Monday, November 22, 2010
Cisco Physical Security Group on LinkedIn
Stay well,
-boni bruno
Monday, June 22, 2009
Physical Access Control - The new way!
The Cisco Physical Access Control solution is made up of both hardware and software
components. The Cisco Access Gateway connects door hardware (traditional readers and locks,
as well as the new Hi-O® hardware from Assa Abloy) to an IP network. In wired deployments, the device is capable of being powered by Power over Ethernet (PoE). It is also possible to connect to the gateway over a Wi-Fi 802.11a/b/g wireless link.
The diagram below depicts a typical Cisco PAC architecture:
Since there is a gateway for each door, access control can be deployed incrementally, door by
door. There is no central panel; this simplifies system design, wiring, and planning, resulting in
significant cost savings over legacy architectures. Additional modules can be connected to the
gateway, allowing for extensibility. All communication from and to the gateways is encrypted.
The Cisco Physical Access Control solution offers the following modules (in addition to the Access
Gateway):
Reader module: This module can connect to a complete set of door hardware, allowing an
additional door to be controlled by the same gateway.
Input module: Eight supervised inputs can be connected to this module and controlled
through the gateway.
Output module: Eight outputs can be connected to this module and controlled through the
gateway.
A picture of Cisco's Integrated Access Control Gateway is shown below for reference:
Cisco Physical Security Manager (CPSM) is the software application used to manage the Cisco Access Gateways on the network. The Web-based software provisions, monitors, and controls all the access control gateways on the network. Role-based access control policies are supported for CPSM. You can create access control policies for N-person, two-door, anti-passback, etc.
CPSM also integrates with MS Active Directory, LDAP, and some HR databases.
CPSM is integrated with the Cisco Video Surveillance family of products, enabling an organization to associate cameras with doors, and to view video associated with access control events and alarms.
In addition to basic access control features, Cisco plans to integrate physical access control with
network security to provide a comprehensive solution that spans both areas of security, allowing
enterprises to:
- Create and enforce policies so that network and application access is granted based on the physical location of employees
- Provide wireless access only if employees have badged into a physical location.
- Terminate an employee’s active VPN connection when that employee badges into a physical location
- Change an employee’s privileges on the network based on entering or exiting a secure area
There is no question that Cisco is accelerating convergence in the physical security industry. The move to integrate physical access control and network security is something I've been preaching for a while now; it will be interesting to see how this evolves over time. I'll keep you posted...
Stay secure,
-boni bruno
Saturday, April 25, 2009
Configuring a wireless video surveillance solution on a Cisco ISR.
I recently set up an elaborate demo for one of the largest outsourced physical security firms in the nation. They wanted to increase their service offerings to their clients to provide more value-added services as well as generate another stream of revenue for the firm. I told them to look at adding outsourced video surveillance, which can be easily deployed as a kit, and they loved the idea.
Basically the kit consists of a Cisco 2821 ISR with a VMSS and HWIC-AP cards and Cisco 2500 series cameras. The demo went over like a charm. Let me be the first to share this with the community...
First, let's start out by discussing what it takes to configure a wireless Cisco 2500 series camera.
These cameras come in either hard wired or wireless form factors. We will be focused on the wireless camera for this article.
First, connect the lens to the camera by inserting the lens in the front of the camera, then screw it in by turning the lens in a clockwise direction.
Once the lens is in, connect an ethernet cable to the camera and then connect the power adapter to the camera.
When the camera powers up, the default IP address of the camera is 192.168.0.100. If for some reason the camera does not come up correctly, press and hold in the reset button on the back of the camera for 10 seconds and it will reset the camera back to default factory settings.
Connect your computer and configure it for the same subnet, then launch your browser and connect to the camera IP address. The camera's web interface will prompt you to assign an admin password, then allow you to configure the other camera attributes.
The basic setup in the camera's web interface allows you to change the IP specs to DHCP or to a different camera IP address, assign a default gateway, etc. Assign the IP specs you want for the camera then click on the wireless tab.
The wireless tab allows you to set the wireless specifications like the SSID and authentication/encryption settings. The wireless Cisco 2500 series cameras can easily support open, WEP, or WPA security settings.
Once you finish entering and applying the wireless settings, disconnect the ethernet cable going to the camera and unplug the power to the camera. Congratulations, you just finished configuring the basic settings of your wireless camera.
Before you turn the wireless camera back on, you need to configure your router for wireless communications. The HWIC-AP card is basically an access point in a network module form factor available for the integrated service router.
The configuration below will show you how to configure your HWIC-AP module in your router for open, WEP, and WPA wireless configurations. I'm providing a configuration that includes all three options for reference. Comments are provided in the configuration to help explain the configuration:
! Below is how you globally set an ssid and vlan for your dot11 configuration.
! I recommend you use vlan statements to easily configure multiple ip subnets for your wireless network.
! Below I show how to set three different ssid's using three different networks using three different security settings. This should cover any kind of deployment you may be considering.
!
! Below are the global commands needed for an unsecured/open wireless configuration set for vlan3.
!
dot11 ssid dswisropen
 vlan 3
 authentication open
 mbssid guest-mode
!
! Below are the global commands needed for a wep based wireless configuration set for vlan1.
!
dot11 ssid dswisrwep
 vlan 1
 authentication open
 mbssid guest-mode
!
! Below I show how to setup wpa with an ascii preshared key for vlan2.
!
dot11 ssid dswisrwpa
 vlan 2
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 0 12345678901234567890123456
!
! Below are the interface specific commands for the wireless radio, note I'm using subinterfaces to support the multiple vlan configurations above as well as 802.1q to trunk the vlans over the wireless interface.
!
interface Dot11Radio0/3/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.193.1 255.255.255.0
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0/3/0.2
 encapsulation dot1Q 2
 ip address 192.168.194.1 255.255.255.0
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0/3/0.3
 encapsulation dot1Q 3
 ip address 192.168.195.1 255.255.255.0
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
Congratulations, you just finished configuring the wireless card on your router.
At this point, power on your wireless camera and watch it associate itself with the access point on your router. Use show dot11 association on the router to check that your camera does in fact associate to your wireless network. If it doesn't, you probably typed in something wrong.
At this point, you are ready to add your wireless cameras to your video surveillance management system and administer things as usual...
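An added example, not part of the original post or of any Cisco tooling: a small Python audit of dot11 ssid stanzas like the ones in the router configuration above. It flags SSIDs that have no WPA key management and pre-shared keys that are stored as type 0 or follow a repeating pattern. The sample config is a condensed copy of the post's three stanzas; the function names and finding strings are made up for this sketch.

```python
import re

# Constructed sample: the post's three SSID stanzas, condensed (vlan/mbssid omitted).
SAMPLE_CONFIG = """\
dot11 ssid dswisropen
 authentication open
!
dot11 ssid dswisrwep
 authentication open
!
dot11 ssid dswisrwpa
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678901234567890123456
!
"""

def parse_ssids(config):
    """Return {ssid: [subcommand, ...]} for each 'dot11 ssid' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif not line or line.startswith(("!", "interface ")):
            current = None  # stanza ended
        elif current is not None:
            current.append(line)
    return stanzas

def shortest_period(s):
    """Smallest p <= len(s)//2 with s[i] == s[i+p] for all i, else None."""
    for p in range(1, len(s) // 2 + 1):
        if all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return None

def audit(config):
    """Return {ssid: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for ssid, cmds in parse_ssids(config).items():
        findings = []
        if not any(c.startswith("authentication key-management wpa") for c in cmds):
            findings.append("no WPA key management (open or static WEP at best)")
        for c in cmds:
            m = re.match(r"wpa-psk ascii (?:(\d) )?(\S+)$", c)
            if m and m.group(1) in (None, "0"):  # type 0 or untyped: cleartext key
                findings.append("PSK stored unencrypted in the config (type 0)")
                p = shortest_period(m.group(2))
                if p:
                    findings.append(f"PSK repeats with period {p}")
        report[ssid] = findings
    return report
```

Calling audit() on the text of a saved running-config returns one list of findings per SSID, so the open and WEP SSIDs used for the demo stand out before the kit goes to a client site.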
I hope you enjoyed this post; I went through a lot of troubleshooting to figure all this out. You now have the quick guide to setting up a wireless video surveillance system on an ISR.
Ciao,
-boni bruno
Thursday, April 16, 2009
Video Management & Storage System Network Module
# Router (config-if) # service-module ip default-gateway 192.168.192.1
# Router (config-if) # exit
Friday, April 10, 2009
Cisco Stream Manager Plans...
You may find the answer to your liking: Cisco is working on a converged product of the two enterprise solutions. With Cisco Stream Manager being the matrix integrated solution and Cisco VSM being the web-based distributed environment solution, the new product will combine the features of both solutions and finally put an end to customer concerns about the viability of Stream Manager and future enhancements. The Stream Manager thick client will go away and the Cisco ActiveX web-based GUI will take over as the primary video interface for both products.
So the next question you may be pondering may deal with backwards compatibility. We’ve been assured that most of the current products will be upgradeable, with some minor inconveniences. For example, some of the older Stream Manager equipment doesn’t support H.264 video compression and may not scale beyond a couple of High Definition streams. If we were able to share some of the features being put into the converged system, you would all be very excited about what the future holds with the converged platform currently codenamed Viper!
Stay tuned...
Thursday, April 9, 2009
Cisco Medianet ... WOW!!!
So you’re asking, what is medianet? Imagine a world where you plug in a device right out of the box with no configuration, no management, and everything works exactly as it was designed to. Cisco medianet is an upgrade to their current Cisco switching topologies that adds intelligence to the network for IP video. Medianet provides a policy template manager that enables you to automate the configurations of video surveillance cameras and bind them to the nearest network video recorder with the right IP specifications. This removes the need for manually assigning IP addresses, VLAN information, default gateway, netmask, and other related IP properties, and streamlines the process of adding cameras to a video surveillance management system.
Many people may be wondering about the considerations you need to make with IP cameras over analog cameras. Medianet takes a lot of the guesswork out of engineering video surveillance networks and addresses quality of service issues like Best Effort, Expedited Forwarding, Random Early Discharge, DSCP, etc. With the Medianet policy engine you will be able to simply apply templates to your devices in an easy-to-use format. For example, you can configure traffic from one camera with a higher priority over data traffic and configure another with a different set of priorities. Templates automate the switch configurations to ensure a high degree of service quality.
Medianet is an emerging technology solution slated for release in 2010. Medianet promises to deliver benefits to video surveillance architects that are unheard of in the surveillance industry today.
Sunday, February 22, 2009
Cisco Stream Manager vs. Cisco Video Surveillance Manager
In talking to members of the Cisco teams, we know there is a merged environment coming soon (codenamed Viper) that will merge the two product sets into what I consider an unstoppable product. They are also moving towards H.264 with their newer encoders and cameras.
So, here is a quick list of questions to answer when deciding on which of the current two systems Cisco offers:
1. Do you currently have a Matrix such as a Pelco 9760, 9770, or 9780, Bosch, or AD Megapower?
2. Are 90% or more of your current cameras Analog?
3. Do regulations in your industry require a limited number of connections per recorder?
4. Do you only have one property to secure?
With a handful of other questions to answer, if you answered yes to all of these questions, Stream Manager is likely the right choice. If you answered no to all of the questions, VSM may be the more likely choice.
A few more things to note about the product lines:
- Stream Manager Client is an application that runs on a PC, VSM is Web-based
- Both products can run a Virtual Matrix application
- Both applications can send video to Decoders
- Stream Manager and VSM have different Supported device matrices (If you already have IP cameras, this may tell you which one is right for you)
- The Cisco ISR blades are only supported by VSM
- The Cisco Hybrid Decoder is only supported by Stream Manager (there is a non-hybrid decoder for VSM)
- Integration with Cisco Physical Access Manager (PAM) is only available with VSM
If any of you have more details between these products, feel free to comment.
Ryan Peterson
www.dsw.net
Tuesday, February 17, 2009
Cisco Video Surveillance Encoder/Decoder Convergence Chassis
There are 2 versions of the Chassis currently available: the Fast Ethernet version and the USB version. Either way, this box is simply a power connection with communication ports on it. The actual Encoder or Decoder is a card that slides into the chassis. Those cards often confuse people. Here are some of the items that should be taken into consideration during your design phase:
1. The cards are not interchangeable between the USB Chassis and the FE Chassis.
2. The 4 port Encoder card is only available on the USB chassis (CIVS-4BECMD-C16U=)
3. The Fast Ethernet Chassis can only take 1 port Encoder Cards (CIVS-SG1B-ECMD-C16=)
4. The Fast Ethernet Chassis is only available with an Internal Power Supply which means you can only use 14 of the 16 ports for cards.
5. The USB Chassis requires an External Power Supply Chassis (CIVS-EXTPWR-CHS) which is capable of powering 2 Convergence Chassis. In addition, you need a Power Supply Module for each Convergence Chassis.
6. The cards have an A and B version. The A version is MPEG4 only and has been EOL'd by Cisco. The B Version is MPEG4 and MPEG4 v.10 (H.264).
7. On the USB chassis, 16 ports of Encoding match to each USB. So, the first 4 slots connect to one USB cable. There are 4 USB on the back of the USB encoder.
8. The USB cables for the USB chassis connect to a Cisco Services Platform aka SP (not the Integrated Services Platform aka ISP which has encoder cards built in)
9. There is currently no way to locate the USB Chassis in a separate location as the Recorder (SP) where the USB connection is made. Testing has been done using USB to Fiber converters, but the results are mixed due to the inconsistency of video over the 3rd party converter devices.
10. The costs of the cards are the same as the non-chassis cards making the non-chassis solution cheaper (but not as pretty).
11. The chassis does work with both the Cisco Stream Manager systems as well as the Cisco Video Surveillance Manager.
12. The ISP will not connect to the Chassis via USB.
13. Although the Single port Encoders support PTZ controls and alarm inputs, the 4 port Chassis card does not.
14. The Fast Ethernet Chassis has 14 Ethernet ports (1 for each analog port). There are not 16 ports since the first 2 slots are used by the power supply.
Since pictures speak 1000 words, here are a few to give you a better idea of how the Chassis works.
As always, since this product line is an Emerging Technology, I would suggest getting an expert to assist in developing your design for any large scale system.
Feel free to contact me with questions.
Ryan Peterson
http://www.dsw.net/
Friday, February 13, 2009
Cisco HD Camera
The Cisco HD Camera (CIVS-IPC-4300) or (CIVS-IPC-4500 with DSP) runs around $1600 list price. Figure that the average price off list to an end customer is 25%, then to the end customer you're looking at about $1200.
The camera is capable of running 1080p with 30 frames per second or 720p at 60 frames per second. Now due to a thing called motion blur, the human eye will normally only process about 24 frames per second. So why do we care about 60 fps then? Because you can stop the video. When doing a frame by frame review of the video later, you may want that 1 frame that happens to be 5 of 60 in that second. But I digress.
To make it clear, I have seen many HD Cameras and recently reviewed the Cisco HD Camera and I believe Cisco has a winner.
With the 1 exception that most consumers are beginning to see the value behind dome style cameras, this fixed directional camera really does a great job.
Expect to see this camera in buildings around mid-year. Even though Cisco is selling this item, it will take some time before customers see the value of the expense for the reward of higher quality when it comes to surveillance.
Cisco Surveillance Introduction
My name is Ryan Peterson and I work for a Cisco Partner (Data Systems Worldwide) in their Las Vegas branch office.
We are one of the first partners to begin selling Cisco's Surveillance product line and as of today, our largest install is right around 1000 cameras.
After using Cisco to do 1000 camera installations, you get to know the ins and outs of that product line. I would like to share that knowledge with those interested in what Cisco is doing.
So welcome to my blog, I look forward to answering any questions you may have about the product.
Ryan Peterson