Subnetting for Video Surveillance

By John Scanlan, Published Apr 30, 2019, 09:40am EDT

This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range, borrowing bits, and the role of the subnet mask.


****** **** ****** ** provide *********** **:

  • *** ********* **** *****
  • *** **** ** *** subnet ****
  • ********* *** ** ****
  • ********* *** ** ****
  • ****** *** ** ********

Why ****** ** ***** ************

***** *** * *** reasons ************** *** **** to ****** ***** ******** network, ******** *****:

  • ******* *** ** *********
  • ******* ********
  • **** ** **************

Running *** ** *********, *** ******* **********

*** **** ****** ** address ****** ** ***.***.*.* (a ***** * *******) which ******** *** **** addresses. *******, ** **** mid-sized ************ *** ******** systems, **** ** * school, ****, ** ***** facility, ***** ********* *** be ******* ******** ** cameras *** ****. *******, adding ****** ******* *** consume ** ******* *** each **********. ******** ****** to ******* ****** ******* consume ********** *********. ********* viewing ******** **** **** require *********, ***.

** ****** ******** ****** mask ** *** *** (255.255.255.0 ** ***.***.***.*), *** network ***** ** ********** 255 ********* ***** *** be **** *** ********** devices. ***** *** **** this **** ******, ** using * **** ** 255.255.240 ***** ******* ****** 4,000 ******* ** *** subnet.

Network ********

** ***** ********* ******* for ********* ******* ******** (e.g., ************ **. ******* LAN **. *****), * device ** ****** ** prevented **** ********* * device ** *******. ** simply ****** **** *** route ** *** ***** host.

********** ** **** ***** deployed *********, ***** ** **** more *********** ** ****.

Ease ** **************

********* ********** ****** *** to ****** ** ** scheme **** * ********* and ********** ****** ** hosts. **** ******** * network ** ***** ********** ****** * ***** ******* it ** ******* ** scan * ******* *******, closer ** ****** ** actual **-*** *******, ****** than **** ********* ** unused *********; *.*.

******** ***.**.*.* - ***.**.***.*** with ****** ***.***.*.* = 65,534 *********

******** ***.**.*.* - ***.**.*.** with ****** ***.***.***.*** = 30 *********

*** ******* **** *** classfull ****** **** **** take ***** * ***** to **** **** * discovery ****, ************ ** *******, ***** *** ******* subnet **** **** **** just *******.

Subnetting ******

*** ****** **** ** a ********* ************* ** the ** *******, *** determines ***** ***** ** an ** ******* ******* the "*******" **. *** "host." ** ********, *** vast ******** ** ********, surveillance ********, *** ******* subnet *****, **** ****** classfull **********, *** *** IP ******* *****, **** commonly ***.***.***.*.

[****, *** **** ***** we *** **** ********* with ******* ********* ***** are ****** **** * classes *****.]

*********Addresses / ******* ** *********

********** ******* *** ****** mask **** ********* (***** A = ***.*.*.*, * = ***.***.*.*, * = 255.255.255.0) ** ********* ***** borrowed **** ** ****** those ******, *** ** doing ** ******* *** amount ** ***** *** networks. *** *** ****** to ****** ******** ***** and ******** ******** ** decrease ***** *** ******** networks. *** ******* ***** shows *** ****** ***** for **** ***** *** the ****** ** ***** and ******** ********** **** each.

Default Subnet Masks and Classes

*** ***** ***** ***** how **** **** ** the ****** ****. *** network **** *** *'*, and * **** ** 8 *'* (********) = 255. *** **** **** are *'*, ***** ******** = *. *** ******* below ***** *** ******* subnet **** *** **** class, *** ********** ****.

Subnet Masks Represented in Bits

Subnet **** ********** ******** *** *****

********* **** *** ********* subnet ***** ** **********, also ****** ********* **********. The *** **** **** is **** ** ** borrowing **** **** *** other **** ** **** by ******** * ** 0 ** * ** 1. ** **** ***** are ******* **** **** are ******** **** *** network *******, *** **** more ******** *** ******* bits *** ******** **** the **** *******.

Subnets ** ***** ***********

*** ****** ****** ******** which ******* **** *** device *********, ****** ***** are **** ***** **** to ****** *** ******* to ** ********** ****** or *******. **** ** done ** ******** *** last ***** ** *** mask. *** ***** *** that ** *******, ** additional *** **** ****** becomes *********.

** * ********* *******, changing ****** **** **** 255.255.255.0 ** ***.***.***.* ** * ***.***.*.* network ****** ***** ** expand **** *** ***.***.*.* network ******* ***** * router, * ***** ** 510 ***** ******* ** 255, *********** ******** ********* IP *********. ******** *** mask ** ***.***.***.* ******* this ******* ** *,*** IPs (***.***.*.*-***.***.*.***). **** ** illustrated *****.

Subnetting Examples

** *** *** ****** masks ****** ********* *********, users *** ***** ********** ********* ****** ***********.

Comments (26)

You touch on the skirts of it, but everyone involved in setting up private networks should be familiar with RFC1918.  This defines the private subnets set aside for personal use, i.e. traffic from any device with one of these addresses will be dropped on the live Internet instead of forwarded on/processed.  These subnets include 10.x.x.x, 172.16.10.x-172.16.31.x and 192.168.x.x.

Subnetting can be a tricky beast, misplacing one bit will make devices unreachable and drive you insane.  If you're doing this for a living I found the Cisco books for their CCNA networking to be amazingly insightful (down to the bit level) even if you don't plan on pursuing the certification.

Good information!

 


RFC1928 has 3 bit blocks set aside for the private space :

24-bit block: 10.0.0.0 ~ 10.255.255.255 : 8-bit subnet (255.0.0.0)

20-bit block: 172.16.0.0 ~ 172.31.255.255: 12-bit subnet (255.240.0.0)

16-bit block: 192.168.0.0 ~ 192.168.255.255: 16-bit subnet (255.255.0.0)

 

 


RFC1928 references SOCKS Protocol Version 5, not private IP addressing.

RFC1928

(Edited to provide a better link)

 


Fat fingered - I meant RFC 1918


This is all beyond me. I doubt I will ever need to interact with a network containing more than 254 devices. 

The one thing I don't quite understand is how for instance a router with an address of 192.168.1.1 is able to interact with something with an address of 192.168.2.XXX. If that 3rd digit doesn't match, wouldn't it be unreachable by the router? Or does it become reachable when the subnet digit is changed?


Just type in google a subnet chart and you can pick the one you want. It's not that difficult.

 


The subnet mask determines which other addresses a device at a specific address can reach. For any bit in the subnet mask which is a "1", the reachable address must be identical to that of the device's specific address.

If you have a subnet mask of 255.255.255.0, a device at 192.168.1.1 would be able to reach devices at 192.168.1.2 to 192.168.1.254. [It's 254 since 255 is usually reserved.] The first three "octets" being 255 are all "1"s, so a reachable device's address must be identical to the first three octets of the device at 192.168.1.1, i.e., 192.168.1.

If you changed the subnet mask to 255.255.252.0, a device at 192.168.1.1 would be able to reach devices at 192.168.1.2 to 192.168.3.254.

See Undisclosed #3's "Subnet mask quick reference" below and RFC1918 at tools.ietf.org. (if you are really interested).


Or does it become reachable when the subnet digit is changed?

Yes, this is the concept of subnet masks exactly.

When one device with an IP address wants to connect to another device with an IP address, one of the first things it needs to determine is if that other device is on the same LAN (meaning it can send packets to it directly), or if it is on a remote network (meaning the packets need to be sent to a router, which can then route them to the appropriate remote network).

The subnet mask and local IP address are used to compute which IPs are local and which are remote.

If you use a subnet mask like 255.255.255.240, then even devices where the 3rd digit (octet) matches won't necessarily be able to send packets directly to each other. (Subnet masks where the 4th octet is non-zero are more common in datacenters where you might only be allocated 8 IP addresses for your specific use.)

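The local-versus-remote decision described in the answers above, worked through as a bitwise AND of address and mask. This is an added example, not part of the original thread; the function names are hypothetical, the addresses and masks are the ones quoted in the comments, and masks longer than /30 are out of scope.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def subnet_facts(ip, mask):
    """Network, broadcast and usable host range for ip/mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    host_bits = ~mask_i & 0xFFFFFFFF          # the 0 bits of the mask
    # A valid mask is all 1s followed by all 0s, so host_bits + 1
    # must be a power of two (one misplaced bit fails this check).
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    if host_bits < 3:
        raise ValueError("example covers /30 and shorter prefixes only")
    network = ip_i & mask_i                   # 1 bits must match
    broadcast = network | host_bits           # host part all 1s
    fmt = lambda n: str(ipaddress.IPv4Address(n))
    return {
        "prefix": bin(mask_i).count("1"),
        "network": fmt(network),
        "broadcast": fmt(broadcast),
        "first": fmt(network + 1),
        "last": fmt(broadcast - 1),
        "usable": host_bits - 1,              # minus network and broadcast
    }

def is_on_link(src_ip, mask, dst_ip):
    """True if src would send to dst directly instead of via its router."""
    mask_i = to_int(mask)
    return (to_int(src_ip) & mask_i) == (to_int(dst_ip) & mask_i)

if __name__ == "__main__":
    src = "192.168.1.1"
    for mask in ("255.255.255.0", "255.255.252.0", "255.255.248.0",
                 "255.255.255.240", "255.255.255.248"):
        f = subnet_facts(src, mask)
        print(f"{src} /{f['prefix']:<2} {f['first']} - {f['last']} "
              f"({f['usable']} usable)")
    # Constructed peers: same mask decides direct delivery vs. routing.
    for mask, dst in (("255.255.255.0", "192.168.2.50"),
                      ("255.255.252.0", "192.168.2.50"),
                      ("255.255.255.240", "192.168.1.20")):
        where = "direct" if is_on_link(src, mask, dst) else "via router"
        print(f"{src} -> {dst} with {mask}: {where}")
```

Traffic that goes "via router" is the traffic a router or firewall can filter; peers that resolve as "direct" share one broadcast domain.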

All devices on the same subnet are on the same broadcast domain, talk directly and cannot be firewalled from EACH OTHER.  A bad network card can cause issues on the entire broadcast domain.  Routes between private subnets must be routed by a router.  So you need a real router such as Cisco, Mikrotik, etc. Security mandates like HIPAA require network isolation via separate networks, i.e. subnets.


You may never need to deal with networks containing more than 254 devices, but chances are that you will encounter networks that were set up to deal with less.  The most common situation would be a small business that has requested a small block of public IP addresses in order to host something on their own network and provide access to the Internet.  The ISP will issue the minimum amount of IP addresses that it can get away with (they charge pretty heftily for public IP addresses) and they will use IP subnetting to do this.  In most cases a company will get a block of 8 public IP addresses which would be a 255.255.255.240 subnet (of these only 6 are actually accessible, the first of the block is the "network" block and the last of the block is the "broadcast" address, network is all 0's in the address, broadcast is all 1's).

It does get pretty complex, I still find myself working the bit chart -> 128 - 64 - 32 - 16 - 8 - 4  - 2 - 1, but I enjoy it.

Hope I didn't confuse things too much more.

 


Correction: 255.255.255.240 provides a block of 16 IP addresses, I should have said 255.255.255.248 provides 8 addresses, of which 6 are usable.


You can use https://angryip.org/ as a poor layman's tool to find how many subnets you can reach by using a static ip and launching angry.

Using IP: 192.168.1.1  SUB: 255.255.255.0

Using IP: 192.168.1.1  SUB: 255.255.248.0

Yayy, IPVMSTER..yes I am bored, should be finishing quotes.


Have a look


Great article! - If you are new to CCTV, is there a book/course that someone can recommend on learning networking from dummy level to a decent standard?  


#4, thanks for your first comment, yes, see our 2019 IP Networking Book and our Spring 2019 IP Networking Course (which starts next Tuesday).


Just a small critique here. When you increase your network size, it isn’t called subnetting, it’s called supernetting. Sub infers that you are making something smaller. Super means making it larger. 


You beat me to it!  I was going to also add, that if there is even the minutest possibility of increasing the scope of your network, to be certain to place the critical/static addresses at the bottom of the address scope.  For example, use x.x.x.1 for your Logical Default Gateway (assuming something like .2 and .3 will be the physical interfaces for redundant/failover routers) and reserve the rest of the single-digit last octet address for other network-specific devices. This way, if you ever have to expand, you don't have to reprogram all your devices, and the network gear doesn't sit in the middle of your address scheme (I'm picky that way).

For a simple/small implementation, I always plan an addressing scheme based on the known Day-1 requirements, plus a 3 year out potential expansion forecast.  Something like this -

x.x.x.0 - network address
x.x.x.1 - Default G/W
x.x.x.2 - x.x.x.10 - network devices, DNS, SNTP, etc.
x.x.x.11 - x.x.x.30 - servers, storage, workstations (maybe)
x.x.x.31 - x.x.x.40 - encoders, decoders, audio, I/O, intercoms
x.x.x.41 - x.x.x.50 - reserved for who-knows-what may come
x.x.x.51 - x.x.x.254 - cameras (bottom-up) and access control (top-down)

For a larger implementation, video and access (and intrusion?) might be on separate VLANs.


True but a subnet is always a sub of another net while a super is never a super of a supernet. Might as well add sub/super nets to IPv6 to further discombobulate the donkey logic of noobs.


The sub vs super tag is about the relation to a standard subnet mask for a given network class. All networks are divided into subnets. The difference is whether it’s a bigger (super) or smaller (sub) subnet than the standard subnet. 


How many device discovery tools lack the ability to deal with supernetting? I know that AD lacked this ability in their discovery tool a few years back, they only had options for A,B or C.

Also frustrated by many tools not accommodating multiple NIC's or Network adapters.

 

It never ceases to amaze me, how many of these "dinosaurs" lack fundamental networking knowledge...


FWIW...I use Advanced IP Scanner all the time and it does see all the active NICs on a machine and allows you to scan all of them in a scan.  A very useful tool.


Do you have a similar report on IPV6?  Address space issues go away with V6 but a good understanding of the specification is very important.


Should I apply subnet masks to all connected cameras?


Yes all network connected devices must have a common subnet mask. 


Yes all network connected devices must have a common subnet mask.


Hi Jon, Thank you for your response. Same goes to you U#7.
