A good article, but misses one of the critical disadvantages of using DHCP in security systems, namely if the DHCP server goes off-line for any reason the whole network will fail when the DHCP leases expire. When fixed addresses are used the DHCP server is not a single point of failure, and devices with fixed addresses will continue to communicate normally.
A few minutes assigning fixed addresses can save you a lot of problems later.
One gotcha with static IP addresses is the possibility of duplicates. If you set the address on a camera but forget to document it, and then decide to leave it disconnected because you're, say, short on patch cables, your friendly coworkers may accidentally assign that same address to another camera.
U2 - agreed, and there is also the chance that someone will assign a static address within the DHCP scope or pick a random address already assigned rather than checking documentation then scanning the network, pinging, etc. Also like you mention, undocumented adds/moves/changes can be a culprit.
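An added example, not part of either comment above: a minimal inventory audit that flags the two failure modes just described, duplicate static addresses and static addresses placed inside the DHCP scope. The subnet, pool range, camera names and addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (device name, static IP, currently connected?)
SUBNET = "192.168.10.0/24"
DHCP_POOL = ("192.168.10.100", "192.168.10.200")
INVENTORY = [
    ("cam-lobby", "192.168.10.21", True),
    ("cam-dock", "192.168.10.22", False),  # configured, then left unplugged
    ("cam-gate", "192.168.10.22", True),   # same address reused by a coworker
    ("cam-roof", "192.168.10.150", True),  # static set inside the DHCP scope
    ("cam-annex", "192.168.20.5", True),   # wrong subnet entirely
]


def audit(inventory, subnet, pool):
    """Return sorted (issue, ip, device names) findings for static assignments."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    by_ip = defaultdict(list)
    findings = []
    for name, ip, _connected in inventory:
        addr = ipaddress.ip_address(ip)
        by_ip[addr].append(name)
        if addr not in net:
            findings.append(("outside-subnet", ip, [name]))
        elif lo <= addr <= hi:
            findings.append(("inside-dhcp-pool", ip, [name]))
    # Duplicates are found from the documentation, not from the wire, so an
    # unplugged device (which a ping sweep cannot see) is still caught.
    for addr, names in by_ip.items():
        if len(names) > 1:
            findings.append(("duplicate", str(addr), sorted(names)))
    return sorted(findings)


if __name__ == "__main__":
    for issue, ip, names in audit(INVENTORY, SUBNET, DHCP_POOL):
        print(f"{issue:18} {ip:16} {', '.join(names)}")
```

The check only works if every static assignment is recorded when it is made, including devices that are configured but not yet connected.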
Address allocation in IPv6 is completely different. The challenges that exist in IPv4 are not relevant for IPv6. There would be little/no reason to ever use static addresses in IPv6. It is easy mode and basically error-free.
Probably not the best thread to ask this question on, but I'm wondering if IPVM has any poll data on an integrator installing 801.x certificates on all cameras, and how often companies are requesting it?
Ha, yes. I must have typed fast this morning before my coffee hit. So you think the integrator world is light on adoption/use? Or not many people are willing to pay for the higher security? Seems kind of nuts to hang a blue cable on the outside of the building, and not use it. Unless of course you are still using that god awful Dedicated Micros switch thing. ( :) I crack myself up. )
When I was an installer and set up an Avigilon v4 solution, I used DHCP (reservations) at this one site and we would always lose a few frames in playback (and the camera would trigger a camera offline alarm) when the DHCP lease (7 day lease) would expire. In the end I set the cameras to have a static IP and still had the reservation set in the DHCP server. The other option was to set the static IP outside of the DHCP pool.
Another topic worth discussing - traditional VMSes add cameras via IP but many of the modern cloud solutions support or even suggest DHCP or DHCP with MAC bindings since the cameras phone home to the cloud and register via alternative means. Extended DHCP lease times, dedicated security VLANs, and other techniques greatly reduce concerns.
With a MikroTik Router just make dynamic addresses static. The static IP assignment is managed by the Router DHCP Server via MAC bindings. This mapping can be stored in the config file even if you upgrade or replace Routers.
The main concern when using DHCP is device addresses changing. This may present problems, as cameras which connect to the VMS via IP address (the vast majority) will no longer work until the camera is re-entered into the VMS.
Is it still true these days? Some VMSes will automatically handle such a change of camera IP.
A valid route to the Camera must exist. In a well-designed securely segmented network there can be many routes with the shortest route taking priority. Routes can be discovered by protocols like OSPF or set statically in each router. Routers need to have the gateway to any desired/reachable subnet. NVS can only discover a cam on the same subnet unless the Camera knows the address of the NVS and initiates communication. The most common setup USED to be networks with a single common subnet so all traffic gets routed to the Public WAN and not an individually routed group of subnets. Routes and firewalls determine what devices are reachable to each other and this solves the security nightmare existing with a single subnet.
To be clear here - Cisco's recommendation for a high availability campus network has leveraged layer 3 in the access layer since about 2008. Basically meaning - OSPF or EIGRP running on access switches and not spanning VLANs across data closets. Each data closet has individual subnets for different application types - aka, the voice VLAN in IDF 2 is not the same broadcast domain as voice VLAN in IDF 3. Obviously, that affects security VLANs that are dispersed through a campus in the same way. Layer 2 discovery protocols would not work between data closets as it is hitting a (wire-speed) boundary at the L3 access switch in each closet.
Interestingly I have never had to use a DDNS service for my clients because their ISPs tend to re-lease the same IPs time and time again, even if they don't subscribe to static. I don't think my home or office WAN IPs have changed in about five years!
Most of our systems are 300 camera plus and we always use DHCP... we deploy primary and secondary DHCP servers in failover mode and use address reservations. When you have a large camera count or a complex network DHCP is a huge advantage as it takes all of the manual configuration away. On a large system you will always get duplicate addresses when addressing manually and sorting that out can be a nightmare depending on your network topology and the size of your subnets. What is really annoying though is that there are still a small number of devices that ship from the manufacturer with static addressing (Videotec and FLIR PT series are two that come to mind). I agree that unless you have the correct infrastructure to support it then it's dangerous and I would never dream of using it with at least two DHCP servers.