Which Private IP Addresses Do You Use For IP Video?

When it comes to setting up a standalone network for security/surveillance, what IP addressing scheme do you use and why?

In my experience, this was pretty heavily influenced by the default settings in the switch. Whatever scheme the switch maker (ie: Cisco, HP, Linksys) used at the factory often ended up being the base for the production scheme.

In retrospect, this seems terribly lazy (err: EFFICIENT). What scheme do you use?


Something else? I've always been a 192.168.1.x man myself.

Aren't the private subnets actually:

  • 10.xxx.xxx.xxx
  • 172.16-31.xxx.xxx
  • 192.168.xxx.xxx

I believe you are right, although my examples use the common default ranges.

You "can" use "any" IP address range in a closed network.

You can use any IP address range in a non-public facing network, or more specifically, a non-routable network. However, it is extremely bad practice to use addressing outside of the designated private (as well as experimental, and reserved) ranges. This is mostly because the other ranges are specifically licensed to other organizations.

I typically use a 192.168.x.x scheme with a brand new install and when the customer doesn't necessarily care.

I have used a 10.x.x.x scheme for larger installs and to leave room for future growth.

We used to use 192.168.x.x but IndigoVision defaults to 10.5.x.x so it was easier to go with the flow.

Really Depends on who it is for.

VPNs usually allow me to build my own with in thier network

so if i choose the 192.168.0.0/1 or what , it wont matter

Some require I build with in thier protection platform.

10.0.0.0/ what ever i choose for the build.

If Im lazy then i use the default for the basic systems with alot of tricky passwords,user names

lots of number,capital,lower case, and letters , numbers so if you try you will really have to work hard at decoding and usually get tired of it.

Something in the 10.xxx network other than 10.0.0.xxx. Much less likely there will be a customer network using that scheme. A router should not influence it since 95%(?) of the time the camera network is standalone and not part of a customer LAN or have an Internet connection.

90% of customer networks are in the 192 and 172 IP address range schemes.

I use what the client's requirements dictate. I prefer to utilize something in the 10.xxx.xxx.xxx network, but often the client's hardware limits the options available. Almost all of my installs require the ability to connect to the system from the Internet. In some cases, the client wants email alerts for some cameras when motion has been detected which necessitates the connectivity. If the hardware permits creating a separate subnet/network for the cameras, then I will do so. This adds the ability to create ACLs and firewall rules to restrict access according to the needs of the client.

It is worth noting that the "switch" manufacturer is not typically determining the network in use. A typical switch operates at layer 2 which has no knowledge of IP addresses. It is the layer 3 device (router/bridge) that determines the IP range that is capable of connecting to other networks. It is an easily confused situation given that many SOHO routers have built-in switch ports for the LAN.

Though managed layer 2 switches which are administered thru a built-in a web server will often come with a default IP address.

Most of our installations are done using 192.168.1.X. In some situations the IT group at the customer site may want us to put our devices (whether camearas or door controllers) onto their network and in such cases we provide the MAC and they will proving an IP Address.

The 10.x.x.x subnet is shorter to type!

All of the above? We have no set standard and it will vary job to job but 192. and 10. are the most common by far. We will usually base it on the equipment being installed. If it is our own network I like to turn DHCP off and use a non standard subnet scheme.

This may sound like a rookie question, but what are the advantages in using a non-standard subnet scheme?

NOTICE: This comment has been moved to its own discussion: Should Non-Standard IP Addresses Be Used?

If you have a physically seperate camera network with the same IP addresssing scheme as the LAN network, say for example both are 192.168.1.x, even if the NVR has 2 seperate physical network cards with one connecting to each, it can cause network issues for the NVR because it can get confused about which direction traffic should go.

If the cameras are on the same LAN, using a seperate subnet, or IP addressing scheme, can help make sure it does not conflict with other computers and devices on the LAN if one or more happen to use the same IP addresses. It can also make it easier to segregate traffic on the NVR- for instance you can make sure that the NIC servicing viewing clients is also not pulling camera streams because each are using different IP subnets.

Luis, I don't think that was what he was asking. He was asking why someone would go through the trouble of using custom subnets on a private network.

For instance:

IP Scope: 10.10.10.1~32 or 10.10.10.0/29

Subnet Mask: 255.255.255.248

To actually address the question Jerome asked above, I think they do this out of some false sense of added security by confusion. Or, job security because most end users wouldn't be able to maintain this network on their own, most likely. I would never use this approach.

"To actually address the question Jerome asked above, I think they do this out of some false sense of added security by confusion. Or, job security because most end users wouldn't be able to maintain this network on their own, most likely. I would never use this approach."

Partially yes, but I dont think for the reason you assume. It keeps the average joe out of our network. Most of our installs are small business, residential installs with no on site support. This does keep them out of it. It also is somewhat standardized so that a tech knows what the address scheme is without any investigation. I dont have very many talented techs that understand networking. We are a 40+ year security company with a good number of older techs that just wont move into this era.

It makes me feel better and does no harm in the scenarios above. The places I would use this approach will never have outside support of these systems. A larger integrated system at a site with IT I wouldnt even bother and would ask them to decide how they want it configured.

EDIT: I should have used address scheme instead of subnet to eliminate the confusion. I was not referring to non standard masking as stated below.

Luis' interpretation is unobjectionable. Jerome was only echoing David's use of 'non-standard subnet scheme', and neither one of them mention subnet masking directly, only non-standard subnets which may or may not involve masking.

Masking is not (in this forum) a rookie question in any event.

Not to start a war or anything, but how else do you interpret "non-standard subnets" without involving masking?

Maybe we should just wait for Jerome to clarify what he meant.

Jerome's question is substantial enough to stand alone, so I started this: Should Non-Standard IP Addresses Be Used?

Let's continue that line of conversation there. Thanks everyone.

Sorry for not replying before now, but I caught a nasty bug and have been out of commission for a few days. Although I will post my reply in the new topic created, I just wanted to post a hardy thank you for the replies in this discussion.

Could you give me just one example what is non-standard subnet in your mind?

If I am designing the camera network I almost always use a 192.168.187.xxx/24 network. Depending on camera count subnet will be changed to accomadate for the additinonal cameras. If I am doing a multi building install then we will have a different network at each location. I never use 192.168.0.xxx or 192.168.1.xxx because those are too common and sometimes can have negative effects when going in through a VPN.

Do you have a specific reason to use the CA penal code for murder as your IP scope? Are you a fan of Snoop Lion?

That was actually Dr. Dre feat. Snoop Dogg.

Yes, but he now goes by Snoop Lion as you can see here...

Thats funny... never realized that until you just brought it up

10.XXX.XXX.XXX /22

we have taken over several sites in the past month where the previous dealer has kept the zeroconf (169.254.x.x) ip addresses that were assigned to the camera on intial startup...

HAHAHAHHAHAHAHAH =D

Hi, we are using 10.X

Thanks

This is one reason I believe that IP camera installers should carry low level IP/networking certifications. The IP range you choose should be dictated by the size of the environment. Class A, Class B, and Class C addresses each allow a certain number of maximum hosts to be present in a subnet, or for a maximum number of subnets to be designated in a network. The class range should be chosen based on those determining factors. For virtually every install, this will fall into the Class C range of 192.168.x.x. It is good practice to have cameras on a separate subnet from any other traffic. This isolates security traffic. It also keeps the security equipment off of default plastic addresses so that it is harder to find. Additionally, because it's on a separate subnet, firewall rules become much easier to manage.

It is good practice to have cameras on a separate subnet from any other traffic. This isolates security traffic.

Isolates how exactly? You know that you can run multiple random subnets on the same LAN switches (without using VLANs).

Do you mean logically or after being routed?

I have my low level networking cert (Net+). First off, classful networks are a thing of the past now with CIDR. Even if they were around, 192.168.x.x wouldn't be a Class C network, as a Class C network would only have 8 bits for the host portion.

VLANs are really for segregating traffic on the same subnet. I was suggesting separate address ranges using different subnet masks. It's fine if they run on the same hardware (though for fault tolerance, I typically like security on its own switch). Having separate subnets means that security traffic is not routable with LAN traffic unless specific firewall rules allow it. i.e. John Doe salesman can't hop on your WiFi hotspot and run an IP scan to find your cameras. Neither can a burglar in your parking lot.) If the traffic is segregated on different hardware, it also prevents disgruntled LAN users from attacking your security system from the inside. Aside from that, video traffic tends to come at a huge bandwidth cost for most networks so that should be a consideration as well.

Having separate subnets means that security traffic is not routable with LAN traffic unless specific firewall rules allow it. i.e. John Doe salesman can't hop on your WiFi hotspot and run an IP scan to find your cameras.

You are assuming that there is a router between the camera network and sales network. They could be on different subnets but plug into the same LAN switch (without a VLAN).

I made no mention of a router. Separate subnets plugged into the same switch (without a router) is perfectly fine and exactly what I was suggesting. Without a router, separate subnets are non-routable (that's the entire point behind subnetting). The exception to the rule is a managed switch that provides layer 3 functionality. But even so, the default is to have subnets as non-routable. You would have to change that explicitly.

Nodes in separate subnets cannot communicate with each other without a router in between because they are in different logical (and sometimes even physical) networks. VLANs are very similar in function except that they segregate traffic within the same subnet. The problem with VLANs is that every device on the network must support them. If any one of them doesn't, it defeats the purpose.

Having separate subnets means that security traffic is not routable with LAN traffic unless specific firewall rules allow it. i.e. John Doe salesman can't hop on your WiFi hotspot and run an IP scan to find your cameras.

Ok, I think I understand, you mean from wifi and John Doe is not an employee of the company. If John Doe could plug his laptop into the network though, the seperate subnets would not stop him from getting to the cameras, and therefore subnetting doesn't equate to isolation as you stated: "This isolates security traffic."

The problem with VLANs is that every device on the network must support them. If any one of them doesn't, it defeats the purpose.

Do you mean supporting VLAN tagging? Simple VLANs that segregate traffic on a single switch by port, for instance, do not require any special support.

If John Doe plugs into the physical network, he still cannot access the cameras if they are on separate subnets even if they are plugged into the same switch. That's why subnets are used to segregate traffic and why I'm suggesting people use them for security.

As for VLAN tagging, every piece of equipment on the network must support tagging in order to have traffic routed properly. It sounds like you might have a specific piece of equipment in mind that you are referring to when you say simple VLANs so I can't really go any deeper into that without knowing the specifics. But true subnets are generally more secure than VLANs.

VLANs should be used for quality of service and bandwidth control. Subnets should be used for security.

If John Doe plugs into the physical network, he still cannot access the cameras if they are on separate subnets even if they are plugged into the same switch.

Sure he can, he just needs to add an ip alias for the subnet(s) he wants access to, like so (in Windows):

As for VLAN tagging, every piece of equipment on the network must support tagging in order to have traffic routed properly.

I agree, for VLAN tagging. But your statement was about VLANs in general:

The problem with VLANs is that every device on the network must support them. If any one of them doesn't, it defeats the purpose.

VLANs without tagging, can be used to seperate a single physical switch into 3 seperate switches, each with segregated traffic. Since this is done internally to the switch, no support is needed from any outside devices.

Sure, John Doe could add a gateway to another subnet, but he would first need to know it exists and where to find it. Since it won't appear on a network scan, this attack vector is fairly well mitigated. It also assumes that the firewall is turned off. The default for every device I can think of it to disallow traffic between subnets unless explicitly allowed. So even if John Doe adds the gateway, it only means he can send packets intended for that network. It doesn't mean they will be delivered or that he will receive a response.

A VLAN on a single device is virtual equivalent of a subnet. That would be fine. But VLANs are typically used in environments with more than one network device. Again though, the rule applies. Subnets should be used for security and VLANs for QoS.

Since it won't appear on a network scan, this attack vector is fairly well mitigated.

ARP tells you all you need to know.

So even if John Doe adds the gateway, it only means he can send packets intended for that network. It doesn't mean they will be delivered or that he will receive a response.

You have misunderstood, I'm not suggesting adding a gateway, I'm saying add an IP alias (the top part of the screenshot I gave.)

Anyway, this may be really useful for you if you haven't heard of it before because it's a quick way of connecting to a camera's factory defaulted IP addresses without hassle.

For instance, in your alias list, you could add entries for 192.168.0.200 and 192.168.1.200 and 192.168.2.200 and other any other addresses which reside within the subnet of various cameras default addresses.

Then you can address them directly in the browser by IP.

Get a laptop and two cameras with hard addresses on different subnets and plug them all into a dumb switch.

Then add alias addresses that reside in both cameras subnets.

You should be able to access either camera in either subnet.

Aliasing an IP places a single node in an additional network. Yes, very useful for attaching to devices with default addresses. Also useful when connecting to a VPN.

But again, the attacker would still need to know what network to alias.

I think you need to take a networking course or read up on it. After that, consider contacting your customers where you've implemented this "security".

I'm a certified network admin. I think you're missing what I'm saying.

The security is in the firewall rules. Firewalling is easier to implement and more logical to implement on subnets.

I'm a certified network admin.

I've had my certifications too and been at this for 20 years. With all due respects, we'll have to agree to disagree, and I strongly disagree.

Fair enough.

Just so I understand your stance, are you suggesting VLANs are better than subnets for security, or suggesting that neither one is necessary for IP camera networks?

Using the words "subnet" and "security" in the same sentence is like using the words "pen" and "car" together. They are unrelated, and one does not imply another.

The word "subnet" means sub network. As it, a part of a larger overall network. Typically it is used to break down a larger network scope into two or more smaller scopes. For example...

192.168.0.0/23 (MASK 255.255.254.0) can be broken into two evenly sized subnets, 192.168.0.0/24 and 192.168.1.0/24.

If you have a single "dumb switch" with a surveillance system in one subnet and computers in another subnet, there isn't much benefit at all, because the switch doesn't care what your IP is, it doesn't know anything about protocols above layer 2 (MAC).

If anyone connected to any individual port in that switch wants to talk to one, or both subnets, they can easily do so. Also, any broadcast traffic from one subnet will still be forwarded to all other ports in the switch. The NIC's of computers in one subnet will still receive the broadcast packet, but the NIC will discard it unless that computer also has an IP binding for that subnet range.

Where security begins to come into play is when you replace that dumb switch with one supporting VLANs, and then you split up all the switchports between the two VLANs. At that point, you have roughly the same level of security as you would if you had just added a second dumb switch and used each one for different subnets (and did not bridge the two).

Rob, I think you may be mixing the working of VLAN's and routing, but I could have been reading it wrong. At the very least relying on IP addresses having different network addresses to segregate and secure traffic when they are on the same physical LAN is not the way to go. If you have an outside camera I can get to, I can connect a laptop and use a packet sniffer to capture network packets to figure out the subnets in use, then change my laptop IP to match whatever network address I want to scan and probe. Same can be if I can get a connection inside.

You can't packet sniff across physical networks without first hacking into the switch to mirror ports.

If you connect to a camera, you can't sniff the internal LAN. If you connect to the internet LAN, you can't sniff the security LAN as long as they are on separate subnets.

The only way to sniff from one to the other is to take a LAN port and mirror a camera port or vice versa because the switch physically will not route internal LAN traffic to the port that the camera is attached to.

Not necessarily true of VLANs which is why I'm suggesting subnets for security.

You can't packet sniff across physical networks without first hacking into the switch to mirror ports.

How much time have you spent with Wireshark on a "typical" network?

There is a lot of broadcast traffic that goes on, and being that broadcast packets are Layer 2, any devices plugged into the same physical switch (or physical LAN) will get those packets. Even if their Layer 3 (IP) addresses are not on the same IP subnet.

Using IP subnetting as the primary "security" mechanism on a multi-service LAN is the equivalent of hanging a "Keep out" sign on your door. Yes, it will keep *some* relatively low-level/low-skill people out, but it is overall a false barrier.

The only way to sniff from one to the other is to take a LAN port and mirror a camera port or vice versa because the switch physically will not route internal LAN traffic to the port that the camera is attached to.

Not necessarily true of VLANs which is why I'm suggesting subnets for security.

If you have a dumb switch where all the connected devices are using a couple different IP ranges, I don't need to do port-mirroring to get a sense of what is going on. All I need to do is connect to any port, fire up Wireshark, and I'm going to immediately see broadcast traffic.

Within seconds I'm going to start seeing packets like "Who has 192.168.1.100? Tell 192.168.1.5"

Conversely, if you have a security network, and a business network, and those networks are run on different VLANs, there is absolutely no way I can connect to your security network from your business network. I won't see any broadcast traffic at all, I won't even know it exists, unless I hack your switch.

The only way VLANs do not add security in this way is if one or more of your VLANs have tagging enabled on a specific port. But you usually mark access layer switch ports as untagged unless you are connecting something like a server running a hypervisor with VLAN tagging awareness. If you ever find you have tagging enabled on an access-level switch port, you should find out why.

You are correct. That's exactly why I'm saying subnets are used for security.

Subnets are used to divide a network into smaller scopes so that firewall rules for each can be managed independently.

VLANs should be used to segregate traffic within a subnet for QoS.

I'm not suggesting that one can't be used for the other, I'm stating that these are best practices and how networks should be built.

Also, a dumb switch can't be used for subnetting. Each subnet would be on its own switch. (The only way to create physical subnets.) Subnetting as an addressing scheme only applies if you are actually doing addressing which you have correctly mentioned requires a Layer 3 device.

Also, a dumb switch can't be used for subnetting

A dumb switch can absolutely be used for subnetting. It is virtually equivalent to using VLANs. A VLAN is nothing more than dividing a single switch into multiple virtual switches.

Switches do not know anything about your IP's / subnets (ignoring for a moment the router which is built-in to a layer 3 switch). So you can subnet all you like within a single network, or multiple physical or virtual networks.

Where the confusion appears to be is the implied implementation behind the term "subnet". It sounds like when you subnet a network, you are putting each individual network range on their own VLAN or physical dumb switches, and routing between them as needed. And this does add security. But the term "subnet" does not automatically mean all of the above, so it is dangerous to say that subnetting adds security unless you also explain the other activities implicit in your statement.

There is absolutely zero security benefit to having devices in different subnets on the same physical dumb switch or VLAN.

VLANs should be used to segregate traffic within a subnet for QoS.

VLANs should be used to separate different subnets. You generally do not split a single subnet (like 10.1.1.0/24) between two VLANs unless you are subnetting that subnet into 10.1.1.0/25 and 10.1.1.128/25 for example. And while splitting networks into VLANs can improve quality of service by reducing the size of the broadcast domain, there is no other implied QoS (there's a whole world of unrelated QoS protocols and strategies).

A VLAN on a single device is virtual equivalent of a subnet

A VLAN, in every conceivable arrangement, is a virtual local area network. The term subnet is strongly related to IP address ranges which are entirely irrelevant to the concept of VLAN.

Subnets typically share a broadcast domain unless you physically (different physical networks) or virtually (such has with a VLAN) separate them.

In a shared broadcast domain - such as where subnets are the only divider - it is relatively easy to "see" from one subnet to the next. For instance, I have had times where I didn't know a subnet assignment so I just set my test computer to 255.255.0.0 and was able to communicate with all devices in the appropriate IP range, regardless of subnet.

VLANs are offer a similar concept to using separate switches and networks - it is just done virtually rather than physically. Unless VLAN traffic is specifically routed or bridged to another VLAN (not a best practice), one VLANs traffic cannot see or be seen from another VLAN.

This is perhaps an oversimplification, but I think it conveys my point well.

IT professionals typically recommend a 1:1 relationship for VLANs and subnets. This is a best practice, rather than a must do. A single VLAN can carry multiple subnets, since the VLAN is basically a virtual switch working at L2. Subnets are L3 and are IP-related. A subnet can be split across multiple VLANs, but again, unless routed or bridged at some specific point, the VLANs can't see each other.

Both VLANs and subnets can be used as security measures, but in different ways. VLANs virtually segregate network traffic. Subnets segregate IP addresses to SOME extent, but not totally while on the same physical network (or VLAN).

If you are wanting the better security solution, use VLANs with dedicated subnets (the 1:1 relationship).

And then implement MAC filtering.

Changing your subnet mask to 255.255.0.0 should not work if the network is configured correctly.)

Each IP address represents a 32-bit binary number that identifies the network that a node belongs to, and identifies the node. The subnet mask determines what the length of the network portion of that ID is. The broadcast address is the highest IP address in the range.

For my example, I'll use the network beginning at 192.168.1.1 since most people are familiar with it.

A standard /24 network using the subnet mask 255.255.255.0 has a broadcast address of 192.168.1.255.

By changing your subnet mask to 255.255.0.0 you are now on a network whose broadcast address is 192.168.255.255

Now, there's an age-old argument that ensues here about terminology. Most people will define a broadcast domain as all nodes connected on one side of a router. So any devices connected to a switch (since it's not a router) would be in the same broadcast domain as defined by CCNA, etc. HOWEVER, those definitions also assume that all of the nodes connected to a switch are intended to communicate with one another on the same network and share the same subnet mask. That's a huge assumption. If you intentionally give them different subnet masks, it segregates broadcast traffic. Yes, you can still sniff it out, but for general purposes it's simply dropped by any NIC that uses a different subnet mask.

I also get what you're saying about 1:1 relationships between VLANs and subnets and I don't disagree. They both accomplish essentially the same thing, VLAN at layer 2, subnetting at layer 3.

However, my suggestions still remain. I prefer to do QoS at layer 2 (since it's often required there anyway--many VOIP phones work at layer 2 and do not have IP addresses). I implement security rules mainly at layer 3. Especially in networks that use DHCP this is far easier to maintain than MAC filtering. I'm not suggesting that you don't have security at both layers. I would implement an example network like this:

10 IP cameras with Static IP addresses connected to a single dedicated PoE switch using addresses from the 192.168.50.0/24 space. (255.255.255.0 subnet mask.)

10 VOIP phones (no IP addresses), 5 workstations, connected to a second switch using DHCP addresses from the 192.168.1.0/24 network. Phones use VLAN 10, workstations use VLAN 150.

Both switches connected to UTM device (wireless router) with internet connection.

Wireless users are assigned a DHCP address from the 172.16.0.0/24 range (Easier to recognize in logs) with client isolation.

The UTM device acts as a firewall/router. It prevents communication between the cameras and the workstations. QoS is set up for VLAN 10 to ensure quality of service for voice calls. Bandwidth quotas are set up for VLAN 150 to control workstations.

For simplification, I'm not including any servers, VPNs, or DMZs.

There's a "global" broadcast address of 255.255.255.255, and there's a network-specific broadcast address which is the last IP of the subnet (192.168.1.255 for example). ARP will use the global address while other high-level protocols will typically use the network broadcast address.

In both cases, unless you have used VLANs, or just different physical network switches per subnet, you can communicate with any node on the network regardless of what their network address is. And every NIC on that network is receiving every broadcast packet whether it is the global address or a network-specific address. The NIC then has to decide whether to ignore that packet or pass it up the stack based on the bound network address(es).

VLANs there for provide up to the same level of security as using different physical switches for your phones and for your cameras, but using different subnets on it's own adds zero security.

VLANs do not have any QoS features on their own, it is up to the switches and routers to add this. I'm assuming when you say you use VLANs for QoS in this context, you mean that they allow you to shield networks from each other's broadcast traffic? That is definitely true, and can improve the quality of service, but is far from actual/active QoS such as diffserv.

I'm curious which VoIP phones you are using? You connect them to a TCP/IP network yet they do not use TCP/IP? I'm not saying it's not possible, but I've never seen a VoIP phone without an IP address, and I'm not sure I would want to use it.

Not sure how many others are out there, but ESI's line of IP phones are layer 2 devices. They can plug in directly or bridge between your workstation and switch, but they do not get assigned an IP address.

...ESI's line of IP phones are layer 2 devices. They can plug in directly or bridge between your workstation and switch, but they do not get assigned an IP address.

Then they are not by definition IP Phones.

Definition of IP phone: A telephone that converts voice into IP packets and vice versa for voice over IP (VoIP) telephone service.

That would be like an electric car that doesn't use electricity.

The IP phones do not have configurable network options (unless being set up as a standalone remote, then you specify the external IP of the PBX server). ESI techs always say that they are layer 2 devices, despite the fact that they do use true VOIP (as verified by closing the UDP ports in the firewall will kill communication).

I decided to curb some curiosity.

When the phones attach to a network, they reach out to a local ESI server (listening on a hard-coded IP address, in addition to it's configured LAN addresses). That server responds with a hard-coded IP address based on the IP phone's MAC address. I'm not on-site to verify but it's seems like the PBX is acting as a DHCP server, but only responding to requests originating from ESI MAC addresses.

Next time I'm on-site I'll fire up Wireshark and see if there is a handshake.

But the documentation is not correct. They are not layer 2 devices.

It all comes down to the fact that if devices have different subnets but are on the same physical or virtual network segment, they will receive basically all the traffic on that segment. As U8 and others have noted, the devices' NICs then have to decide whether or not pay attention to that traffic.

Ignoring traffic is not the same as having security. Using firewalls is fine to some extent, but it doesn't fix the issue that if a device is connected to a broadcast segment, it can potentially see all of that segment's traffic, regardless of subnet assignments. VLANs virtually segregrate ports on a switch to provide a more secure, dedicated broadcast segment.

For instance, I have had times where I didn't know a subnet assignment so I just set my test computer to 255.255.0.0 and was able to communicate with all devices in the appropriate IP range, regardless of subnet.

Kevin, I agree that this will let you send packets to devices on any of the subnets, however there's a problem that usually prevents getting a reply.

Lets say that you are using IP 192.168.0.1 MASK 255.255.0.0 and the camera is using 192.168.1.1 255.255.255.0.

When the camera tries to reply it will think that you are not on the same subnet, therefore it will send the reply packet to the default router.

Great Debut Guys

Keep on , Im learning a lot

cff/ppp

Private lan? Add your own router then DHCP with reservations.

Try it!

172.17.xxx.0

192.168.x.x

10.5.xxx.xxx