Access: IP Readers vs. Control Panels

Author: Ethan Ace, Published on Jun 16, 2012

Should you continue to use traditional centralized, panel-based access control or does it make sense to use IP readers? Let's overview the 2 key options:

  • Control panels: Traditional access control systems have used control panels, typically controlling two, four, either, or more doors each. In these configurations, door devices are typically homerun to centrally located panels, though in larger facilities, panels may be distributed throughout. The panels, in turn, typically connect to the access control server via IP, though older or low-end systems may still use serial data connections.
  • IP readers: In the second, more recent, approach, intelligence is moved to the door, with a small (1-2 door) control panels located throughout a facility. While some readers now accept a direct IP connection, many deployments move the controller to the edge connecting to a traditional reader very close by. To that end, 'IP reader' is a misnomer, but expresses the intent of this shift.

The traditional approach of larger control panels has caused some problems:

  • Often, customers were forced to install four-door control panels to control one or two doors, which drove cost for these small systems up drastically.
  • Adding a door here or there, out of reach of existing the existing panel or panels, required a new multi-door panel to be installed.
  • IT staff is less comfortable with traditional security wiring. As security systems have become more IP-based, they have fallen more and more under control of network engineers and RCDDs. IP readers allow these designers to follow more familiar cabling topologies, making them more attractive.

While the traditional panel approach has issues, concerns about moving to IP readers also raised concerns including issues with sufficient power, manufacturer support, economics and scalability.

For background, we recommend you review HID makes the case for the edge to see how manufacturers pitch the idea of IP to skeptics.

Inside the Pro section, we examine the tradeoffs, key issues involved and make recommendations on best fits.

Note: inside the report, we will use the term 'edge controllers' rather than 'IP readers' for greater technical accuracy in describing the use of IP at the edge for access control.

Recommendations

Determining use of edge controllers vs. traditional panels depends on 3 fundamental questions:

  • Does your access control management system support it?
  • Will your locks support it?
  • What is the scale/reader density of the system?

The first issue is the simplest: Does the access management system in use or planned support these types of readers? While edge controllers have become much more common in the past couple of years (especially PoE varieties), a number of systems still lack support, or support only RS-485 connected versions. 

The second important consideration when selecting IP controllers is whether PoE will provide enough current to power the needed locks. Be sure to check the locking hardware specs for inrush and constant current, to make sure the controller output will be sufficient. Almost all electric latch retraction devices or high holding strength maglocks will require more power than PoE-powered controllers will provide, so in these cases a separate power supply must be provided, either centralized with network equipment or local to the door.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Regarding system size, there is no hard and fast rule as to where edge controllers are appropriate, but we recommend the following:

  • In very small systems (1-4 doors): Pushing controllers to the edge makes a lot of sense. Cabling and installation expenses are much smaller, and installing a single door doesn't require the purchase of a four-door panel, with three wasted ports. However, using single-door controllers without an access control system to manage all of them may become tedious if frequent changes are made, as each controller must be maintained individually. For a couple of doors in a small facility, this most likely will not be much of a timesink.
  • In medium-sized systems (4-32 doors): Edge controllers also make a lot of sense in systems of this size, as they're not so big that maintaining hundreds of doors attached to single-door controllers across a facility or campus becomes cumbersome. Adding this number of doors to a network is normally not much of an issue, either, as it incurs little added management, and even lack of PoE switches can be overcome for relatively little cost.
  • In large-scale systems: Most likely it will be easier to manage multiple-door control panels as opposed to single-door controllers. Maintaining a network to support only the access controllers will add substantial cost. However, selecting access management software that supports edge controllers will allow single doors may be added to new locations later at a much lower and more predictable cost.

Basics of Using Edge Controllers

While there are some variances between manufacturers of edge controllers, there are some common capabilities most share:

  • Power-over-Ethernet: One of the factors driving reduced costs of edge controllers is power-over-ethernet capability. This allows for the controller to be located near the door, reducing the cable that was traditionally run from a centralized control panel. It also simplifies power requirements, since no additional power supplies need to be installed for door control. PoE may not be a good choice for every door, however, which we’ll discuss later.
  • Simplified Cabling: Placing the controller at the edge requires less multi-pair cable to be run. Typical panel-based systems require substantial cabling, typically a 6-conductor for the reader, two conductor for the door position switch, four conductor for the request-to-exit device, and two or four conductors for the lock. These cables are either run separately, or via a composite cable which puts all four required cables in the same jacket. The composite cable saves some labor in cable pulling, but either method is expensive.
  • Local decision making: Edge controllers push access decision making to the door. Each controller holds the access database and processes events locally at the door(s) it controls. This removes multi-door controllers as a single point of failure in the system. If one controller should go down, only that controller is lost, not two, or four, or more doors.

Cost Comparisons

The prices below are based on online pricing, assuming typical building construction: 9’ drop ceiling with drywall walls. Prices are based on doors 300’ away from the IDF, using HID Edge Solo line, and an average cost of multiple manufacturers’ four-door control panels. We chose 300’ for two reasons: 1. It is the maximum cable length when using edge controllers so it is therefore worst-case, and 2. With Wiegand runs typically being limited to 500’, we felt it was a good middle ground. 

 

  Four-door Edge
Controller 1500 250
Cable 250 70
Power Supply 90 N/A
Labor 1200 1200
Total 3040 1520
Total for four doors $7300 $6080

On the surface, a substantial savings. Keep in mind, however, that the edge price assumes existing PoE switches are in place, and no external power is needed. When PoE switches must be supplied, the cost increases.

Assuming a Cisco 300 series switch, which we would recommend as the lowest-tier model that should be used in this scenario, add nearly $300 more. Some IT departments may demand a higher-class of switch, which may easily add a few hundred dollars more. These additions may reduce or eliminate cost savings.

Another cost which may vary widely is that of the access management software. Most access control panels do not have built-in webservers and on-board management; Honeywell NetAXS line and the HID Edge are two common exceptions. Having to add software, which is typically not free, and a PC to this mix would add further cost.

Should I use PoE?

While PoE is an important benefit for edge controller systems, using it depends on two key items:

  • Power output requirements: While it varies greatly by manufacturer and type of locking hardware, we would estimate that 40-50% or more of the locks on the market are unsuitable for use with edge controllers. In a brief search of five manufacturers’ electromagnetic locks and electric door strikes we saw many that required more power than most edge controllers will supply (>500-600mA). Generally speaking, most normal or light duty electric strikes, and low-holding-force mag locks (300 lbs. or below) will be okay with many edge controllers. Heavier duty-locks and electrified panic hardware is almost guaranteed to draw too much power. From a brand standpoint, our experience has pointed us to the Assa Abloy brands (HES, Securitron) when using PoE-powered controllers, as even most of their heaviest-duty locks fall under the typical limit of what a PoE controller can output. The Ingersoll-Rand brands (Von Duprin, Locknetics, etc.) seem to be more power hungry and less likely to work. Also, while card readers should not need more power than the controller will output, biometric readers such as hand geometry and iris readers may.
  • Power failure handling: If the door is in the path of egress, it typically must unlock in case of power failure. However, in the case of doors equipped with panic hardware, using electric strikes, the door may remain locked. In brief power outages, this is usually not a problem, as the switches powering the edge controller will typically be backed up. Even large UPSes typically do not run for more than 2-4 hours, however. In the case of extended power failure, however, once the UPS has failed, and the controller has lost power, there will be no way to electronically open any doors from card reader side. In these cases, keys must be used, or the door forced open. To combat this, it is recommended that critical doors be powered via a separate battery-backed power supply with as much run time as budget allows.

Mercury “The Myth of Access at the Edge”

In this section, we review Mercury Security whitepaper “The Myth of Access at the Edge”. While not explicitly anti-edge access control, it does offer some arguments against it, including:

Network resources are readily available: In short, this addresses the common misconception that Ethernet networks are everywhere, with cables just waiting to be utilized for various applications. This myth is put forward by many industries -- IP surveillance being famous for it as well.

  • Mercury concerns: According to Mercury, there are four factors at play here: 1. Available network ports are not necessarily available where the door is located. 2. Not all switches support PoE. 3. Not all switches are guaranteed to be on the same VLAN. 4. The access controllers may present a risk to network security.
  • Our comments: We would agree that all of the above are valid concerns. Whether they are showstoppers must be taken on a case-by-case basis. True, network ports may not be available. However, access control cabling is almost guaranteed not to be available, and as evidenced in our cost comparisons above, is more expensive than running a single UTP to the door. Switches supporting PoE may be a problem. Depending on the lock hardware being used, however, it may be a problem, anyway, if PoE won’t supply the power required for the locking device. Running a second power cable and supplying a low voltage power supply, or providing a PoE midspan, are reasonable options that do add more cost. The VLAN issue is more difficult to solve. If networks are segmented for security reasons, getting an IT department to open holes in those segments is often extremely challenging. The impact of compromising an edge controller may be mitigated somewhat by proper VLANs, so that anyone plugging a computer into the cable it uses would be unable to see any devices other than what is on the access control VLAN.

Total cost of ownership: The short version of the myth is that reducing cabling and utilizing existing network infrastructure lead to much lower TCO than using traditional RS-485 connected controllers.

  • Mercury concerns: Valid concerns over the ability of IT managers to manage an additional security network, whether it be VLAN or physical exist. Getting IT staff to prioritize a security LAN can be quite challenging (to which our experience can attest). Additionally, IT policies, such as requiring certain security measures to be in play on the entire network, forcing DHCP to be used, etc., may adversely affect security equipment performance (which we can also attest to).
  • Our comments: We agree. In many facilities, there is little advantage to running a new UTP cable to a door. Also consider that in some systems, Mercury-based systems are one example, a third option exists: utilizing RS-485-based single-door controllers. This reduces cabling, with wiring to all doors being in a loop configuration, instead of homerun.

Security and IT speak the same language: This myth speaks to differing expectations of IT and security managers.

  • Mercury concerns: Specifically, the whitepaper speaks to how “100% uptime” is interpreted. In the IT world, 99.9% uptime may be acceptable. In the security world, this equates to a full workday (8.75 hours) per year of downtime, which security staff would find unacceptable. It also speaks to the fact that IT may not grant access to network closets to security staff, so security staff may need to wait should a problem arise on the security network.
  • Our comments: The difference in uptime is a valid concern. Even if that workday per year were spread out, it would still equate to ten minutes of downtime every week. We believe security staff would indeed find that unacceptable. However, most network specs we see are aiming for four or five nines of uptime (99.99% or 99.999%), which reduces this drastically. Additionally, the impact of the network being down may vary. If each controller holds the cardholder database locally, and does not need to communicate to a central server or other controllers simply to grant access, the card readers will still function. If the system is being monitored in realtime, however, it will be a major concern, since guard staff will have no idea what is happening at their doors. Access to IT spaces is less of a problem. Waiting may occur, but we doubt it would be to an extreme level that would drastically impact system performance.

All-in-all, the Mercury whitepaper recommends knowing the limitations of the network and individual access control system before arbitrarily deciding upon edge-based controllers. They put forth separate networks, PoE+, encrypted communication between controllers and the host, and hybrid systems (consisting of some edge-based and some centralized as necessary), as potential considerations in system design. We’d agree that these may be intelligent recommendations.

Manufacturer Offerings

When discussing edge-based access control, there are two major manufacturers providing open platform solutions:

  • HID: HID provides the Edge and VertX solutions, which are both part of their OPIN API program, and utilized by over two-dozen different OEM partners. Both are available for use in host-based systems, and the Edge is available in the Solo version, a web-accessible single door standalone unit.
  • Mercury: Mercury also provides multiple edge-based products: The EP1501 is a multi-door controller with a single-door interface built into it. It is capable of controlling 16 doors through either the MR51e or MR50 single-door interfaces, or the MR52 two-door interface. The MR50 and MR52 door interfaces cable back to the EP1501 via RS-485. The MR51e is rather unique - an Ethernet-based “dumb” door interface with no processing on-board. It simply communicates with the EP1501 via Ethernet, where all access control decisions are made.

Additionally, proprietary options exist from most of the major manufacturers such as: GE (DirecDoor)Honeywell (NetAXS-123)Infinias (Intelli-M)S2 (MicroNode), and Software House (iStar Edge)

Related Reports

Mobile Surveillance Trailers Guide on Jan 17, 2019
Putting cameras in a place for temporary surveillance where power and communications are not readily available can be complicated and expensive....
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Bad: Dahua Villa Video Doorbell Tested on Jan 11, 2019
Doorbells are one of the hottest segments in the residential market but Dahua's Villa Video Doorbell is the worst we have tested.   We bought and...
Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...
Wavelynx Access Control Manufacturer Profile on Jan 10, 2019
Denver-based WaveLynx is not well known as an access reader manufacturer, but OEMs for big industry brands including Amag, Isonas (Allegion),...
Managed Video Services UL 827B Examined on Jan 09, 2019
Historically, UL listings for central stations have been important, with UL 827 having widespread support. However, few central stations have...
H.265 / HEVC Codec Tutorial on Jan 08, 2019
H.265 support improved significantly in 2018, with H.265 camera/VMS compatibility increased compared to only a year ago, and most manufacturers...
2019 Video Surveillance Cameras Overview on Jan 07, 2019
Each year, IPVM summarizes the main advances and changes for video surveillance cameras, based on our industry-leading testing and...

Most Recent Industry Reports

The IP Camera Lock-In Trend: Meraki and Verkada on Jan 18, 2019
Open systems and interoperability have not only been big buzzwords over the past decade, but they have also become core features of video...
NYPD Refutes False SCMP Hikvision Story on Jan 18, 2019
The NYPD has refuted the SCMP Hikvision story, the Voice of America has reported. On January 11, 2018, the SCMP alleged that the NYPD was using...
Mobile Surveillance Trailers Guide on Jan 17, 2019
Putting cameras in a place for temporary surveillance where power and communications are not readily available can be complicated and expensive....
Exacq Favorability Results 2019 on Jan 17, 2019
Exacq favorability amongst integrators has declined sharply, in new IPVM statistics, compared to 2017 IPVM statistics for Exacq. Now, over 5 since...
Testing Bandwidth Vs. Low Light on Jan 16, 2019
Nighttime bandwidth spikes are a major concern in video surveillance. Many calculate bandwidth as a single 24/7 number, but bit rates vary...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact