Access: IP Readers vs. Control Panels

Author: Ethan Ace, Published on Jun 16, 2012

Should you continue to use traditional centralized, panel-based access control or does it make sense to use IP readers? Let's overview the 2 key options:

  • Control panels: Traditional access control systems have used control panels, typically controlling two, four, either, or more doors each. In these configurations, door devices are typically homerun to centrally located panels, though in larger facilities, panels may be distributed throughout. The panels, in turn, typically connect to the access control server via IP, though older or low-end systems may still use serial data connections.
  • IP readers: In the second, more recent, approach, intelligence is moved to the door, with a small (1-2 door) control panels located throughout a facility. While some readers now accept a direct IP connection, many deployments move the controller to the edge connecting to a traditional reader very close by. To that end, 'IP reader' is a misnomer, but expresses the intent of this shift.

The traditional approach of larger control panels has caused some problems:

  • Often, customers were forced to install four-door control panels to control one or two doors, which drove cost for these small systems up drastically.
  • Adding a door here or there, out of reach of existing the existing panel or panels, required a new multi-door panel to be installed.
  • IT staff is less comfortable with traditional security wiring. As security systems have become more IP-based, they have fallen more and more under control of network engineers and RCDDs. IP readers allow these designers to follow more familiar cabling topologies, making them more attractive.

While the traditional panel approach has issues, concerns about moving to IP readers also raised concerns including issues with sufficient power, manufacturer support, economics and scalability.

For background, we recommend you review HID makes the case for the edge to see how manufacturers pitch the idea of IP to skeptics.

Inside the Pro section, we examine the tradeoffs, key issues involved and make recommendations on best fits.

Note: inside the report, we will use the term 'edge controllers' rather than 'IP readers' for greater technical accuracy in describing the use of IP at the edge for access control.

Recommendations

Determining use of edge controllers vs. traditional panels depends on 3 fundamental questions:

  • Does your access control management system support it?
  • Will your locks support it?
  • What is the scale/reader density of the system?

The first issue is the simplest: Does the access management system in use or planned support these types of readers? While edge controllers have become much more common in the past couple of years (especially PoE varieties), a number of systems still lack support, or support only RS-485 connected versions. 

The second important consideration when selecting IP controllers is whether PoE will provide enough current to power the needed locks. Be sure to check the locking hardware specs for inrush and constant current, to make sure the controller output will be sufficient. Almost all electric latch retraction devices or high holding strength maglocks will require more power than PoE-powered controllers will provide, so in these cases a separate power supply must be provided, either centralized with network equipment or local to the door.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Regarding system size, there is no hard and fast rule as to where edge controllers are appropriate, but we recommend the following:

  • In very small systems (1-4 doors): Pushing controllers to the edge makes a lot of sense. Cabling and installation expenses are much smaller, and installing a single door doesn't require the purchase of a four-door panel, with three wasted ports. However, using single-door controllers without an access control system to manage all of them may become tedious if frequent changes are made, as each controller must be maintained individually. For a couple of doors in a small facility, this most likely will not be much of a timesink.
  • In medium-sized systems (4-32 doors): Edge controllers also make a lot of sense in systems of this size, as they're not so big that maintaining hundreds of doors attached to single-door controllers across a facility or campus becomes cumbersome. Adding this number of doors to a network is normally not much of an issue, either, as it incurs little added management, and even lack of PoE switches can be overcome for relatively little cost.
  • In large-scale systems: Most likely it will be easier to manage multiple-door control panels as opposed to single-door controllers. Maintaining a network to support only the access controllers will add substantial cost. However, selecting access management software that supports edge controllers will allow single doors may be added to new locations later at a much lower and more predictable cost.

Basics of Using Edge Controllers

While there are some variances between manufacturers of edge controllers, there are some common capabilities most share:

  • Power-over-Ethernet: One of the factors driving reduced costs of edge controllers is power-over-ethernet capability. This allows for the controller to be located near the door, reducing the cable that was traditionally run from a centralized control panel. It also simplifies power requirements, since no additional power supplies need to be installed for door control. PoE may not be a good choice for every door, however, which we’ll discuss later.
  • Simplified Cabling: Placing the controller at the edge requires less multi-pair cable to be run. Typical panel-based systems require substantial cabling, typically a 6-conductor for the reader, two conductor for the door position switch, four conductor for the request-to-exit device, and two or four conductors for the lock. These cables are either run separately, or via a composite cable which puts all four required cables in the same jacket. The composite cable saves some labor in cable pulling, but either method is expensive.
  • Local decision making: Edge controllers push access decision making to the door. Each controller holds the access database and processes events locally at the door(s) it controls. This removes multi-door controllers as a single point of failure in the system. If one controller should go down, only that controller is lost, not two, or four, or more doors.

Cost Comparisons

The prices below are based on online pricing, assuming typical building construction: 9’ drop ceiling with drywall walls. Prices are based on doors 300’ away from the IDF, using HID Edge Solo line, and an average cost of multiple manufacturers’ four-door control panels. We chose 300’ for two reasons: 1. It is the maximum cable length when using edge controllers so it is therefore worst-case, and 2. With Wiegand runs typically being limited to 500’, we felt it was a good middle ground. 

 

  Four-door Edge
Controller 1500 250
Cable 250 70
Power Supply 90 N/A
Labor 1200 1200
Total 3040 1520
Total for four doors $7300 $6080

On the surface, a substantial savings. Keep in mind, however, that the edge price assumes existing PoE switches are in place, and no external power is needed. When PoE switches must be supplied, the cost increases.

Assuming a Cisco 300 series switch, which we would recommend as the lowest-tier model that should be used in this scenario, add nearly $300 more. Some IT departments may demand a higher-class of switch, which may easily add a few hundred dollars more. These additions may reduce or eliminate cost savings.

Another cost which may vary widely is that of the access management software. Most access control panels do not have built-in webservers and on-board management; Honeywell NetAXS line and the HID Edge are two common exceptions. Having to add software, which is typically not free, and a PC to this mix would add further cost.

Should I use PoE?

While PoE is an important benefit for edge controller systems, using it depends on two key items:

  • Power output requirements: While it varies greatly by manufacturer and type of locking hardware, we would estimate that 40-50% or more of the locks on the market are unsuitable for use with edge controllers. In a brief search of five manufacturers’ electromagnetic locks and electric door strikes we saw many that required more power than most edge controllers will supply (>500-600mA). Generally speaking, most normal or light duty electric strikes, and low-holding-force mag locks (300 lbs. or below) will be okay with many edge controllers. Heavier duty-locks and electrified panic hardware is almost guaranteed to draw too much power. From a brand standpoint, our experience has pointed us to the Assa Abloy brands (HES, Securitron) when using PoE-powered controllers, as even most of their heaviest-duty locks fall under the typical limit of what a PoE controller can output. The Ingersoll-Rand brands (Von Duprin, Locknetics, etc.) seem to be more power hungry and less likely to work. Also, while card readers should not need more power than the controller will output, biometric readers such as hand geometry and iris readers may.
  • Power failure handling: If the door is in the path of egress, it typically must unlock in case of power failure. However, in the case of doors equipped with panic hardware, using electric strikes, the door may remain locked. In brief power outages, this is usually not a problem, as the switches powering the edge controller will typically be backed up. Even large UPSes typically do not run for more than 2-4 hours, however. In the case of extended power failure, however, once the UPS has failed, and the controller has lost power, there will be no way to electronically open any doors from card reader side. In these cases, keys must be used, or the door forced open. To combat this, it is recommended that critical doors be powered via a separate battery-backed power supply with as much run time as budget allows.

Mercury “The Myth of Access at the Edge”

In this section, we review Mercury Security whitepaper “The Myth of Access at the Edge”. While not explicitly anti-edge access control, it does offer some arguments against it, including:

Network resources are readily available: In short, this addresses the common misconception that Ethernet networks are everywhere, with cables just waiting to be utilized for various applications. This myth is put forward by many industries -- IP surveillance being famous for it as well.

  • Mercury concerns: According to Mercury, there are four factors at play here: 1. Available network ports are not necessarily available where the door is located. 2. Not all switches support PoE. 3. Not all switches are guaranteed to be on the same VLAN. 4. The access controllers may present a risk to network security.
  • Our comments: We would agree that all of the above are valid concerns. Whether they are showstoppers must be taken on a case-by-case basis. True, network ports may not be available. However, access control cabling is almost guaranteed not to be available, and as evidenced in our cost comparisons above, is more expensive than running a single UTP to the door. Switches supporting PoE may be a problem. Depending on the lock hardware being used, however, it may be a problem, anyway, if PoE won’t supply the power required for the locking device. Running a second power cable and supplying a low voltage power supply, or providing a PoE midspan, are reasonable options that do add more cost. The VLAN issue is more difficult to solve. If networks are segmented for security reasons, getting an IT department to open holes in those segments is often extremely challenging. The impact of compromising an edge controller may be mitigated somewhat by proper VLANs, so that anyone plugging a computer into the cable it uses would be unable to see any devices other than what is on the access control VLAN.

Total cost of ownership: The short version of the myth is that reducing cabling and utilizing existing network infrastructure lead to much lower TCO than using traditional RS-485 connected controllers.

  • Mercury concerns: Valid concerns over the ability of IT managers to manage an additional security network, whether it be VLAN or physical exist. Getting IT staff to prioritize a security LAN can be quite challenging (to which our experience can attest). Additionally, IT policies, such as requiring certain security measures to be in play on the entire network, forcing DHCP to be used, etc., may adversely affect security equipment performance (which we can also attest to).
  • Our comments: We agree. In many facilities, there is little advantage to running a new UTP cable to a door. Also consider that in some systems, Mercury-based systems are one example, a third option exists: utilizing RS-485-based single-door controllers. This reduces cabling, with wiring to all doors being in a loop configuration, instead of homerun.

Security and IT speak the same language: This myth speaks to differing expectations of IT and security managers.

  • Mercury concerns: Specifically, the whitepaper speaks to how “100% uptime” is interpreted. In the IT world, 99.9% uptime may be acceptable. In the security world, this equates to a full workday (8.75 hours) per year of downtime, which security staff would find unacceptable. It also speaks to the fact that IT may not grant access to network closets to security staff, so security staff may need to wait should a problem arise on the security network.
  • Our comments: The difference in uptime is a valid concern. Even if that workday per year were spread out, it would still equate to ten minutes of downtime every week. We believe security staff would indeed find that unacceptable. However, most network specs we see are aiming for four or five nines of uptime (99.99% or 99.999%), which reduces this drastically. Additionally, the impact of the network being down may vary. If each controller holds the cardholder database locally, and does not need to communicate to a central server or other controllers simply to grant access, the card readers will still function. If the system is being monitored in realtime, however, it will be a major concern, since guard staff will have no idea what is happening at their doors. Access to IT spaces is less of a problem. Waiting may occur, but we doubt it would be to an extreme level that would drastically impact system performance.

All-in-all, the Mercury whitepaper recommends knowing the limitations of the network and individual access control system before arbitrarily deciding upon edge-based controllers. They put forth separate networks, PoE+, encrypted communication between controllers and the host, and hybrid systems (consisting of some edge-based and some centralized as necessary), as potential considerations in system design. We’d agree that these may be intelligent recommendations.

Manufacturer Offerings

When discussing edge-based access control, there are two major manufacturers providing open platform solutions:

  • HID: HID provides the Edge and VertX solutions, which are both part of their OPIN API program, and utilized by over two-dozen different OEM partners. Both are available for use in host-based systems, and the Edge is available in the Solo version, a web-accessible single door standalone unit.
  • Mercury: Mercury also provides multiple edge-based products: The EP1501 is a multi-door controller with a single-door interface built into it. It is capable of controlling 16 doors through either the MR51e or MR50 single-door interfaces, or the MR52 two-door interface. The MR50 and MR52 door interfaces cable back to the EP1501 via RS-485. The MR51e is rather unique - an Ethernet-based “dumb” door interface with no processing on-board. It simply communicates with the EP1501 via Ethernet, where all access control decisions are made.

Additionally, proprietary options exist from most of the major manufacturers such as: GE (DirecDoor)Honeywell (NetAXS-123)Infinias (Intelli-M)S2 (MicroNode), and Software House (iStar Edge)

Related Reports

UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
Amazon Ring Spotlight Cam Tested on Sep 17, 2018
Amazon's Ring has released their latest camera entry, the Spotlight Cam, which we bought and tested in our Consumer IP Camera Analytics...
IP Camera Cable Labeling Guide on Sep 14, 2018
Labeling cables can save a lot of money and headaches. While it is easy to overlook, taking time to label runs during installation significantly...
VMS Export Shootout - Avigilon, Dahua, Exacq, Genetec, Hikvision, Milestone on Sep 13, 2018
When crimes, accidents or problems occur, exporting video from one's video surveillance system is critical to proving incidents. But who does it...
Door Fundamentals For Access Control Guide on Sep 12, 2018
Assuming every door can be secured with either a maglock or an electric strike can be a painful assumption in the field. While those items can be...
IP Camera Cable Termination Guide on Sep 06, 2018
Terminating cables properly is critical to network performance, but it can be a tricky task with multiple steps. Fortunately, this task is easy to...
Access Control Course Fall 2018 on Sep 06, 2018
Registration IS CLOSED ends this Thursday. Register now. If you are looking to strengthen your ability to design and deploy access systems or...
Drain Wire For Access Control Reader Tutorial on Sep 04, 2018
An easy-to-miss cabling specification plays a key role in access control, yet it is commonly ignored. The drain wire offers protection for readers...
Why Vivint / Best Buy Failed on Aug 31, 2018
DIY has bested Vivint. In 2017, Best Buy and Vivint partnered with Vivint employees on the floor of 400+ Best Buy stores, helping customers with...

Most Recent Industry Reports

Alexa Guard Expands Amazon's Security Offerings, Boosts ADT's Stock on Sep 21, 2018
Amazon is expanding their security offerings yet again, this time with Alexa Guard that delivers security audio analytics and a virtual "Fake...
UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Hikvision USA Starts Layoffs on Sep 18, 2018
Hikvision USA has started layoffs, just weeks after the US government ban was passed into law. Inside this note, we examine: The important...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact