvision.com). Domain names are used in various networking contexts and for
addressing purposes. In general, a domain name represents an IP address on the Internet.
When you access www.hikvision.com, the domain name is first translated into an IP address by the DNS
server, then your computer accesses the website via that IP address.
[Figure: PC, DNS server and the Hikvision website]
1. The PC sends a name resolution request to the DNS server.
2. The DNS server returns the IP address of the domain name.
3. The PC accesses the website on the Internet by IP address.
DNS Configuration
DNS can be obtained automatically by DHCP from the router, or it can be set manually as
part of the static IP address configuration.
Commonly used DNS servers:
8.8.8.8 (overseas)
Obtain from ISP (Internet Service Provider)
Switch
Main function: extend the network (repeater)
Large network: core switch and edge switches
Small network: one switch
Basic switch: supplies connectivity
Managed switch: supplies security/address/power management and QoS
Switch Model Selection
Backplane bandwidth (Gbps)
The maximum data throughput between the switch interface processors and the data bus.
Backplane bandwidth is the amount of data the switch can handle. It should be twice the
combined speed of all the switch ports. This value can be used to judge the forwarding
performance.
Packet forwarding rate (Mpps)
How many million packets the switch can forward in one second.
It indicates the switching capacity of the switch.
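As an added example for the two selection figures above (not from the slide deck), the following Python turns them into a sizing check. It assumes the common non-blocking rule of thumb: backplane at least twice the sum of port speeds (full duplex, as the slide says), and a forwarding rate that sustains every port at line rate with minimum-size 64-byte Ethernet frames, which is 1,488,095 packets per second per Gbit/s (64 bytes plus 20 bytes of preamble and inter-frame gap). The example port mix (24 × 1 Gbit/s access ports, 2 × 10 Gbit/s uplinks) is constructed.

```python
# Packets per second one Gbit/s carries with 64-byte frames:
# each frame occupies 64 + 20 (preamble + inter-frame gap) = 84 bytes on the wire.
PPS_PER_GBPS_64B = 1_000_000_000 / ((64 + 20) * 8)


def total_port_gbps(ports: dict) -> float:
    """ports maps port speed in Gbit/s to the number of such ports, e.g. {1: 24, 10: 2}."""
    return sum(speed * n for speed, n in ports.items())


def required_backplane_gbps(ports: dict) -> float:
    """Twice the combined port speed, so every port can send and receive at once."""
    return 2 * total_port_gbps(ports)


def required_forwarding_mpps(ports: dict) -> float:
    """Forwarding rate needed for line rate on all ports with 64-byte frames."""
    return total_port_gbps(ports) * PPS_PER_GBPS_64B / 1e6


def is_non_blocking(ports: dict, backplane_gbps: float, forwarding_mpps: float) -> bool:
    """True if a switch's datasheet figures meet both requirements."""
    return (backplane_gbps >= required_backplane_gbps(ports)
            and forwarding_mpps >= required_forwarding_mpps(ports))


if __name__ == "__main__":
    # Constructed candidate: 24 gigabit camera ports plus two 10-gigabit uplinks.
    ports = {1: 24, 10: 2}
    print("backplane needed (Gbps):", required_backplane_gbps(ports))       # 88
    print("forwarding needed (Mpps): %.2f" % required_forwarding_mpps(ports))  # 65.48
    print("datasheet 88 Gbps / 65.5 Mpps ok:", is_non_blocking(ports, 88, 65.5))
    print("datasheet 56 Gbps / 65.5 Mpps ok:", is_non_blocking(ports, 56, 65.5))
```

Vendors quote the forwarding rate for 64-byte frames precisely because that is the worst case; video streams use large frames, so a switch that passes this check has margin for camera traffic.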
Router
Main Function: Data output gateway to connect to the Internet
Network Structure-Full Mesh
Advantage
Highest redundant level
Reduce network load
Disadvantage
Need more switches and cables.
Network Structure-Star
Advantage
Easy for management and
maintenance
Disadvantage
There may be network bottle neck.
No redundancy.
Network Structure-Extended Star
Advantage
Supply some redundancy
Supply some load balancing
Disadvantage
Need more switches and cables.
Network Structure-Partial Mesh
Advantage
There is redundant linkage between
devices
Easy to be extended without affecting
current users
Disadvantage
Need more switches and cables.
Network Design-Small System
Single switch
• PoE could be used.
• Transmission distance smaller than 100 m
• Easy to install
• No redundancy
[Figure: one switch connecting the cameras to either an NVR without PoE or an NVR with PoE]
Network Design-Flexible System Scale
Two-layer structure: access switches and core switch
• PoE could be used.
• System can be upgraded
• Easy to install
• Redundancy is available
[Figure: cameras on access switches, access switches uplinked to a core switch]
How To Calculate Bandwidth and Storage
Hikvision design tool
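The slide points to the Hikvision design tool for this calculation; to show what such a tool computes, here is an added example (not the tool itself and not Hikvision code) using the standard arithmetic: total bandwidth is the sum of the camera stream bitrates, and storage is that bitrate carried over the recording period. The camera counts, bitrates and the 70 % link-utilisation margin are constructed assumptions for illustration.

```python
SECONDS_PER_HOUR = 3600


def total_bitrate_mbps(cameras: list) -> float:
    """cameras: list of (count, bitrate_mbps) groups; returns the summed stream bitrate."""
    return sum(n * rate for n, rate in cameras)


def storage_gb(cameras: list, days: float, hours_per_day: float = 24.0) -> float:
    """Recording storage in GB (decimal, 1 GB = 1e9 bytes) for the given retention."""
    mbps = total_bitrate_mbps(cameras)
    total_bytes = mbps * 1e6 / 8 * hours_per_day * SECONDS_PER_HOUR * days
    return total_bytes / 1e9


def link_utilisation_ok(cameras: list, link_mbps: float, max_utilisation: float = 0.7) -> bool:
    """Keep the recording streams under a fraction of link capacity to leave headroom
    for live view, playback and management traffic (0.7 is an assumed design margin)."""
    return total_bitrate_mbps(cameras) <= link_mbps * max_utilisation


if __name__ == "__main__":
    # Constructed site: ten 4 Mbit/s cameras and five 2 Mbit/s cameras.
    site = [(10, 4.0), (5, 2.0)]
    print("total bitrate (Mbps):", total_bitrate_mbps(site))          # 50.0
    print("30-day 24/7 storage (GB):", storage_gb(site, 30))           # 16200.0
    print("fits a 100 Mbit/s uplink:", link_utilisation_ok(site, 100))  # True
    print("fits a 60 Mbit/s uplink:", link_utilisation_ok(site, 60))    # False
```

The uplink check matters for the two-layer designs above: every access switch's uplink to the core carries the sum of the streams on that switch, and the NVR or server port carries the sum of all of them.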
HTTPS
• Hyper Text Transfer Protocol over Secure Socket Layer
• A communications protocol for secure communication over a computer network, with especially wide
deployment on the Internet. It adds the security capabilities of SSL/TLS to standard HTTP
communications.
• The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks.
• Default port number: 443
• The HTTPS port can be changed if desired (port numbers range from 1 to 65535)
Application: HTTP (default port 80) / HTTPS (default port 443)
  Data
  SSL / TLS (present only for HTTPS)
  TCP
  IP
  Link (MAC)
HTTPS – Create Self-signed Certificate
1. In the web UI, enter the HTTPS configuration menu by going to Configuration -> Network ->
Advanced Configuration -> HTTPS.
2. Click the "Create self-signed certificate" button.
3. Type in parameters such as country, hostname/IP, and validity, then click OK (there is no need
to provide any other information, just the first three fields).
4. Check the Enable HTTPS checkbox, and then click the Save button.
• When using HTTPS to access the device, type https://IP address:port number into the web
browser address bar (e.g. https://192.0.0.64:443).
• If a self-signed certificate is used, the web browser may pop up a warning notification,
because the certificate is not issued by a certificate authority the browser trusts.
IP Address Filter
• Hikvision network products provide IP address filtering, which allows or forbids access
from defined IP address(es).
• A typical configuration is to allow only the IP address of the server hosting the VMS
to access the device.
[Figure: IP address filter acting as a firewall/IP table in front of the camera, with a server, PC, laptop and mobile client reaching it over the Internet]
IP Address Filter
• Configuration -> System->Security-> IP Address Filter
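To show what the filter decides, here is an added example (not Hikvision firmware code) that evaluates an allow list or deny list the way the feature is described above: in allow mode only listed addresses or networks may connect, in deny mode listed ones are blocked. The VMS server address 192.168.1.7 and the sample connection attempts are constructed.

```python
import ipaddress


def parse_entries(entries: list) -> list:
    """Accept single addresses or CIDR networks, as typed into the filter list."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip: str, mode: str, entries: list) -> bool:
    """Decide whether a connection from client_ip passes the filter.
    mode 'allow': only listed addresses may connect; mode 'deny': listed ones are blocked."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in net for net in parse_entries(entries))
    if mode == "allow":
        return listed
    if mode == "deny":
        return not listed
    raise ValueError(f"unknown filter mode: {mode!r}")


# Constructed sample of connection attempts seen by a camera: (time, source IP).
ATTEMPTS = [
    ("08:00:01", "192.168.1.7"),    # VMS server
    ("08:00:05", "192.168.1.3"),    # office laptop
    ("08:01:10", "203.0.113.45"),   # unknown Internet host
    ("08:02:00", "192.168.1.7"),
]


def audit(attempts: list, mode: str, entries: list) -> tuple:
    """Split attempts into (accepted, rejected) source-IP lists under the filter."""
    accepted, rejected = [], []
    for _, src in attempts:
        (accepted if is_allowed(src, mode, entries) else rejected).append(src)
    return accepted, rejected


if __name__ == "__main__":
    ok, blocked = audit(ATTEMPTS, "allow", ["192.168.1.7"])
    print("accepted:", ok)        # ['192.168.1.7', '192.168.1.7']
    print("rejected:", blocked)   # ['192.168.1.3', '203.0.113.45']
```

Before enabling an allow list, make sure the address you are configuring from is on it; otherwise the device's web UI becomes unreachable from your workstation until the filter is changed from an allowed host or the device is reset.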
Digital Watermark
• Digital watermark technology embeds device information into the recorded video.
• Digital watermarks may be used to verify the authenticity or integrity of the video or to show
the identity of its owner.
Watermark
• Open VSPlayer and play a video clip from a Hikvision camera.
• Right-click on the video: Image Control -> Watermark
• The watermark information will be displayed on the video.
• Only Hikvision VSPlayer can check and display the watermark of the video stream.
Thank You