Saturday, April 25, 2009

Configuring a wireless video surveillance solution on a Cisco ISR.

If you read my VMSS post, you will know that Cisco offers a video management solution in a network switch module that plugs right into a typical integrated services router. That being said, wireless access points can also plug into these integrated servcies router. Hmm...are you thinking what I'm thinking? Full featured wireless video surveillance with just a Cisco router!

I recently setup an elaborate demo for one of the largest outsourced physical security firms in the nation. They wanted to increase their service offerings to their clients to provide more value added services as well as generate another stream of revenue for the firm. I told them to look at adding outsourced video surveillance which can be easily deployed as a kit and they loved the idea.

Basically the kit consists of a Cisco 2821 ISR with a VMSS and HWIC-AP cards and Cisco 2500 series cameras. The demo went over like a charm. Let me be the first to share this with the community...

First, let's start out by discussing what it takes to configure a wireless Cisco 2500 series camera.

These cameras come in either hard wired or wireless form factors. We will be focused on the wireless camera for this article.

First, connect the lens to the camera by inserting the lens in the front of the camera, then screw it in by turning the lens in a clockwise direction.

Once the lens is in, connect an ethernet cable to the camera and then connect the power adapter to the camera.

When the camera powers up, the default IP address of the camera is If for some reason the camera does not come up correctly, press and hold in the reset button on the back of the camera for 10 seconds and it will reset the camera back to default factory settings.

Connect and configure your computer to the same subnet and lauch your browser and connect to the camera IP address. The camera's web interface will prompt you to assign an admin password then allow you to configure the other camera attributes.

The basic setup in the camera's web interface allows you to change the IP specs to DHCP or to a different camera IP address, assign a default gateway, etc. Assign the IP specs you want for the camera then click on the wireless tab.

The wireless tab allows you to set the wireless specifications like the SSID and authentication/encryption settings. The wireless Cisco 2500 series cameras can easily support open,wep, or wpa security settings.

Once you finish entering and applying the wireless settings, disconnect the ethernet cable going to the camera and unplug the power to the camera. Congratulations, you just finished configuring the basic settings of your wireless camera.

Before you turn the wireless camera back on, you need to configure your router for wireless communications. The HWIC-AP card is basically an access point in a network module form factor available for the integrated service router.

The configuration below will show you how to configure your HWIC-AP module in your router for open, wep, and wpa wireless configurations. I'm providing a configuration that includes all three options for reference. Comments are provided in the configuration to help explain the configuration:

! Below is how you globally set an ssid and vlan for your dot11 configuration.
! I recommend you use vlan statements to easily configure multiple ip subnets for your wireless network.
!Below I show how to set three different ssid's using three different networks using three different security settings. This should cover any kind of deployment you may be considering.
! Below are the global commands needed for an unsecured/open wireless configuration set for vlan3.
dot11 ssid dswisropen
vlan 3
authentication open
mbssid guest-mode
! Below are the global commands needed for a wep based wireless configuration set for vlan1.
dot11 ssid dswisrwep
vlan 1
authentication open
mbssid guest-mode
! Below I show how to setup wpa with an ascii preshared key for vlan2.
dot11 ssid dswisrwpa
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 0 12345678901234567890123456
! Below are the interface specific commands for the wireless radio, note I'm using subinterfaces to support the multiple vlan configurations above as well as 802.1q to trunk the vlans over the wireless interface.
interface Dot11Radio0/3/0.1
encapsulation dot1Q 1 native
ip address
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0/3/0.2
encapsulation dot1Q 2
ip address
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0/3/0.3
encapsulation dot1Q 3
ip address
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding

Congratulations, you just finished configuring the wireless card on your router.

At this point, power on your wireless camera and watch your wireless camera associate itself with the access point on your router. Use show dot11 association on the router to check that your camera does in fact associate to your wireless network. If it doesn't, you probably type in something wrong.

At this point, you are ready to add your wireless cameras to your video surveillance management system and administer things as usual...

I hope you enjoyed this post, I went through a lot of trouble shooting to figure all this out. You now have the quick quide to setting up a wireless video surveillance system on an ISR.


-boni bruno

Thursday, April 16, 2009

Video Management & Storage System Network Module

Cisco is such a innovative company...just when you think their routers have reached the peak of functionality, Cisco goes ahead and throws in a Video Management & Storage System (VMSS)network module to the router providing you to rapidly deploy highly distributed, IP-enabled video surveillance at your offices, guard shacks, parking lots, basically wherever you need surveillance allowing you to easily migrate traditional analog surveillance equipment to IP. The Cisco VMSS module is designed to be deployed in highly distributed environments as an edge device.

This module plugs right into an available slot on your typical integrated services router (ISR) and will provide you with a full functioning version of Cisco's Video Surveillance Operation Manager (VSOM) and Video Surveillance Media Server (VSMS). Beautiful!

Just think of all the applications you can use this in... Since these ISR routers can also be equipped with integrated access points and 3G-GSM WAN cards, you can now provide very robust wireless surveillance solutions and architect a number of solutions that just where not available before.

So how do you configure one of these bad boys in an ISR anyway? First, it is important to know what the VMSS module interface name is. The module name will be Integrated-Service-Engine and the slot/unit number like 1/0 . For example, if you where connected to a router equipped with a VMSS network module, you would enter the following while in config mode and type:

Router (config) # interface Integrated-Service-Engine 1/0 [enter]

and you would be connected to the VMSS module in the router. From here you can enter all your ip related info. I recommend you specify an unnumbered interface for the router interface and assign an IP address to the VMSS module as follows:

# Router (config-if) # ip unnumbered gigabitethernet 0/0 [enter]
# Router (config-if) # service-module ip address [enter]
# Router (config-if) # service-module ip default-gateway
# Router (config-if) # exit

Following the example above, you would have connected to your VMSS and assigned it an IP address of with a default gateway going to the IP address of which is bound to gigabitethernet 0/0 on the same router. To finish with the layer three stuff, you need to add a host route for the VMSS as follows:

Router (config)# ip route Integrated-Service-Engine1/0 [enter]

Save your configuration by issuing the wr mem command. At this point you are half way done with the configuration. Are you getting excited? I am...

The next task is to open a session to the integrated service engine on your router and go through the one-time process of initializing your VMSS network module. To do this type the following:

Router# service-module integrated-Service-Engine 1/0 session

Once you run the above command, you will need to answer questions about host name, dns, ntp, etc. Go through and answer accordingly, if you do not have any of these services on your network, just answer no to a question and move on...

A key thing to set is the time zone and time. The format for the time would be:

( hh:mm[:ss] [YYYY-MM-DD] ), so you could enter: 19:01:00 2009-04-15 [enter]

to set the time and date for 7:01PM on April 15, 2009 in this example.

Once you enter the time and date, the system will configure itself, goto into run level 4, start some shell scripts in the background, then boot the VMSS moldule for you.

When the system finishes booting the VMSS, you will be dropped into a vmss> prompt.

The first time around not all the vmss processes may start, you can verify the status of VMSS by typing the following:

vmss> video-surveillance task status

If you notice that httpd is not running, your will have a problem connecting to VSOM. To resolve this issue, run the following command:

vmss> video-surveillance task restart

That's it my friends. At this point bring up your browser and connect to the VMSS as you would if it where a standalone VSOM appliance.

Using the configuration example above, you would access the management console by going to where you can enter your license info. The default username and password to access the console, or VSOM for that matter, is root and secur4u. To get a license, send email to, you will need to provide the MAC address of your VMSS module which you can get from the management console.

Remember to get licenses for VSOM and the Media Server. Once you get your VMSS fully licensed, just goto to configure your surveillance system just like you would do a normal Cisco VSM appliance...


-Boni Bruno

Friday, April 10, 2009

Cisco Stream Manager Plans...

Cisco Stream Manager has been the topic of many conversations. I have asked key Cisco Executives the question many others are asking - Now that Cisco VSM is out and being upgraded, advanced, and improved, what is the longevity of Stream Manager?

You may find the answer to your liking, Cisco is working on a converged product of the two enterprise solutions. With Cisco Stream Manager being the matrix integrated solution and Cisco VSM being the web-based distributed environment solution, the new product will combine the features of both solutions and finally put an end to customer concerns about the viability of Stream Manager and future enhancements. The Stream Manager thick client will go away and the Cisco ActiveX web-based GUI will take over as the primary video interface for both products.

So the next question you may be pondering about may deal with backwards compatibility. We’ve been assured that most of the current products will be upgradeable, with some minor inconveniences. For example, some of the older Stream Manager equipment doesn’t support H.264 video compression and may not scale beyond a couple of High Definition streams. If we were able to share some of the features being put into the converged system, you would all be very excited about what the future holds with the converged platform currently codenamed Viper!

Stay tuned...

Thursday, April 9, 2009

Cisco Medianet ... WOW!!!

WOW! At the 2009 International Security Conference (West) held in Las Vegas, NV, Dennis Charlebois (Cisco PSBU Director) announced Medianet ( A lot of people keep asking the questions “Why would Cisco get into Surveillance? Aren’t they a little late to the game? Don’t they have a long way to go to catch up? What can Cisco provide that others can’t?” All of these are great questions, and the answer is medianet. Medianet is the Cisco story for Video that they already have for Data and Voice. However, Medianet is actually one step up from regular switching that will revolutionize the way people work with Video Surveillance and many other Video technologies in only a way that Cisco can control.

So you’re asking, what is medianet? Imagine a world where you plug a device right out of the box with no configuration, no management, and everything worked exactly as it was designed to. Cisco medianet is an upgrade to their current Cisco switching topologies that adds intelligence to the network for IP video. Medianet provides a policy template manager that enables you to automate the configurations of video surveillance cameras and bind them to the nearest network video recorder with the right IP specifications. This prevents the need for manually assigning IP addresses, VLAN information, default gateway, netmask, and other related IP properties and stream lines the process of adding cameras to a video surveillance management system.

Many people may be wondering about the considerations you need to make with IP cameras over analog cameras. Medianet takes a lot of the guess work out of engineering video surveillance networks and addresses quality of service issues like Best Effort, Expedited Forwarding, Random Early Discharge, DSCP, etc. With the Medianet policy engine you will be able to simply apply templates to your devices in an easy to use format. For example, you can configure traffic from one camera with a higher priority over data traffic and configure another with a different set of priorities. Templates automate the switch configurations to ensure a high degree of service quality.

Medianet is an emerging technology solution slated for release in 2010. Medianet promises to deliver benefits to video surveillance architects that are unheard of in the surveillance industry today.