Access: IP Readers vs. Control Panels

By: Ethan Ace, Published on Jun 16, 2012

Should you continue to use traditional centralized, panel-based access control or does it make sense to use IP readers? Let's overview the 2 key options:

  • Control panels: Traditional access control systems have used control panels, typically controlling two, four, either, or more doors each. In these configurations, door devices are typically homerun to centrally located panels, though in larger facilities, panels may be distributed throughout. The panels, in turn, typically connect to the access control server via IP, though older or low-end systems may still use serial data connections.
  • IP readers: In the second, more recent, approach, intelligence is moved to the door, with a small (1-2 door) control panels located throughout a facility. While some readers now accept a direct IP connection, many deployments move the controller to the edge connecting to a traditional reader very close by. To that end, 'IP reader' is a misnomer, but expresses the intent of this shift.

The traditional approach of larger control panels has caused some problems:

  • Often, customers were forced to install four-door control panels to control one or two doors, which drove cost for these small systems up drastically.
  • Adding a door here or there, out of reach of existing the existing panel or panels, required a new multi-door panel to be installed.
  • IT staff is less comfortable with traditional security wiring. As security systems have become more IP-based, they have fallen more and more under control of network engineers and RCDDs. IP readers allow these designers to follow more familiar cabling topologies, making them more attractive.

While the traditional panel approach has issues, concerns about moving to IP readers also raised concerns including issues with sufficient power, manufacturer support, economics and scalability.

For background, we recommend you review HID makes the case for the edge [link no longer available] to see how manufacturers pitch the idea of IP to skeptics.

Recommendations

Determining use of edge controllers vs. traditional panels depends on 3 fundamental questions:

  • Does your access control management system support it?
  • Will your locks support it?
  • What is the scale/reader density of the system?

The first issue is the simplest: Does the access management system in use or planned support these types of readers? While edge controllers have become much more common in the past couple of years (especially PoE varieties), a number of systems still lack support, or support only RS-485 connected versions. 

The second important consideration when selecting IP controllers is whether PoE will provide enough current to power the needed locks. Be sure to check the locking hardware specs for inrush and constant current, to make sure the controller output will be sufficient. Almost all electric latch retraction devices or high holding strength maglocks will require more power than PoE-powered controllers will provide, so in these cases a separate power supply must be provided, either centralized with network equipment or local to the door.

Regarding system size, there is no hard and fast rule as to where edge controllers are appropriate, but we recommend the following:

  • In very small systems (1-4 doors): Pushing controllers to the edge makes a lot of sense. Cabling and installation expenses are much smaller, and installing a single door doesn't require the purchase of a four-door panel, with three wasted ports. However, using single-door controllers without an access control system to manage all of them may become tedious if frequent changes are made, as each controller must be maintained individually. For a couple of doors in a small facility, this most likely will not be much of a timesink.
  • In medium-sized systems (4-32 doors): Edge controllers also make a lot of sense in systems of this size, as they're not so big that maintaining hundreds of doors attached to single-door controllers across a facility or campus becomes cumbersome. Adding this number of doors to a network is normally not much of an issue, either, as it incurs little added management, and even lack of PoE switches can be overcome for relatively little cost.
  • In large-scale systems: Most likely it will be easier to manage multiple-door control panels as opposed to single-door controllers. Maintaining a network to support only the access controllers will add substantial cost. However, selecting access management software that supports edge controllers will allow single doors may be added to new locations later at a much lower and more predictable cost.

Basics of Using Edge Controllers

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

While there are some variances between manufacturers of edge controllers, there are some common capabilities most share:

  • Power-over-Ethernet: One of the factors driving reduced costs of edge controllers is power-over-ethernet capability. This allows for the controller to be located near the door, reducing the cable that was traditionally run from a centralized control panel. It also simplifies power requirements, since no additional power supplies need to be installed for door control. PoE may not be a good choice for every door, however, which we’ll discuss later.
  • Simplified Cabling: Placing the controller at the edge requires less multi-pair cable to be run. Typical panel-based systems require substantial cabling, typically a 6-conductor for the reader, two conductor for the door position switch, four conductor for the request-to-exit device, and two or four conductors for the lock. These cables are either run separately, or via a composite cable which puts all four required cables in the same jacket. The composite cable saves some labor in cable pulling, but either method is expensive.
  • Local decision making: Edge controllers push access decision making to the door. Each controller holds the access database and processes events locally at the door(s) it controls. This removes multi-door controllers as a single point of failure in the system. If one controller should go down, only that controller is lost, not two, or four, or more doors.

Cost Comparisons

The prices below are based on online pricing, assuming typical building construction: 9’ drop ceiling with drywall walls. Prices are based on doors 300’ away from the IDF, using HID Edge Solo line, and an average cost of multiple manufacturers’ four-door control panels. We chose 300’ for two reasons: 1. It is the maximum cable length when using edge controllers so it is therefore worst-case, and 2. With Wiegand runs typically being limited to 500’, we felt it was a good middle ground. 

 

  Four-door Edge
Controller 1500 250
Cable 250 70
Power Supply 90 N/A
Labor 1200 1200
Total 3040 1520
Total for four doors $7300 $6080

On the surface, a substantial savings. Keep in mind, however, that the edge price assumes existing PoE switches are in place, and no external power is needed. When PoE switches must be supplied, the cost increases.

Assuming a Cisco 300 series switch, which we would recommend as the lowest-tier model that should be used in this scenario, add nearly $300 more. Some IT departments may demand a higher-class of switch, which may easily add a few hundred dollars more. These additions may reduce or eliminate cost savings.

Another cost which may vary widely is that of the access management software. Most access control panels do not have built-in webservers and on-board management; Honeywell NetAXS line and the HID Edge are two common exceptions. Having to add software, which is typically not free, and a PC to this mix would add further cost.

Should I use PoE?

While PoE is an important benefit for edge controller systems, using it depends on two key items:

  • Power output requirements: While it varies greatly by manufacturer and type of locking hardware, we would estimate that 40-50% or more of the locks on the market are unsuitable for use with edge controllers. In a brief search of five manufacturers’ electromagnetic locks and electric door strikes we saw many that required more power than most edge controllers will supply (>500-600mA). Generally speaking, most normal or light duty electric strikes, and low-holding-force mag locks (300 lbs. or below) will be okay with many edge controllers. Heavier duty-locks and electrified panic hardware is almost guaranteed to draw too much power. From a brand standpoint, our experience has pointed us to the Assa Abloy brands (HES, Securitron) when using PoE-powered controllers, as even most of their heaviest-duty locks fall under the typical limit of what a PoE controller can output. The Ingersoll-Rand brands (Von Duprin, Locknetics, etc.) seem to be more power hungry and less likely to work. Also, while card readers should not need more power than the controller will output, biometric readers such as hand geometry and iris readers may.
  • Power failure handling: If the door is in the path of egress, it typically must unlock in case of power failure. However, in the case of doors equipped with panic hardware, using electric strikes, the door may remain locked. In brief power outages, this is usually not a problem, as the switches powering the edge controller will typically be backed up. Even large UPSes typically do not run for more than 2-4 hours, however. In the case of extended power failure, however, once the UPS has failed, and the controller has lost power, there will be no way to electronically open any doors from card reader side. In these cases, keys must be used, or the door forced open. To combat this, it is recommended that critical doors be powered via a separate battery-backed power supply with as much run time as budget allows.

Mercury “The Myth of Access at the Edge”

In this section, we review Mercury Security whitepaper “The Myth of Access at the Edge [link no longer available]”. While not explicitly anti-edge access control, it does offer some arguments against it, including:

Network resources are readily available: In short, this addresses the common misconception that Ethernet networks are everywhere, with cables just waiting to be utilized for various applications. This myth is put forward by many industries -- IP surveillance being famous for it as well.

  • Mercury concerns: According to Mercury, there are four factors at play here: 1. Available network ports are not necessarily available where the door is located. 2. Not all switches support PoE. 3. Not all switches are guaranteed to be on the same VLAN. 4. The access controllers may present a risk to network security.
  • Our comments: We would agree that all of the above are valid concerns. Whether they are showstoppers must be taken on a case-by-case basis. True, network ports may not be available. However, access control cabling is almost guaranteed not to be available, and as evidenced in our cost comparisons above, is more expensive than running a single UTP to the door. Switches supporting PoE may be a problem. Depending on the lock hardware being used, however, it may be a problem, anyway, if PoE won’t supply the power required for the locking device. Running a second power cable and supplying a low voltage power supply, or providing a PoE midspan, are reasonable options that do add more cost. The VLAN issue is more difficult to solve. If networks are segmented for security reasons, getting an IT department to open holes in those segments is often extremely challenging. The impact of compromising an edge controller may be mitigated somewhat by proper VLANs, so that anyone plugging a computer into the cable it uses would be unable to see any devices other than what is on the access control VLAN.

Total cost of ownership: The short version of the myth is that reducing cabling and utilizing existing network infrastructure lead to much lower TCO than using traditional RS-485 connected controllers.

  • Mercury concerns: Valid concerns over the ability of IT managers to manage an additional security network, whether it be VLAN or physical exist. Getting IT staff to prioritize a security LAN can be quite challenging (to which our experience can attest). Additionally, IT policies, such as requiring certain security measures to be in play on the entire network, forcing DHCP to be used, etc., may adversely affect security equipment performance (which we can also attest to).
  • Our comments: We agree. In many facilities, there is little advantage to running a new UTP cable to a door. Also consider that in some systems, Mercury-based systems are one example, a third option exists: utilizing RS-485-based single-door controllers. This reduces cabling, with wiring to all doors being in a loop configuration, instead of homerun.

Security and IT speak the same language: This myth speaks to differing expectations of IT and security managers.

  • Mercury concerns: Specifically, the whitepaper speaks to how “100% uptime” is interpreted. In the IT world, 99.9% uptime may be acceptable. In the security world, this equates to a full workday (8.75 hours) per year of downtime, which security staff would find unacceptable. It also speaks to the fact that IT may not grant access to network closets to security staff, so security staff may need to wait should a problem arise on the security network.
  • Our comments: The difference in uptime is a valid concern. Even if that workday per year were spread out, it would still equate to ten minutes of downtime every week. We believe security staff would indeed find that unacceptable. However, most network specs we see are aiming for four or five nines of uptime (99.99% or 99.999%), which reduces this drastically. Additionally, the impact of the network being down may vary. If each controller holds the cardholder database locally, and does not need to communicate to a central server or other controllers simply to grant access, the card readers will still function. If the system is being monitored in realtime, however, it will be a major concern, since guard staff will have no idea what is happening at their doors. Access to IT spaces is less of a problem. Waiting may occur, but we doubt it would be to an extreme level that would drastically impact system performance.

All-in-all, the Mercury whitepaper recommends knowing the limitations of the network and individual access control system before arbitrarily deciding upon edge-based controllers. They put forth separate networks, PoE+, encrypted communication between controllers and the host, and hybrid systems (consisting of some edge-based and some centralized as necessary), as potential considerations in system design. We’d agree that these may be intelligent recommendations.

Manufacturer Offerings

When discussing edge-based access control, there are two major manufacturers providing open platform solutions:

  • HID: HID provides the Edge [link no longer available] and VertX [link no longer available] solutions, which are both part of their OPIN API [link no longer available] program, and utilized by over two-dozen different OEM partners. Both are available for use in host-based systems, and the Edge is available in the Solo version, a web-accessible single door standalone unit.
  • Mercury: Mercury also provides multiple edge-based products: The EP1501 is a multi-door controller with a single-door interface built into it. It is capable of controlling 16 doors through either the MR51e or MR50 single-door interfaces, or the MR52 two-door interface. The MR50 and MR52 door interfaces cable back to the EP1501 via RS-485. The MR51e is rather unique - an Ethernet-based “dumb” door interface with no processing on-board. It simply communicates with the EP1501 via Ethernet, where all access control decisions are made.

Additionally, proprietary options exist from most of the major manufacturers such as: GE (DirecDoor) [link no longer available], Honeywell (NetAXS-123) [link no longer available], Infinias (Intelli-M) [link no longer available], S2 (MicroNode) [link no longer available], and Software House (iStar Edge)

Related Reports

Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
BICSI For IP Video Surveillance Guide on Feb 11, 2020
Spend enough time around networks and eventually someone will mention BICSI,...
ZKTeco Presents SpeedFace Recognition + Body Temperature Detection on Apr 21, 2020
ZKTeco presented its SF1008+ reader with body temperature and face mask...
Access Credential Form Factor Tutorial on Feb 10, 2020
Deciding which access control credential to use and distribute, including...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
USA ICI Elevated Skin Temperature Detectors Examined on Apr 06, 2020
Infrared Cameras, Inc. (ICI) is aiming to help slow the spread of COVID-19...
Bias In Facial Recognition Varies By Country, NIST Report Shows on Jul 15, 2020
While many argue that face recognition is inherently racist, results from one...
Avigilon ACC Cloud Tested on Jul 08, 2020
Avigilon merged Blue and ACC, adding VSaaS features to its on-premise VMS,...
Euklis Presents AI Analytics on May 05, 2020
Euklis presented its AI facial recognition, LPR, and object recognition...
IPConfigure Presents Orchid Fusion VSaaS on Apr 30, 2020
IPConfigure presented Orchid Fusion VSaaS at the April 2020 IPVM New Products...
Directory of 202 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Optex Presents Outdoor Battery Powered Multitech Motion Sensors on May 07, 2020
Optex presented two outdoor rated, battery-powered motion sensors, the QX and...
Avigilon Open Analytics Tested on Apr 16, 2020
After years of effectively closed analytics, Avigilon decided in late 2018 to...
Spectron IR Thermal Fever Screening System Examined on Apr 14, 2020
Most are quick to avoid "fever screening" and "medical" labels, but...
Cast Presents PoE Perimeter Lighting on Apr 28, 2020
Cast Lighting presented its PoE powered Perimeter fence system during the...

Recent Reports

Genetec CEO Declares "We Don't Negotiate Payment With Patent Trolls" on Aug 11, 2020
Are patent trolls like terrorists? Genetec's CEO is coming out strongly...
Hanwha AI Analytics Camera Tested on Aug 11, 2020
Hanwha has released their Wisenet P AI camera, adding person and vehicle...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
HID Releases VertX Replacement Aero on Aug 10, 2020
HID is replacing two established and broadly supported types of access...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Telpo China Temperature Tablets Tested on Aug 10, 2020
The provider for overseas companies ranging from Canon Singapore to US'...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...