
Hikvision Network Design Basics

Uploaded by

Xet Albitos

Network Design Basics

Hikvision Certified Security Associate


Contents

• Network Basics
• Network Device
• Network Planning
• Bandwidth Planning
• Network Security
Network Introduction
A network is a collection of computers, servers, mainframes, network devices, peripherals, or other
devices connected to one another to allow the sharing of data.
In video surveillance, the network includes the core switch, Ethernet cable, fiber, IP cameras,
servers, etc.

[Figure: Local Area Network (LAN) with a router, switches, a WIFI AP, PCs, laptops, a WEB PC and a server, addressed from 192.168.1.1 to 192.168.1.11; the cable runs are labelled "90 meter rule".]
IP Address
An IP address is the only way to identify a device in the network.

Private IPv4 Address

• A private IP address cannot be used on the public network.
• On the public network, every IP address is unique, while different private networks can reuse
the same private IP addresses. This is an effective way to save IP addresses.

Private IPv4 address ranges:
10.0.0.0/8: 10.0.0.0 to 10.255.255.255
172.16.0.0/12: 172.16.0.0 to 172.31.255.255
192.168.0.0/16: 192.168.0.0 to 192.168.255.255
Why IPv6?
• Explosive growth in Internet users, devices and apps creates demand for more IP addresses.
• IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet.
• The replacement protocol, IPv6, uses 128-bit addresses and provides such a vast number of addresses that it can only be expressed mathematically: 3.4 x 10^38.
IPv6
• An IPv6 address is written in hexadecimal notation, with colons subdividing the address into eight blocks of 16 bits each.
• For example: 2001:0da8:65b4:05d3:1315:7c1f:0461:7847
• Hikvision cameras support IPv6 in three modes:
  • Manually: configure the IPv6 address manually.
  • DHCP: get the IPv6 address automatically from a DHCP server.
  • Route Advertisement: get an IPv6 address formed by combining the route advertisement with the camera's MAC address.
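
The Route Advertisement mode above, sketched as an added example (not Hikvision code): it assumes the interface identifier is built with modified EUI-64 (RFC 4291), which the slides do not state, and uses a constructed /64 prefix and MAC. The second function shows why this matters for inventory and privacy: anyone who sees such an address can read the device's MAC back out of it.

```python
import ipaddress

def slaac_eui64(prefix, mac):
    """Combine an advertised /64 prefix with a MAC using modified EUI-64 (assumed method)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 address formation needs a /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has 6 octets")
    octets[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def mac_from_eui64(address):
    """Recover the MAC embedded in an EUI-64 style address, or None if there is none."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":                         # marker bytes inserted by EUI-64
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                                      # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC)
    addr = slaac_eui64("2001:db8:65b4:5d3::/64", "00:11:22:33:44:55")
    print(addr, "->", mac_from_eui64(str(addr)))
    # The example address printed on the slide carries no EUI-64 marker
    print(mac_from_eui64("2001:0da8:65b4:05d3:1315:7c1f:0461:7847"))
```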
TCP vs UDP
• TCP (Transmission Control Protocol): ensures complete delivery of streaming data and better video quality, but real-time transmission is affected.
• UDP (User Datagram Protocol): provides real-time audio and video streams.

| TCP | UDP |
|---|---|
| Connection oriented | Connectionless |
| Provides reliable transmission | Provides unreliable transmission |
| FTP, HTTP | SNMP |
Common Port Number
• 20 File Transfer Protocol [Default Data]
• 21 File Transfer Protocol [Control]
• 25 Simple Mail Transfer Protocol
• 80 World Wide Web HTTP
• 443 HTTPS
• 8000 Server (for software access)
• 554 RTSP

Port number range: 0 to 65535

| Port range | Use |
|---|---|
| 0 to 254 | Public |
| 255 to 1023 | For company |
| 1024 and above | Random |
PoE Technology Overview
• IEEE 802.3af, the common PoE standard
  • Power sourcing equipment (PSE for short; a PoE switch or PoE module) supplies 48 VDC, 15.4 W power
  • Powered device (PD for short) receives 12.95 W
• IEEE 802.3at, the PoE+ standard
  • Power sourcing equipment (PoE switch or PoE module) supplies 48 VDC, 30 W power
  • Powered device receives 25.5 W
• PoE does not affect cable transmission capability or distance
• It is compatible with non-PoE devices
PoE Features

| Features | 802.3af | 802.3at |
|---|---|---|
| PD power | 12.95 W | 25.5 W |
| PSE power | 15.4 W | 30 W |
| PSE voltage range | 44 V-57 V | 50 V-57 V |
| PD voltage range | 37 V-57 V | 42.5 V-57 V |
| Cable type | CAT3 or CAT5 | At least CAT5 |
| Wire pairs for power supply | 2 | 2 or 4 |
SNMP
• SNMP (Simple Network Management Protocol) gives us the simplest way to monitor the working status of network devices. Normally, network devices only offer MIB-2 working status information via SNMP.
• Any network device which supports SNMP can be managed via SNMP management software. These network devices include switches, routers, servers, IP phones and so on. The classic SNMP model is as follows:

[Figure: Simplified SNMP model. The network manager's NMS (Network Management System) communicates over SNMP with the Agent (network devices which support SNMP).]

• Many Hikvision hardware devices support SNMP. Customers can use software (such as SolarWinds) to monitor the running status of all devices via SNMP. After this function is enabled and the trap address is entered, the SNMP management software can get all information from the device automatically.
• Some Hikvision software (such as the maintenance software SADP TOOL) uses the SNMP protocol to monitor software component and hardware status.
NAT
The basic principle of NAT

• In computer networks, NAT (Network Address Translation) is a technique which rewrites the source/destination IP address when IP packets pass through a router.
• As the private IP address of a local host can’t be routed on the public network, NAT can also “hide” the private IP addresses in the LAN so that it can protect the internal network.
1. Static NAT
One-to-one mapping between a public and a private IP address, configured statically.
2. Dynamic NAT
Mappings between public and private IP addresses are drawn from a shared IP address pool. An IP address is selected from the pool and assigned to a host, and the host releases the IP address after use.
3. NAPT (Network Address Port Translation)
Address translation based on “IP + Port”: a mapping is built between {private IP, private port} and {public IP, public port}, so that multiple private IPs can use one public IP to access the Internet.
NAPT Classification
• Full Cone NAT
• Restricted Cone NAT
• Port Restricted Cone NAT
• Symmetric NAT

[Figure: The basic principle of NAT. PC1 (192.168.1.100:5000) sits behind a NAT whose WAN IP and port are 187.15.85.75:3000 and reaches Server A, Server B (IP C : Port D) and Server C across the Internet.]

NAT converts the client address {192.168.1.100:5000} into a public address {187.15.85.75:3000} and
binds the two together.
Only after the internal host 192.168.1.100 has sent a data packet to Server A can 192.168.1.100
receive data packets sent by Server A to 187.15.85.75:3000.
Port Forwarding
• What’s Port Forwarding?
• Because of NAT, access initiated from the external network is discarded by the NAT. Port forwarding lets externally initiated access reach the server behind the NAT.
• In short, port forwarding allows a remote computer to connect to a specific computer or service in the internal network.
The control client and the VMS server belong to different local networks, which are connected by the Internet. Now the control client wants to access the VMS server. Let us check the communication process and find the problem.

[Figure: Control client (IP: 172.168.10.10) in Local Network A behind NAT Router A (WAN A); VMS server (IP: 192.168.1.100) in Local Network B behind NAT Router B (WAN B); the two routers are connected over the Internet.]

The local IP of the VMS server is 192.168.1.100. As we know, this is a private IP address, which can’t be used for communicating across the Internet. So the control client needs to access the VMS server by its public IP. In this network, the public IP of the VMS server is the NAT router’s WAN IP.
The control client sends a request directly to the NAT router’s WAN address. The request is blocked, because the NAT refuses any access initiated from outside.
To pass through the NAT, we normally need to set up port forwarding on the router. Routers offer several port forwarding functions, such as Virtual Server, UPNP and DMZ.
Port forwarding adds a static NAT rule on the router. Once incoming external traffic matches the NAT rule, the data is transferred to the specified host.
For example, we can use the virtual server function to add this NAT rule on NAT router B:

| External Port | Internal Port | Internal host |
|---|---|---|
| 81 | 80 | 192.168.1.100 |

This rule means that all data sent to WAN IP (B), port 81, will be forwarded to 192.168.1.100:80.
With the rule in place, the control client sends a request to WAN IP B, port 81. Router B receives the request and checks its NAT rules. A rule matches (external port 81, internal port 80, internal host 192.168.1.100), so the data is forwarded to the VMS server.
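
The NAT binding and the port forwarding walk-through above, modelled as an added example (a toy simulation, not router firmware or Hikvision code). The server and client addresses are constructed, and 187.15.85.75 from the NAT slide is assumed to be router B's WAN IP. It also covers a case the slides do not draw: a forwarding rule matches every remote host, not only the control client.

```python
from dataclasses import dataclass, field

@dataclass
class NaptRouter:
    """Toy NAPT router with port-restricted behaviour (illustrative model only)."""
    wan_ip: str
    next_port: int = 3000
    bindings: dict = field(default_factory=dict)  # wan_port -> (private endpoint, peers contacted)
    forwards: dict = field(default_factory=dict)  # external port -> (internal host, internal port)

    def outbound(self, src, dst):
        """Internal endpoint src sends to dst: bind a public port and remember the peer."""
        for wan_port, (owner, peers) in self.bindings.items():
            if owner == src:
                peers.add(dst)
                return (self.wan_ip, wan_port)
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.bindings[wan_port] = (src, {dst})
        return (self.wan_ip, wan_port)

    def inbound(self, remote, wan_port):
        """Return the internal endpoint that receives the packet, or None if it is dropped."""
        if wan_port in self.forwards:          # static rule: matches ANY remote host
            return self.forwards[wan_port]
        owner, peers = self.bindings.get(wan_port, (None, set()))
        return owner if remote in peers else None

def walk_through():
    router_b = NaptRouter(wan_ip="187.15.85.75")            # WAN address from the NAT slide
    pc1 = ("192.168.1.100", 5000)
    server_a, server_b = ("198.51.100.10", 80), ("198.51.100.20", 80)   # constructed
    client, stranger = ("203.0.113.5", 40000), ("203.0.113.99", 40001)  # constructed
    out = {"binding": router_b.outbound(pc1, server_a)}
    out["reply_from_a"] = router_b.inbound(server_a, 3000)    # allowed: PC1 contacted A first
    out["unsolicited_b"] = router_b.inbound(server_b, 3000)   # dropped: no prior outbound packet
    out["client_before_rule"] = router_b.inbound(client, 81)  # dropped: no forwarding rule yet
    router_b.forwards[81] = ("192.168.1.100", 80)             # the virtual server rule 81 -> 80
    out["client_after_rule"] = router_b.inbound(client, 81)
    out["stranger_after_rule"] = router_b.inbound(stranger, 81)  # forwarded as well
    return out

if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step:22} {result}")
```

The last result is the one to carry into a design review: once port 81 is forwarded, the VMS server's own access control is the only thing standing between it and every Internet source.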
UPNP (Universal Plug and Play)
UPNP can open specific ports automatically through the UPNP protocol, but it only supports a single layer of NAT. You can find this function on hardware devices such as NVRs and IPCs.
Common Transmission Media
• Twisted pair cable
• Fiber cable
• Coaxial cable
• Wireless
Network Interface Card
• NIC interface types include PCI, PCI-E and USB.
• Each NIC has a unique 48-bit hex address, which is called the MAC address.
• A NIC allows devices to communicate through the network.
How does the PC obtain an IP address

Dynamic Host Configuration Protocol (DHCP)
The NIC can obtain an available IP address from a DHCP server. The DHCP server is usually the router or a switch with an IP allocation function.
Select "Obtain an IP address automatically" in the NIC properties.

Configure IP address manually
You can configure the IP address manually. Make sure that the IP address is available and that the subnet mask and gateway are correct.
Domain Name & Domain Name System
A domain name is an identification string that defines a realm of administrative autonomy within the
Internet (such as hikvision.com). Domain names are used in various networking contexts and for
addressing purposes. In general, a domain name represents an IP address on the Internet.
When you access www.hikvision.com, the domain name is first translated into an IP address by the DNS
server; then your computer accesses the website via that IP address.

[Figure: name resolution between the PC, the DNS server and the Hikvision website]
1. The PC sends a name resolution request to the DNS server.
2. The DNS server returns the IP of the domain name.
3. The PC accesses the website on the Internet by IP address.

DNS Configuration
• The DNS server can be obtained automatically from the router by DHCP, or it can be set manually, as in static IP address configuration.
• Commonly used DNS server: 8.8.8.8 (overseas)
• Obtain from ISP (Internet Service Provider)
Switch
• Main function: extend network, repeater
• Large network: core switch and edge switch
• Small network: one switch
• Basic switch: supplies connection
• Management switch: supplies security/address/power management and QoS
Switch Model Selection
• Backplane bandwidth (Gbps)
  • The maximum data throughput between the switch interface processor and the data bus.
  • Backplane bandwidth is the amount of data that the switch can handle. It should be twice the quickest speed of all the ports of the switch. This value can be used to judge the forwarding performance.
• Packet forwarding rate (Mbps)
  • How many mega packets the switch can forward in one second.
  • It indicates the exchange capacity of the switch.
Router
• Main function: data output gateway to connect to the Internet
Network Structure-Full Mesh
• Advantage
  • Highest redundancy level
  • Reduces network load
• Disadvantage
  • Needs more switches and cables
Network Structure-Star
• Advantage
  • Easy management and maintenance
• Disadvantage
  • There may be a network bottleneck
  • No redundancy
Network Structure-Extended Star
• Advantage
  • Supplies some redundancy
  • Supplies some load balancing
• Disadvantage
  • Needs more switches and cables
Network Structure-Partial Mesh
• Advantage
  • Redundant links between devices
  • Easy to extend without affecting current users
• Disadvantage
  • Needs more switches and cables


Network Design-Small System
• Single switch
• PoE can be used
• Transmission distance less than 100 m
• Easy to install
• No redundancy

[Figure: small-system topologies; labels: Switch, NVR without POE, NVR with POE.]
Network Design-Flexible System Scale
• Two-layer structure
• PoE can be used
• System can be upgraded
• Easy to install
• Redundancy is available

[Figure: two-layer topology; labels: Access Switch, Access Switch, Core Switch.]
How To Calculate Bandwidth and Storage
• Hikvision design tool
HTTPS
• Hyper Text Transfer Protocol over Secure Socket Layer
• A communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. It adds the security capabilities of SSL/TLS to standard HTTP communications.
• The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks.
• Default port number: 443
• The HTTPS port can be changed if desired (port numbers range from 1-65535)

[Figure: protocol stacks. HTTP (default port 80): Application data over TCP, IP and Link (MAC). HTTPS (default port 443): Application data over SSL/TLS, then TCP, IP and Link (MAC).]
IP Address Filter
• Hikvision network products provide IP address filtering, which allows or forbids access from defined IP address(es).
• A typical configuration is to allow only the IP address of the server that hosts the VMS to access the device.

[Figure: IP address filter. A server, PC, laptop and mobile client reach the camera across the Internet through a firewall/IP table.]

• Configuration -> System -> Security -> IP Address Filter
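
How the allow and forbid modes of such a filter decide, as an added example that is not Hikvision code: the mode names, the acceptance of CIDR ranges and the log format are assumptions of this sketch, and the connection attempts are constructed. It replays attempts against a camera and lists the ones a given filter would reject, which is a quick way to review a planned allowlist before applying it.

```python
import ipaddress

def build_filter(mode, entries):
    """mode "allow": only listed sources pass. mode "forbid": listed sources are rejected."""
    if mode not in ("allow", "forbid"):
        raise ValueError("mode must be 'allow' or 'forbid'")
    nets = [ipaddress.ip_network(entry, strict=False) for entry in entries]

    def permits(source_ip):
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False                      # fail closed on a malformed source
        listed = any(addr in net for net in nets)
        return listed if mode == "allow" else not listed

    return permits

# Constructed connection attempts to a camera: "<source ip> <destination port>"
SAMPLE_ATTEMPTS = """\
192.168.1.100 8000
192.168.1.100 554
192.168.1.3 80
203.0.113.44 554
not-an-ip 80
"""

def rejected_attempts(log_text, permits):
    """Return the (source, port) pairs that the filter would reject, in log order."""
    rejected = []
    for line in log_text.splitlines():
        source, port = line.split()
        if not permits(source):
            rejected.append((source, int(port)))
    return rejected

if __name__ == "__main__":
    # Typical configuration from the slide: only the VMS server (192.168.1.100) may connect
    vms_only = build_filter("allow", ["192.168.1.100"])
    print(rejected_attempts(SAMPLE_ATTEMPTS, vms_only))
```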
Digital Watermark
• Digital watermark technology embeds the device information into the recorded video.
• Digital watermarks may be used to verify the authenticity or integrity of the video or to show
the identity of its owners.
Watermark
• Open VSPlayer and play a video clip from a Hikvision camera.
• Right-click on the video: Image Control -> Watermark
• The watermark information will be displayed on the video.
• Only Hikvision VSPlayer can check and display the watermark of the video stream.
Thank You
