Example IP Scheme & Topology — 10 NVRs + 320 IP Cameras (Enterprise)
Design assumptions
- Location: a building/complex with many floors/areas.
- Goals: scalability, CCTV traffic isolation, security, streaming/replay performance.
- General recommendation: use a Class B private range for flexibility → 172.16.0.0/16.
1 — Network summary (high-level)
- Address space: 172.16.0.0/16
- Main VLANs:
  - VLAN 10 — Management / Servers / NVRs (172.16.0.0/24)
  - VLAN 20 — Client / Operator / Workstation (172.16.1.0/24)
  - VLAN 100–104 — CCTV camera pools (5 VLANs × 64 hosts → 320 cameras):
    - VLAN 100: 172.16.10.0/26 (64 addresses) — Cameras Group A (Floor/Area 1)
    - VLAN 101: 172.16.11.0/26 — Cameras Group B
    - VLAN 102: 172.16.12.0/26 — Cameras Group C
    - VLAN 103: 172.16.13.0/26 — Cameras Group D
    - VLAN 104: 172.16.14.0/26 — Cameras Group E
  - VLAN 200 — Storage / Backup (172.16.2.0/24)
  - VLAN 250 — Guest/IoT (isolated) (172.16.3.0/24)
Why /26 (64 hosts)? To minimize the broadcast domain and limit the number of cameras per switch/shelf, so that troubleshooting and multicast/bandwidth are easier to control.
2 — IP numbering (practical example)
Gateway & Infrastructure
- Core Router / L3 Switch (gateway for each subnet): 172.16.0.1 (VLAN 10)
- Internal DNS: 172.16.0.10
- NTP server: 172.16.0.11
Servers & NVRs
- VMS Server (Central CMS): 172.16.0.20
- Storage NAS/iSCSI (primary): 172.16.2.10
- Storage Backup (secondary): 172.16.2.11
- NVR1..NVR10: 172.16.0.101–172.16.0.110 (static IPs in VLAN 10)
Camera pools (example)
- VLAN 100 (Group A) 172.16.10.1–172.16.10.64
  - Camera A-01: 172.16.10.10
  - Camera A-02: 172.16.10.11
  - ...
- VLAN 101 (Group B) 172.16.11.1–172.16.11.64
  - Camera B-01: 172.16.11.10 …
Client / Operator
- Operator Workstation 1: 172.16.1.10
- Operator Workstation 2: 172.16.1.11
3 — Physical topology & devices (recommendations)
- Core / Aggregation: 2 × L3 switches (redundant), 10GbE uplinks (stacking).
- Access / PoE Switches:
  - For 320 cameras, use 48-port PoE switches (48P) or a combination with 24P.
  - Estimate: 320 / 48 ≈ 7 switches (7 × 48 = 336 ports) — 8 × 48-port PoE recommended for headroom.
- Uplink: each access switch connects to aggregation over a 10Gbps link (or a 2×10G LACP trunk).
- Router/Firewall: Mikrotik/OPNsense/pfSense/enterprise firewall (FortiGate/Cisco) with a 10GbE uplink.
- Server: VMS server with a 10GbE NIC (dual NIC for redundancy), Storage NAS with 10/25/40GbE depending on capacity.
- Storage: NAS/iSCSI with RAID (RAID6/RAID10) depending on retention needs.
4 — Mapping cameras to VLANs & switches
- Group cameras by physical location: per floor or per building zone.
- Each PoE switch handles 1 subnet/VLAN. Example:
  - PoE Switch S1 (VLAN100): Cameras 1–48
  - PoE Switch S2 (VLAN100): Cameras 49–64 + uplink to aggregation
  - PoE Switch S3 (VLAN101): Cameras 65–112
  - etc.
This simplifies routing, multicast/IGMP snooping, and QoS.
5 — DHCP / IP assignment
- Cameras & NVRs: Static IP (recommended) — set manually on the device or via DHCP reservation by MAC address.
- Servers / NVRs: Static.
- Client/Operator: DHCP pool in VLAN 1 (Client) 172.16.1.100–172.16.1.200.
6 — Routing / L3 & Firewall rules (concept)
Isolate CCTV traffic with strict rules.
Example rules / policies:
- Default deny between VLANs (deny all)
- Allow from the Management VLAN (VLAN10) → CCTV VLANs (100–104) on ports:
  - RTSP: 554 (if needed)
  - HTTP/HTTPS: 80 / 443 (web UI)
  - VMS protocol port (e.g. 8000 for Hikvision)
  - SMB/NFS/iSCSI to Storage (adjust the ports)
- Deny access from the Client VLAN → CCTV VLANs (except specific operator IPs).
- Allow operator access (VLAN1) → VMS server (VLAN10) on the application port.
- Block all direct access from WAN → CCTV VLANs. Remote access only via VPN or official P2P.
Short Mikrotik-like example:
```
/ip firewall filter
# Allow established
add chain=input connection-state=established,related action=accept
# Allow management hosts to access CCTV VLANs (example)
add chain=forward src-address=172.16.0.0/24 dst-address=172.16.10.0/26 protocol=tcp dst-port=554,80,443,8000 action=accept
# Deny client->cctv
add chain=forward src-address=172.16.1.0/24 dst-address=172.16.10.0/26 action=drop
```
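
The snippet above covers only VLAN 100 and has no explicit default deny. As an added example (not part of the original page), the following Python model expands the policy list to all five camera VLANs and checks constructed test flows against it with first-match semantics. It assumes operators reach the VMS on HTTPS (443) and leaves out the "specific operator IPs" exception; all function names are hypothetical.

```python
import ipaddress as ip

# Subnets taken from the page's IP plan.
MGMT = ip.ip_network("172.16.0.0/24")    # VLAN 10
CLIENT = ip.ip_network("172.16.1.0/24")  # Client / Operator
CAMERAS = [ip.ip_network(f"172.16.{n}.0/26") for n in range(10, 15)]  # VLAN 100-104
VMS = ip.ip_network("172.16.0.20/32")
CAM_PORTS = {554, 80, 443, 8000}         # RTSP, web UI, vendor port named on the page
VMS_APP_PORTS = {443}                    # assumption: VMS application port is HTTPS

def build_rules():
    """Ordered forward rules as (src, dst, ports or None for any, action)."""
    rules = [(MGMT, cam, CAM_PORTS, "accept") for cam in CAMERAS]
    rules += [(CLIENT, cam, None, "drop") for cam in CAMERAS]
    rules.append((CLIENT, VMS, VMS_APP_PORTS, "accept"))
    return rules

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched hits the default deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for r_src, r_dst, ports, action in rules:
        if s in r_src and d in r_dst and (ports is None or port in ports):
            return action
    return "drop"

def audit(rules, flows):
    """Return (flow, decision) for every flow whose decision is not the expected one."""
    results = [(f, decide(rules, f[0], f[1], f[2])) for f in flows]
    return [(f, got) for f, got in results if got != f[3]]

# Constructed test flows: (src, dst, tcp port, expected decision).
FLOWS = [
    ("172.16.0.101", "172.16.10.10", 554, "accept"),  # NVR1 pulls RTSP from Camera A-01
    ("172.16.0.101", "172.16.14.10", 554, "accept"),  # same allowance must exist for VLAN 104
    ("172.16.0.101", "172.16.10.10", 23, "drop"),     # Telnet to a camera is not in the port list
    ("172.16.1.10", "172.16.11.10", 80, "drop"),      # operator workstation to camera web UI
    ("172.16.1.10", "172.16.0.20", 443, "accept"),    # operator workstation to VMS
    ("172.16.10.10", "172.16.11.10", 554, "drop"),    # camera to camera across VLANs
    ("203.0.113.7", "172.16.10.10", 554, "drop"),     # WAN (documentation address) to camera
]

if __name__ == "__main__":
    for flow, got in audit(build_rules(), FLOWS):
        print("MISMATCH", flow, "->", got)
```

An empty result from `audit` means the rule order enforces every expected decision; re-run it whenever a rule is added or reordered.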
7 — Remote access & security
- Do not port-forward NVRs/cameras to the public internet.
- For remote monitoring, VPN is the priority (IPSec/L2TP/WireGuard/OpenVPN), so that users connect to the internal network and access the VMS/NVR securely.
- If vendor P2P is used, make sure that:
  - Only official vendor features are used.
  - Device passwords are strong.
  - Firmware is updated.
8 — QoS & Bandwidth planning
Estimate the average bitrate of each camera:
- Example bitrate assumptions:
  - 2 MP @ H.265: 1–2 Mbps per camera (main stream)
  - 4 MP @ H.264: 3–6 Mbps per camera
For a conservative estimate, use 2 Mbps per camera → 320 × 2 Mbps = 640 Mbps total peak streaming to the NVR/VMS.
In practice, however, the traffic is spread across the NVRs (10 NVRs each handle a subset of the cameras), and the access→aggregation uplinks must be able to handle the aggregated peak (provide 50–100% headroom).
Recommended uplinks:
- Access switch → aggregation: 2×10Gbps LACP (or 25Gbps) per block.
- Core to Storage/VMS: 10/25/40Gbps depending on retention.
9 — Storage & Retention (rough estimate)
Example: 320 cameras, 2 Mbps each, continuous recording, 30-day retention.
Rough formula:
- Mbps → MB/s = Mbps / 8
- Daily per camera (MB) = (Mbps/8) × 3600 × 24 = Mbps × 10,800 MB/day (≈ Mbps × 10.8 GB/day)
Step by step for 2 Mbps:
- 2 Mbps = 0.25 MB/s
- Per day per camera = 0.25 × 86,400 = 21,600 MB ≈ 21.6 GB/day
- For 320 cameras: 21.6 GB × 320 ≈ 6,912 GB/day ≈ 6.75 TB/day
- For 30 days ≈ 202.5 TB
This shows that continuous high-bitrate streams quickly explode storage requirements. Real deployments:
- Use motion-based recording (not continuous)
- Use H.265 to reduce bitrate
- Use retention policies (e.g., 7–14 days on disk, archive older footage to cold storage)
- Use per-camera bitrate tuning and lower FPS for non-critical cameras.
In practice: consult the VMS vendor on storage sizing; use tiered storage (hot NVMe for short-term, bulk HDD RAID for long-term).
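
The bandwidth and storage estimates from sections 8 and 9, carried through as an added example (not part of the original page). It reproduces the page's 640 Mbps and 202.5 TB figures and then compares them with a constructed motion-based scenario; the 30 % recording duty, the 64 continuously recorded cameras and the even split across the 10 NVRs are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    cameras: int
    mbps: float        # average main-stream bitrate per camera
    duty: float = 1.0  # fraction of the day written to disk (1.0 = continuous)

def ingest_mbps(pools):
    """Live streaming load toward the NVRs; motion recording does not lower it."""
    return sum(p.cameras * p.mbps for p in pools)

def uplink_mbps(pools, headroom=0.5):
    """Aggregated peak plus headroom (the page suggests 50-100 %)."""
    return ingest_mbps(pools) * (1 + headroom)

def gb_per_day(pools):
    """Mbps / 8 -> MB/s, x 86,400 s -> MB/day, / 1000 -> GB/day, scaled by duty."""
    return sum(p.cameras * p.mbps / 8 * 86_400 / 1000 * p.duty for p in pools)

def retention_tb(pools, days):
    """Disk needed for the retention window, with 1 TB = 1024 GB as on the page."""
    return gb_per_day(pools) * days / 1024

def per_nvr(pools, nvrs, days):
    """Even split across NVRs: (ingest Mbps, TB) each NVR must sustain and hold."""
    return ingest_mbps(pools) / nvrs, retention_tb(pools, days) / nvrs

# The page's scenario: 320 cameras, 2 Mbps each, continuous recording.
PAGE = [Pool(320, 2.0)]
# Constructed alternative: 64 critical cameras continuous, 256 motion-based
# at an assumed 30 % recording duty.
TUNED = [Pool(64, 2.0), Pool(256, 2.0, duty=0.3)]

if __name__ == "__main__":
    for name, pools in (("page", PAGE), ("tuned", TUNED)):
        mbps, tb = per_nvr(pools, nvrs=10, days=30)
        print(f"{name}: ingest {ingest_mbps(pools):.0f} Mbps, "
              f"uplink target {uplink_mbps(pools):.0f} Mbps, "
              f"{retention_tb(pools, 30):.1f} TB total, "
              f"{mbps:.0f} Mbps and {tb:.2f} TB per NVR")
```

Motion-based recording reduces disk usage but not network load: the cameras still stream continuously to the NVRs, so the uplink target is the same in both scenarios.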
10 — Monitoring, Logging & Maintenance
- Use an NMS / monitoring tool (Zabbix / PRTG / Grafana) for:
  - Camera/NVR uptime
  - Latency / packet loss
  - Disk usage
  - Temperature & PoE power draw
- Enable syslog from NVRs/cameras to a centralized syslog server.
- Schedule firmware update windows & configuration backups.
11 — Compact IP plan table (sample)
Function | VLAN ID | Subnet | Gateway | Example IP Range |
---|---|---|---|---|
Management (servers, NVR) | 10 | 172.16.0.0/24 | 172.16.0.1 | 172.16.0.20 (VMS), 172.16.0.101-110 (NVRs) |
Client / Ops | 20 | 172.16.1.0/24 | 172.16.1.1 | 172.16.1.10 (operator) |
Cameras A | 100 | 172.16.10.0/26 | 172.16.10.1 | 172.16.10.10–172.16.10.63 |
Cameras B | 101 | 172.16.11.0/26 | 172.16.11.1 | 172.16.11.10–172.16.11.63 |
Cameras C | 102 | 172.16.12.0/26 | 172.16.12.1 | 172.16.12.10–172.16.12.63 |
Cameras D | 103 | 172.16.13.0/26 | 172.16.13.1 | 172.16.13.10–172.16.13.63 |
Cameras E | 104 | 172.16.14.0/26 | 172.16.14.1 | 172.16.14.10–172.16.14.63 |
Storage | 200 | 172.16.2.0/24 | 172.16.2.1 | 172.16.2.10 (NAS) |
12 — Best practices summary
- All cameras & NVRs on static IP / reservation.
- Disable unnecessary services (UPnP, Telnet, default accounts).
- Change default credentials.
- Isolate CCTV via VLANs + firewall rules.
- Remote access only via VPN / official P2P.
- Use QoS / priority for video traffic if needed.
- Plan storage based on each camera's real bitrate & the retention policy.
- Keep IP mapping documentation & hardware labels on site.
13 — Simple example of a (secure) remote access flow
- Remote operator → VPN connection to the office network.
- Once the VPN is authenticated → the operator accesses the VMS at 172.16.0.20 via HTTPS. The VMS communicates with the NVRs & storage in the Management VLAN; CCTV VLAN traffic stays isolated.