
IPVS

Cisco IP Video Surveillance

Overview
This module summarizes high-level design recommendations and best
practices for implementing Cisco Video Surveillance on the enterprise network
infrastructure. In some instances, existing network equipment and topologies
have the necessary configuration and performance characteristics to support
high-quality IP Video Surveillance. In other instances, network hardware
might require upgrading or reconfiguration to support increased bandwidth
needed to support video. Quality-of-service (QoS) techniques are important for
any design because video has similar (in some instances, more stringent)
requirements than VoIP for loss, latency, and jitter.
Table of Contents
Course Introduction

Module 1
Lesson 1 Architectural Framework
Lesson 2 Network Video
Lesson 3 Media Flow Considerations
Lesson 4 Network Services Considerations
Lesson 5 Network Performance Considerations
Lesson 6 Quality of Service Considerations
Lesson 7 Network Management Considerations

Module 2
Lesson 1 VMS
Lesson 2 Deployment Scenario
Lesson 3 Determining the Required Resources
Lesson 4 Securing VMS
Lesson 5 Video Recording Options
Lesson 6 Server and Camera Network Configuration
Lesson 7 Understanding NTP Configurations Server
Lesson 8 Server High Availability
Lesson 9 Bulk Camera Configuration and Deployment
Lesson 10 Controlling User Access Permission
Lesson 11 Using Locations to Limit User Access
Lesson 12 Using Events to Trigger Actions

Module 3
Lesson 1 Configurations VMOS
Lesson 2 Creating the location
Lesson 3 Add user and User groups
Lesson 4 Configuring Servers
Lesson 5 Adding and managing camera
Lesson 6 Viewing Video
Lesson 7 Backup and Restore
Lesson 8 Monitoring System and Device Health
Lesson 9 VSM Safety and Security Desktop

Course Introduction

Overview
Cisco IP Video Surveillance (IPVS) provides an opportunity to learn about a broad range of the
components and options that should be considered when designing and implementing a Cisco VSM
deployment.
Course Objectives
After completing this course, the delegates will be able to install, configure, operate and maintain Cisco
IP Surveillance components such as Stream Manager, VSM, VMOS as well as analogue and digital
cameras. In addition, delegates will learn how to archive streams and operate live viewing and
playback.

Prerequisites
Cisco Certified Network Associate (CCNA) or equivalent knowledge
Course Flow

Day 1
AM: Course Introduction; Architectural Framework; Network Video; Media Flow Considerations; Network Services Considerations
PM: Network Performance Considerations; Quality of Service Considerations; Network Management Considerations

Day 2
AM: VMS; Deployment Scenario; Determining the Required Resources; Securing VMS; Video Recording Options; Server and Camera Network Configuration
PM: Understanding NTP Configurations Server; Server High Availability; Bulk Camera Configuration and Deployment

Day 3
AM: Controlling User Access Permission; Using Locations to Limit User Access; Using Events to Trigger Actions; Configurations VMOS
PM: Creating the location; Add user and User groups; Configuring Servers

Day 4
AM: Adding and managing camera; Viewing Video; Backup and Restore
PM: Monitoring System and Device Health; Safety and Security Desktop

Module 1

Network Considerations

Overview
This module summarizes high-level design recommendations and best
practices for implementing Cisco Video Surveillance on the enterprise network
infrastructure. In some instances, existing network equipment and topologies
have the necessary configuration and performance characteristics to support
high-quality IP Video Surveillance. In other instances, network hardware
might require upgrading or reconfiguration to support increased bandwidth
needed to support video. Quality-of-service (QoS) techniques are important for
any design because video has similar (in some instances, more stringent)
requirements than VoIP for loss, latency, and jitter.
Lesson 1

Architectural Framework

Overview
The IP Video Surveillance architectural framework refers to a set of building
blocks that are used as a guiding tool when designing and evaluating a Cisco
video surveillance solution. Based on the customer-stated business and
technical requirements, and the application of industry standards and best
practices, the right IP Video Surveillance solution can be developed and built
for an organization.
Architectural Framework
The enterprise IP Video Surveillance environment is built on a solid foundational framework that is
composed of a stack of four horizontal building blocks that define the solution architecture, as well
as a vertical services overlay that enables its successful implementation and sustenance.

Each block in the stack has a significant and integral role to play in the solution architecture to be
developed and should thus be exhaustively addressed to produce a scalable and resilient solution.
The enterprise architectures block defines the structure of the network deployment environment on
which the IP Video Surveillance solution will be implemented. In general, there are three main
architecture models: centralized, branch and distributed. Each architecture model has unique
requirements and considerations, though there are areas of overlap.
The infrastructure platforms block describes the major infrastructure components that comprise the IP
Video Surveillance environment. This layer includes the Local Area Network (LAN) and Storage Area
Network (SAN) that form the building blocks of the network design, as well as the Unified Computing
System (UCS) and Multiservice Platform (MSP) appliances onto which all applications are hosted.
The management instrumentation block defines the system tools and processes that enable the scalable
management and flexible monitoring of the IP Video Surveillance solution. These tools leverage
embedded instrumentation within IOS, NXOS and MSP devices to extract relevant data points for
assessing the total health of the solution, as well as for fault isolation and rapid resolution.
The endpoints and applications block sits at the very top of the stack, leveraging the infrastructure and
management capabilities offered by the lower layers. This layer defines the sources and consumers of
video data, including Video Surveillance Manager Server applications that manage these endpoint
devices as well as video traffic on the network.
The services block comprises the service offerings that support the IP Video Surveillance architecture.
These include security, business continuity and optimization services. Security services are composed
of the features and technologies necessary for securing the infrastructure and application environments.

Security policies could be applied on the network devices, servers and end points. Business continuity
focuses on maintaining an organization's IP Video Surveillance systems during and after a disruption,
and consists of both high availability and disaster recovery strategies. Optimization services provide
features that enhance the performance and intelligence of applications and the network environment,
including load balancing and caching. These services are not only related but dependent on each other,
supporting a fully functional solution architecture.

The solution framework forms the basis of the design and architecture of the IP Video Surveillance
environment, and as such it is important to understand its relevance. The following sections describe
these considerations in further detail.

Design
Network design considerations for IP Video Surveillance solutions are easy to overlook, and often are,
because it is assumed that the underlying network should be able to handle any type of traffic while
delivering acceptable performance.

While this may be true for very small deployments, it is most certainly a recipe for problems for
relatively larger deployments, and also for the time in the future when this small deployment needs to
grow. An IP Video Surveillance network that has not been designed in a systematic fashion will
invariably run into problems from the beginning of the implementation stage.

Network design is as much about developing the most appropriate solution for a given set of
requirements as it is about documenting these requirements, design decisions and proposed architecture.
This allows new team members to easily understand what problems the design solves, how the system
operates and how to extend and expand the network when needed.

Enterprise
This chapter discusses the considerations that need to be taken into account when designing the
enterprise IP Video Surveillance network.

Enterprise IP Video Surveillance architectures are characterized based on the following factors:
Network model (LAN/MAN or WAN)
Location of the VSM servers
Number of Operations Manager servers
Number of Media Servers
The following sections describe the different architecture models that can be adopted in terms
of their characterization and principles of design.
Centralized Architecture
The centralized IP Video Surveillance architecture is characterized by the existence of a single
Operations Manager server that manages one or more Media Servers at the same organizational and
geographical region. A campus with one or more locations that are interconnected by a Local Area
Network (LAN) or Metropolitan Area Network (MAN) defines this region.
In general, centralized architectures are classified as medium-sized deployments, which consist of 20
or fewer media servers, 1000 or fewer video endpoints and 20 or fewer active client endpoints, in a
single location.

In the figure above, the network spans two campuses that are interconnected
over a LAN or MAN. This implies that the campuses are within the same
general geographic area with the network providing a high-speed back-haul,
e.g. 1Gbps, 10Gbps or 40Gbps. The VSM servers can be located at either or
both campuses, Building A and Building 1.

Design Principles

Compute
Computational resources for VSM servers, primarily CPU and memory, are provided either by MSPs
in a physical environment or UCSs in a virtualized environment. The provisioning of these resources
for VSM appliances should be guided by the expected workload from video endpoints, server
processing activities and servicing requests from client endpoints.

Cisco provides recommendations for sizing virtual environments in the VSM on UCS Deployment
Guide:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6918/ps9145/ps9152/data_sheet_c78-712809.html

MSPs that support Cisco Video Surveillance are equipped with up to a single-socket, quad-core
processor and 2GB of RAM. They provide a simple and standardized platform for deploying VSM in
centralized architectures. By that same token, the caveat that presents itself is that computational
resources cannot be grown to adapt to growth in workloads over time. So either the initial sizing will
need to be over-provisioned in anticipation of future resource demands, or multiple appliances would
be required to drive the same workload.
For VSM instances that are virtualized on the UCS platform, these concerns are addressed due to the
ability of UCS appliances to handle larger CPU and memory capacities. VSM virtual appliances can be
hosted on B-series hosts that provide a dense deployment environment serviced by up to two-socket, 6-
core processors and up to 384GB of RAM. C-series servers can be provisioned with up to two-socket,
8-core processors and up to 384GB of RAM. Therefore, these VSM virtual machines can be
provisioned with more memory and processor capacity flexibly when required.

Network
For simple deployments, the network should be designed with traffic localization in mind. The VSM
media servers should be placed as close as possible to video endpoints from which streams are sourced.
This will allow relatively higher quality video to be recorded locally, without being required to traverse
the network, which could result in additional latency and higher potential for packet loss.

Sophisticated networks that have end-to-end QoS deployed, with the recommended per-hop behavior
(PHB) applied to the video traffic class, allow video traffic to traverse the network to a centralized
location, for example the data center where the associated VSM media server is located.

Cisco recommends that video traffic should be placed in a separate local VLAN for easy identification
and classification. The VLAN should not span multiple switches. Similarly, Ethernet storage and
management traffic should be placed in separate VLANs.

A logical and consistent IP addressing scheme should be adopted that allows for simplified
management, scalability and route summarization.

Cisco recommends that a network readiness assessment should be carried out to ensure that the
network has sufficient capacity to meet the performance requirements for delivering video between
endpoints and servers.

Storage
Video traffic requires a significant amount of storage space for recording and as such is the most
dominant factor to consider when designing IP Video Surveillance environments. Both MSP and UCS
appliances can provide local and remote storage capabilities.

Local storage on the MSP platforms can scale up to 24TB of raw capacity per server, when using the
standard 2TB disks in a 12-bay 2RU CPS chassis. The UCS C240 M3, on the other hand, can handle up
to 36TB raw capacity per appliance, when using 3TB disks in a 12-bay 2RU chassis.

External storage is supported using fibre channel SAN devices. These devices can scale up in excess of
100TB per appliance. Multilayer directors can be used to provide zoning and other advanced features
where multiple hosts and storage devices exist.

In general, virtualized appliances leverage external storage to take advantage of high availability
(which requires shared storage), storage scalability and high performance. Local storage on MSPs is
suitable for simple deployments that look for an all-in-one solution for recording and management.
Management
A single Operations Manager server that is located in the central data center manages video endpoints
and media server resources. A single VSOM instance can scale management of up to 10,000 video
endpoints and up to 250 media servers. For deployment environments that exceed these endpoints and
servers, such as city-wide deployments, multiple VSOM instances can be provisioned to provide load-
balancing.
Branch Architecture
Characteristics
The IP Video Surveillance branch architecture is characterized by the existence of a single Operations
Manager server that manages one or more Media Servers at the same organizational and geographical
region. This region is defined as an autonomous campus with one or more locations that are
interconnected by a Local Area Network (LAN).

In general, branch architectures are classified as small-sized deployments which consist of 5 or fewer
media servers, 100 or fewer video endpoints and 5 or fewer active client endpoints, in a single location.
Multiple such branches can exist in the organization; however, each is characterized as being managed
independently of each other.

The following sample topology illustrates this model:

Design Principles

Compute
Computational resources at the branch environment are provided either by an MSP appliance for
physical environments or the UCS E-series blades for virtual environments. The UCS E-series blade is
a Cisco ISR G2 router service module that provides the functionality of a compact, power-optimized,
multipurpose x86 64-bit blade server.
The E-series offers a single-socket, up to 6-core processor option with up to 48GB of RAM. These
specifications best the MSP appliances, while providing the flexibility of a virtualized environment and
functionality of a branch-in-a-box. The caveat to consider is that the ISR G2 is a required component,
which could add to the cost factor. However, this could also be an advantage to be leveraged if the
router exists already or is to be used to provide other services for the branch.
The MSP is a viable alternative where simplicity is key, and the solution requirements fall within the
fixed configuration options available.
Network
The small office/branch office network is typically a flat, switched environment with relatively few
endpoints and traffic generated. Video traffic is not expected to traverse long distances from the
endpoints to the VSM server; however, Cisco recommends that QoS is implemented to provide
differentiated services from other traffic types, especially during periods of relatively higher than
normal use. Depending on the size of the environment, all devices may be placed into a single VLAN
and IP addresses sourced from a single subnet. If the IP address space is subdivided for different
functions, Cisco recommends that video traffic should be placed in its own VLAN for easy
identification and classification.

Storage
MSP appliances can provide local on-board storage for recording video. E-series blades, on the other
hand, do not have sufficient storage capacity to meet most solution recording needs. The blades provide
up to 3TB raw capacity for SATA drives. If RAID arrays are created for fault tolerance, this available
capacity is further diminished. As a result, whenever E-series blades are required, external storage
options will need to be evaluated.

In particular, iSCSI SAN devices are appropriate for this environment to provide the needed storage
scalability and at the same time leverage existing Ethernet infrastructure, which lowers the total cost of
ownership. The E-series has in-built optimizations for iSCSI, specifically TCP/IP Offload Engine
(TOE) and iSCSI hardware offload. These enhancements offload the processing of packet headers to
hardware ASICs, which translates to a significant performance improvement for VSM applications.

Management
The Operations Manager centrally provides management of the video surveillance environment. As
noted earlier, the Cisco Physical Security Multiservices Platform (CPS MSP) appliances provide out-
of-band management capabilities through Intelligent Platform Management Interface (IPMI). The UCS
E-series blade server has an integrated Emulex Baseboard Management Controller (BMC) that provides
for management via IPMI as well as through the Cisco Integrated Management Controller (CIMC)
interface.

In addition, the VSM virtual appliances can be managed using the vSphere client interface. This
capability is especially important in remote branch environments where IT staff may not be available at
every site for monitoring or troubleshooting.
Distributed Architecture
Characteristics
The distributed IP Video Surveillance architecture is characterized by the existence of a single
Operations Manager server that manages one or more Media Servers across multiple organizational and
geographical regions. These regions are typically composed of a central campus and one or more
remote campuses interconnected by a private Wide Area Network (WAN) or the public Internet over a
secure virtual private network.

In general, distributed architectures can be classified as a small, medium or large deployment
depending on the number of media servers, video and client endpoints, at each location. The principal
defining characteristic of this architecture is that, except for large citywide deployments, a single
Operations Manager instance manages multiple media servers and endpoints that are spread out across
multiple locations in the enterprise. Each remote location does not operate independently but with
dependency on the central location where the VSOM instance is hosted.
Design Principles

Network
The network connectivity between the branch and central campus could either be over a private WAN
service such as Multi-Protocol Label Switching (MPLS) or Frame Relay, or over the public internet,
typically over a secure Virtual Private Network (VPN) service such as IPsec VPN, Dynamic Multipoint
VPN (DMVPN) or GET VPN.

Remote users can gain access to IP Video Surveillance resources, such as the Operations Manager
instance, through an ezVPN or Secure Sockets Layer (SSL) VPN connection.

Bandwidth is typically a limiting factor as traffic traverses the WAN. Users also need to balance the
need to record high-fidelity, evidence-quality video with monitoring live video from remote locations.
Cisco recommends that in such cases secondary streams of lower resolution and bit rate or frame rate
should be considered. The lower quality stream is used for live viewing across the WAN from remote
branches to users at the central site, for example, while the higher-quality stream is recorded locally for
later retrieval should the need arise.

Cisco recommends that network readiness assessments should be carried out across the central campus
to multiple remote locations to determine the appropriate stream settings at which the network can
sustain acceptable video performance.

Management
Network management tools should be leveraged to monitor the health of video traffic as it traverses the
enterprise network. This is especially important for distributed architectures due to the physical
separation and often the lack of trained IT staff at remote locations to assist with troubleshooting and
remediation measures.

IOS embedded instrumentation that is leveraged by the Medianet architecture should be employed to
provide proactive and reactive monitoring capabilities across the enterprise IP Video Surveillance
network. These tools should be used in conjunction with management capabilities available within the
campus environments.
Campus Network Design
Understanding and designing the structure of the network is crucial to creating scalable and
available campus architectures. This section describes the building blocks of the enterprise campus
model as well as considerations for designing the IP Video Surveillance network structure.

Hierarchical Model
The hierarchical model of network design simplifies the architecture of campus networks into modular
components, each representing a functional service layer within the campus hierarchy. A hierarchical
design is also important as it avoids the need for a fully meshed node network.

The modularity of the design is important for the following reasons:


Allows the network to scale to meet current as well as future requirements
Allows traffic to flow in a more deterministic pattern
Allows for effective fault isolation and faster resolution

The enterprise campus hierarchical model consists of the following layers:


Access Layer
The campus access layer aggregates end users and edge devices, such as IP cameras, and provides
uplinks to the distribution layer. At layer 2, each switchport creates a single collision domain.

In general, network devices at this layer provide the following features:

Power over Ethernet (PoE): provides power to PoE-capable edge devices such as IP cameras.

QoS trust boundary: traffic flows are typically marked at this layer on ingress at the
switchport.

Link aggregation: high availability is provided to the distribution layer through EtherChannel
or 802.3ad Link Aggregation Control Protocol (LACP).

IGMP snooping: helps control multicast packet flooding for multicast applications.

Security services: various security features are typically configured at this layer such as
DHCP snooping, 802.1x, port security, Dynamic ARP Inspection and IP source guard.

Distribution Layer
The campus distribution layer acts as the services and policy boundary, connecting both access and
core layers. Network devices in this layer typically participate in Layer 2 switching on downstream
access trunks and Layer 3 switching on upstream core links.

In general, network devices at this layer provide the following features:

Redundancy: through Virtual Switching System (VSS) for Catalyst 6500 series switches or
first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP) or Virtual Router
Redundancy Protocol (VRRP)

Route summarization: summarizes routes from the access layer to the core

Route filtering: limits route advertisements to access devices

Policy-based routing: controlled routing decisions and packet manipulation are carried out at
this layer, which also forms the boundary between static and dynamic routing protocols

Layer 2 boundary: VLANs are terminated at this layer and traffic is subsequently routed
between VLANs or to the core for external networks
Core Layer
The campus core layer acts as a high-speed backbone for fast and efficient movement of packets across
multiple networks. This layer provides a limited set of services and is designed to be highly available
and reliable to allow for rapid adaptation to network changes, for instance rerouting of traffic when
network failure occurs.

For smaller campuses, the core can be combined with the distribution to form a collapsed core. In this
configuration, the collapsed core must be fully meshed to provide proper connectivity. However, the
setup is difficult to scale. Additionally, network changes to one part of the core/distributed layer can
result in network disruption in other layers as well. As such, while convenient for small environments,
these caveats should be carefully considered.
Layer 2 Design
The two over-arching design goals for the IP Video Surveillance Layer 2 network are high availability
and determinism. The optimal Layer 2 design should provide a measure of redundancy and alternate
paths to network destinations, and should also establish predictable patterns for video traffic on the
network.

The following features are important in ensuring a suitable Layer 2 design is formed. Considerations for
designing the IP Video Surveillance network with these features in mind are discussed in the following
sections.

LAN Switching
The goal of the Layer 2 switching or forwarding logic in IOS Catalyst devices is to deliver Ethernet
frames to appropriate receivers based on the destination MAC address. Physical switches can either be
statically configured with MAC addresses or they can be learned dynamically by inspecting the source
MAC address field of incoming frames.

If the MAC address is known, it would be present in the Content-Addressable Memory (CAM) table,
along with the associated VLAN ID, egress switchport and timestamp of when the MAC address was last
seen. This information will then be used to forward the frame.

If the MAC address is unknown, the forwarding behavior will depend on the type of address:

Unknown unicast: the frame is flooded out all interfaces, except the interface on which the
frame was received

Broadcast: the frame is flooded out in the same manner as unknown unicasts

Multicast: the frame is flooded out in the same manner as unknown unicasts, except when
optimizations such as IGMP are implemented

For the switch to forward on the outgoing interface, the port must be in the forwarding state in the STP
configuration. Spanning Tree Protocol enables switches to overcome the possibility of bridging loops
occurring along redundant switching paths.
Virtual LAN
A virtual LAN (VLAN) refers to host devices linked to a subset of switchports that communicate as a
logical network segment. VLANs are used to limit the size of a broadcast domain, and to assist in
allocation and management of subnetworks. As such, VLANs form a critical component of hierarchical
and modular network designs, and they enable isolation of different traffic aggregates.

Cisco recommends that the following traffic aggregates should be separated by VLANs on the network:
Management traffic: generally consists of to-the-box traffic. Examples include Secure Shell (SSH),
telnet, vSphere connectivity, Cisco Integrated Management Controller (CIMC), Cisco Integrated
Management Controller Express (CIMCE) and device-generated data traffic such as L2/L3 protocols.
Video traffic: consists of traffic from camera endpoints to media servers, and on to client endpoints
Storage traffic: consists of Fibre Channel over Ethernet (FCoE) and iSCSI storage traffic

This traffic separation provides for simplicity in managing and monitoring endpoints, and in applying
differentiated service levels for these traffic classes.

When traffic is received on an ingress switchport, the frames are tagged with a VLAN ID. By default,
VLAN 1 is the tag that is applied to all traffic; however, each switchport can be associated with a
different VLAN as shown below:

! Configure the VLAN database
!
vlan 22
 name management
!
vlan 23
 name video
!
vlan 24
 name storage
!
! Assign the VLANs to switchports
!
interface FastEthernet1/0/3
 switchport mode access
 switchport access vlan 22
!
interface FastEthernet1/0/4
 switchport mode access
 switchport access vlan 23
!
interface range FastEthernet1/0/5 - 6
 switchport mode access
 switchport access vlan 24
!
Spanning Tree Protocol (STP)
STP is a LAN protocol that is used to prevent loops from occurring in a network with redundant Layer
2 links by deterministically blocking switchport interfaces.

Per-VLAN Spanning Tree Plus (PVST+) is an enhancement to STP (802.1d) that provides for a separate
spanning-tree instance for each VLAN in the network. Rapid PVST+ (RPVST+) further improves the
convergence time of STP, while providing optimizations to the STP instance.

! PortFast: access ports enter the forwarding state immediately by skipping the
! listening and learning STP states
! Do not configure on trunk ports (will likely cause STP loops).
!
interface range FastEthernet1/0/5
 switchport access vlan 19
 spanning-tree portfast
!
! BPDU Guard: if BPDUs are seen on a switch port, the port goes into error-disable
! state and must be manually recovered before traffic can pass through again
! Typically configured along with PortFast
!
interface range FastEthernet1/0/5
 spanning-tree bpduguard enable
!
! Root Guard: if superior BPDUs are seen on a switch port, the port goes into the
! root-inconsistent (blocking) state to prevent the rogue switch from becoming the root.
! Automatically recovers the port when the BPDUs are no longer received on the interface
!
interface range FastEthernet1/0/5
 spanning-tree guard root
!
! UplinkFast: for access switches with redundant uplinks, optimized convergence and
! failover to alternate links is achieved for direct link failures
! Configured globally on a switch
!
spanning-tree uplinkfast
!
! BackboneFast: when a switch learns of an indirect link failure independently, instead
! of waiting for max_age timer to expire, it reduces convergence time by querying
! neighbors
! Must be configured globally on all switches in order to be effective
!
spanning-tree backbonefast
!

Cisco recommends that these spanning-tree optimizations should be implemented as a best practice,
where appropriate.
Trunking
In order to transport information from more than one VLAN across the switch fabric, trunks between
participating switches must be configured.

Packets belonging to each VLAN are tagged with identifying information in the frame header using
either 802.1q or Inter-Switch Link (ISL) encapsulation; dot1q is standards-based and the most prevalent
in networks today.

Also, set the native VLAN to something other than the default (VLAN 1) for security purposes in order
to mitigate VLAN-hopping attacks.
!
! Configure trunking on the connected ports on both switches
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22-24
!
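
The spanning-tree and trunking guidance above can be checked mechanically against a saved switch configuration. The following is an added example, not part of the original course material: it audits IOS-style interface stanzas for trunks left on native VLAN 1, trunks without an allowed-VLAN list, PortFast on trunks, PortFast without BPDU Guard, and access ports left in VLAN 1. The sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the page): two access ports and
# two trunks, some of which ignore the guidance in the sections above.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/4
 switchport mode access
 switchport access vlan 23
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
 switchport mode access
 switchport access vlan 23
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22-24
!
"""


def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # a "!" line closes the stanza
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces


def _vlan(cmds, prefix, default=1):
    """VLAN ID set by '<prefix> <id>', or the IOS default of VLAN 1."""
    for cmd in cmds:
        match = re.fullmatch(re.escape(prefix) + r" (\d+)", cmd)
        if match:
            return int(match.group(1))
    return default


def audit_interface(cmds):
    """Return the findings for one interface's sub-commands."""
    findings = []
    mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
    portfast = any(c.startswith("spanning-tree portfast") and not c.endswith("disable")
                   for c in cmds)
    bpduguard = "spanning-tree bpduguard enable" in cmds
    if mode == "trunk":
        if _vlan(cmds, "switchport trunk native vlan") == 1:
            findings.append("trunk uses default native VLAN 1")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append("trunk has no allowed-VLAN list")
        if portfast:
            findings.append("PortFast configured on a trunk port")
    elif mode == "access":
        if _vlan(cmds, "switchport access vlan") == 1:
            findings.append("access port left in default VLAN 1")
        if portfast and not bpduguard:
            findings.append("PortFast without BPDU Guard")
    return findings


def audit_config(config):
    """Return {interface: findings} for every interface with a finding."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(cmds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

An `interface range` stanza is reported under its range string as a single entry; interfaces with no `switchport mode` line are not evaluated.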

Etherchannels
EtherChannels allow multiple uplinks (up to eight Ethernet interfaces of the same type) to be combined
together and considered as a single link in the spanning-tree domain. All links are in the forwarding state
resulting in increased total bandwidth available. Without EtherChannels, only one link would be in the
forwarding state and all the others would be blocking in order to prevent STP loops.

EtherChannels also allow for load balancing between the configured link bundles based on the
EtherChannel hashing algorithm. Note that, while Cisco switches can, routers do not negotiate port
channels through LACP or PAgP, so the far end would need to be unconditionally on.

The link between SW6 and SW4 is configured as a Gigabit EtherChannel:


!
! Creating a Layer 2 port channel
! Trunk ports must have same native VLAN, encapsulation and list of allowed VLANs
!
interface port-channel 1
switchport mode trunk
switchport trunk native vlan 22
!

interface range gi1/0/23 - 24
switchport mode trunk
switchport trunk native vlan 22
channel-group 1 mode on
!
!
! Creating a Layer 3 port channel
! Member ports join channel-group 2 so that they bundle into port-channel 2
!
interface port-channel 2
no switchport
ip address 10.100.22.50 255.255.255.0
!
interface range gi1/0/6 - 7
no switchport
channel-group 2 mode on
!
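
The following added example (not part of the original course material) audits a switch configuration for the two trunking points made above: a trunk whose native VLAN is still the default VLAN 1, and EtherChannel member ports whose trunk settings differ from their port channel. The sample configuration and the function names are constructed for illustration, and the parser assumes `show running-config` style output in which interface ranges are already expanded.

```python
import re

# Constructed sample in "show running-config" form (ranges already expanded).
# Gi1/0/23 matches Port-channel1; Gi1/0/24 and Gi1/0/10 do not follow the guidance.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 22
 switchport trunk allowed vlan 22-24
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 22
 switchport trunk allowed vlan 22,23,24
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 22-24
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_vlan_list(text):
    """Expand '22-24' or '22,30 - 32' into a set so equal lists compare equal."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return frozenset(vlans)


# (pattern, settings key, converter) for the interface commands used in this section
SETTINGS = [
    (re.compile(r"switchport mode (\S+)$"), "mode", str),
    (re.compile(r"switchport trunk encapsulation (\S+)$"), "encap", str),
    (re.compile(r"switchport trunk native vlan (\d+)$"), "native", int),
    (re.compile(r"switchport trunk allowed vlan ([\d,\s-]+)$"), "allowed", parse_vlan_list),
    (re.compile(r"channel-group (\d+) mode \S+$"), "channel_group", int),
]


def parse_interfaces(config):
    """Return {interface name: settings}; an unset native VLAN defaults to 1."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"interface\s+(.+)$", line, re.IGNORECASE)
        if header:
            current = {"mode": None, "encap": None, "native": 1,
                       "allowed": None, "channel_group": None}
            interfaces[re.sub(r"\s+", "", header.group(1))] = current
        elif line.startswith("!"):
            current = None
        elif current is not None:
            for pattern, key, convert in SETTINGS:
                found = pattern.match(line)
                if found:
                    current[key] = convert(found.group(1))
    return interfaces


def audit(config):
    """Return (interface, finding) pairs for risky or inconsistent trunk settings."""
    interfaces = parse_interfaces(config)
    bundles = {}
    for name, cfg in interfaces.items():
        bundle_name = re.fullmatch(r"port-channel(\d+)", name, re.IGNORECASE)
        if bundle_name:
            bundles[int(bundle_name.group(1))] = cfg
    findings = []
    for name, cfg in interfaces.items():
        if cfg["mode"] == "trunk":
            if cfg["native"] == 1:
                findings.append((name, "native VLAN is the default VLAN 1"))
            if cfg["allowed"] is None:
                findings.append((name, "no allowed-VLAN list, so the trunk carries every VLAN"))
        group = cfg["channel_group"]
        if group is None:
            continue
        bundle = bundles.get(group)
        if bundle is None:
            findings.append((name, f"no port-channel interface for channel-group {group}"))
            continue
        for key in ("mode", "encap", "native", "allowed"):
            if cfg[key] != bundle[key]:
                findings.append((name, f"{key} differs from Port-channel{group}"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns four findings: two for Gi1/0/24 (default native VLAN, and a native VLAN that differs from its port channel) and two for Gi1/0/10 (default native VLAN and an unrestricted VLAN list).
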
Layer 3 Design
When designing the Layer 3 network, speed of convergence and scalability are two of the main features
to take into consideration. Layer 3 networks should also be designed to be resilient and highly available.
The following sections describe the considerations that should be taken into account to achieve these
objectives.

IP Addressing
The foundation of an efficient, scalable and manageable routing domain is the IP addressing scheme. A
properly designed IP addressing scheme allows the network to take advantage of route summarization.
Route summarization allows a Layer 3 device to only advertise summary routes to upstream devices,
thus reducing router workloads and resource consumption. This leads to faster convergence times,
reduces instability during high-traffic periods and promotes determinism.

Properly designed IP addressing schemes also make it easier to implement access control lists for
matching interesting traffic for security purposes or applying differentiated services.

The IP addressing scheme should also be scalable and account for future growth; this allows for new
switches, routers or endpoints to be added to the network without impacting the rest of the topology.

Consider the following sample topology:

In this example, the IP address allocation scheme allows for up to 255 distribution groups each with up
to 255 possible local VLANs. Each local VLAN can have up to 254 hosts. More importantly, the
distribution switches can send summary routes up to the core and to each other over Layer 3 links which
enable efficiency and fast routing protocol convergence.

IP Unicast Routing
Unicast routing could occur either at the access or distribution layer, with high-speed hardware-based
switching reserved for the Campus core layer. In order for all participating hosts and routers to learn
about destinations within the network, an interior gateway routing protocol must be configured. For most
enterprise networks, the routing protocol of choice is either EIGRP or OSPF.
Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP is a classless, distance-vector routing protocol that is simple, scalable and fast. Classless
means that subnet masks are included in route advertisements, and distance-vector means that it shares
all its routing information, but only with connected routers. The protocol is Cisco proprietary.
EIGRP provides multi-protocol support (IP, IPX, AppleTalk), sends some packets reliably
(acknowledgements required) using Reliable Transport Protocol (RTP), uses hellos to discover
neighbors and as a keepalive, and uses the Diffusing Update Algorithm (DUAL) to select best paths and
feasible failover routes. A combination of bandwidth and delay (by default, and optionally load,
reliability and MTU) is used as the metric.

EIGRP achieves fast convergence through the concept of successors and feasible successors. A
successor route has the lowest metric to the destination prefix and is installed in the routing table. For a
feasible successor (FS), the feasible distance (metric to reach a destination) is higher than the metric that
the neighbor reports for that route; that is, the route satisfies the feasibility condition. The FS is stored in the topology table.
Should an input event occur (new route, failed route), local computation is triggered, the result of which
is that either the FS is promoted to be the successor or neighbors are queried for a valid route (i.e. the
route goes active). EIGRP also offers MD5 authentication to protect routing updates between neighbors,
as well as unequal-cost load balancing of traffic.
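
The successor and feasible-successor selection described above, as an added example that is not part of the original course material. The neighbor names and metrics are constructed, and the feasible distance is taken to be the metric of the current successor, which is how DUAL defines it.

```python
# Constructed topology-table entries for one destination prefix:
# neighbor -> (distance reported by that neighbor, cost of the link to it)
TOPOLOGY = {
    "A": (10, 10),  # total 20: lowest metric, becomes the successor
    "B": (15, 20),  # total 35: reported 15 < FD 20, so it is a feasible successor
    "C": (25, 5),   # total 30: cheaper than B, but reported 25 >= FD 20, not feasible
}


def select_paths(topology):
    """Return (successor, feasible distance, feasible successors) for one prefix."""
    totals = {n: reported + link for n, (reported, link) in topology.items()}
    successor = min(totals, key=lambda n: (totals[n], n))
    feasible_distance = totals[successor]
    # Feasibility condition: the neighbor's reported distance must be lower than
    # the feasible distance, which proves the neighbor does not route through us.
    feasible = sorted(
        (n for n, (reported, _) in topology.items()
         if n != successor and reported < feasible_distance),
        key=lambda n: (totals[n], n),
    )
    return successor, feasible_distance, feasible


def successor_failed(topology):
    """Local computation after the successor is lost.

    Returns ("passive", new_successor) when a feasible successor can be promoted,
    or ("active", None) when neighbors have to be queried for a valid route.
    """
    _, _, feasible = select_paths(topology)
    if feasible:
        return "passive", feasible[0]
    return "active", None


if __name__ == "__main__":
    print(select_paths(TOPOLOGY))
    print(successor_failed(TOPOLOGY))
    # Without B, the only alternative (C) fails the feasibility condition.
    print(successor_failed({"A": (10, 10), "C": (25, 5)}))
```

Neighbor C shows why the condition exists: its total metric is lower than B's, but its reported distance is not below the feasible distance, so the router cannot rule out that C's path loops back through itself.
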

Open Shortest Path First (OSPF)

OSPF is a classless, link-state routing protocol that is fast and offers scalability to much larger networks.
Link-state routing protocols advertise information only about directly connected links, but they share
this information with all routers in their OSPF area. The protocol is an open standard developed by the
IETF.

OSPF employs the use of routing domains (areas) to subdivide the network in order to introduce a two-
level hierarchical framework that allows for scaling large and complex networks by containing the flow
of routing protocol traffic and thus reducing the impact on CPU and memory resources.

The two-level hierarchy consists of a backbone area (Area 0) and all other areas. If an OSPF design has
multiple areas, the Area Border Routers (ABRs) must connect to the backbone area in addition to their
own attached area. If not physically feasible, an OSPF virtual link can be created that traverses a
non-backbone area, to Area 0. Autonomous System Boundary Routers (ASBRs) inject external routes,
typically learned from an exterior protocol such as Border Gateway Protocol (BGP), into the OSPF
process. All OSPF-speaking routers in the same area have the exact same topological database.

For multi-access topologies, broadcast (e.g. LANs) and non-broadcast (e.g. Frame Relay), a Designated
Router (DR) and Backup Designated Router (BDR) are elected based on OSPF priority and/or router ID
in order to form adjacencies with all participating routers (DROther) on a segment. A DR/BDR
significantly lowers the number of neighbor relationships that need to be formed and as a result reduces
the volume of link-state advertisements (LSA) flooded in the domain. In selecting best routes to a
destination, OSPF uses a Shortest-Path First (SPF) calculation based on Dijkstra's algorithm. OSPF also
provides equal-cost load balancing as well as plain-text and MD5 authentication.

Considerations for EIGRP and OSPF


Both EIGRP and OSPF are very capable routing protocols; however, in determining which IGP to select
for your network environment, there are several factors to take into account including, but not limited to:

EIGRP is Cisco proprietary and hence only works on Cisco devices, whereas OSPF is an open standard that
will work on multi-vendor devices

Link-state routing protocols require greater CPU and memory resources relative to distance-vector
protocols because they process routing information locally from all participating routers in the domain,
not just connected routers

OSPF adapts well to larger, more complex networks due to its hierarchical architecture, fast convergence
and varied network topology support; EIGRP is much simpler to deploy for relatively smaller networks
with fast performance

EIGRP, as a distance-vector protocol, is more susceptible to routing loops and counting-to-infinity and
as such must implement avoidance measures such as split-horizon, route-poisoning, and hold-down
timers; OSPF is not subject to these routing issues

IP Multicast Routing
Multicasting involves sending packets to a designated group address. In the IP Video Surveillance
environment, multicasting is used to transfer video traffic from a single source, the video endpoint, to
the Video Surveillance Manager server.

Multicasting is useful for reducing bandwidth consumption. Instead of sending multiple video streams to
individual receivers, the same stream can be sent to a strategically placed rendezvous point on the
network and all interested receivers can subscribe to the group to receive the stream. The current release
of VSM does not support multicasting to client endpoints.

For multicast traffic to be properly routed, the network must be multicast-enabled. A multicast-enabled
network is defined as a network where the following requirements are met:

A defined set of IP addresses by which multicast groups are identified

A mechanism by which hosts can join and leave multicast groups

A routing protocol for efficient delivery of multicast traffic to group members

Class D IP addresses in the 224.x.x.x to 239.x.x.x range are reserved for multicast. Note that multicast
addresses always begin with 1110 as the first four bits and are not subject to subnetting rules because
these addresses are used to represent multicast applications, not hosts. Therefore, 28 bits (out of 32 in an
IPv4 address) are available for a total of 2^28 (268,435,456) multicast groups possible. However, there
are certain address ranges that have been reserved for specific use, for example 224.0.0.0/24 for
link-local addresses. Of note is the reserved Administratively Scoped range of 239.0.0.0/8, defined in
RFC 2365. This range is designed to be used in private multicast domains and can be bound by filtering
for these addresses at the network edge as well as other defined points where the multicast traffic should
not traverse. It is therefore required to select multicast IP addresses, for IPICS in particular, from this
address range.

Internet Group Management Protocol (IGMP)


When a router becomes aware of a multicast stream from a connected source, it must be able to
determine whether any of its connected networks have hosts that want to join the group to receive the
traffic. Once the host has joined the group, the router needs to have a way to query the network to
determine if the host still wants to receive the multicast traffic, and when the host is done, it also needs a
means to efficiently leave the group. The Internet Group Management Protocol (IGMP) carries out these
functions. All participating hosts and routers must support IGMP to enable multicast sessions. IGMP is
designed to be limited to the local link only; this is enforced by always setting the Time-To-Live (TTL)
value in the encapsulated IP header to 1.

To join a group, a host sends a membership report message to the router. The router then identifies the
host as a group member and allows it to join the session. Periodically, the router sends a query to
determine if there are any remaining receivers in the subnet; group members receiving the query respond
with a report sent to the group address. Note that only one membership report is sent in a group per
subnet, and it is sufficient to inform the router that there are still members attached. To leave a group, a
leave message is sent to the "All routers on subnet" group address (224.0.0.2).

IGMP snooping is a standards-based switching feature that allows for identification of hosts that request
multicast traffic and therefore provides the ability to limit forwarding of group traffic to specific ports.
This feature is enabled by default.
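
The addressing and IGMP rules from the two sections above, combined in one added example that is not part of the original course material: a validator for captured IGMP messages that checks the TTL of 1, the destination address of reports and leaves, the 1110 prefix of the group, and whether the group falls inside the administratively scoped 239.0.0.0/8 range. It assumes the 8-byte IGMPv2 message layout (type, maximum response time, checksum, group address); the messages are constructed with the `build_igmp` helper rather than captured.

```python
import ipaddress
import struct

# IGMPv2 message types
QUERY, REPORT_V2, LEAVE = 0x11, 0x16, 0x17
ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.2")
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")


def checksum(data):
    """16-bit one's complement of the one's complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type, group, max_resp=0):
    """Build a constructed IGMPv2 message with a valid checksum (sample input only)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def check_igmp(ttl, dst, payload):
    """Return the list of rule violations for one IGMP message (empty if clean).

    ttl and dst come from the enclosing IP header, payload is the IGMP message.
    """
    if len(payload) < 8:
        return ["truncated IGMP message"]
    issues = []
    msg_type, _max_resp, _csum, raw_group = struct.unpack("!BBH4s", payload[:8])
    # Summing a message that includes a correct checksum yields 0xFFFF,
    # so recomputing the checksum over it gives 0.
    if checksum(payload) != 0:
        issues.append("bad checksum")
    if ttl != 1:
        issues.append(f"TTL {ttl}, expected 1")
    dst = ipaddress.IPv4Address(dst)
    group = ipaddress.IPv4Address(raw_group)
    if msg_type in (REPORT_V2, LEAVE):
        if int(group) >> 28 != 0b1110:
            issues.append(f"group {group} is not a Class D address")
        elif group not in ADMIN_SCOPED:
            issues.append(f"group {group} is outside 239.0.0.0/8")
        if msg_type == REPORT_V2 and dst != group:
            issues.append("report not addressed to its group")
        if msg_type == LEAVE and dst != ALL_ROUTERS:
            issues.append("leave not addressed to 224.0.0.2")
    elif msg_type != QUERY:
        issues.append(f"unknown IGMP type 0x{msg_type:02x}")
    return issues


if __name__ == "__main__":
    samples = [  # constructed (ttl, destination, message) triples
        (1, "239.1.1.10", build_igmp(REPORT_V2, "239.1.1.10")),
        (1, "224.0.0.2", build_igmp(LEAVE, "239.1.1.10")),
        (64, "224.1.2.3", build_igmp(REPORT_V2, "224.1.2.3")),
    ]
    for ttl, dst, message in samples:
        print(dst, check_igmp(ttl, dst, message) or "ok")
```
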

Multicast Distribution Trees


While unicast routing attempts to find and forward packets through the shortest path to a particular
destination, multicast routing is concerned with finding and forwarding packets through the shortest path
to the source, also known as reverse path forwarding (RPF). Routers along these forwarding paths keep
the topology loop-free by implementing RPF checks on incoming traffic: the source IP address of an
ingress packet on an interface is examined, then the unicast routing table is consulted to determine the
next-hop interface as known by the router. If they match, the packet is forwarded; otherwise it is
dropped. In other words, the RPF check verifies that the packet arrived on the same interface that would
be used if the router were to send traffic to the source.
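
The RPF check described above, as an added example that is not part of the original course material. The routing table, the outgoing interface list and the interface names are constructed; the lookup uses a longest-prefix match, as a unicast routing table does.

```python
import ipaddress

# Constructed unicast routing table of one router: (prefix, interface toward it)
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.100.0.0/16", "Gi0/1"),
    ("10.100.22.0/24", "Gi0/2"),
]

# Constructed outgoing interface list for one (source, group) entry
OIL = {("10.100.22.7", "239.1.1.10"): ["Gi0/0", "Gi0/1"]}


def rpf_interface(routes, source):
    """Interface the router would use to reach source (longest-prefix match)."""
    address = ipaddress.ip_address(source)
    best = None
    for prefix, interface in routes:
        network = ipaddress.ip_network(prefix)
        if address in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, interface)
    return best[1] if best else None


def rpf_check(routes, source, ingress):
    """True only if the packet arrived on the interface that leads back to source."""
    return rpf_interface(routes, source) == ingress


def forward(routes, oil, source, group, ingress):
    """Return the egress interfaces for a multicast packet, or [] if it is dropped."""
    if not rpf_check(routes, source, ingress):
        return []  # arrived on a non-RPF interface: a looped or misrouted copy
    return [i for i in oil.get((source, group), []) if i != ingress]


if __name__ == "__main__":
    # The copy arriving on the RPF interface is forwarded down the tree.
    print(forward(ROUTES, OIL, "10.100.22.7", "239.1.1.10", "Gi0/2"))
    # The same packet looping back in on Gi0/1 fails the check and is dropped.
    print(forward(ROUTES, OIL, "10.100.22.7", "239.1.1.10", "Gi0/1"))
```
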

These forwarding paths form the multicast distribution trees, and are of two types:

Shortest Path Tree (SPT) or source-based tree: rooted at the source, with individual (S,G) pairs
recorded for each multicast source within the group

Root Path Tree (RPT) or shared tree: rooted at a router designated as the Rendezvous Point
(RP), with only one (*,G) entry created for each group even if the RP has multiple upstream
sources

Protocol Independent Multicast (PIM)


PIM is a routing protocol used to forward multicast traffic in an IP network. Other routing protocols
exist, such as Distance Vector Multicast Routing Protocol (DVMRP), Multicast Open Shortest Path First
(MOSPF) and Core-Based Tree (CBT); however, only PIM is fully implemented in Cisco IOS and is
thus the preferred protocol.

PIM exists in four variants:

Dense Mode (PIM-DM): source-based trees are built by sending traffic to every DM router in
the network; if no hosts register on DM routers via IGMP, a prune message is sent back to the
host (i.e. flood-and-prune method). Recommended where there is a large number of recipients
located on every subnet (dense) and bandwidth is plentiful (e.g. on a LAN).

Sparse Mode (PIM-SM): shared trees are only built for, and traffic only forwarded to, hosts that have
sent an explicit join message to the RP. Note that PIM-SM can initiate a switchover from RPT
to SPT, therefore potentially improving the packet forwarding efficiency with a shorter route to
the source. Recommended where there is a relatively small number of sources, with recipients
sparsely distributed on the network and bandwidth is constrained (e.g. over a WAN).

Sparse-Dense Mode: provides support for operating in DM or SM on the same interface
depending on the mode the multicast group is configured for. If a group has a known RP, then
SM is selected, otherwise DM becomes operational. Interfaces must be configured in this mode
when implementing group-to-RP mapping (automated RP discovery for SM) via Auto-RP. This
is because RP mapping announcements are sent to all participating routers through dense mode
flooding.

Bidirectional (bidir-PIM): an extension to PIM-SM that addresses its limitations in scaling to
large numbers of sources. When multicast traffic is sent from the source, the first-hop leaf
router does not send Register messages to the RP so that it can join the source-specific tree as in
SM; instead, it just forwards the multicast traffic upstream to the RP, through its RPF interface.
In SM this action is not allowed as the RPF check only allows packets to be forwarded
downstream, not upstream. To maintain a loop-free topology, a Designated Forwarder (DF) is
elected on each segment to forward multicast traffic received on the network to the RP of the
bidirectional group. As a result, any multicast traffic from any source is sent through the RP,
loop-free, and with little overhead for multiple sources and recipients.

Boundary Design
There are three main models for designing the boundary of the Access-Distribution block. Each method
optimizes for different requirements and has caveats as discussed in the following sections.

Layer 2 Distribution
In this model, the Layer 2/Layer 3 boundary is placed at the distribution layer, as illustrated in the
figure below:

The distribution switches are interconnected via a Layer 2 trunk. This topology is considered suboptimal
due to the additional complexity and reliance on STP to maintain a loop-free topology. If a failure
occurs, convergence times are relatively slower.

In this topology it is also important to ensure that the HSRP primary node and STP root bridge are
defined on the same switch so that as VLANs are load-balanced, the inter-distribution link is not used
consistently for transit traffic.

This topology is typically used when VLANs are spanned across access switches. Cisco recommends
that VLANs should not be spanned across switches whenever possible, particularly when a first-hop
router protocol such as HSRP is deployed. This topology could lead to asymmetric routing, which can
cause unicast flooding whenever traffic is sent to a receiver; this is due to the difference in the aging
timers of the Content Addressable Memory (CAM) table and Address Resolution Protocol (ARP).
Layer 3 Distribution
In this model, the Layer 2/Layer 3 boundary is also placed at the distribution layer, but the
inter-distribution link is routed. The following figure illustrates this topology:

VLANs do not span across switches, but as in the previous model, the STP root is aligned with the
HSRP primary. All links on the distributed switches are in the forwarding state with HSRP providing the
first-hop redundancy.

This topology is considered optimal and provides the highest availability. At the access layer, Layer 2
switches can be used which saves on cost. The inter-distribution link allows for route summarization
between the distribution switches.

Layer 3 Access
In this model, the Layer 2/Layer 3 boundary is established at the access switch level, as illustrated
below:

VLANs do not span the access switches. Since a routing protocol is required on the switches, first-hop
redundancy protocols like HSRP are not required. This design also supports equal-cost load balancing on
all Layer 3 switch links.
This design is considered optimal because it is relatively easier to implement and achieves the fastest
sub-second convergence due to the routing protocol convergence algorithms. However, multilayer
switches will be required for all access switches, which can drive up cost and may be prohibited due to
the existing architecture.

Virtual Switching System


As an alternative to installing two independent chassis at the distribution layer for the datacenter
network, the Virtual Switching System can be deployed.

VSS 1440 is a system virtualization technology that combines a pair of Catalyst 6500 switches, deployed
in the datacenter, into a single logical network segment, as shown in the comparative illustration below:

The benefits of VSS are that the need for first-hop redundancy protocols, like Virtual Router Redundancy
Protocol (VRRP) and Hot Standby Router Protocol (HSRP), is negated since the chassis pair is pooled
and operates as a single network node. Only one IP address is required per VLAN.

Also, the need for Spanning-Tree Protocol (STP) is negated as port channels on uplinks connect to a
single device, forming a loop-free topology. Access switches can connect to and form a port channel
between two different distribution switches through the use of a multi-pathing technology, Multichassis
EtherChannel (MEC).

A caveat to note with VSS designs is the fact that they must be deployed in pairs; it is not possible to add
a third switch to a VSS to increase availability.
Lesson 2

Network Video

Overview
There are various considerations to be taken into account when transporting
video over an IP network. This section examines compression techniques as
well as factors that impact overall video stream quality.
Video Compression

Video endpoints consume a large amount of raw data from the scene in their field of view. This raw data
in its present form is unsuitable for transport over the network and for storage by the Media Server due
to its large footprint, and must therefore be intelligently compressed before transmission to the receiver.
Compression refers to the reduction of redundant and irrelevant signal data in a video stream to lower
the network bandwidth and storage requirements.

Compression Algorithms
When compressing raw data, video codecs strive to strike a balance between intelligently reducing the
size of output data, while still maintaining image quality. There are three main algorithms or techniques
that are widely used for compression of video streams:

Chroma subsampling
This technique involves the reduction of color detail (chroma) in a video frame, in favor of variations in
its brightness (luma) levels. This approach takes advantage of the fact that the human eye is
comparatively less perceptive of subtle changes to color richness, in contrast to changes in the amount of
light in the image.
Depending on the field of view, this technique has the potential to achieve relatively modest reductions
in the average frame size.

Spatial compression
This technique involves the reduction of redundant data within a video frame, also referred to as
intra-frame coding. This technique leverages the property that pixels in a video frame are closely related
to their neighbors.

Therefore, a reduction in the number of pixels within a frame that contain very similar data has the
potential to result in an appreciable 20-70% reduction in average frame sizes, depending on the scene
in the field of view.

Temporal compression
This technique involves the reduction of redundant data between successive frames, also referred to as
inter-frame coding. This technique exploits the property that, in general, sequential frames in a group of
pictures (GOP) contain areas with redundant data quite similar to those in preceding frames.

With this algorithm, average frame sizes can potentially be drastically reduced by 50-80% in scenes
with little to no motion as only the portions of the scenes that have changed are transmitted in
subsequent frames. In scenes with medium to high complexity, the gains in compression are capped as
more data must be transmitted in subsequent frames to represent scene changes in the field of view.
Group of Pictures
A Group of Pictures (GOP) is a sequence of frames in an encoded video stream. There are three types of
video frames as illustrated in Figure.

Sequence of Frames in an Encoded Video Stream

Intra Frames
These frame types consist of a complete picture, representing the complete scene in a field of view. The
image is coded without reference to other frames in the GOP. They are also referred to as I-frames. Each
GOP structure starts with this frame type. The I-frame interval is typically not directly configurable; the
Media Server programmatically determines this value based on other stream options. I-frames are used
with both spatial and temporal compression algorithms.

Predictive Frames
These frames are also referred to as P-frames. These frame types represent only the data within a field
of view that has changed. They are coded with reference to the preceding I-frame or P-frame in the
GOP. P-frames are used with temporal compression.

Bidirectional Predictive Frames
B-frames use the previous and next frames (either I-frames or P-frames) as reference points for motion
compensation. B-frames are not as commonly implemented in compression due to increased latency
associated with the compensation prediction, which can potentially be a drawback for real-time video
delivery.
Video Codecs
Raw video data is encoded into a video stream in order to allow for efficient network and system
resource utilization. At the receiver, the data needs to be decoded for consumption by video clients. This
process is implemented using codecs.

The following codecs are commonly used in VSM for camera configuration:

Motion JPEG
Motion JPEG (MJPEG) consists of a series of individual JPEG images. These images are coded as
individual I-frames; therefore every frame that is produced by the codec is a complete reference frame
that is representative of the field of view.

Typical MJPEG Stream Profile

The main advantage with this encoded format is that it provides a measure of robustness in stream
delivery. Any occurrence of packet loss in the network flow does not adversely affect subsequent
frames, since each frame is a complete image. In other words, if a frame is lost, the next frame clears up
any residual effects from the previous image (e.g. a frozen image on screen), since it has no missing
information.

The main drawback with MJPEG is that it has higher bandwidth and storage requirements. Average
frame sizes are relatively large due to the fact that it uses spatial compression that realizes fairly modest
compression ratios within frames.

MPEG-4
Video data encoded in this MPEG-4 (strictly MPEG-4 Part 2) format is composed of both I-frames and
P-frames in its GOP structure. Since this format uses temporal compression, in general bandwidth and
storage utilization is much lower than MJPEG, although this is also dependent on the amount of motion
occurring in the scene.
H.264
This encoding format, also referred to as MPEG-4 Part 10 or AVC, is based on the MPEG-4 standard but
achieves much higher predictive compression ratios when compared to both MJPEG (up to 80%) and
MPEG-4 Part 2 (up to 50%). This format delivers high compression at high bit rates, while resulting in
higher quality streams. This codec uses temporal compression.

H.264 stream profile, showing I-frames and P-frames:

Note
The relative bandwidth and storage efficiencies are largely dependent on the scene complexity; high-complexity
scenes result in very modest to no resource efficiencies when compared to MJPEG encoded data under similar
conditions, because each frame (I-frames and P-frames) will be coded essentially as complete frames in order to
represent the scene changes in the field of view. However, where these conditions are not sustained over long
periods of time, H.264 turns out to be far superior as an encoding format.

The main drawback with H.264 is the higher hardware (GPU, CPU, memory) and software (DirectX and other
software components) resource requirements to perform the encoding and decoding operations. This is
especially pronounced at the client endpoint, as it will impact the total number of H.264 streams that can be
rendered at any point in time.
Stream Quality
The perception of the quality of a stream to end users is affected by various factors as outlined below:

Resolution
Stream resolution describes the total number of pixels in each horizontal and vertical (x/y) dimension.
The following table defines some of the most common resolutions in use today:

Common Stream Resolutions

Category  Format    Resolution
Analog    QCIF      176 x 120
          CIF       352 x 240
                    704 x 480
          D1/480p   720 x 480
HDTV      720p      1280 x 720 (0.9 MP)
          1080p     1920 x 1080 (2.1 MP)
Digital   VGA       640 x 480
          SXGA      1280 x 1024 (1.3 MP)
                    1400 x 1050 (1.5 MP)
          UXGA      1600 x 1200 (1.9 MP)
                    1920 x 1200 (2.3 MP)
          QSXGA     2560 x 2048 (5.2 MP)

The stream resolution directly influences the data-carrying capacity of each frame: the higher the
resolution, the larger the amount of video data that can be encoded and transmitted, resulting in a richer
and sharper image quality. For example, 1080p resolution has six times as many pixels per frame as
compared to D1 resolution.

Consequently, higher resolutions are typically paired with higher bitrate settings in a stream profile in
order to allow the codec to produce compressed data at a rate that maintains the same perceived quality
as at lower profiles. The corollary is that if comparatively low bitrate settings are used with high
resolutions, the image may appear to be of lower quality (e.g. grainy or blurry), since the codec cannot
produce enough data to be represented by all available pixels as required to maintain the same
quality.

Processing of streams at higher resolutions is resource intensive and thus imposes higher hardware
requirements, particularly at the client, since there is more pixel data to process per frame per unit time.

Therefore, in order to perform near real-time processing, higher-end GPU, CPU and memory is required.
Lower stream resolutions conversely have lower infrastructure resource requirements but also typically
result in relatively lower quality images. The choice of resolution will largely depend on the respective
use case.
Bit Rate
The stream bitrate describes the data transfer rate produced by a codec for transmission to receivers. A
stream profile can be defined with either of the modes below:

Variable Bit Rate (VBR) mode: the data transfer rate is automatically varied by the codec to
match a desired image quality. The image quality is defined by the quantization level. In a
complex scene, the amount of data required to fully represent the field of view is typically
higher than in less complex scenes where there is little to no motion activity present.

Constant Bit Rate (CBR) mode: the image quality is varied to match the target data transfer
rate. In this case the data transfer rate is fixed so the encoder has to produce sufficient data to
match the mean target rate, typically with a small standard deviation. With CBR, on average the
same amount of data is always produced.

VBR is generally used in instances where image quality is fixed and is desired to be maintained at that
level regardless of the scene complexity. CBR is generally used in instances where determinism in the
bandwidth utilization of video streams on the network is desired.

Frame Rate
The frame rate refers to the number of individual encoded video frames transmitted per unit time.

As a primary function, the frame rate directly influences the visual perception of continuous motion in a
scene (i.e. the smoothness) as observed by the end user. High frame rates (generally above 25 fps)
produce the best perception of smooth video, while low frame rates (generally below 5 fps) cause the eye
to perceive the apparent discontinuity in the rendering of the image stream.

In addition, the frame rate of a video stream indirectly influences its network bandwidth utilization.
When VBR mode is selected, the bit rate is automatically adjusted to match a desired quality or
quantization level, which results in the respective variation in frame rate and average frame size as the
amount of encoded data increases or decreases based on the scene complexity.

In CBR mode, the frame rate does impact bandwidth but to a smaller extent than in VBR mode.
Increasing the frame rate may result in an increase in data transferred but does not exceed the target
bitrate. In the figure of an H.264 stream at 768 Kbps CBR, reducing the frame rate by 80% from 30 fps to
5 fps only resulted in a 30% drop in bandwidth, all else remaining constant.

H.264 Frame Rate Reduction Example


However, higher frame rates will also impose additional processing overhead due to the increased
number of frames in the same time period at the client endpoint. Therefore, when choosing stream frame
rates, pay close attention to the client compute resources available to ensure an appropriate viewing
experience is achieved for the environment.

Quantization Factor
The quantization level defines the compression level used by a codec to convert raw video data into an
encoded format. Typically, the reference scale varies by manufacturer, e.g. 1-10, 0-100,
low/medium/high, etc. Lowering the quantization level on the respective reference scale increases the
compression level and lowers the image quality.

Lowering the image quality is appropriate in situations where bandwidth or storage resources are
limited, and the need for high quality images is not a top priority for users in the environment.

Quantization Settings For Two Stream Profiles

Since the quantization level lets one set the desired image quality level, it is only directly configurable
when VBR mode is used. When CBR mode is used, the quantization level is varied automatically by the
codec compression algorithm in order to match the target bit rate. Therefore, the direct programmability
of quantization and CBR mode are mutually exclusive.
Lesson 3

Media Flow Considerations

Overview
A media flow refers to the session that is established for media delivery
between a source host producing the video and a destination host receiving the
video, using an agreed-upon transport protocol and communicating between
two established ports.

This chapter examines these data flows, protocol mechanics and the
interaction between the servers and endpoints on the network.
Data Flow
Once a stream profile, based on options such as resolution, bitrate, frame rate, quality, etc., has been
established, the media server can initiate the stream request for video endpoints that are in the Enabled
state. The media server logs into the video endpoint device and applies the configuration settings, and
once completed successfully, the requested video data begins streaming to the server.

Media Server Data Flow and Components

All device management and streaming operations from particular camera endpoints are managed by
unique umsdevice processes on the server. The video stream from the endpoint is then made available to
internal processes that consume this data, such as the recording process and analytics, or it can be
immediately served out live to client endpoints through the MediaOut subsystem.

Each client request for streaming of live or recorded video is managed by a MediaOut process on the
server.

When a client requests to view a particular stream, the server establishes the session to the client
endpoint and delivers the stream as it is available.

Data Flow Sequence

Step 1 The end user will first be required to successfully authenticate their log-in credentials with
the Operations Manager (OM) server, using the web or desktop client application.

Step 2 Following a successful log-in, the client application retrieves and displays the list of
configured cameras in the OM database that the user is authorized to access.

Step 3 When a particular stream is selected for viewing by the end user, the OM server identifies
the host Media Server (MS) that manages the requested endpoint device and redirects the
client to establish the media session directly with that MS.

Step 4 Once established, if the camera is in a streaming state or the recording is available, the live
or recorded media stream is served to the client application.

Note

The connection between the server and camera endpoint is always streaming, unless the stream is optimized through
the use of the economical streaming feature that only streams live from the video endpoint when requested by client
endpoints.

Media Transport Protocols


IP video surveillance traffic is delivered from sources to receivers using a set of standards-based
protocols that govern the initialization, transfer and teardown of media flows on the network. This
section describes these protocol mechanics.

Real Time Streaming Protocol (RTSP)


RTSP is a session-layer protocol that is used to control the delivery of real-time streaming audio and
video content over IP networks. RTSP is typically implemented over TCP, listening on the well-known
port 554. Video payload does not actually use RTSP for delivery; rather, the Real-Time Transport Protocol
(RTP) is used for this purpose.

RTSP maintains state between clients and servers when media sessions are active in order to correlate
RTSP requests with a video stream. The simplified finite-state machine is illustrated in the figure:

Simplified Finite-state Machine

The RTSP state machine uses the following main protocol directives to control the multimedia session:
OPTIONS
After establishing the TCP connection to the server on port 554, the client issues an OPTIONS command
to request the list of supported options. The server then responds with a list of all the options that it
supports e.g. DESCRIBE, SETUP, TEARDOWN, etc.

DESCRIBE
The client issues a DESCRIBE command to notify the server of the URL of the media file that it is
requesting.

The figure illustrates the request made from the VSM server (acting as the RTSP client) to a Cisco 2611 IP
camera:

Stream Description

The parameters of the stream are defined in Session Description Protocol (SDP) format.

Stream Parameters
SETUP
The client issues a SETUP command to indicate to the server the transport mechanisms to be used for
the session.

The figure illustrates the client request:

In this example, for media delivery the VSM server will use UDP port 16102 for RTP and 16103 for
RTCP. The IP camera then responds, acknowledging the client's port assignment and indicating its own
(5002 and 5003, respectively) as well as a session ID.

IP Camera Response

PLAY
Once the client is ready to begin receiving video data, it issues a PLAY request to the server.

PLAY Request

PAUSE
If a client wants to momentarily stop the delivery of video traffic, the PAUSE request can be issued.
This directive has the effect of stopping the media stream without freeing server resources. Once the
PLAY command is re-issued, the stream resumes the data flow.

TEARDOWN
If a client wants to permanently stop receiving video traffic, the TEARDOWN request is issued.
TEARDOWN Request

Real-Time Transport Protocol (RTP)


RTP is a transport-layer protocol that defines the set of conventions used to provide end-to-end network
transport capabilities for transmission of real-time data, such as voice and video. RTP utilizes either
UDP or TCP for transporting video data across the network.

RTP always selects even ports at the transport layer for both servers and clients. As described in the
previous section, during set up of the RTSP session the client first indicates its destination ports for
receiving video and then the server acknowledges and responds with the UDP ports that it will be using
to send the RTP data. Note that all RTP traffic is unidirectional from source to receiver only.
The RTP packet contains three important fields:

Timestamp: used for ordering of incoming video packets for correct timing during playback
Sequence number: used to uniquely identify each packet in a flow for packet loss detection
Source Synchronization: used to uniquely identify the source of a media stream

The figure illustrates the composition of the RTP packet:

Real Time Control Protocol (RTCP)


RTCP is a protocol used in conjunction with RTP for reporting on stream-quality information to the
server. RTCP is bidirectional and uses UDP as the transport protocol.
RTCP always selects an odd-numbered port, and is always one port higher than the UDP port used for
RTP. In general, RTCP accounts for less than 5% of stream traffic.

Flow Characterization
RTP media flows could either use UDP or TCP as the transport protocol of choice. This section
describes the considerations for both approaches.
Video Endpoint-to-Media Server Flow
Media delivery between video endpoints and the media server by RTP could either be accomplished
using UDP or TCP as the transport protocol.
It is important to note that the availability of either or both protocols for use when defining the stream
profile in the media server is entirely dependent on the capabilities of the camera driver built for a
particular device model. These capabilities are in turn influenced by the API provided by the device
manufacturer. Therefore, the sockets used for session establishment and media streaming are device
specific.
The following sections examine the protocol mechanics of both methods, as well as techniques for
determining sockets that are being used by the VSM server to connect to IP video and client endpoints.

RTP over UDP


When a camera is configured in VSM to stream over UDP, the traffic patterns illustrated in the figure are
initiated:

UDP Traffic Patterns

The management plane is a logical path in the network communication architecture that handles all
device management traffic between the endpoints and the VSM server, and between VSM servers. In
addition, this plane coordinates the function of the other planes. Traffic is transferred and encrypted over
Secure HTTP. The Openwire protocol is used by the ActiveMQ broker for real-time messaging between
VSM servers and between VSM servers and the SASD client. Stomp protocol is a simpler, lightweight
alternative to Openwire and is used between the VSOM server and the web client.
At the control plane, RTSP is used to provide signalling for the media streams. RTSP is implemented at
the segments between both endpoints. The source port at the sender is always TCP 554; the destination
port on the VSM server and at the client endpoint is negotiated during the TCP connection establishment
process.

At the data plane, the source and destination ports are both negotiated during the RTSP SETUP process.
The source ranges are defined and are configurable at the video endpoint web interface and at the media
server console, respectively. The media server UDP destination port range is statically defined to be in
the 16000-19999 range and is not configurable. Note that since RTP always transmits on even ports, at
any point in time an implied maximum of 2000 camera streams can be supported per media server.
However, this value is beyond the supported threshold at the time of this writing (250 Mbps stream IO).
Consult the current datasheets for up to date information on configuration maximums.

The implication of streaming RTP over UDP is that if the video traffic needs to traverse a firewall, all
ports in the range must be allowed for all video endpoints if the flow is in the outside-to-inside direction.
If the flow is inside-to-outside, a stateful firewall can be used to allow returning control and
management traffic back to the endpoint.

Client endpoints behind a firewall pose an even greater challenge since the UDP ports are assigned
dynamically, so it is difficult to determine which ports to open. In such a case, it would be recommended
to create a VPN tunnel to exchange traffic between the VSM server network and the client endpoint.
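
The port negotiation described above can be turned into exact per-stream firewall flows instead of a rule for the whole 16000-19999 range. The following Python sketch is an added example, not Cisco code; the RTSP messages are constructed from the addresses and ports quoted on this page, and the URL path, CSeq, Session value and function names are assumptions.

```python
import re

# Constructed RTSP SETUP exchange. Addresses and UDP ports are the ones quoted
# in the text; the URL path, CSeq and Session values are invented placeholders.
SETUP_REQUEST = (
    "SETUP rtsp://10.200.42.12/stream1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=16102-16103\r\n\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=16102-16103;server_port=5002-5003\r\n\r\n"
)
MEDIA_SERVER_PORTS = range(16000, 20000)  # 16000-19999, per the text


def transport_params(message):
    """Return the Transport header of an RTSP message as a dict of parameters."""
    for line in message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "transport":
            params = {}
            for item in value.strip().split(";"):
                key, _, val = item.partition("=")
                params[key.strip().lower()] = val.strip()
            return params
    raise ValueError("no Transport header")


def port_pair(params, key):
    """Parse 'rtp-rtcp' and enforce the even RTP port / RTCP = RTP + 1 rule."""
    match = re.fullmatch(r"(\d+)-(\d+)", params.get(key, ""))
    if not match:
        raise ValueError(f"{key} missing or malformed")
    rtp, rtcp = int(match.group(1)), int(match.group(2))
    if rtp % 2 or rtcp != rtp + 1:
        raise ValueError(f"{key}={rtp}-{rtcp} is not an even/odd RTP/RTCP pair")
    return rtp, rtcp


def udp_pinholes(request, response, camera_ip, server_ip):
    """List the (src_ip, src_port, dst_ip, dst_port) UDP flows of one stream."""
    req, rsp = transport_params(request), transport_params(response)
    if "rtp/avp/tcp" in rsp:
        return []  # interleaved: media rides on the RTSP TCP connection
    srv_rtp, srv_rtcp = port_pair(req, "client_port")   # media server side
    if port_pair(rsp, "client_port") != (srv_rtp, srv_rtcp):
        raise ValueError("camera did not acknowledge the requested ports")
    if srv_rtp not in MEDIA_SERVER_PORTS:
        raise ValueError("media server port outside 16000-19999")
    cam_rtp, cam_rtcp = port_pair(rsp, "server_port")   # camera side
    return [
        (camera_ip, cam_rtp, server_ip, srv_rtp),    # RTP, source to receiver only
        (camera_ip, cam_rtcp, server_ip, srv_rtcp),  # RTCP is bidirectional,
        (server_ip, srv_rtcp, camera_ip, cam_rtcp),  # so it needs both directions
    ]
```

For a stream configured for TCP the function returns an empty list, because the media is interleaved on the RTSP connection and no UDP flow exists.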

The figure illustrates the session establishment and video streaming over UDP:

UDP Session Establishment and Video Streaming


In the figure above, the VSM server (10.103.0.8) logs into the camera (10.200.42.12) over an HTTPS
(TCP/443) connection and completes the handshake. The stream negotiation process over RTSP
(TCP/554) is initiated and then subsequently RTP streaming is initiated over UDP/16102 on the Media
Server and UDP/5002 on the video endpoint.
In order to find out which ports have been opened for a particular camera stream on the Media Server,
first obtain the associated process ID and then retrieve the open sockets as shown below (note: applies to
VSM 7.x releases):

media-server:~# lsof -c umsdevice -i@10.200.42.12 -a | awk '{print $2}'
PID
24160

media-server:~# lsof -p 24160 -i -a -n -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
umsdevice 24160 nobody 13u IPv4 44305817 TCP 10.103.0.8:57824->10.200.42.12:554 (ESTABLISHED)
umsdevice 24160 nobody 14u IPv4 44305818 UDP *:16102
umsdevice 24160 nobody 15u IPv4 44305819 UDP *:16103

RTP over TCP


When a camera is configured in VSM to stream over TCP, the traffic patterns illustrated in the figure are
initiated:

TCP Streaming Traffic Patterns

The management and control plane are identical when transporting data over UDP and TCP.

At the data plane, RTP is interleaved onto the existing RTSP connection, which means that the RTP
stream is encapsulated and now transmitted over the same TCP connection that is being used for RTSP.
As a result, only one port is utilized to transport all media flows. This property is useful in environments
where the media flow needs to traverse a firewall: only one deterministic port is required to be opened
for the RTP traffic to go through. The server also interleaves RTCP messages over the TCP connection.
Interleaving is enabled whenever a camera stream is configured for TCP. Cisco recommends that the
TCP option should only be used in the case where firewalls exist in the end-to-end path between servers
and endpoints; in all other instances, UDP should be used to allow for faster delivery of real-time video
traffic.

The following packet capture illustrates the session establishment and video streaming over TCP:

TCP Session Establishment and Video Streaming

The figure above shows the connection establishment to the IP camera, this time over HTTP
(TCP/80). The RTSP (TCP/554) connection is established and the RTP video stream is interleaved over
the same RTSP connection; that is, over TCP 554.

Note that in some instances, some camera models may establish the management and data plane over
HTTP as opposed to over RTSP. In effect, the video stream is transmitted over TCP/80. In particular,
this behavior is true for Cisco 29xx series cameras, as illustrated in the output below of a Cisco 2911
PTZ camera with IP 10.101.0.10:

media-server:~ # lsof -i@10.101.0.10 -n -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
umsdevice 24160 nobody 9u IPv4 44302980 UDP 10.100.21.20:59429->10.101.0.10:30001
umsdevice 24160 nobody 11u IPv4 44304849 TCP 10.100.21.20:41422->10.101.0.10:80 (ESTABLISHED)

Media Server-to-Client Endpoint Flow
Media delivery between the media server and the client endpoint, regardless of the connectivity profile
between the video endpoint and media server, is accomplished by interleaving the RTP stream over the
RTSP session on TCP/554. Consequently, for each client connection to the server, a single media stream
session is initiated.

The figure illustrates the flow pattern:

Media Server-to-Client Flow Pattern

The figure illustrates the protocol mechanics in session establishment between the client and the server:

Media Server-to-Client Session Establishment


The first three packets illustrate the TCP three-way handshake, then RTSP protocol messages describing
and establishing connectivity. Note that once the stream starts flowing after the PLAY command, the
dynamic RTP connection is streamed over the RTSP port TCP/554 on the server to the client at
TCP/62143.

All outbound streaming from the media server is handled by the MediaOut subsystem. To examine
which ports have been opened for a particular streaming request from the client to the server, the
following commands can be executed:

media-server:~ # lsof -c MediaOut -i -a -n -P | grep EST
MediaOut 23519 root 7u IPv4 44957697 TCP 10.100.21.20:554->10.1.99.3:62143 (ESTABLISHED)
Lesson 4

Network Services
Considerations

Overview
In designing the IP Video Surveillance network, there are various
essential IP services that are integral in supporting the solution.

Network Time Protocol
NTP is an internet standard protocol that is used to synchronize time on network machines to a defined
authoritative reference clock. Clock sources are organized in a hierarchical system of levels, where each
level is referred to as a stratum. The stratum number determines how many NTP hops the machine is
away from the authoritative time source.

Time synchronization is very important in an IP Video Surveillance environment because activities such
as recording, grooming, event correlation and troubleshooting are dependent on having correct time
across all participating servers and endpoints.

Among nodes on the network, time synchronization is also important in validating that predetermined
Service Level Agreements (SLAs) for the solution are being met. Without correct time synchronization,
network latency and jitter cannot be accurately determined.

Cisco recommends that all client endpoints, video endpoints, network nodes, media servers and
operations manager servers be configured to synchronize to a common NTP master server.
The NTP master could be configured on a Layer 3 IOS device on the network that is used for
management, or on an external time server that is reachable by all devices in the subnetwork.
Layer 3 IOS devices can be configured to act as an NTP master as follows:

! Set the time zone information in global configuration mode
!
clock timezone PST -8
clock summer-time PDT recurring
!
! Set the hardware calendar configuration
!
clock calendar-valid
ntp update-calendar
!
! Ensure the correct time is set in privilege exec mode
!
sh clock
!
! If not, then set the clock time, for example to 1:35pm 10th October 2012
!
clock set 13:35:00 10 OCT 2012
!
! Define the master time server
!
ntp master
!
! Set the interface from which NTP packets are sourced to the loopback address; note
! that the loopback address needs to have been previously defined
!
ntp source loopback0
!

NTP authentication can also be configured but one would need to ensure that all devices that will
synchronize to this time server can support authentication, otherwise the synchronization will fail.
It is also important to take into account that if the current system time on a device that is not
synchronized differs significantly from the time server, NTP synchronization will not succeed. As a
precaution, it is advisable to manually set the system time on the client device, and then enable NTP
synchronization.
Dynamic Host Configuration Protocol
DHCP is an internet protocol that provides a framework for the automatic assignment of reusable IP
addresses, as well as passing other network configuration attributes, to a client on a network. For the IP
Video Surveillance solution, these additional attributes include:

Default gateway address
DNS server address(es)
VSM media server address(es)

DHCP is important in the IP Video Surveillance environment because it cuts down deployment times for
IP video endpoints. Instead of having to manually configure each camera with required IP parameters,
they are automatically discovered and assigned.

The Medianet architecture, implemented in IP video endpoints through the embedded Media Services
Interface (MSI), allows for discovery of preconfigured media servers on the network for subsequent
auto-registration to VSM. The list of media servers is supplied to the IP video client through the DHCP
option 125.

As previously discussed, Cisco recommends the use of local VLANs as opposed to spanning VLANs
across the network domain. For ease of management, most organizations typically configure one DHCP
server to service multiple subnets. Since initial DHCP messages are broadcast on the subnet, and Layer
3 devices do not forward broadcasts as they form the boundary of the broadcast domain, DHCP relay
agents will need to be configured in order to forward the messages to the DHCP server on a different
subnet.

The following illustration shows the sequence of events when a DHCP client connects to the network:

DHCP Client Connection

1. The video endpoint sends a DHCPDISCOVER message as a broadcast to all subnets (source IP
0.0.0.0, destination IP 255.255.255.255) on UDP/67 (BootP server) to try to reach a DHCP server
on the network.

2. The Layer 3 device that acts as the DHCP relay agent (in this case a distribution node)
intercepts the broadcast message and generates a new unicast DHCP message, inserting the IP
address of the interface on which the relay agent is configured in the gateway address (giaddr)
field of the DHCP packet, and then forwards the request to the designated DHCP server on the
network.

3. Upon receiving the request, the DHCP server takes note of the giaddr field and examines the
configured DHCP pools to determine which subnet to allocate IP addresses from. The server
then responds with a DHCPOFFER as a UDP/67 packet that contains the configuration
parameters, or options. These options include:

a. IP address (Option 50)
b. Subnet mask (Option 1)
c. Default gateway (Option 3)
d. Lease duration (Option 51)
e. DNS server (Option 6)
f. Vendor-identifying vendor-specific (Option 125)

4. The DHCP relay agent receives the offer and forwards it to the DHCP client as a unicast
message on UDP/68. The DHCPOFFER is not a guarantee that the specified address will be
allocated, but the server will typically reserve the assignment until the client responds.

5. Upon receiving the DHCPOFFER, the IP video endpoint sends a formal request for the offered
address in a DHCPREQUEST message. This is a broadcast request to notify any other DHCP
servers that received the initial DHCPDISCOVER message and may have responded so that
they can reclaim their assigned offers.

6. Finally, the DHCP server, upon receiving the formal request, allocates the IP address and sends a
DHCPACK message back to the client.

The DHCP relay agent can be configured as shown below:

!
! Configure a device as a relay agent to forward DHCP messages to the 10.102.0.100
! DHCP server
!
interface vlan42
 ip address 10.200.42.1 255.255.255.0
 ip helper-address 10.102.0.100
!

The IOS DHCP server can be configured as shown below:

!
! In global configuration mode, exclude the IP address of the default router
! and any other static hosts, then configure the address pools
! If multiple address ranges will be required, configure a top-level pool
! from which common attributes will be inherited
! The IP address of the media server can also be passed in Option 125
! Option is in hex format: 0000.0009.0b14.0901.<vsm-ip-in-hex>.0050.0001
! In this example, the VSM server's IP is 0a64.1516 (10.100.21.22)
!
ip dhcp excluded-address 10.200.42.1
!
ip dhcp pool 0
 network 10.0.0.0 255.0.0.0
 dns-server 10.102.0.50
 domain-name cisco.com
!
ip dhcp pool 1
 network 10.200.42.0 255.255.255.0
 default-router 10.200.42.1
 option 125 hex 0000.0009.0b14.0901.0a64.1516.0050.0001
!
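
The option 125 value in the pool above can be generated and checked programmatically rather than converted by hand. This Python sketch is an added example, not Cisco code: it assumes the value follows the RFC 3925 layout (4-byte enterprise number, 1-byte length, then code/length/data sub-options), which matches the byte counts of the page's template, and it treats the template bytes around the IP address as opaque; all function names are hypothetical.

```python
import ipaddress

ENTERPRISE = 9                         # 0000.0009 in the page's value
SUBOPTION = 0x14                       # sub-option code in the page's value
BEFORE_IP = bytes.fromhex("01")        # opaque template byte before the IP
AFTER_IP = bytes.fromhex("00500001")   # opaque template bytes after the IP


def build_option125(vsm_ip):
    """Return the argument of 'option 125 hex' for one media server address."""
    data = BEFORE_IP + ipaddress.IPv4Address(vsm_ip).packed + AFTER_IP
    sub = bytes([SUBOPTION, len(data)]) + data
    raw = ENTERPRISE.to_bytes(4, "big") + bytes([len(sub)]) + sub
    text = raw.hex()
    return ".".join(text[i:i + 4] for i in range(0, len(text), 4))


def parse_option125(dotted_hex):
    """Split the value into (enterprise_number, [(sub_code, sub_data), ...])."""
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    if len(raw) < 5:
        raise ValueError("shorter than enterprise number plus length byte")
    enterprise, body = int.from_bytes(raw[:4], "big"), raw[5:]
    if raw[4] != len(body):
        raise ValueError(f"data-len is {raw[4]} but {len(body)} bytes follow")
    subs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} is truncated")
        subs.append((code, data))
        pos += 2 + length
    return enterprise, subs


def media_servers(dotted_hex):
    """Return the media server addresses carried in a value of the page's format."""
    enterprise, subs = parse_option125(dotted_hex)
    if enterprise != ENTERPRISE:
        raise ValueError(f"unexpected enterprise number {enterprise}")
    found = []
    for code, data in subs:
        if (code == SUBOPTION and len(data) == 9
                and data[:1] == BEFORE_IP and data[5:] == AFTER_IP):
            found.append(str(ipaddress.IPv4Address(data[1:5])))
    return found
```

Running `media_servers()` over the value in a pool before deployment catches a mistyped length byte or address, which would otherwise only show up as cameras failing to auto-register.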

The following is sample output of the DHCP packet and event exchange between an IP camera and IOS
DHCP server:

17w1d: DHCPD: DHCPDISCOVER received from client 0100.22bd.dc78.19 on interface Vlan101.
17w1d: DHCPD: using received relay info.
17w1d: DHCPD: Sending notification of DISCOVER:
17w1d: DHCPD: htype 1 chaddr 0022.bddc.7819
17w1d: DHCPD: interface = Vlan101
17w1d: DHCPD: class id 436973636f2049502043616d657261
17w1d: DHCPD: out_vlan_id 0
17w1d: DHCPD: DHCPOFFER notify setup address 10.101.0.21 mask 255.255.255.0
17w1d: DHCPD: Sending DHCPOFFER to client 0100.22bd.dc78.19 (10.101.0.21).
17w1d: DHCPD: no option 125
17w1d: DHCPD: Check for IPe on Vlan101
17w1d: DHCPD: creating ARP entry (10.101.0.21, 0022.bddc.7819).
17w1d: DHCPD: unicasting BOOTREPLY to client 0022.bddc.7819 (10.101.0.21).
17w1d: DHCPD: Reload workspace interface Vlan101 tableid 0.
17w1d: DHCPD: tableid for 10.101.0.1 on Vlan101 is 0
17w1d: DHCPD: client's VPN is.
17w1d: DHCPD: DHCPREQUEST received from client 0100.22bd.dc78.19.
17w1d: DHCPD: Sending notification of ASSIGNMENT:
17w1d: DHCPD: address 10.101.0.21 mask 255.255.255.0
17w1d: DHCPD: htype 1 chaddr 0022.bddc.7819
17w1d: DHCPD: lease time remaining (secs) = 604800
17w1d: DHCPD: interface = Vlan101
17w1d: DHCPD: out_vlan_id 0
17w1d: DHCPD: Sending DHCPACK to client 0100.22bd.dc78.19 (10.101.0.21).
17w1d: DHCPD: no option 125
17w1d: DHCPD: Check for IPe on Vlan101
17w1d: DHCPD: creating ARP entry (10.101.0.21, 0022.bddc.7819).
17w1d: DHCPD: unicasting BOOTREPLY to client 0022.bddc.7819 (10.101.0.21).
17w1d: DHCPD: Reload workspace interface Vlan101 tableid 0.
17w1d: DHCPD: tableid for 10.101.0.1 on Vlan101 is 0
17w1d: DHCPD: client's VPN is.
17w1d: DHCPD: DHCPINFORM received from client 0022.bddc.7819 (10.101.0.21).
17w1d: DHCPD: Sending DHCPACK to client 0022.bddc.7819 (10.101.0.21).
17w1d: DHCPD: option 125 already at end
17w1d: DHCPD: unicasting BOOTREPLY to client 0022.bddc.7819 (10.101.0.21).

Simple Network Management Protocol


SNMP is an application-layer protocol used for controlling and managing devices in a client-server
architecture on an IP network. The SNMP framework consists of the following components:

SNMP manager: the network management system (NMS) that monitors and controls the
activities of the network host using GET/SET operations and by use of notifications received
from the managed device

SNMP agent: the software component on the managed device that maintains and reports device
information to the NMS

Management Information Base (MIB): the virtual information storage area for network
management information consisting of collections of managed objects and related objects
(modules)

The SNMP agent can generate unsolicited notifications to alert the NMS of device status and activities.
There are two types of notifications:

Informs: alert messages sent reliably, that is, requiring an acknowledgement of receipt from the
NMS

Traps: alert messages sent to the NMS that do not expect any acknowledgement. They are less reliable
than informs but do not consume as many device resources.

We recommend configuring VSM server and IP camera endpoints to send traps to an NMS on the
network to provide higher visibility into device and network conditions for fault, administrative and
performance management. The VSM server only provides support for sending SNMPv2c traps. Most
Cisco IP cameras support both SNMPv2c and SNMPv3.

Network devices along the network path should also be configured for SNMP since they form an integral
part of the IP Video Surveillance solution. If the health of any of the network nodes along the path is
negatively affected, the quality of experience could be degraded.

Cisco IOS devices can be configured as SNMP agents as shown below:

!
! Traps will be sent to the NMS at 10.100.21.110
! with the set community strings
!
snmp-server host 10.100.21.110 traps version 2c public
snmp-server community public RO
snmp-server community cisco RW
snmp-server ifindex persist
snmp-server enable traps
!
Note that Cisco IP cameras by default use a read-only community string of public, while Cisco VSM
servers use a read-only community string of broadware-snmp in VSM 6.x and 7.0 versions. This in
effect means that MIB variables cannot be changed using GET/SET operations.
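
The community strings named above are easy to check for in a device configuration. This added Python example (not a Cisco tool; the rule names are assumptions) audits the IOS snippet from this page for default communities, read-write communities, communities without an access list, and SNMPv1/v2c trap hosts, whose community strings travel unencrypted.

```python
DEFAULT_COMMUNITIES = {"public", "broadware-snmp"}  # defaults named in the text

# The IOS snippet from this page, used as the audit input.
PAGE_CONFIG = """\
snmp-server host 10.100.21.110 traps version 2c public
snmp-server community public RO
snmp-server community cisco RW
snmp-server ifindex persist
snmp-server enable traps
"""


def audit_snmp(config):
    """Return (line_number, rule, value) findings for an IOS SNMP configuration."""
    findings = []
    for number, line in enumerate(config.splitlines(), 1):
        words = line.split()
        if words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            name, rest = words[2], [w.lower() for w in words[3:]]
            if rest[:1] == ["view"]:          # optional "view <name>"
                rest = rest[2:]
            mode = "ro"                       # IOS default when omitted
            if rest and rest[0] in ("ro", "rw"):
                mode, rest = rest[0], rest[1:]
            if name in DEFAULT_COMMUNITIES:
                findings.append((number, "default-community", name))
            if mode == "rw":
                findings.append((number, "read-write", name))
            if not rest:                      # nothing left: no access list
                findings.append((number, "no-acl", name))
        elif words[:2] == ["snmp-server", "host"] and "version" in words:
            at = words.index("version")
            version = words[at + 1] if at + 1 < len(words) else ""
            if version in ("1", "2c"):        # community is sent unencrypted
                findings.append((number, "cleartext-version", version))
                if words[at + 2:at + 3] and words[at + 2] in DEFAULT_COMMUNITIES:
                    findings.append((number, "default-community", words[at + 2]))
    return findings
```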
Lesson 5

Network Performance
Considerations

Overview
Service Level Agreement (SLA) refers to the minimum performance guarantees
that need to be met in order to ensure that the performance and quality of the IP
Video Surveillance solution is assured. The following sections describe the
main SLA considerations that need to be taken into account when designing the
solution.
Bandwidth
Bandwidth refers to the raw capacity available on a particular transport medium, and is dependent on its
physical characteristics and the technology used to detect and transmit signals.

The amount of available bandwidth on a network segment directly impacts the quality and performance
of the IP Video Surveillance solution and as such should be carefully considered. High-bandwidth,
low-delay networks typically do not encounter much performance degradation over time.

Low-bandwidth, low-delay networks on the other hand typically experience packet loss due to
congestion. High-bandwidth, high-delay networks (so-called Long Fat Networks), such as satellite links,
would typically experience significant performance degradation due to the latency.

Cisco recommends the following minimum network path bandwidth requirements:

100 Mbps between IP cameras and access switches


1000 Mbps between encoders and access switches
1000 Mbps between access switches and media servers
1000 Mbps between media servers and client endpoints

It is important to note, however, that raw interface bandwidth is not synonymous with the actual data
transfer capacity that is realized on the network. In other words, video traffic will not be transferred
end-to-end at the stated raw capacity; rather, the actual transfer capacity is measured as a function of the time
it takes for traffic to traverse the network end-to-end. This metric is known as throughput.

Throughput signifies the amount of data that could be transported along a network path over a given
time period. The time period refers to the network latency.

When TCP is selected as the transport protocol of choice for a media flow, the size of the sender and
receiver windows are a limiting factor to network performance. TCP windows reflect the amount of
buffer space available at the sender and receiver to process incoming packets.

During TCP connection establishment, the receiver notifies the sender of the size of its receive window,
also known as the advertised window (awnd). After connection establishment, the sender transmits data
conservatively setting its sender window, also known as congestion window (cwnd), initially to twice its
Maximum Segment Size (MSS), which is 536 bytes by default. As the data is received and acknowledged
back to the sender, the cwnd grows, first exponentially in slow-start mode then linearly in congestion
avoidance mode, until either packet loss is encountered or the awnd threshold is reached.

If packet loss is encountered, then the transmission rate is throttled back to slow-start mode where the
cwnd is set to 1 MSS. Packet loss can be detected on the network either by reception of duplicate ACK
packets from the receiver, or expiration of the retransmission timeout (RTO).

If the awnd threshold is reached, it signifies that the receiver cannot accept any new packets because its
buffers are full. The receiver sends a window update indicating a window size of zero. The sender at this
point stops transmitting, but continuously probes for any new window updates.

At any point in time there can only be a finite amount of data in flight, whose value does not exceed the
receive window size (in bytes). This value is known as the bandwidth-delay product (BDP) and is
defined as:
Bandwidth-delay Product

()
() = ( ) (sec)

8

The design and optimization goal is to ensure that the BDP is as close to the size of the receive window
in order to maximize the data transfer rate, that is, throughput. Throughput can be calculated as follows:

Throughput
()
() =
()

The receive window size is 64KB by default. Since the RTT is guided by laws of physics and cannot be
changed, the throughput is almost always lower than the link bandwidth. The maximum bandwidth
available along the network path that video traffic traverses is equal to the bandwidth of the smallest
link.

The window size can be increased in order to approach the raw bandwidth; however, the following
caveats should be taken into account:

Unless Selective Acknowledgements (SACK) is implemented in the client TCP/IP stack, if any
packet loss occurs, the entire window will need to be retransmitted. The SACK option causes
the client to only retransmit the missing packets, but it is typically not enabled by default.

To contain the entire window of unacknowledged data in memory, more buffer space will be
required on network routers.

Video surveillance traffic encoded with variants of the MPEG standard (H.264 and MPEG4) is bursty in
nature and as such this characteristic needs to be accounted for in network provisioning.
Packet Loss
Packet loss refers to the dropping of packets between a defined network ingress point and a defined
network egress point. Loss is detected by the reception of non-contiguous sequence numbers at the
receiver. Both TCP and RTP packets have a sequence number field in their respective packet headers for
this purpose.
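
Loss detection from the RTP sequence number, as described here and in the RTP field list earlier, can be sketched as follows. This is an added Python example, not part of the course material; the packets are constructed test data, the header layout is the fixed 12-byte RTP header, and the function names are hypothetical.

```python
import struct


def make_packet(seq, timestamp, ssrc, payload=b"\x00" * 8):
    """Build a minimal RTP packet (version 2, dynamic payload type 96)."""
    return struct.pack("!BBHII", 0x80, 96, seq, timestamp, ssrc) + payload


def parse_rtp_header(packet):
    """Decode the fixed 12-byte RTP header."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    first, second, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"marker": bool(second & 0x80), "payload_type": second & 0x7F,
            "seq": seq, "timestamp": timestamp, "ssrc": ssrc}


def count_lost(packets):
    """Return {ssrc: packets still missing} after reading packets in arrival order."""
    highest, lost = {}, {}
    for packet in packets:
        header = parse_rtp_header(packet)
        ssrc, seq = header["ssrc"], header["seq"]
        if ssrc not in highest:
            highest[ssrc], lost[ssrc] = seq, 0
            continue
        delta = (seq - highest[ssrc]) & 0xFFFF   # 16-bit counter wraps at 65535
        if delta == 0:
            continue                              # duplicate of the newest packet
        if delta < 0x8000:                        # moved forward: a gap means loss
            lost[ssrc] += delta - 1
            highest[ssrc] = seq
        elif lost[ssrc]:                          # arrived late: fills an earlier gap
            lost[ssrc] -= 1
    return lost


# Constructed stream: 65535 and 2 never arrive, 3 arrives after 4, and the
# sequence number wraps from 65534 to 0 in between.
SSRC = 0x1234ABCD
SAMPLE = [make_packet(s, 3000 * ((s + 3) & 0xFFFF), SSRC)
          for s in (65533, 65534, 0, 1, 4, 3)]
```

The counter is kept per source identifier, so interleaved packets from several cameras arriving at one media server do not register as gaps in each other's streams.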

In general, packet loss is caused by three main factors:

Congestion: due to queue build-up and exhaustion of buffer space

Lower-layer errors: bit errors, which might occur due to noise or attenuation in the
transmission medium

Network element failure: link and device failures

When RTP data is transported over UDP, the sender is not notified of the packet loss because the
connection is one-way, sender to receiver, and there is no concept of state. TCP, on the other hand,
notifies the sender through use of duplicate acknowledgements. The duplicate ACKs contain the
sequence number of the last contiguous packet received. If the lost packet did not make it to the receiver,
the sender discovers the packet loss when the retransmission timeout expires before the expected ACK is
received.
Therefore, TCP is more reliable than UDP as a transport protocol; however, UDP is more efficient
because of lower protocol overhead. For high packet loss and high latency networks, TCP should not be
used as the transport protocol as it will only exacerbate a bad situation, further inhibiting real-time
delivery of data. Whenever congestion is detected, TCP slows the transmission rate to adapt to the
change and mitigate packet loss; however, when loss does occur, then the throughput is significantly
impacted as slow-start mode is invoked.

Note that since a single Ethernet frame (1500 bytes) can carry more than one IP video packet as payload,
the loss of a frame can have significant effects on the quality of the decoded stream, typically manifested
as pixelated video streams and gaps in recordings.

In order to effectively measure packet loss, the IP Video Surveillance network needs to be preconfigured
to monitor and report on the status of all media flows from video endpoints to media servers, and media
servers to client endpoints. This method can be characterized as the passive approach, in that
performance measurements are taken without disturbing the data operation, and are achieved through the
deployment of Cisco performance monitor.

Performance monitoring allows network administrators to detect video degradation due to packet loss,
before it significantly impacts the performance of VSM. Whenever a predefined threshold is crossed, a
user can be immediately notified either through a syslog message or SNMP traps, allowing for quick
fault isolation and resolution.

Mediatrace can also be used to measure packet loss along a network path, and on an on-demand basis.
When degradation in the stream quality is visually observed, or reported by the performance monitor, the
end-to-end path and the specific flow can be examined to determine which node along the network is
causing the loss. This is done by calculating metrics from values in the TCP, UDP and RTP headers at
each node. All nodes need to be configured as mediatrace responders.

More details on performance monitoring and mediatrace are discussed in the chapter on network
management.

Alternatively, packet loss along a network path can be measured on-demand through the use of synthetic
video traffic generated by IP SLA Video Operations probes. This is the active approach, since the IP
SLA VO probes emulate video endpoints by generating and sending realistic video traffic to receivers,
along the same network path that normal video traffic would take. As a result, the synthetic traffic is
exposed to the same path characteristics that real traffic would experience and therefore the packet loss
metrics collected are representative of the state of the network path.

Typically, this tool is used for conducting pre-deployment assessments but can also be used to generate
synthetic traffic from simulated endpoints. This is the advantage this tool has over mediatrace: the
flow does not need to already exist in order to determine path characteristics; the path characteristics
are determined using synthetic traffic, which generates results that are statistically very close to the real
observed values.

Lastly, one other method of detecting packet loss is by manually collecting packet captures of a network
stream and analyzing sequence numbers of RTP and TCP packets to determine gaps in continuity. Data
will need to be carefully captured using the Switch Port Analyzer (SPAN) feature of IOS Catalyst switches
and loaded into a packet analysis tool, such as Wireshark. This approach is much more tedious but
provides a wealth of information for deep packet inspection using raw captured data.

Cisco recommends that in order to provide an acceptable quality of experience, the following mean
thresholds should not be exceeded:

Standard definition video: 0.5%

High definition video: 0.05%
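
The manual method described above (reading RTP sequence numbers out of a capture and looking for gaps) can be scripted. This is an added example, not part of the original course material; the packets are constructed inline, and the helper names are hypothetical.

```python
import struct

# Mean packet-loss limits quoted in this section, in percent.
SD_LOSS_LIMIT_PCT = 0.5
HD_LOSS_LIMIT_PCT = 0.05


def rtp_sequence(packet: bytes) -> int:
    """Return the 16-bit sequence number from an RTP fixed header (RFC 3550)."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    if packet[0] >> 6 != 2:
        raise ValueError("not RTP version 2")
    return struct.unpack("!H", packet[2:4])[0]


def loss_report(seqs):
    """Summarise loss, duplication and reordering for one RTP stream (one SSRC)."""
    seen = set()          # extended (unwrapped) sequence numbers received
    highest = None
    duplicates = reordered = 0
    for seq in seqs:
        if highest is None:
            highest = seq
            seen.add(seq)
            continue
        # Signed 16-bit distance from the highest packet so far, so that the
        # wrap 65535 -> 0 counts as +1 and not as a 65535-packet gap.
        delta = ((seq - highest + 0x8000) & 0xFFFF) - 0x8000
        ext = highest + delta
        if ext in seen:
            duplicates += 1
            continue
        seen.add(ext)
        if delta > 0:
            highest = ext
        else:
            reordered += 1   # arrived late, but it did arrive
    if not seen:
        return {"expected": 0, "received": 0, "lost": 0,
                "duplicates": 0, "reordered": 0, "loss_pct": 0.0}
    expected = highest - min(seen) + 1
    lost = expected - len(seen)
    return {"expected": expected, "received": len(seen), "lost": lost,
            "duplicates": duplicates, "reordered": reordered,
            "loss_pct": round(100.0 * lost / expected, 4)}


def within_limit(report, limit_pct):
    """True when the measured loss does not exceed the given threshold."""
    return report["loss_pct"] <= limit_pct


def make_rtp(seq, ssrc=0x1234ABCD):
    """Build a constructed RTP packet: V=2, payload type 96, dummy payload."""
    header = struct.pack("!BBHII", 0x80, 96, seq & 0xFFFF,
                         (seq * 3000) & 0xFFFFFFFF, ssrc)
    return header + b"\x00" * 16


# Constructed capture: the counter wraps, 65534 and 5 are missing,
# 2 is duplicated, and 8 arrives after 9.
SAMPLE_ORDER = [65530, 65531, 65532, 65533, 65535, 0, 1, 2, 2, 3, 4,
                6, 7, 9, 8, 10, 11, 12, 13]
SAMPLE_CAPTURE = [make_rtp(s) for s in SAMPLE_ORDER]

if __name__ == "__main__":
    report = loss_report(rtp_sequence(p) for p in SAMPLE_CAPTURE)
    print(report)
    print("within SD limit:", within_limit(report, SD_LOSS_LIMIT_PCT))
    print("within HD limit:", within_limit(report, HD_LOSS_LIMIT_PCT))
```

Run it per SSRC: mixing two streams in one sequence list produces false gaps.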

Latency
One-way network delay, or latency, is characterized by the time difference between when an IP packet is
received at a defined network ingress point and when it is transmitted at a defined egress point.

There are four main factors that contribute to network delay:

Propagation: refers to the time it takes for a packet to transit along the end-to-end network
path, from source to sink. The propagation speed depends on the medium that the electric
current travels on; data in fiber channel media travel at the speed of light while data in
unshielded copper travels at about 60% the speed of light.

Switching: refers to the time it takes to forward packets from an ingress interface to the
respective egress interface of a network device. In general, these lookup operations take a very
short amount of time especially since modern routing protocols converge quickly and switching
is implemented in hardware.

Queuing: refers to the time a packet spends in the output interface queue of a switch or router
waiting to be de-queued. If the FIFO queue in the tx-ring begins to get full, software queuing
tools such as CBWFQ are required to manage packets and provide differentiated service.
Congestion on these queues can exacerbate network delay.

Serialization: refers to the time it takes to send all bits of a frame to the physical medium for
transmission. Any bit errors that occur could impact the time it takes to place data on the wire.

It is also important to distinguish image latency from command latency. Whereas image latency
defines the time difference for a scene change in a video stream, command latency measures the time it
takes a PTZ camera to respond to commands issued from the VSM server. However, command latency is
affected by image latency, since PTZ control movements can only be perceived on a scene change on
screen.

Cisco recommends that the one-way network latency, both image and command, should not exceed
150ms when UDP is the transport protocol in order to provide an acceptable quality of experience to
viewing clients. For TCP, the round-trip time (RTT) should not exceed 50ms.

Jitter
Jitter refers to the variation in one-way network delay between two consecutive packets, caused by
factors such as fluctuations in queuing, scheduling delays at network elements or configuration errors.
An appropriately sized de-jitter buffer can accommodate the maximum value of the network jitter so that
it does not play-out beyond the worst-case end-to-end network delay. The VSM media server serves this
purpose as both a proxy and a de-jitter buffer; however, excessive jitter can overwhelm the ability of the
media server to compensate for the delay variation, thus impacting the VSM server application.

Cisco recommends that the mean jitter threshold should not exceed 2ms, in order to ensure an acceptable
quality of experience.

Lesson 6

Quality of Service Considerations

Overview
Quality of Service (QoS) refers to the ability of the network to provide special
or preferential service to a set of users or applications or both to the detriment
of other users or applications or both. Proper design of QoS in an IP Video
Surveillance environment is crucial as video transport places unique demands
on the network infrastructure to ensure that it is usable, reliable and available
to media servers and end-users.

The following sections describe the various considerations to take into account
when designing to provision QoS on the network.
QoS Processing
QoS processing of packets follows a specific set of steps, in an orderly fashion. The QoS tools available
depend on the direction of the traffic flow.

On ingress on an interface:

Classification: the packet is inspected to determine the QoS label to apply based on the
matching criteria defined, for example ACL, NBAR.

Policing: the traffic rate is compared with the configured policer to determine whether the
packets conform or exceed the defined profile

Marking: the packets are marked with a defined descriptor, based on whether policing is
configured and whether the packet is deemed conformant or non-conformant

Queuing and scheduling: based on the QoS label, the packet is placed into one of the ingress
queues, and the queue is serviced based on the configured weights

On egress on an interface:

Queuing and scheduling: this is the only set of QoS tools and actions available on egress
interfaces.

Classification and Marking


In order to provide preferential treatment for any traffic types through a switch, the interesting traffic
must first be classified and marked.

Traffic can be classified based on the following descriptors:

Destination MAC addresses

Source and destination IP addresses

Network-based Application Recognition (NBAR): matches a wide range of network protocols,
including stateful protocols, peer-to-peer applications, and hosts, URLs, or MIME types for
HTTP requests, by carrying out deep packet inspection

IP Precedence (IPP): the high-order 3 bits in the IP Type of Service field

Differentiated Services Code Point (DSCP): the high-order 6 bits of the Differentiated
Services (DS) field that replaced the ToS byte

Class of Service (802.1p): the 3 high-order bits of the Tag Control field when 802.1q trunking
is used, and the 3 low-order bits of the User field when ISL is in use.

Traffic can be marked based on the following descriptors:

IP Precedence

DSCP

CoS

QoS group ID

ATM CLP bit

FR DE bit

MPLS EXP

To facilitate end-to-end QoS for any given packet, the IETF defined the IntServ and DiffServ models.
The IntServ model relies on Resource Reservation Protocol (RSVP) to signal and reserve the desired
QoS per network flow. A flow is defined as an individual, unidirectional data stream between two
applications, uniquely identified by the five-tuple: source IP, source port, destination IP, destination
port, transport protocol. However, per-flow QoS is difficult to achieve in an end-to-end network without
requiring introduction of significant complexity, in addition to scalability issues.

DiffServ, on the other hand, provides for grouping of network flows into aggregates (traffic classes),
then applying appropriate QoS for each aggregate. With this approach, the need for signaling is negated;
complexity is reduced and thus provides for a highly-scalable, end-to-end QoS solution.

As noted above, the DS field can be used for both traffic classification and marking. Each DSCP value
(codepoint) is expected to cause nodes (network devices) along an IP packet's path to apply a specific
QoS treatment and forwarding behavior, i.e. Per-Hop Behavior (PHB), to the traffic. Packets traveling in
the same direction, with the same DSCP values assigned, are referred to as a Behavior Aggregate (BA).
Nodes that are DS-compliant must conform to and implement the specifications of the PHB.

There are four defined PHBs in the DiffServ model:

Default PHB: defines the codepoint 000000 and provides Best Effort service from a DS-compliant
node

Class Selector (CS) PHB: defines codepoints in the form xyz000 corresponding to the classes
CS0 (000000 or 0) to CS7 (111000 or 57); higher classes provide increasingly better service
treatment. Also provides backward compatibility with IP Precedence.

Assured Forwarding (AF) PHB: provides four traffic queues with bandwidth reservations.
Codepoints are defined in the form xyzab0 where xyz is 001/010/011/100, and ab is either
1 or 0 and corresponds to the drop probability

Expedited Forwarding (EF) PHB: provides for low-loss, low-latency, and guaranteed, but
policed, bandwidth service treatment of traffic. Recommended DSCP value is 101110 or 46.

We recommend marking IP video packets with DSCP values, not CoS for two main reasons:

DSCP values are persistent end-to-end. Since CoS markings reside in the Layer 2 headers, they
are only preserved in the LAN; when a layer-3 device is encountered, the LAN header is
discarded and so this marking is lost

DSCP offers more granular and scalable marking with up to 64 classes of traffic; CoS only
allows for 8 traffic classes

Cisco recommends marking all traffic from IP video endpoints with DSCP 40 (which corresponds to
CS5) since a disproportionate amount of the traffic composition (video, voice and signaling) is video
traffic. However, users can also elect to differentiate these three traffic types through the use of
Network-Based Application Recognition (NBAR) protocol discovery.
When using NBAR, we recommend marking interactive voice bearer traffic (VoIP) with DSCP 46
(which corresponds to EF) and any signaling traffic (e.g. RTSP, SIP, and H.323) should be marked with
DSCP 24 (which corresponds to CS3). Note that if any video streams are using RTSP interleaving, then
RTSP streams should be marked with CS5.

IP Video Surveillance traffic can be classified and marked as shown below:


!
! Identify interesting traffic based on source IP and use it to classify traffic from cameras
! Set the DSCP marking and apply the policy inbound on the ingress interface
!
mls qos
!
ip access-list standard ACL-IPVS
 permit any
!
class-map match-all CMAP-IPVS
 match access-group name ACL-IPVS
!
policy-map PMAP-IPVS
 class CMAP-IPVS
  set dscp cs5
!
interface gig0/0
 service-policy input PMAP-IPVS
!

The access-list for identifying video traffic could be configured more restrictively, such as matching the
camera subnet, or security could be enforced by applying the service policy to the ingress interface along
with a smart-port macro that uses device identification mechanisms, such as CDP to identify camera
endpoints.

For Catalyst 2960, 2970, 3560 and 3750 devices, switching is handled in hardware and since QoS tools
are software based, the command show policy-map interface gig0/0 does not show any hits on matched
packets. To gauge whether QoS marking is working correctly, the command show mls qos interface g0/0
statistics should be issued on the egress interface to the upstream device.
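
Marking can also be checked from a capture taken upstream of the access switch. The following added example (not part of the original course material) reads the DS field from IPv4 headers and flags camera traffic that is not CS5, and CS5 traffic that does not come from the camera subnet, which is what a `permit any` classifier lets through. The subnet, addresses and headers are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct


def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to the per-hop behaviour it selects."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "Default"
    if dscp & 0b111 == 0:                  # xyz000
        return f"CS{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 1 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:   # xyzab0
        return f"AF{cls}{drop}"
    return f"unassigned ({dscp})"


def parse_ipv4(header: bytes):
    """Return (source address, DSCP) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = header[1] >> 2                  # high-order 6 bits of the DS field
    return ipaddress.IPv4Address(header[12:16]), dscp


def audit_marking(headers, camera_net, camera_dscp=40):
    """List packets whose marking disagrees with the camera trust boundary."""
    net = ipaddress.ip_network(camera_net)
    findings = []
    for header in headers:
        src, dscp = parse_ipv4(header)
        if src in net and dscp != camera_dscp:
            findings.append((str(src), phb_name(dscp),
                             "camera traffic not marked CS5"))
        elif src not in net and dscp == camera_dscp:
            findings.append((str(src), phb_name(dscp),
                             "CS5 from a non-camera source"))
    return findings


def make_ipv4(src, dscp, dst="198.51.100.10"):
    """Build a constructed 20-byte IPv4/UDP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed capture: 192.0.2.0/24 is assumed to be the camera subnet.
CAMERA_NET = "192.0.2.0/24"
SAMPLE_HEADERS = [
    make_ipv4("192.0.2.10", 40),     # camera, CS5: as recommended
    make_ipv4("192.0.2.11", 0),      # camera, unmarked
    make_ipv4("203.0.113.50", 40),   # non-camera host carrying CS5
    make_ipv4("203.0.113.60", 46),   # voice bearer, EF: not a finding
    make_ipv4("192.0.2.12", 34),     # camera, marked AF41 instead of CS5
]

if __name__ == "__main__":
    for src, phb, reason in audit_marking(SAMPLE_HEADERS, CAMERA_NET):
        print(f"{src:15} {phb:8} {reason}")
```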

Congestion Management and Avoidance


Congestion occurs when the rate of ingress traffic exceeds that of egress traffic. This congestion may be
due to a speed mismatch (traffic incoming on a higher-speed interface exits on a lower-speed interface)
or an aggregation issue (traffic incoming on multiple interfaces aggregated on a single egress interface).
While these two concepts are related, each serves different purposes. Congestion management involves
the use of interface queues to regulate the flow of packets out an interface through scheduling to prevent
congestion; congestion avoidance involves identification and early dropping of traffic (i.e. tail drop) in
the queue to prevent the queue from filling up.

Each network interface consists of two queues:

Software queue: associated with physical interfaces and created by software queuing tools
(e.g. CBWFQ) that implement various algorithms for scheduling and de-queuing packets

Hardware queue: exists on the hardware NIC and implements strict First-In-First-Out (FIFO)
scheduling and also provides configurable queue lengths. Also referred to as transmit queue (Tx
queue) or transmit ring (Tx ring).

Cisco IOS provides congestion management and avoidance tools for both routers and switches as
discussed below.

Routers
There are three main queuing disciplines available on IOS routers:

First-In-First-Out (FIFO): provides a single queue with no scheduling or dropping algorithm,
which can have adverse effects such as bandwidth starvation. The only configurable option is
the queue length. It's the default queuing discipline on interfaces 2.048Mbps and higher
(inversely proportional to decreasing congestion probability), and also on the hardware queue.

Class-based Weighted Fair Queuing (CBWFQ): defines traffic classes to be assigned to each
queue with minimum bandwidth guarantees provided to prevent starvation. Up to 64 classes,
and therefore 64 queues, can be defined in addition to the default class-default queue that has
no bandwidth reservation; it uses any remaining bandwidth. By default, 75% of the total
interface bandwidth can be reserved by the various queues; it is not recommended to change
this value.

Low-latency Queuing (LLQ): similar to CBWFQ but provides low-delay guarantees as well to
certain traffic types (e.g. VoIP) through the use of a strict priority queue. That is, it provides a
minimum bandwidth but does not exceed that if there's congestion (policing); priority traffic
will be dropped. LLQs can also have multiple priority queues, policed at different rates for
different traffic types.

So after routing decisions have been made on a router and there is no congestion on the egress interface
to the next-hop, the packet is placed directly on the hardware queue and immediately exits the interface.
However, if there is congestion, the packet is classified into a software queue based on its
marked traffic descriptor (e.g. DSCP), using either CBWFQ or LLQ. Packets are then scheduled and
de-queued to the hardware queue based on bandwidth resource assigned or priority, and based on the
congestion level of the hardware queue.

If the software queue fills up, packets are tail-dropped indiscriminately. This phenomenon can have
adverse effects on network traffic, particularly for TCP-based flows.

One of the ways that TCP provides reliability is through acknowledging data sent by a host or device.
However, data segments and acknowledgements can get lost, for instance due to being tail-dropped when
there's congestion. Congestion can be detected either by time-outs occurring or reception of duplicate
ACKs. A time-out occurs when the TCP retransmission timer expires (RTO) before an expected ACK is
received and TCP sends duplicate ACKs when expected packets are lost or received out-of-order.

When a segment is not acknowledged, TCP resends based on a binary exponential back-off algorithm,
i.e., the interval between retransmissions increases exponentially to a limit. Also, the current window
size (the smaller of the congestion and advertised window) is cut in half. If an ACK is later received,
slow start is engaged: the congestion window is initially set to one segment, then doubles each time an
ACK for sent data is received. Multiple flows getting tail-dropped and going into slow-start
simultaneously could lead to wave-like congestion recurrence, the TCP global synchronization
phenomenon. If no ACK is received, it gives up and sends a segment with the reset (RST) bit set
that abruptly closes the session. Also, as TCP traffic gets throttled back, other non-TCP traffic types, e.g.
UDP and ICMP, fill up the queues leading to TCP starvation.

These behaviors affect IP video streams sent from the VSM media server to viewing clients as the stream
is based on TCP. To mitigate these effects, as the software queues begin to fill up, packets can be
dropped based on Weighted Random Early Detection (WRED).

WRED is a technique designed to monitor queue depth and discard a percentage of packets in the
software queue to reduce the offered load and thus alleviate congestion and prevent tail drop. WRED is
governed by three parameters:

Minimum threshold: when the queue length is below this integer value, no packets are
dropped. Minimum value is 0.

Maximum threshold: when the queue length is above this integer value, all new packets are
dropped (full-drop). Maximum output queue length is 40 packets.

Mark Probability Denominator (MPD): an integer value between the minimum and maximum
threshold values that indicates the probability of a packet being randomly dropped. The
relationship is characterized as being 1 of MPD (1/MPD), for example an MPD of 10 means 1
of every 10 packets is randomly dropped from the queue.

The packet drop probability is based on the minimum threshold, maximum threshold, and mark
probability denominator. When the average queue depth is above the minimum threshold, RED starts
dropping packets.

The rate of packet drops increases linearly as the average queue size increases until the average queue
size reaches the maximum threshold. The mark probability denominator is the fraction of packets
dropped when the average queue depth is at the maximum threshold.

Figure: Packet Discard Possibility Thresholds

WRED allows for packets to be characterized into a profile based on either IP Precedence or DSCP
markings. In this way, high-latency traffic and highly-aggressive (high-volume) traffic can be
differentiated.

It is not recommended to apply WRED to IP Video Surveillance or VoIP traffic as this could lead to
packet loss, delay or jitter which lowers the quality of experience for end users. It is however
recommended to apply WRED to lower traffic aggregates in order to lower the chances of queues filling
up and therefore tail-drops.

If WRED must be applied at all, the IP Video Surveillance traffic aggregate should have a very high
MPD (35+) so that they are in fact the last traffic types to be considered for random drops. Such a
scenario should only occur as a temporary measure as the network architecture of the segment in question
is evaluated for opportunities for better design.
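
The drop behaviour described above (no drops below the minimum threshold, a linear ramp up to 1/MPD at the maximum threshold, full drop beyond it) is worked through below as an added example that is not part of the original course material. The thresholds, the two traffic profiles and the queue samples are constructed; the exponentially weighted average is standard RED behaviour that the page only refers to as "average queue depth", and the weight exponent `n` used here is an assumption chosen to make the effect visible.

```python
def wred_drop_probability(avg_depth, min_th, max_th, mpd):
    """Drop probability for a given average queue depth (in packets)."""
    if not 0 <= min_th < max_th or mpd < 1:
        raise ValueError("need 0 <= min_th < max_th and mpd >= 1")
    if avg_depth < min_th:
        return 0.0                      # below the minimum: never drop
    if avg_depth > max_th:
        return 1.0                      # above the maximum: full drop
    # Linear ramp from 0 at min_th to 1/MPD at max_th.
    return (avg_depth - min_th) / (max_th - min_th) / mpd


def ewma_depths(samples, n, start=0.0):
    """Average queue depth after each instantaneous sample.

    Each sample moves the average by 1/2**n of the difference, so a short
    burst barely registers while sustained congestion does.
    """
    avg, out = start, []
    for depth in samples:
        avg += (depth - avg) / 2 ** n
        out.append(avg)
    return out


# Constructed profiles: (min threshold, max threshold, MPD), thresholds in
# packets inside the 40-packet output queue mentioned above.
PROFILES = {
    "bulk data": (20, 40, 10),
    "ip video surveillance": (20, 40, 35),   # MPD 35+, as suggested above
}


def drop_table(samples, n=2, profiles=PROFILES):
    """Per-sample average depth and the drop probability for each profile."""
    rows = []
    for avg in ewma_depths(samples, n):
        probs = {name: wred_drop_probability(avg, *params)
                 for name, params in profiles.items()}
        rows.append((avg, probs))
    return rows


if __name__ == "__main__":
    # Constructed scenario: the queue goes from empty to full and stays full.
    for avg, probs in drop_table([40] * 8):
        cells = "  ".join(f"{name}: {p:.4f}" for name, p in probs.items())
        print(f"avg depth {avg:8.4f}  {cells}")
```

With the same thresholds, the higher MPD lowers the video aggregate's drop probability at every depth inside the ramp, but nothing protects it once the average passes the maximum threshold.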

Cisco recommends that IP Video Surveillance traffic should be placed in the Low Latency Queue (LLQ)
to allow the delay-sensitive video traffic to be de-queued before other traffic types. Queuing for IP
Video Surveillance traffic could be implemented as shown below:
!
! Match all IPVS traffic and place in LLQ with 30% of interface bandwidth
! All other traffic is placed in the Weighted Fair Queue
!
class-map match-all CMAP-IPVS
 match dscp cs5
!
policy-map PMAP-IPVS
 class CMAP-IPVS
  priority percent 30
 class class-default
  fair-queue
!
interface gig0/0
 service-policy output PMAP-IPVS
!

LAN Switches
Multilayer IOS LAN switches (e.g. Catalyst 3560) implement both ingress and egress queuing based on
either CoS or DSCP markings.

The switch packet scheduler operates in one of two modes:

Shared Round Robin mode: bandwidth is shared between the queues according to the weights
configured; however, any queue can take up unused capacity in the other queue in order to
service packets if its own assigned bandwidth is depleted. This mode allows for maximum use
of available interface bandwidth and increases queue efficiency. This is the default mode, and
only mode available to ingress queues.

Shaped Round Robin mode: fixed bandwidth is assigned to each queue and packets are sent at
an even rate (rate-limiting). This mode is useful in preventing some forms of denial-of-service
attacks that attempt to overwhelm an interface with traffic, denying other legitimate services access.
Also allows for configuring subrate packet speeds to prevent exceeding a configured percentage
of an interface's bandwidth. This mode is only available for egress queues.

Ingress interfaces allow for up to 2 queues to be configured and only shared-mode dequeuing is possible.
One of the queues can be configured as a priority queue (by default this is queue 2) and will
subsequently be assigned traffic aggregates marked with CoS 5 and 10% of the interface bandwidth.
Egress interfaces allow for up to 4 queues and either shared or shaped mode to be configured. One of the
four queues can also be configured as the priority queue (this must be queue 1).

Cisco recommends the use of Shared Round Robin mode in order to allow the IP Video Surveillance
solution to make full use of all available interface bandwidth on the egress queue.

Traffic Shaping and Policing
Shaping is a type of traffic conditioning that addresses two problems:

Packets being dropped by a service provider because they exceed a predetermined bit rate, that
is, the Committed Information Rate (CIR) of the virtual circuit

Packets being marked-down or dropped due to a mismatch of ingress and egress interface
speeds or egress and far-side line rates. For example, 1Gbps ingress traffic exiting via 256Kbps
circuits.

Shapers will buffer traffic that is in excess of a prearranged policy (SLA) and transmit evenly at the
desired rate.

Policing also monitors the rate of traffic flow and takes action against non-conforming traffic, either
marking down the packet's QoS descriptor and then transmitting it (later, the packet can be dropped more
easily) or, more aggressively, discarding it right away.

For both these traffic conditioning mechanisms, traffic rates are measured based on the token bucket
model. For a packet to be transmitted out an interface, a token needs to exist. At each time interval (Tc),
a certain number of tokens can be sent (Bc, the committed burst size) according to policy or contract
with the service provider. On occasion when there are periods of little or no activity, more traffic than
typical (that is, higher than the Bc) can be sent: the excess burst (Be).

In cases of networks with constrained bandwidth, policing of IP Video Surveillance traffic can cause
increased packet loss observed on the network. Traffic shaping can also lead to increased latency in the
delivery of video packets from the endpoints to the server.
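
The effect of policing on video can be seen by running a bursty stream through a token bucket. This is an added example, not part of the original course material: it uses a two-bucket, single-rate formulation (tokens that overflow the Bc bucket during quiet periods collect in the Be bucket), which is one common way to realise the Bc/Be description above, and the CIR, burst sizes and frame pattern are constructed.

```python
from collections import Counter


class SingleRatePolicer:
    """Token-bucket policer with a committed (Bc) and an excess (Be) bucket."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.bytes_per_ms = cir_bps // 8000      # token refill rate
        self.bc, self.be = bc_bytes, be_bytes
        self.conform_tokens = bc_bytes           # both buckets start full,
        self.excess_tokens = be_bytes            # as after an idle period
        self.last_ms = 0

    def offer(self, t_ms, size):
        """Classify one packet of `size` bytes arriving at time `t_ms`."""
        refill = (t_ms - self.last_ms) * self.bytes_per_ms
        self.last_ms = t_ms
        total = self.conform_tokens + refill
        spill = max(0, total - self.bc)          # overflow feeds the Be bucket
        self.conform_tokens = min(self.bc, total)
        self.excess_tokens = min(self.be, self.excess_tokens + spill)
        if size <= self.conform_tokens:
            self.conform_tokens -= size
            return "conform"                     # transmit
        if size <= self.excess_tokens:
            self.excess_tokens -= size
            return "exceed"                      # typically marked down
        return "violate"                         # typically dropped


def video_gop(packet_bytes=1250):
    """Constructed one-second stream: a 60-packet key frame sent back to back
    at t=0, then a 10-packet frame every 100 ms."""
    stream = [(0, packet_bytes)] * 60
    for t_ms in range(100, 1000, 100):
        stream += [(t_ms, packet_bytes)] * 10
    return stream


def offered_bps(stream, duration_ms):
    """Mean offered rate of the stream in bits per second."""
    return sum(size for _, size in stream) * 8 * 1000 // duration_ms


def police(stream, policer):
    """Run every packet through the policer and count the outcomes."""
    return Counter(policer.offer(t_ms, size) for t_ms, size in stream)


if __name__ == "__main__":
    # Constructed contract: CIR 2 Mbps, Bc = Be = 25,000 bytes (Tc = 100 ms).
    policer = SingleRatePolicer(2_000_000, 25_000, 25_000)
    stream = video_gop()
    print("mean offered rate:", offered_bps(stream, 1000), "bps")
    print(dict(police(stream, policer)))
```

The stream averages 1.5 Mbps against a 2 Mbps CIR, yet 20 of the 150 packets violate the contract because the key frame arrives as a burst larger than Bc + Be.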

In general, Cisco recommends that, as much as possible, IP Video Surveillance and VoIP traffic be confined to
the LAN and that in the event this traffic needs to traverse the WAN, adequate bandwidth is available to
lessen the need to implement traffic conditioning, due to the adverse effects that these measures can have
on the user experience.

Lesson 7

Network Management Considerations

Overview
In order to have an effective IP Video Surveillance solution that meets expectations,
the video endpoints, server applications and client endpoints need to be managed
on a common network framework, to allow for device and platform health
monitoring, fault isolation and resolution.

This section describes considerations for managed provisioning of video endpoints,
establishing baselines for network capacity to transport video traffic, as well as
monitoring and troubleshooting of video networks leveraging IOS embedded
instrumentation of the Medianet architecture.

Endpoint Provisioning
Cisco Video Surveillance Manager 7 supports the automated provisioning of video endpoints in IP Video
Surveillance architectures.

Auto-provisioning of video endpoints is enabled by the following key features:

IOS Device Sensor


The Cisco IOS device sensor provides device identification and classification services for endpoints that
are attached to network devices.

The device sensor infrastructure uses the following mechanisms for endpoint discovery:

Cisco Discovery Protocol (CDP)

Link-Layer Discovery Protocol (LLDP)

Dynamic Host Configuration Protocol (DHCP)

Media Access Control (MAC) address

When an endpoint is attached to an IOS switch, an event trigger is generated based on the discovery
mechanism. The device classifier then responds and gleans metadata from the device to establish a
profile for the endpoint based on the type, model and class of the device.

For endpoint devices to be identified, they need to provide native support for these protocols. All Cisco
IP cameras, with the exception of the 2900 series, provide native support for CDP.

Auto Smartport (ASP) Macros


ASP macros provide a convenient method for dynamic configuration of network switchport attributes for
video endpoints. Once a video endpoint is attached to an IOS switch, a LINK-UP event is received
which subsequently triggers a CDP event, for endpoints that support this protocol. The ASP then uses
this event trigger to map the macro to the respective switchport.

Macros require global activation on the IOS device before use. By default, ASP is globally disabled, but
is enabled on each interface. Since this feature may not be required for all switchports on the device, and
to avoid unintended consequences, it is recommended to first disable macro processing on all interfaces,
then manually enable only on the required interfaces, as shown below:
!
! First disable macro processing per interface, then enable globally
! Next, enable only on the interfaces where necessary
!
interface range g0/1 - 24
 no macro auto processing
!
macro auto global processing
!
interface range g0/1 - 10
 macro auto processing
!

By default, a built-in shell function is defined in access switches for Cisco IP video endpoints, named
CISCO_IPVSC_AUTO_SMARTPORT. This macro automatically configures the following features:

Auto QoS: automatically configures QoS on the switchport by establishing the DSCP trust
boundary, creates an egress priority queue, and modifies the SRR bandwidth and queue set. This
configuration option assumes that the appropriate QoS marking is performed upstream and is
suitable for classification purposes

Port security: enables port security on the interface, allowing only one secure MAC address on
the switchport. Defaults to setting error-disable state if a security violation occurs, in addition to
sending SNMP traps and syslog messages to recipients, as configured on the network device.

Spanning-tree optimizations: applies PortFast and BPDU guard STP optimizations to allow for
endpoints to quickly transition to the forwarding state and to guard against the transmission of
bridge protocol data units which should not be received on an access port, respectively

The only user configurable option is the access VLAN the switchport is a member of and is set when the
macro is applied with the command:

!
C3560(config)# macro auto device ip-camera ACCESS_VLAN=100
!

The default ASP for Cisco video endpoints, CISCO_IPVSC_AUTO_SMARTPORT, applies the
following configuration settings:

!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust device ip-camera
 mls qos trust dscp
 macro description CISCO_IPVSC_EVENT
 auto qos video ip-camera
 spanning-tree portfast
 spanning-tree bpduguard enable
!

Some of the QoS changes applied by the built-in ASP affect the switch global configuration, and as such
may lead to unintended consequences. In addition, some of the features, for example port security, may
not be required in all environments. To meet specific requirements, custom ASPs can be created.

The following ASP is executed whenever a CISCO_IPVSC_EVENT is triggered due to CDP after a
LINKUP event is detected:
!
macro auto execute CISCO_IPVSC_EVENT {
  if [[ $LINKUP -eq YES ]]; then
    conf t
      interface $INTERFACE
        macro description Custom IPC ASP
        switchport access vlan 42
        switchport mode access
        switchport block unicast
        spanning-tree portfast
        spanning-tree bpduguard enable
        service-policy input PMAP-IPVS-IN
      exit
    end
  fi
  if [[ $LINKUP -eq NO ]]; then
    conf t
      interface $INTERFACE
        no macro description
        no switchport access vlan 42
        no switchport block unicast
        no spanning-tree portfast
        no spanning-tree bpduguard enable
        no service-policy input PMAP-IPVS-IN
        if [[ $AUTH_ENABLED -eq NO ]]; then
          no switchport mode access
        fi
      exit
    end
  fi
}
!

The switchport is placed in access VLAN 42, port mode is set to access, unicast storms are blocked,
PortFast and BPDU guard STP optimizations are enabled and a policy map that is used for device
classification and DSCP marking is applied.

Whenever the video endpoint is detached from the switch, the macro removes the configuration. It is
important to be aware that ASPs replace existing interface configuration, therefore careful consideration
should be taken when enabling the macros.
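
Because a custom ASP replaces what the built-in macro would have applied, it is worth checking which access-port protections each macro-configured port actually ended up with. The following is an added example, not part of the original course material: it parses interface stanzas from configuration text and reports which lines of a baseline are missing on ports that carry a `macro description`. The baseline is taken from the built-in macro's output shown above, the sample configuration is constructed, and the function names are hypothetical.

```python
# Access-port protections applied by the built-in ASP shown above. Adjust the
# tuple when a setting (for example port security) is deliberately not used.
BASELINE = (
    "switchport mode access",
    "switchport block unicast",
    "switchport port-security",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
)


def parse_interfaces(config: str):
    """Return {interface name: [normalised sub-commands]} from config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and raw[:1].isspace() and line.strip():
            stanzas[current].append(" ".join(line.split()))
        else:
            current = None               # "!" or a global command ends it
    return stanzas


def audit_asp_ports(config: str, required=BASELINE):
    """Map each macro-configured port to the baseline lines it lacks."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("macro description") for l in lines):
            continue                     # not configured by a macro: skip
        report[name] = [r for r in required if r not in lines]
    return report


# Constructed configuration: one port configured by the built-in macro, one by
# the custom macro above, and one uplink that no macro has touched.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 switchport port-security
 macro description CISCO_IPVSC_EVENT
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 macro description Custom IPC ASP
 switchport access vlan 42
 switchport mode access
 switchport block unicast
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for port, missing in audit_asp_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```

On the sample, the port configured by the custom macro is reported as lacking `switchport port-security`, which the custom ASP shown above does not apply.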

Once the interface configuration is applied, the device can now begin data transmission over the network
segment to obtain an IP address.

Dynamic Host Configuration Protocol (DHCP)


DHCP is an important protocol in the auto provisioning process as it allows endpoints to automatically
query and receive an IP address and other network attributes from a DHCP server.

A single DHCP server can be used to serve multiple endpoints across layer-3 boundaries. Once these
attributes have been learned by the endpoint, transmission of video traffic over the network can now
begin.

Media Services Interface (MSI)


MSI is a software development kit that Cisco rich-media applications leverage to take advantage of
Medianet services in the network efficiently and consistently. The MSI is embedded within several Cisco
video endpoints as well as a daemon running on the VSM server.

The MSI embedded within video endpoints facilitates the discovery of the IP address of the VSM media
server by inspecting the DHCP server response carried in Option 150, as described in the DHCP section
of this document.

Once the camera has this information, the MSI enables camera-based discovery which allows for
contacting a media server or list of media servers, if there are multiple discovered and the first on the list
does not respond.
Network Validation
When planning and designing the IP Video Surveillance network, it is important to consider the effect
that IP video will have on existing infrastructure. IP Video Surveillance traffic is similar to voice traffic
in the sense that it has high SLA requirements; unlike voice though, video traffic is bandwidth intensive.
Cisco recommends that a network readiness assessment is carried out to ascertain the capacity of the
network to transport video prior to any new IP Video Surveillance deployment or expansion of the
existing environment.

Establishing a traffic baseline should be the first step in the planning process. The IP Service Level
Agreement Video Operations (IPSLA-VO) probe can be used for generating synthetic media flows that
when injected into the network can be used to realistically stress the network and gather information
about the path between the two endpoints.

IPSLA-VO provides statistics on:

Round-trip time

Packet loss (missing, out-of-sequence, tail dropped and duplicate packets)

One-way latency

Inter-packet delay variation (jitter)

Synthetic traffic can be generated on a number of platforms, most commonly on the ISR G2 and the
Catalyst 3000 series switches. For more information on supported platforms view the datasheet at
http://www.cisco.com/en/US/prod/collateral/routers/ps10536/data_sheet_c78-612429.html.

On the Catalyst 3000 platform, traffic can be generated either using a standard profile or a custom
profile. The standard, pre-packaged profile for IP Video Surveillance traffic generates a video stream at
a maximum bitrate of 2.2 Mbps. Custom profiles for use with IP SLA VO can only be generated using a
client application that extracts header and payload information from packet capture files. More
information can be found at
http://www.cisco.com/web/solutions/medianet/docs/User_Guide_IPSLAVO_Profile_Generator_Tool.pdf.
Also note that the Catalyst 3000 platform can only generate up to a maximum of 20 Mbps of traffic in all
sessions from the sender.

The preferred and more scalable method of video traffic generation is by using the ISR G2. Video
surveillance traffic can only be generated using custom profiles; however, these custom profiles can be
created on-demand using the IOS CLI. The ISR G2 generates traffic in hardware using DSP resources on
the high-density Packet Voice DSP Module 3 (PVDM3).

Performance of the hardware-accelerated video generation on the ISR is platform-specific; sizing
guidelines are tabulated below:

ISR Sizing Guidelines

The capacity for traffic generation by the DSP is based on the number of total credits available and the
stream bitrate, and is measured by the number of channels available. Each DSP has a fixed number of
credits based on the number of cores available.

For example, if a custom video profile specifies a 4Mbps bitrate when using a PVDM3 module, then the
IP SLA sender can create a maximum of 60 sessions. Note that this operation does have a variable CPU
cost which can impact the total number of sessions that can be created by the ISR based on the aggregate
utilization by other processes. If the CPU is experiencing high utilization due to other running processes,
performance may be impacted.

When measuring the network performance of particular flows using IP SLA VO, it is important to replicate
as many of the network characteristics of a normal media flow as possible, to ensure the validity of the
results gathered. This includes ensuring that:

Synthetic traffic flows in the same direction as the normal traffic would, because policy maps can be
applied in either the input or the output direction on upstream switches

QoS markings are identical, to provide the same differentiated services to the synthetic flows

Synthetic media profiles match the normal media profiles generated by the video endpoints. Note
that IP SLA VO can only emulate media flows encoded in H.264; MJPEG is not supported.
SAMPLE
Consider the following sample network:

Sample Network

In this example, we are interested in measuring the performance metrics (packet loss, latency and jitter)
of the flows between:

Video endpoint and media server

Media server and client endpoint

R1 and R2 are ISR G2 routers while the rest are Catalyst 3000 switches. R1 and R2 will need to be
configured as IP SLA senders and the switches as responders. Both routers are equipped with PVDM3
modules for on-demand traffic generation.

The sender and responder both need to be synchronized to the same NTP clock so that the time stamps
can be accurate. This can be verified by issuing the command:

!
R4-C2911#sh ntp status
Clock is synchronized, stratum 9, reference is 10.250.1.1
nominal frequency is 250.0000 Hz, actual frequency is 249.9998 Hz, precision is 2**21
reference time is D4625434.17554952 (13:37:56.091 PST Thu Nov 29 2012)
clock offset is 26.8172 msec, root delay is 1.00 msec
root dispersion is 43.03 msec, peer dispersion is 3.05 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000811 s/s
system poll interval is 64, last update was 115 sec ago.
!

The following configuration is applied to the sample network to measure SLAs:

!
! Configure switches as responders
!
ip sla responder
!

!
! On the routers, reserve 90% of DSP resources for video traffic
!
voice-card 0
voice-service dsp-reservation 10
!

!
! Create custom profile for video traffic
!
ip sla profile video IPVS-H264-1080P-30F-4M
endpoint custom
codec h.264 profile baseline
resolution 1080P
frame rate 30
bitrate maximum 4000
bitrate window-size 167
frame intra size maximum 100
frame intra refresh interval 1
rtp size average 1300
rtp buffer output shaped
content news-broadcast
no shutdown
!
! Define SLA probes initiated from R1 to SW3
!
ip sla 1
video 10.100.30.3 8888 source-ip 10.100.21.100 source-port 9999 profile IPVS-H264-1080P-30F-4M
reserve dsp
dscp cs5
duration 60
frequency 80
history hours-of-statistics-kept 24
!
!
! Schedule the SLA operation to start immediately and run for an hour
!
ip sla schedule 1 start-time now life 3600
!

Synthetic video can be generated to simulate varying levels of scene activity:

single-person approximates slow scene motion

conference-room approximates slow to medium scene motion

news-broadcast approximates medium scene motion

street-view approximates medium to fast scene motion for a busy street

sports approximates fast scene motion

The statistics can be viewed on-demand as they are being gathered by the router. The following figure
illustrates the SLA metrics collected using the Medianet visualizer by LiveAction:
SLA Metrics by LiveAction

Additional flow metrics can be gathered by executing a performance monitor mediatrace poll against the
synthetic media flow. The configuration and considerations are described in the Reactive Monitoring
section below.

The following is sample output collected from a mediatrace responder along the end-to-end path of the
traffic flow showing the additional data points that can be gathered to supplement the information
provided by IP SLA VO:

!
Hop Number: 1 (Mediatrace, host=SW9-C3560G, ttl=255)
Metrics Collection Status: Success
Reachability Address: 10.102.0.24
Ingress Interface: Gi0/3
Egress Interface: Gi0/48
Metrics Collected:
Flow Sampling Start Timestamp: 13:54:54
Loss of measurement confidence: FALSE
Media Stop Event Occurred: FALSE
IP Packet Drop Count (pkts): 0
IP Byte Count (KB): 7867.899
IP Packet Count (pkts): 7819
IP Byte Rate (Bps): 262263
Routing Forwarding Status: Unknown
IP DSCP: 40
IP TTL: 254
Flow Counter: 0
Flow Direction: Input
IP Protocol: 17
Media Byte Rate Average (Bps): 257050
Media Byte Count (KB): 7711.519
Media Packet Count (pkts): 7819
RTP Interarrival Jitter Average (usec): 2382
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 7814
RTP Packet Lost Event Count: 0
RTP Loss Percent (%): 0.00
Traceroute data:
Address List: NA
Round Trip Time List (msec): NA
!

Proactive Monitoring
Proactive monitoring of network health is implemented using Cisco Performance Monitor. Performance
monitor is a feature of the Medianet architecture that measures the hop-by-hop performance of
Real-Time Protocol (RTP), Transmission Control Protocol (TCP) and IP Constant Bit Rate (CBR) traffic.

The granular performance data gathered at each hop enhances the speed of fault isolation and resolution.
Analysis is also carried out per-flow and both SNMP and Syslog alerts can be generated based on
thresholds.

Performance monitor maintains historical records of statistics gathered and these can be sent to a
network management system using NetFlow v9 or SNMP.

SAMPLE

Sample Network
Performance monitor is typically deployed at strategic points in the network where traffic converges and
is useful for fault isolation, for example at the network edge router. In this example, performance
monitor is deployed on SW2 since all media flows traverse this device.

The following configuration is applied to SW2:

!
! Classify all traffic based on the DSCP value. This assumes that marking was implemented
! at the access edge
!
class-map match-all CMAP-IPVS
match dscp cs5
!
!
! Create a flow export destination. This is where flow records will be sent e.g. syslog server
! In this example the syslog server is listening at the default port UDP/514.
!
flow exporter FLOW-EXPORT
destination 10.100.21.112
transport udp 514
!
!
! Create a custom flow record. This specifies what fields are of interest to gather statistics on
!
flow record type performance-monitor FLOW-REC
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport rtp ssrc
collect routing forwarding-status
collect ipv4 dscp
collect ipv4 ttl
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect counter packets dropped
collect timestamp interval
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect monitor event
collect transport round-trip-time
!
!
! Define a flow monitor. This ties together the flow record and flow export
! and is used to define policy
! The default-rtp flow record can also be used; it only omits the RTT field from the statistics.
!
flow monitor type performance-monitor FLOW-MON
record FLOW-REC
exporter FLOW-EXPORT
!
!
! Apply the flexible netflow policy to the interesting traffic
!
policy-map type performance-mon PMAP-IPVS
class CMAP-IPVS
flow monitor FLOW-MON
monitor metric rtp
min-sequential 2
max-dropout 2
max-reorder 4
monitor metric ip-cbr
rate layer3 packet 1
react 1 transport-packets-lost-rate
threshold value ge 1.00
alarm severity critical
action syslog
!
!
! Apply the policy map to an interface. The service policy can be applied in both directions.
!
interface gig0/0
service-policy type performance-monitor input PMAP-IPVS
service-policy type performance-monitor output PMAP-IPVS
!
The status of the performance data can be validated using the command:
!
R6-C2851# show performance monitor status

The following is sample output observed:


!
Match: ipv4 src addr = 10.101.0.2, ipv4 dst addr = 10.100.21.67, ipv4 prot = udp, trns
src port = 1024, trns dst port = 16874, SSRC = 1916670251
Policy: PMAP-FLOW-IPVS, Class: CMAP-IPVS, Interface: GigabitEthernet0/0, Direction:
input

*counter flow : 10
counter bytes : 5227454
counter bytes rate (Bps) : 17424
*counter bytes rate per flow (Bps) : 17424
*counter bytes rate per flow min (Bps) : 16009
*counter bytes rate per flow max (Bps) : 19126
counter packets : 4206
*counter packets rate per flow : 14
counter packets dropped : 0
routing forwarding-status reason : Unknown
interface input : Gi0/0
interface output : Gi0/1
monitor event : false
ipv4 dscp : 40
ipv4 ttl : 62
application media bytes counter : 5143334
application media packets counter : 4206
application media bytes rate (Bps): 17144
*application media bytes rate per flow (Bps) : 17144
*application media bytes rate per flow min (Bps) : 15751
*application media bytes rate per flow max (Bps) :: 18821
application media packets rate (pps): 14
application media event : Normal
*transport rtp flow count : 10
transport rtp jitter mean (usec) : 2766
transport rtp jitter minimum (usec): 2
transport rtp jitter maximum (usec) : 50098
*transport rtp payload type : 96
transport event packet-loss counter : 141
*transport event packet-loss counter min : 6
*transport event packet-loss counter max : 21
transport packets expected counter : 4347
transport packets lost counter : 141
*transport packets lost counter minimum : 6
*transport packets lost counter maximum : 21
transport packets lost rate ( % ) : 3.77
*transport packets lost rate min ( % ) : 1.35
*transport packets lost rate max ( % ) : 4.45
*transport tcp flow count : 0
*transport round-trip-time sum (msec) : NA
*transport round-trip-time samples : NA
transport round-trip-time (msec) : NA
*transport round-trip-time min (msec) : NA
*transport round-trip-time max (msec) : NA
!

Each media flow has a Source Synchronization ID (SSRC) which is used to uniquely identify each flow
from a particular source. In this example we see that jitter is at a mean of 2.7ms and packet loss is
occurring at a 3.77% rate.

Since the packet loss rate exceeds the 1% threshold set, a Threshold Crossing Alarm (TCA) is triggered
and sent to the syslog server as shown below:

Threshold Crossing Alarm (TCA) Triggered

Reactive Monitoring
Reactive monitoring of IP Video Surveillance networks is implemented using mediatrace. Mediatrace is
a technology feature of the Medianet architecture that dynamically enables monitoring capabilities on
network devices along a flow's end-to-end path, collecting statistics on a hop-by-hop basis. Mediatrace
can collect metrics on TCP profiles, RTP profiles, interface profiles, CPU profiles, memory profiles and
application health. The statistics gathered assist in fault isolation and troubleshooting.

Each participating network node to be monitored must be configured as a mediatrace responder. Each
participating network node that will be used to initiate mediatrace polls or sessions must be configured
as an initiator. In addition, all switches in Layer-2 mode need to have Resource Reservation Protocol
(RSVP) snooping enabled for hop discovery.
This configuration is shown below:
!
! Configure mediatrace initiators
!
mediatrace initiator source-interface gig0/1
!
! Configure mediatrace responders
!
mediatrace responder
!
! Configure RSVP snooping
!
ip rsvp snooping
!
There are two main frameworks for launching mediatrace:

Mediatrace Poll
A mediatrace poll is an on-demand collection of system and network data from network nodes on a
specific path. The mediatrace runs on a hop-by-hop basis and reports on Layer 3 network devices along
the end-to-end path.

Devices with compatible IOS images and configured in Layer 2 mode support mediatrace with RSVP
snooping option enabled. The TTL field in the received mediatrace results remains unchanged because
the Time To Live (TTL) field is not decremented when an IP packet traverses the Layer 2 node.

There are three main types of mediatrace polls as described below:

Hops Poll
This one-time poll trace is useful for identifying which access edge node a video endpoint is attached
to, as well as the network path that a media flow takes from one end to the other; for instance, taking a
mediatrace of a VSM server from the access switch to which a video endpoint or client endpoint is attached.
Consider the following sample topology:
Sample Topology

A reverse mediatrace is run from the initiator, SW9, to the VSM server attached to SW13. The output is
as shown below:
!
SW9-C3560G#mediatrace poll path dest 10.100.21.20 hops
Started the data fetch operation.
Waiting for data from hops.
This may take several seconds to complete...
Data received for hop 1
Data received for hop 2
Data received for hop 3
Data received for hop 4
Data received for hop 5
Data fetch complete.
Results:
Data Collection Summary:
Request Timestamp: 20:20:56.822 PST Wed Nov 28 2012
Request Status: Completed
Number of hops responded (includes success/error/no-record): 5
Number of hops with valid data report: 5
Number of hops with error report: 0
Number of hops with no data record: 0
Detailed Report of collected data:
Number of Mediatrace hops in the path: 5

Mediatrace Hop Number: 1 (host=R9-C3845, ttl=254)


Reachability Address: 10.102.0.1
Ingress Interface: Gi0/1.102
Egress Interface: Gi0/0

Mediatrace Hop Number: 2 (host=SW8-C3560E, ttl=254)


Reachability Address: 10.10.0.5
Ingress Interface: Gi0/4
Egress Interface: Gi0/3

Mediatrace Hop Number: 3 (host=R6-C2851, ttl=253)


Reachability Address: 10.10.0.1
Ingress Interface: Gi0/0
Egress Interface: Gi0/1

Mediatrace Hop Number: 4 (host=SW13-C3560E, ttl=251)


Reachability Address: 10.100.21.30
Ingress Interface: Gi0/22
Egress Interface: Gi0/1

Mediatrace Hop Number: 5 (host=pss-sj-vsm-1, ttl=251)


Reachability Address: 10.100.21.20
Ingress Interface: eth0
Egress Interface: None
!

A source interface can optionally be specified. Notice that the TTL did not change at R8; this is
because the switch is configured to operate in Layer-2 mode, not as a routing device. The switch still
shows up in the mediatrace results because the IOS image installed supports mediatrace.

Currently, the 6500 series with Supervisor 720 engine IOS images do not support mediatrace, therefore
do not show up in the results. The TTL, however, does get decremented as IP packets traverse both 6500
appliances since they are operating as Layer-3 nodes.
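
The TTL reasoning above can be automated. The following is an added example, not part of the original
course material: it reads the hop header lines of a hops poll and reports where the TTL dropped by more
than one between responders, which marks routed nodes that forwarded the flow without answering. The
sample text is constructed, and the starting TTL of 255 is an assumption taken from the first-hop values
shown in the outputs on this page.

```python
import re

# Constructed sample: hop header lines in the format printed by
# "mediatrace poll path ... hops". Hostnames are made up.
SAMPLE_HOPS = """\
Mediatrace Hop Number: 1 (host=EDGE-RTR, ttl=254)
Mediatrace Hop Number: 2 (host=DIST-SW, ttl=254)
Mediatrace Hop Number: 3 (host=CORE-RTR, ttl=253)
Mediatrace Hop Number: 4 (host=ACCESS-SW, ttl=251)
Mediatrace Hop Number: 5 (host=media-server, ttl=251)
"""

HOP_RE = re.compile(
    r"Mediatrace Hop Number:\s*(\d+)\s*\(host=([^,\s]+),\s*ttl=(\d+)\)"
)


def parse_hops(text):
    """Return [(hop_number, host, ttl), ...] in the order reported."""
    return [(int(n), host, int(ttl)) for n, host, ttl in HOP_RE.findall(text)]


def ttl_gaps(hops, initial_ttl=255):
    """Compare each responder's TTL with the previous responder's.

    drop == 0 : the responder did not route the packet (a Layer-2 switch
                with RSVP snooping, or the destination host itself).
    drop == 1 : one routed hop, which can be the responder itself.
    drop >= 2 : at least drop - 1 routed nodes forwarded the packet
                without answering the mediatrace request.
    initial_ttl is an assumption (255), not a value parsed from the text.
    """
    results = []
    previous = initial_ttl
    for number, host, ttl in hops:
        drop = previous - ttl
        if drop < 0:
            raise ValueError(f"TTL increased at hop {number} ({host})")
        results.append({
            "hop": number,
            "host": host,
            "ttl_drop": drop,
            "min_silent_l3_nodes": max(drop - 1, 0),
        })
        previous = ttl
    return results


def silent_segments(hops, initial_ttl=255):
    """Responders that have at least one silent routed node in front of them."""
    return [
        row["host"]
        for row in ttl_gaps(hops, initial_ttl)
        if row["min_silent_l3_nodes"] > 0
    ]


if __name__ == "__main__":
    for row in ttl_gaps(parse_hops(SAMPLE_HOPS)):
        print(row)
    print("silent routed nodes before:", silent_segments(parse_hops(SAMPLE_HOPS)))
```

A drop of two or more only gives a lower bound: if the responder itself is a Layer-2 node, every
decrement in the gap belongs to a node that did not respond.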

System Poll
The system poll is used to fetch data on a system profile, including interface statistics. The following
output shows results from a system poll:

!
SW9-C3560G#mediatrace poll path sou 10.102.0.24 dest 10.100.21.20 system
Started the data fetch operation.
Waiting for data from hops.
This may take several seconds to complete...
Data received for hop 1
Data received for hop 2
Data received for hop 3
Data received for hop 4
Data received for hop 5
Data fetch complete.
Results:
Data Collection Summary:
Request Timestamp: 20:27:56.072 PST Wed Nov 28 2012
Request Status: Completed
Number of hops responded (includes success/error/no-record): 5
Number of hops with valid data report: 5
Number of hops with error report: 0
Number of hops with no data record: 0
Detailed Report of collected data:
Number of Mediatrace hops in the path: 5

Mediatrace Hop Number: 1 (host=R9-C3845, ttl=254)


Metrics Collection Status: Success
Reachability Address: 10.102.0.1
Ingress Interface: Gi0/1.102
Egress Interface: Gi0/0
Metrics Collected:
Collection timestamp: 20:27:56.089 PST Wed Nov 28 2012
Octet input at Ingress (MB): 3293.025335
Octet output at Egress (MB): 1424.502512
Pkts rcvd with err at Ingress (pkts): 0
Pkts errored at Egress (pkts): 0
Pkts discarded at Ingress (pkts): 0
Pkts discarded at Egress (pkts): 0
Ingress i/f speed (mbps): 1000.000000
Egress i/f speed (mbps): 1000.000000

Mediatrace Hop Number: 2 (host=SW8-C3560E, ttl=254)


Metrics Collection Status: Success
Reachability Address: 10.10.0.5
Ingress Interface: Gi0/4
Egress Interface: Gi0/3
Metrics Collected:
Collection timestamp: 20:27:56.099 PST Wed Nov 28 2012
Octet input at Ingress (KB): 113485.264
Octet output at Egress (MB): 2157.843104
Pkts rcvd with err at Ingress (pkts): 0
Pkts errored at Egress (pkts): 0
Pkts discarded at Ingress (pkts): 0
Pkts discarded at Egress (pkts): 0
Ingress i/f speed (mbps): 1000.000000
Egress i/f speed (mbps): 1000.000000

Mediatrace Hop Number: 3 (host=R6-C2851, ttl=253)


Metrics Collection Status: Success
Reachability Address: 10.10.0.1
Ingress Interface: Gi0/0
Egress Interface: Gi0/1
Metrics Collected:
Collection timestamp: 20:27:56.129 PST Wed Nov 28 2012
Octet input at Ingress (MB): 3554.028490
Octet output at Egress (KB): 947749.978
Pkts rcvd with err at Ingress (pkts): 0
Pkts errored at Egress (pkts): 0
Pkts discarded at Ingress (pkts): 0
Pkts discarded at Egress (pkts): 0
Ingress i/f speed (mbps): 1000.000000
Egress i/f speed (mbps): 1000.000000

Mediatrace Hop Number: 4 (host=SW13-C3560E, ttl=251)


Metrics Collection Status: Success
Reachability Address: 10.100.21.30
Ingress Interface: Gi0/22
Egress Interface: Gi0/1
Metrics Collected:
Collection timestamp: 20:27:56.137 PST Wed Nov 28 2012
Octet input at Ingress (KB): 383685.174
Octet output at Egress (MB): 1866.064738
Pkts rcvd with err at Ingress (pkts): 0
Pkts errored at Egress (pkts): 0
Pkts discarded at Ingress (pkts): 0
Pkts discarded at Egress (pkts): 0
Ingress i/f speed (mbps): 1000.000000
Egress i/f speed (mbps): 1000.000000

Mediatrace Hop Number: 5 (host=pss-sj-vsm-1, ttl=251)


Metrics Collection Status: Success
Reachability Address: 10.100.21.20
Ingress Interface: eth0
Egress Interface: None
Metrics Collected:
Collection timestamp: 20:27:56.000 PST Wed Nov 28 2012
Octet input at Ingress (KB): 535116.949
Octet output at Egress (Bytes): NOT COLLECTED
Pkts rcvd with err at Ingress (pkts): 0
Pkts errored at Egress (pkts): NOT COLLECTED
Pkts discarded at Ingress (pkts): 0
Pkts discarded at Egress (pkts): NOT COLLECTED
Ingress i/f speed (bps): 0
Egress i/f speed (bps): NOT COLLECTED
!
Performance Monitor Poll
A performance monitor poll can be used to collect network performance statistics between two endpoints
on-demand. In the IP Video Surveillance environment, if a network-related problem is suspected
between an IP camera and the VSM server, a perf-mon poll can be run from the access switch onto
which the IP camera is attached.

The five-tuple used in the path-specifier has to be exactly the same as the existing media flow. The
parameters can be retrieved either from the syslog notification or SNMP trap received, or on-demand
from the monitoring device.

Below is an example of how to gather the required parameters on-demand from a monitoring device:
!
! Identify the existing media flows using the SSRC as the unique search field
!
R9-C3845#show performance monitor status | include SSRC
Match: ipv4 src addr = 10.101.0.10, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 6840, trns dst port = 18814, SSRC = 1835561719
Match: ipv4 src addr = 10.101.0.2, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18950, SSRC = 1321437565
Match: ipv4 src addr = 10.101.0.4, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18776, SSRC = 1327287406
!

The mediatrace will now need to be run from the initiator closest to the source (ideally the access switch
the endpoint is connected to), to the responder closest to the destination (ideally the access switch the
server is connected to).
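
Because the five-tuple must match the monitored flow exactly, it is safer to extract it from the status
output than to retype it. The following is an added example, not part of the original course material:
it parses "show performance monitor status" text, selects the flows whose loss rate meets the 1.00%
threshold used in the Proactive Monitoring policy, and builds the poll command in the keyword order
shown in this section. The sample text, addresses and the responder address passed in are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of "show performance monitor status";
# addresses (documentation ranges), ports and SSRC values are made up.
SAMPLE_STATUS = """\
Match: ipv4 src addr = 192.0.2.10, ipv4 dst addr = 198.51.100.20, ipv4 prot = udp, trns
src port = 6840, trns dst port = 18814, SSRC = 1111111111
counter packets dropped : 0
transport packets lost rate ( % ) : 3.77
*transport packets lost rate min ( % ) : 1.35
*transport packets lost rate max ( % ) : 4.45
Match: ipv4 src addr = 192.0.2.11, ipv4 dst addr = 198.51.100.20, ipv4 prot = udp, trns src port = 1024, trns dst port = 18950, SSRC = 2222222222
transport packets lost rate ( % ) : 0.20
"""

# \s+ between tokens tolerates a Match line that was wrapped by the terminal.
MATCH_RE = re.compile(
    r"Match:\s*ipv4 src addr\s*=\s*([\d.]+),\s*ipv4 dst addr\s*=\s*([\d.]+),"
    r"\s*ipv4 prot\s*=\s*(\w+),\s*trns\s+src port\s*=\s*(\d+),"
    r"\s*trns\s+dst port\s*=\s*(\d+),\s*SSRC\s*=\s*(\d+)"
)
# Only the aggregate rate line; the "*... min/max" lines do not match.
LOSS_RE = re.compile(
    r"^\s*transport packets lost rate\s*\(\s*%\s*\)\s*:\s*([\d.]+)", re.M
)


def parse_flows(text):
    """Return one dict per Match block with its five-tuple, SSRC and loss rate."""
    matches = list(MATCH_RE.finditer(text))
    flows = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        loss = LOSS_RE.search(text, m.end(), end)
        src, dst, proto, sport, dport, ssrc = m.groups()
        flows.append({
            # IPv4Address() raises ValueError on anything that is not an address.
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto.lower(),
            "sport": int(sport),
            "dport": int(dport),
            "ssrc": int(ssrc),
            "loss_pct": float(loss.group(1)) if loss else None,
        })
    return flows


def flows_over_threshold(flows, threshold_pct=1.0):
    """Flows whose loss rate is >= the threshold (the policy uses 'ge 1.00')."""
    return [f for f in flows
            if f["loss_pct"] is not None and f["loss_pct"] >= threshold_pct]


def poll_command(flow, responder_ip):
    """Build the perf-monitor poll for one flow, validating every value first."""
    responder = ipaddress.IPv4Address(responder_ip)
    for port in (flow["sport"], flow["dport"]):
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
    # The page only shows udp; accepting tcp here is an assumption.
    if flow["proto"] not in ("udp", "tcp"):
        raise ValueError(f"unexpected protocol: {flow['proto']}")
    return (
        f"mediatrace poll path dest {responder} perf-monitor "
        f"source-ip {flow['src']} source-port {flow['sport']} "
        f"destination-ip {flow['dst']} dest-port {flow['dport']} "
        f"ip-protocol {flow['proto']}"
    )


if __name__ == "__main__":
    for flow in flows_over_threshold(parse_flows(SAMPLE_STATUS)):
        print(flow["ssrc"], poll_command(flow, "203.0.113.30"))
```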

The following example shows statistics collected when a perf-mon poll is run between an IP camera and
a VSM server:

SW10-C3560E#mediatrace poll path dest 10.100.21.30 perf-monitor source-ip 10.101.0.10 source-port 6840 destination-ip 10.100.21.20 dest-port 18814 ip-protocol udp
Started the data fetch operation.
Waiting for data from hops.
This may take several seconds to complete...
Data received for hop 1
Data received for hop 2
Data received for hop 3
Data received for hop 4
Data received for hop 5
Data fetch complete.
Results:
Data Collection Summary:
Request Timestamp: 21:31:02.545 PST Wed Nov 28 2012
Request Status: Completed
Number of hops responded (includes success/error/no-record): 5
Number of hops with valid data report: 3
Number of hops with error report: 0
Number of hops with no data record: 2
Detailed Report of collected data:
Number of Mediatrace hops in the path: 5

Mediatrace Hop Number: 1 (host=SW9-C3560G, ttl=255)


Metrics Collection Status: Success
Reachability Address: 10.102.0.24
Ingress Interface: Gi0/22
Egress Interface: Gi0/48
Metrics Collected:
Flow Sampling Start Timestamp: 21:30:30
Loss of measurement confidence: FALSE
Media Stop Event Occurred: FALSE
IP Packet Drop Count (pkts): 0
IP Byte Count (Bytes): 725691
IP Packet Count (pkts): 778
IP Byte Rate (Bps): 24189
Packet Drop Reason: 0
IP DSCP: 40
IP TTL: 64
IP Protocol: 17
Media Byte Rate Average (Bps): 23671
Media Byte Count (Bytes): 710131
Media Packet Count (pkts): 778
RTP Interarrival Jitter Average (usec): 5298
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 773
RTP Packet Lost Event Count: 0
RTP Loss Percent (%): 0.00

Mediatrace Hop Number: 2 (host=R9-C3845, ttl=254)


Metrics Collection Status: Fail (19, No statistic data available for reporting)
Reachability Address: 10.102.0.1
Ingress Interface: Gi0/1.102
Egress Interface: Gi0/0
Metrics Collected:

Mediatrace Hop Number: 3 (host=SW8-C3560E, ttl=254)


Metrics Collection Status: Success
Reachability Address: 10.10.0.5
Ingress Interface: Gi0/4
Egress Interface: Gi0/3
Metrics Collected:
Flow Sampling Start Timestamp: 21:30:30
Loss of measurement confidence: FALSE
Media Stop Event Occurred: FALSE
IP Packet Drop Count (pkts): 0
IP Byte Count (Bytes): 726677
IP Packet Count (pkts): 780
IP Byte Rate (Bps): 24222
Packet Drop Reason: 0
IP DSCP: 40
IP TTL: 63
IP Protocol: 17
Media Byte Rate Average (Bps): 23702
Media Byte Count (Bytes): 711077
Media Packet Count (pkts): 780
RTP Interarrival Jitter Average (usec): 3722
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 775
RTP Packet Lost Event Count: 0
RTP Loss Percent (%): 0.00

Mediatrace Hop Number: 4 (host=R6-C2851, ttl=253)


Metrics Collection Status: Success
Reachability Address: 10.10.0.1
Ingress Interface: Gi0/0
Egress Interface: Gi0/1
Metrics Collected:
Flow Sampling Start Timestamp: 21:30:30
Loss of measurement confidence: FALSE
Media Stop Event Occurred: FALSE
IP Packet Drop Count (pkts): 0
IP Byte Count (Bytes): 726677
IP Packet Count (pkts): 780
IP Byte Rate (Bps): 24222
Packet Drop Reason: 0
IP DSCP: 40
IP TTL: 62
IP Protocol: 17
Media Byte Rate Average (Bps): 23702
Media Byte Count (Bytes): 711077
Media Packet Count (pkts): 780
RTP Interarrival Jitter Average (usec): 3485
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 775
RTP Packet Lost Event Count: 0
RTP Loss Percent (%): 0.00

Mediatrace Hop Number: 5 (host=SW13-C3560E, ttl=251)


Metrics Collection Status: Fail (19, No statistic data available for reporting)
Reachability Address: 10.100.21.30
Ingress Interface: Gi0/22
Egress Interface: NOT COLLECTED
Metrics Collected:

A performance monitor poll can also be executed against a synthetic media flow. In the previous section
that discussed network validation, synthetic but realistic media flows were generated using IP SLA VO.
Once the probes have been initiated, the mediatrace poll can be set up as described in this section.
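
The per-hop report lends itself to automated fault isolation. The following is an added example, not
part of the original course material: it parses a perf-monitor poll report, lists hops that returned no
data, flags hops where the DSCP differs from the expected marking (40, the CS5 value shown in the outputs
above), and names the segment in which RTP loss first appears. The sample report is constructed and
trimmed to the fields used; the 1.0% loss threshold mirrors the react threshold configured earlier.

```python
import re

# Constructed sample in the layout of a "mediatrace poll ... perf-monitor"
# report, trimmed to the fields used below. Hostnames and values are made up.
SAMPLE_POLL = """\
Mediatrace Hop Number: 1 (host=ACCESS-SW-A, ttl=255)
Metrics Collection Status: Success
Metrics Collected:
Flow Sampling Start Timestamp: 21:30:30
IP DSCP: 40
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 773
RTP Loss Percent (%): 0.00

Mediatrace Hop Number: 2 (host=EDGE-RTR, ttl=254)
Metrics Collection Status: Fail (19, No statistic data available for reporting)
Metrics Collected:

Mediatrace Hop Number: 3 (host=DIST-SW, ttl=254)
Metrics Collection Status: Success
Metrics Collected:
IP DSCP: 40
RTP Packets Lost (pkts): 31
RTP Packets Expected (pkts): 775
RTP Loss Percent (%): 4.00

Mediatrace Hop Number: 4 (host=CORE-RTR, ttl=253)
Metrics Collection Status: Success
Metrics Collected:
IP DSCP: 0
RTP Packets Lost (pkts): 31
RTP Packets Expected (pkts): 775
RTP Loss Percent (%): 4.00
"""

HOP_RE = re.compile(
    r"^Mediatrace Hop Number:\s*(\d+)\s*\(host=([^,\s]+),\s*ttl=(\d+)\)", re.M
)
# "Name: value" lines; the name ends at the first colon, so a value such as
# a timestamp may itself contain colons.
FIELD_RE = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)


def parse_poll(text):
    """Split the report at each hop header and read that hop's fields."""
    headers = list(HOP_RE.finditer(text))
    hops = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(body)}
        hops.append({"hop": int(m.group(1)), "host": m.group(2), "fields": fields})
    return hops


def _number(fields, name):
    """Numeric value of a field, or None if absent or 'NOT COLLECTED'."""
    try:
        return float(fields[name])
    except (KeyError, ValueError):
        return None


def localize(hops, expected_dscp=40, loss_threshold_pct=1.0):
    """Summarize blind spots, DSCP changes and the first lossy segment."""
    no_data, dscp_changed = [], []
    last_clean, blind, segment = None, [], None
    for hop in hops:
        fields, host = hop["fields"], hop["host"]
        if not fields.get("Metrics Collection Status", "").startswith("Success"):
            no_data.append(host)
            blind.append(host)      # cannot be cleared of suspicion
            continue
        dscp = _number(fields, "IP DSCP")
        if dscp is not None and int(dscp) != expected_dscp:
            dscp_changed.append((host, int(dscp)))
        loss = _number(fields, "RTP Loss Percent (%)")
        if loss is None or segment is not None:
            continue
        if loss >= loss_threshold_pct:
            segment = {"last_clean": last_clean, "first_lossy": host,
                       "unobserved": list(blind)}
        else:
            last_clean, blind = host, []
    return {"no_data": no_data, "dscp_changed": dscp_changed,
            "loss_segment": segment}


if __name__ == "__main__":
    print(localize(parse_poll(SAMPLE_POLL)))
```

Hops listed under "unobserved" sit between the last clean measurement and the first lossy one, so they
remain candidates for the fault until their statistics can be collected.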

Mediatrace Session
A mediatrace session is a recurring monitoring session that can be scheduled to start at a particular time
and run for a particular duration. Specific metrics to be collected can be defined and hops along the
network path are automatically discovered.

A session would be configured in order to allow a network administrator to gather statistics on a regular
basis on the state of the IP Video Surveillance network health. The endpoints need to be predefined,
meaning that each mediatrace session will correspond to a single source and single receiver. The
mediatrace session is typically defined on an initiator that is closest to the monitored source.

Configuring a mediatrace session is useful as a time-saving measure, to quickly gather monitoring
statistics from commonly used endpoints: for example, a mediatrace session running from an access
switch to which a set of video endpoints is attached to the VSM server, or from the access switch
to which the VSM server is attached to a client endpoint. Later, when in the process of
troubleshooting, instead of entering the entire session monitoring details (flow and path information), the
mediatrace session number can be quickly invoked.

The following example shows how to configure a mediatrace session between a VSM server (10.0.100.5)
and a client endpoint (10.30.0.1):

!
! Create the path-specifier. This defines the parameters used by RSVP to discover hops
!
mediatrace path-specifier IPVS-PATHSPEC-VSM-PC disc-proto rsvp destination ip 10.30.0.1
source ip 10.0.100.5
!
!
! Create the flow-specifier. This defines the media flow five-tuple
!
mediatrace flow-specifier IPVS-FLOWSPEC-VSM-PC
source-ip 10.0.100.5 source-port 1024
destination-ip 10.30.0.1
dest-port 26602
ip-protocol udp
!
!
! Create session profile. This defines attributes for the performance monitoring profile.
!
mediatrace profile perf-monitor IPVS-PROF-VSM-PC
metric-list rtp
clock-rate 96 35000
admin-params
sampling-interval 60
!
! Create the session parameters.
!
mediatrace session-params IPVS-PARAMS-VSM-PC
response-timeout 20
history data-sets-kept 10
frequency on-demand
!
!
! Define and schedule the mediatrace session
!
mediatrace 1
path-specifier IPVS-PATHSPEC-VSM-PC
session-param IPVS-PARAMS-VSM-PC
profile perf-mon IPVS-PROF-VSM-PC flow-specifier IPVS-FLOWSPEC-VSM-PC
!
mediatrace schedule 1 start-time now
!
Module 2

VMS

Overview
The Cisco VSM Operations Manager is a browser-based configuration and
administration tool used to manage the devices, video streams, archives, and
policies in a Cisco Video Surveillance deployment.
Lesson 1

VMS

Overview
The Cisco Video Surveillance Manager (Cisco VSM) is an advanced security
solution for enterprise organizations that operate from a centralized location, or
that have offices and sites at diverse geographical locations.
VSM Components
Cisco VSM is a comprehensive video surveillance system that enables your network and security teams
to collaborate effectively in a highly scalable environment combining both video and network
techniques to optimize the experience. Cisco Video Surveillance Manager comprises several
components that combine to create a flexible, highly scalable system for the enterprise.

Cisco Video Surveillance Operations Manager allows a user to quickly and effectively configure and
manage video throughout the enterprise. It provides a highly secure web portal to configure, manage,
display, and control video in an IP network, and allows you to easily manage a large number of
security assets and users, including media servers, cameras, encoders, and event sources.
Understanding Cisco VSM Servers and Server Services
A Cisco VSM deployment includes one or more Cisco VSM servers that provide video processing,
storage, analytics, configuration interface, monitoring, and other features.

Using Physical vs. Virtual Media Servers


All servers can be deployed as physical appliances pre-installed with Cisco VSM, or as virtual machines
(VMs) running on the Cisco Connected Safety and Security UCS series servers.

Server appliance

Cisco VSM is pre-installed on physical Cisco Connected Safety and Security UCS Platform
Series servers CPS-UCS-1RU-K9 and CPS-UCS-2RU-K9 (when ordered with the Cisco VSM
software installed).

Virtual Machine (VM)

An .OVA template file is installed on a supported Cisco UCS blade to create a new virtual
machine (VM) instance of the server.

The server functionality is the same in either format, although some performance differences and
considerations apply. You can also combine physical and VMs in a deployment.

Virtual machines are often used in a centralized deployment where multiple servers are
installed in a central NOC. Although VM deployment requires some additional configuration
during the initial setup, and additional maintenance of the VM platform, you can more easily
manage multiple servers or add additional VMs as the needs of your deployment changes.

Physical servers are frequently deployed at the edge, where only one or two servers are
required to support the cameras in a location or LAN. Physical servers are pre-installed with
the Cisco Video Surveillance Manager software.
Understanding Server Services
Each server can run one or more services that provide features and functions for the Cisco Video
Surveillance system. For example, the Operations Manager provides the configuration interface and
management features for the entire deployment, while the Media Server service manages cameras and
encoders and plays and records video.

At a minimum, every Cisco VSM must include a Cisco VSM Operations Manager server and a Cisco
Media Server. These services can be co-located on a single physical or virtual server, or installed on
stand-alone servers.

Operations Manager
The browser-based Cisco VSM Operations Manager administration and configuration tool. The
Operations Manager can be added as a stand-alone server, or co-located with other services (such as a
Media Server and/or Maps Server).

Media Server
The Media Server service provides video streaming, recording and storage for the cameras and
encoders associated with that server. Media Servers can also be configured for high availability, and
provide Redundant, Failover, and Long Term Storage. Media Servers can be added as a stand-alone
server, or co-located with the Operations Manager, or co-located with the Operations Manager and the
Maps service.

Map Server
Allows Image Layers to be added to location maps using the Operations Manager.

Image layers are viewed by operators using the Cisco Video Surveillance Safety and Security Desktop
application. Cameras, locations and alerts are displayed on dynamic maps, and map images that
represent the real-world location of devices and events.

This service is supported as a stand-alone server on a server running the RHEL 6.4 64 bit OS, or
co-located on an Operations Manager server. In co-located deployments, use the Operations Manager to
activate the service.

Metadata Server
Allows metadata to be added to recorded video, which enables features such as Video Motion Search
in the Cisco SASD desktop application.

Metadata can also be accessed by 3rd party integrators for advanced analytics analysis. Use the
Operations Manager to activate the service.

Note
This service is supported as a stand-alone server only, on a server running the RHEL 6.4 64 bit
OS.

VSF
Enables the Federator service used to monitor video and system health for the cameras and resources of
multiple Operations Managers. The Federator service can only be enabled on a stand-alone server in
this release. Other server services cannot be enabled on the same server as the Federator service. The
Federator interface is accessed using a web browser or the Cisco SASD Federator.

Activated using the Management Console only. Cannot be activated using the Operations Manager.
Note
This service is supported as a stand-alone server only, on a server running the RHEL 6.4 64 bit
OS.
Understanding Co-Located and Stand-Alone Servers
Stand-alone servers are servers that run only a single server service. A stand-alone server can be a
physical or virtual machine.

Co-located servers are physical or virtual servers enabled with multiple server services, such as the
Operations Manager and a single Media Server.

Some system configurations require stand-alone servers. For example, the Cisco Video Surveillance
Federator and Metadata services can only be run as stand-alone servers. In addition, Operations
Manager HA requires that both servers in the redundant pair be stand-alone servers. Additional server
services cannot be enabled.

Required

Operations Manager

Stand-alone server or co-located with one Media Server and/or one Maps server.
Each deployment requires one Operations Manager to manage the system.
Operations Manager HA configuration requires two stand-alone Operations Manager servers.
A co-located Operations Manager does not support the same number of Media Servers as a
stand-alone server.

Media Server(s)

Each deployment requires at least one Media Server to enable video streaming and recording.

One Media Server can be co-located with the Operations Manager service.
All additional Media Servers can be stand-alone servers or co-located servers with the Maps Server
service.

The following rules apply to co-located Media Servers:

Co-located Media Server can only be a primary Media Server (co-located Media Servers do
not support other HA roles such as Standby or Redundant).
Failover or Redundant Media Servers cannot be associated with a co-located primary Media
Server.
Only a long term storage (LTS) server can be associated with a co-located primary Media
Server.
Co-located Media Servers do not support the same number of cameras as a stand-alone server.

Optional

Metadata Server

Stand-alone server only.


Select the Service Type when adding the server to the Operations Manager configuration.
Maps Server

Stand-alone server or co-located with the Operations Manager or a Media Server.


Select the Service Type when adding the server to the Operations Manager configuration.

Federator

Stand-alone server only. Select the VSF service using the Management Console Initial Setup
Wizard.
Other server services cannot be enabled on the same server as the Federator service.
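
The placement rules listed above can be checked against a server plan before anything is installed. The following is an added example, not Cisco code and not part of the original course material; the plan format, the service and role labels, and the function name validate_plan are assumptions made for illustration.

```python
from dataclasses import dataclass

# Service labels are assumptions made for this example.
OM, MEDIA, MAPS, METADATA, VSF = "operations_manager", "media", "maps", "metadata", "vsf"

# Services the text says are supported as stand-alone servers only.
STANDALONE_ONLY = {METADATA, VSF}
# Multi-service combinations the text allows on one server.
ALLOWED_COLOCATED = [{OM, MEDIA}, {OM, MAPS}, {OM, MEDIA, MAPS}, {MEDIA, MAPS}]


@dataclass
class Server:
    name: str
    services: set
    media_role: str = "primary"  # primary | failover | redundant | lts (assumed labels)
    protects: str = ""           # primary Media Server this HA/LTS server is associated with


def validate_plan(servers, om_ha=False):
    """Return a list of rule violations; an empty list means the plan follows the rules."""
    problems = []
    by_name = {s.name: s for s in servers}

    for s in servers:
        svc = set(s.services)
        colocated = len(svc) > 1
        if colocated:
            for only in sorted(svc & STANDALONE_ONLY):
                problems.append(f"{s.name}: {only} is supported stand-alone only")
            if not (svc & STANDALONE_ONLY) and svc not in ALLOWED_COLOCATED:
                problems.append(f"{s.name}: unsupported service combination {sorted(svc)}")
        # A co-located Media Server can only be a primary Media Server.
        if MEDIA in svc and colocated and s.media_role != "primary":
            problems.append(f"{s.name}: co-located Media Server must be primary")
        # Failover/Redundant servers cannot be tied to a co-located primary; LTS can.
        if s.media_role in ("failover", "redundant") and s.protects:
            target = by_name.get(s.protects)
            if target is None:
                problems.append(f"{s.name}: protects unknown server {s.protects}")
            elif len(target.services) > 1:
                problems.append(
                    f"{s.name}: {s.media_role} server cannot be associated with "
                    f"co-located primary {target.name}"
                )

    om_servers = [s for s in servers if OM in s.services]
    if om_ha:
        if len(om_servers) != 2 or any(len(s.services) > 1 for s in om_servers):
            problems.append("Operations Manager HA requires two stand-alone Operations Manager servers")
    elif len(om_servers) != 1:
        problems.append("deployment requires one Operations Manager")
    if not any(MEDIA in s.services for s in servers):
        problems.append("deployment requires at least one Media Server")
    return problems


# Constructed sample plans (hypothetical server names).
GOOD_PLAN = [
    Server("noc-1", {OM, MEDIA, MAPS}),
    Server("edge-1", {MEDIA}),
    Server("lts-1", {MEDIA}, media_role="lts", protects="noc-1"),
]
BAD_PLAN = [
    Server("noc-1", {OM, VSF}),
    Server("edge-1", {MEDIA, MAPS}, media_role="redundant"),
    Server("fo-1", {MEDIA}, media_role="failover", protects="edge-1"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or "OK")
```
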
Video Viewing Options
Live and recorded Cisco Video Surveillance video can be viewed using a Cisco-provided application.

Desktop monitoring application


Cisco Video Surveillance Safety and Security Desktop (Cisco SASD)
Allows simultaneous viewing of up to 25 cameras per Workspace, and up to 48 cameras per workstation.
Create Video Matrix windows for display in separate monitors.
View Video Walls.
Create unattended workstations.
View and manage alerts.
View cameras, video, and alerts based on a graphical map.

Cisco SASD Federator


Allows users to monitor video from multiple Operations Managers.

Mobile device
Cisco VSM Mobile Viewer

Allows access to surveillance cameras using a phone or tablet to remotely monitor live streams and
recorded video streams.

Web-based configuration and monitoring tools


Operations Manager

Allows simultaneous viewing of multiple video panes:


View up to 4 cameras with the 32-bit version of Internet Explorer.
View up to 25 cameras with the 64-bit version of Internet Explorer.
Create the Views and Video Walls available in the desktop Cisco SASD application.
Configure the camera, streams and recording schedules.

Cisco VSM Federator



Desktop video clip player


Cisco Video Surveillance Review Player (Cisco Review Player)

Simple player used to view video clip files.


Lesson 2

Deployment Scenarios

Overview
The fundamental factor when designing a Cisco VSM deployment is determining
where the Cisco Video Surveillance Manager (Cisco VSM) servers will be located.
This determination is based on the bandwidth requirements of your surveillance
video, and the performance of your network.
VMS Architecture
A Cisco Video Surveillance Manager deployment starts with the location of your video cameras and the
servers that support them. Specifically, you must determine where the Cisco VSM Operations Manager
server and Cisco Media Servers will be located.

This lesson describes the basic server deployment scenarios, including the following:

Centralized Data Center Architecture.


In the simplest deployment, all Cisco VSM servers are located in a central location, such as a rack in a
network operations center (NOC). Cameras at various buildings or sites send all video traffic to the
NOC servers. This scenario can be used if you have only a few cameras at each site, or plentiful
network bandwidth.

Centralized Management, Distributed Architecture.


In this scenario, Cisco Media Servers are deployed in the same location (LAN) as the cameras. This can
be used if you have cameras at remote sites that generate large amounts of video traffic, or if the
network connection to the remote site has limited or expensive bandwidth. Installing the Media
Server(s) at the camera location reduces network traffic between the remote site and the NOC (since
cameras continuously stream video to their Media Servers).

Distributed Management, Distributed Architecture.


If multiple Operations Managers are deployed, you can install a Cisco Video Surveillance Federator
(Federator) server to monitor video and events from all Operations Managers.
Centralized Data Center Architecture.
In a centralized deployment (Figure), all Cisco VSM servers are located in a single network operations
center (NOC) or rack. This includes the Operations Manager, Media Servers, and any optional Long
Term Storage (LTS), Federator, Dynamic Proxy (DP), Metadata, or Maps servers. Servers can be
installed as physical appliances, or as virtual machines (VMs) running on Cisco UCS blades.

The cameras for a centralized deployment can be installed in multiple networks (NATs), and securely
communicate with the central servers over a WAN or public Internet. Users who monitor the video can
also be at different locations and networks.

Centralized Data Center Architecture

This scenario is typically used by school districts or businesses where cameras are at various locations
but the server infrastructure is in a central administrative location.
Centralized Management and Distributed Architecture.
Video surveillance cameras continuously stream video to their associated Media Servers, even if video
is not being recorded or monitored. This provides on-demand video access to users, and for recordings
if an event occurs.

This on-demand video requires sufficient bandwidth between the network where the cameras are
installed and their associated Media Servers that manage and record that video. If network bandwidth is
limited, slow, or expensive, performance, quality, or cost issues can occur.

To address these issues, a distributed deployment can be used. In this deployment architecture, the
management servers (such as the Operations Manager, Long Term Storage, and Dynamic Proxy
servers) are still located in a central NOC, but the Media Servers are installed in the networks where
cameras and encoders are located. Since video is streamed from the cameras to the Media Servers, this
distributed deployment greatly reduces the amount of video traffic sent between networks since video
is only sent from the Media Server to users (or a Long Term Storage server) when requested.

In the example, the Operations Manager is centrally-located in a NOC, along with optional LTS storage
servers and a Dynamic Proxy server. The Media Servers are installed in the same locations as the
cameras and encoders they support.

Centralized Management, Distributed Architecture


Distributed Management and Architecture
Some enterprises, such as school districts, install multiple Cisco VSM deployments, each with an
independent Operations Manager server. In this scenario, a Cisco VSM Federator server can be
installed to allow central office personnel to monitor video from all Cisco VSM deployments.

Cisco Video Surveillance Federator

The Cisco Video Surveillance Federator provides the following benefits:

Easily connect and monitor up to 5 million cameras


Provides for an operational integration for up to 500 VSOMs
Single pane of glass to monitor live and archive video from all end points globally
Configurable level of alerts to consolidate and display to Federator user
Minimal configuration through use of regions and sites to represent VSOM systems

For example, a city-wide deployment may include a Cisco VSM system for each independent agency,
such as the county court, schools, police, post office and fire department. Each of these deployments
includes an Operations Manager server that is used to configure the cameras, users, and features for
that agency or department.

To allow central employees or security personnel to monitor the video from all Cisco VSM
deployments, a Cisco VSM Federator server is installed in a central location. The Federator provides
video monitoring without giving them direct access to the administrative and configuration features.
Hybrid Deployment Scenarios
Each of the deployment scenarios described in this document can be combined with other server and
storage options, such as on-camera recording (Connected Edge Storage), Dynamic Proxy, high
availability, long term storage, Maps server, Metadata servers, and other features. Use of these options
depends on your organization's needs and the network resources available from the various
locations in your deployment.
Lesson 3

Determining the Required Resources
Overview
A successful Cisco VSM deployment includes sufficient server processing,
network bandwidth, and video storage to reliably transmit video to end users,
archive video data, and manage system policies.
Refer to the following topics to determine the devices, resources and
deployment scenario required by your organization.
Factors That Determine Your Server Deployment Scenario
A successful Cisco VSM deployment depends on the ability of your Cisco VSM servers to process,
deliver, and store video data, and the network's ability to transport that video data between cameras,
servers, end users, and long term storage devices. The four main factors used to determine the number
and location of Cisco VSM servers required by your deployment are:

Server performance

The number of cameras, amount of video data, and storage supported by each Cisco Media Server.
Performance numbers vary depending on the server model and configuration, and factors such as if the
device is a physical or virtual machine.

Server storage.

The amount of storage supported by, and installed in each server. This is the amount of video and other
data that can be stored before automatic pruning occurs.

Deployments with greater recording needs or longer video archive retention times will require greater
amounts of storage space.
You can also install external storage arrays to increase the available storage.

Sizing servers to upgrade storage later.

When selecting a server for Media Servers with the intention of increasing the server's internal
storage later, it is recommended to select a server with the maximum number of hard drives (e.g. 12)
so that an equal number of hard drives can be added later.

Adding internal storage will require configuring an additional RAID-5/RAID-6 array with the new hard
drives to create a new RAID volume (LUN); adding an equal number of drives will allow for a roughly
equal size storage volume for recording additional cameras, and maximize the additional storage
capacity. Adding a new RAID-5/RAID-6 array with only a few hard drives (e.g. 2-4) is a less efficient
use of the additional capacity.

For example, a CPS-UCS-2RU-K9 server with a (12) drive capacity could be deployed with (6) 4TB
hard drives and later expanded with an additional (6) 4TB hard drives, for approximately 16TB of
capacity initially and approximately 16TB more later.

Network conditions.

The network policies, performance, and bandwidth required to support your deployment.

For example:

Cameras in locations that have unlimited or inexpensive bandwidth communication to the
central network operations center (NOC) can use a centralized deployment.

Cameras in locations where bandwidth is limited or expensive can use a distributed server
deployment, on-camera recording, or a Dynamic Proxy server.
Determine Bandwidth and Storage Estimates for Media Servers and Cameras
The network in a Cisco VSM deployment must be able to continuously stream video from the cameras
to the Cisco Media Servers, and from the Media Servers to the monitoring workstations in your
deployment. The bandwidth requirements for each Media Server include all of the video streams
configured for its cameras, and the bandwidth of the video streams from the Media Servers to other
applications and to monitoring workstations. Depending on the location of the cameras, Media Servers
and monitoring workstations, different segments of the networks will also have different bandwidth
requirements.

For example, if cameras are installed in different network segments (NATs) than the Media Servers,
then the network must have sufficient bandwidth between those segments for the video streams from all
cameras. The bandwidth requirement is the aggregate data rate for all cameras assigned to a server.
You must include all camera streams from each camera, and the different bit rates for each stream. For
example, if a camera has dual video streams, you must include both streams in your bandwidth
requirement calculations.

Camera bandwidth

Calculate per-camera bandwidth estimates based on the expected video stream, media type, resolution,
and frame/bit rate.

Media Server bandwidth

Calculate bandwidth requirement estimates for each Media Server based on expected number of video
streams to the Media Server.

Storage requirements

Calculate storage requirement estimates per Media Server based on expected number of archives in the
Media Server, their expected duration, and video stream information. Include 7-minute loop archives in
motion detection event setups.

Recommended
Consider disk space requirements for clips stored on the server. Even if the clip duration is short (for
example, 15 seconds), it occupies 5 to 10 minutes' worth of disk space.
Consider disk space requirements for archive backups.
Consider future expansion plans and disk space requirements for new feeds and archives.

Cisco Media Server performance

Based on the bandwidth and storage estimates, determine if the Cisco Media Server hardware can
handle the expected configuration. Consider future expansion plans, if any.
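
The estimates described above can be worked through in a few lines of code. The following is an added example, not a Cisco sizing tool and not part of the original course material; the camera list, bit rates and retention periods are constructed sample values. It plans for the upper end of the 5 to 10 minute clip overhead, uses decimal units, and applies standard RAID-5/RAID-6 parity arithmetic before file-system overhead.

```python
from dataclasses import dataclass

LOOP_ARCHIVE_MIN = 7       # loop archive included for each motion detection setup
CLIP_WORST_CASE_MIN = 10   # a clip occupies 5 to 10 minutes of disk; plan for 10


@dataclass
class Camera:
    name: str
    segment: str             # network segment (LAN) the camera is installed in
    stream_mbps: tuple       # bit rate of every configured stream (A, B, ...)
    recorded_mbps: float     # bit rate of the stream that is recorded
    retention_days: float    # how long the archive is kept before pruning
    motion_events: bool = False


def gigabytes(mbps, seconds):
    """Decimal gigabytes written by a stream of `mbps` megabits/s over `seconds`."""
    return mbps * seconds / 8 / 1000


def estimate_media_server(server_segment, cameras, clips=0, clip_mbps=0.0):
    """Aggregate bandwidth and storage for one Media Server."""
    # Every stream of every camera counts, including the second stream of a dual-stream camera.
    ingest = sum(sum(c.stream_mbps) for c in cameras)
    # Streams that must cross between network segments to reach the server.
    cross = sum(sum(c.stream_mbps) for c in cameras if c.segment != server_segment)
    storage = 0.0
    for c in cameras:
        storage += gigabytes(c.recorded_mbps, c.retention_days * 86400)
        if c.motion_events:
            storage += gigabytes(c.recorded_mbps, LOOP_ARCHIVE_MIN * 60)
    storage += clips * gigabytes(clip_mbps, CLIP_WORST_CASE_MIN * 60)
    return {"ingest_mbps": ingest, "cross_segment_mbps": cross, "storage_gb": storage}


def raid_usable_tb(drives, drive_tb, level):
    """Usable capacity of one array: RAID-5 gives up one drive to parity, RAID-6 two."""
    parity = {"raid5": 1, "raid6": 2}[level]
    if drives < parity + 2:
        raise ValueError(f"{level} needs at least {parity + 2} drives")
    return (drives - parity) * drive_tb


# Constructed sample input: two cameras assigned to a Media Server in "site-a".
SAMPLE_CAMERAS = [
    Camera("lobby", "site-a", (4.0, 1.0), recorded_mbps=4.0, retention_days=30, motion_events=True),
    Camera("dock", "site-b", (2.0,), recorded_mbps=2.0, retention_days=7),
]


def sample_report():
    report = estimate_media_server("site-a", SAMPLE_CAMERAS, clips=20, clip_mbps=4.0)
    usable_tb = raid_usable_tb(6, 4, "raid6")  # the (6) x 4TB array from the text
    report["array_usable_tb"] = usable_tb
    report["fits_on_array"] = report["storage_gb"] / 1000 <= usable_tb
    return report


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```
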
Using the Guided System Selling Tool
Use the Cisco Commerce Workspace Guided System Selling tool to determine the resources required
by your deployment, the prices for those components, and to order the devices and resources.

The resources include the total number of cameras, the total camera bit rate (Mbps), the number of
required physical or virtual servers, licenses, network switches, and other resources required in your
deployment.

Procedure:

Step 1 Log in to the Cisco Commerce Workspace.

Step 2 Under Solutions, click Guided System Selling (lower right).


Step 3 Under Available Solutions, select Connected Safety and Security and then Video
Surveillance.

Step 4 Complete the on-screen forms to determine the cameras, servers, licenses, network
switches, and other resources required in your deployment.
Methods to Reduce Video Bandwidth Usage
If bandwidth is limited between the video cameras and supporting Media Server, use one or more of the
following methods to reduce the bandwidth created by the video streams, or reduce the traffic sent
between network segments.

Reduce the video stream framerate


Reduce the video stream framerate by configuring a lower bit rate. Although this reduces the video
quality, it also reduces the amount of data sent over the network and stored in the archives.

To reduce the video framerate, use one or more of the following methods:

Select low or medium video quality for the camera template.


Create a custom template.
Use the Recording Options to reduce the recording framerate or record only one stream to save
storage.

Position servers closer to the cameras


Install the physical or virtual Media Servers in the same network segment (LAN) as the cameras. Most
cameras stream video continuously so that it is instantly available for viewing or recordings. Installing
the cameras and Media Servers in the same LAN prevents that traffic from being sent between network
segments, such as over the Internet, where bandwidth can be more limited or expensive.

Use Dynamic Proxy


If a Media Server is located in a low-bandwidth location, Dynamic Proxy (DP) can be configured to
minimize the bandwidth used when video is requested from other locations.

Economical Streaming
By default, video cameras continuously stream video over the network to the Media Server. This allows
users to instantly access live video, and recordings to begin immediately when an event occurs.

Economical Streaming is a camera feature that delivers video only when requested by a user, or when an
event occurs.
When selected:

Video playback will be delayed while the request is being processed.

When Economical Streaming is enabled, motion event alerts and other Advanced Event
processing is disabled since video is only sent when requested by a user.
Connected Edge Storage
Video cameras can use this feature to save video on the camera's storage device (such as an SD card).
This can be used with Economical Streaming (above) to eliminate the need for a local Media Server, and
send video over the network only when requested.

For example, if a camera with on-device storage is installed in a remote sub-station, video can
be streamed continuously to the camera's SD card. That video is not sent across the network to
the Media Server unless requested by a user.

If the camera is mobile, such as a camera installed on a bus, video can be saved to the camera's
storage when the bus is in service, and transferred to the Media Server when the bus (and
camera) are back in network range.
Using Dynamic Proxy to Monitor Video From Low-Bandwidth Sites

Dynamic Proxy.
When cameras and their associated Media Servers are located in a Site with limited outgoing connectivity
(such as an offshore oil platform), the Dynamic Proxy (DP) feature can be used to reduce the amount
of video data going out from that remote Site.

The Dynamic Proxy (DP) feature provides this service by retrieving video from the remote Media
Servers and delivering it to the end users. The DP minimizes the amount of bandwidth used to deliver
video data from the remote Site while allowing multiple users to access that video data.

Dynamic Proxy

For example, an offshore oil platform has a set of IP cameras and Media Servers. Any requests coming
from users within that Site can be serviced by those on-Site Media Servers. Since the internal network is
robust, the video is delivered at high resolution.

However, since this offshore oil platform has limited bandwidth to send data to on-shore monitoring
Sites, requests from off-Site users would quickly consume the available outgoing bandwidth.

When the Dynamic Proxy feature is enabled, however, requests for video from off-Site (onshore) clients
can be intercepted and serviced by the Dynamic Proxy. This Dynamic Proxy can collect a single video
stream from the off-shore Site and deliver it to multiple users onshore.
For example:

The Dynamic Proxy establishes secure communication with the source Media Server, retrieves
the video, and displays it to the off-Site user(s) who requested it.
The Dynamic Proxy service scales down the audio/video quality to accommodate the small network
pipe between the Media Server and the Dynamic Proxy server.

The Dynamic Proxy service is only available for live video streams.

The Dynamic Proxy servers do not support Failover. If a Dynamic Proxy server goes down or is
unavailable, the user must re-request the video stream. The video will be served by a different
Dynamic Proxy server, if configured.

PTZ commands can be used by users inside and outside a Site since PTZ commands use a small
amount of bandwidth and are sent directly to the Media Server.

Dynamic Proxy Design Considerations


When using Dynamic Proxy, observe the following:

The maximum number of viewers per Dynamic Proxy stream is 20 viewers.

The maximum latency between a Media Server and Dynamic Proxy Server is 4 seconds. This is
long enough to allow the use of a satellite link between a central site and remote location.

The Dynamic Proxy server supports only live video. Access to recorded video goes directly to
the Media Server where the recorded video is stored. This does not benefit from bandwidth
savings through the proxy server.

Camera Controls like PTZ are not supported through the Dynamic Proxy server. These
commands go directly to the Media Server that is hosting the camera that is the intended target
of the command.

Proximity based DP Server selection is not supported. This means if a user logs in from the
Milpitas Site and is accessing a camera in San Jose and if there are Dynamic Proxy servers in
North Carolina and one in San Jose, the Operations Manager will randomly pick one of the DP
Servers.

A camera can only be proxied by a single Dynamic Proxy Server at a time.


Dynamic Proxy Frames to Skip
Observe the following guidelines to define the number of frames to skip when configuring a Dynamic
Proxy server.

Frames To Skip (Site Settings)

Setting: MJPEG Max Framerate To Skip
Description: (Optional) Stream thinning to be carried out for MJPEG streams. Must be set based on
bandwidth availability.

All MJPEG frames are IFrames. Depending on the frame rate of the original stream, skip
values are supported when the cumulative frame rate is greater than or equal to 0.1 fps.
Therefore, the maximum value is 10 times the MJPEG stream's framerate.
The supported values are from 1 - 300.

For example, if the original frame rate of the MJPEG stream is o_fr, then the MJPEG Max
Framerate To Skip can be any value, x, where o_fr/x >= 0.1 fps.

For example, for 10fps, it is 100, for 30 fps, it is 300, for 0.1fps, it is 10, etc.

Note
This setting is enabled only if the Dynamic Proxy service is enabled.

Setting: Max I Frames To Skip
Description: (Optional) The number of IFrames to skip for a video feed.

The minimum and maximum skip rates vary depending on the video stream format:

MPEG4/H.264 Streams
The minimum and maximum values are 1 - 9 (true only for cameras sending 1 IFrame per
second).

For MPEG4 and H264, setting a skip value results in a stream with only IFrames. Most cameras
send 1 IFrame per second. If the stream (regardless of frame rate) is sending 1 IFrame per second,
the maximum skip is 9.

Note
This setting is enabled only if the Dynamic Proxy service is enabled.
Lesson 4

Securing VMS

Overview
This lesson provides the best practices and recommendations to ensure the
security of Cisco Video Surveillance (Cisco VSM) components, including the
Cisco VSM Operations Manager, Cisco Media Servers, Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application, video
devices, and client PCs.
A video surveillance system typically captures valuable, confidential, and sensitive information. This
information also is often required for command and control, and for critical decisions. It is important
that you secure your video surveillance deployment to protect your information, thwart bad actors and
disruptive actions, and prevent accidental or intentional destruction of data. By following the
guidelines in this document, you can help to protect your video surveillance system against physical
threats and unauthorized access or configuration changes. You can also establish audit trails to assist
with resolution if issues do occur.

Controlling Physical Access


It is important to prevent unauthorized physical access to hardware components in a video surveillance
network. Such access could lead to disruption of your live video or recording operation by someone
disconnecting or powering down a component. It could also lead to loss of data by someone removing a
video storage device.

To control physical access to video surveillance components, consider the following guidelines:

If possible, place components in areas where you can control who can access the areas. For
example, consider placing servers in locked cages or rooms.

Lock components in racks.

Lock cameras in their locations or use vandal-resistant devices.

Protect network cables and other infrastructure components.

Establishing a Secure Network Topology


A secure network topology helps prevent the risk of unauthorized access to your video data and helps
to prevent malicious network attacks.

To establish a secure network topology, deploy Cisco VSM software, clients, servers, and video
devices in the same secure network, which is a network that is physically or logically separated from
general access networks.

If necessary, you can allow clients from outside the network access to Cisco VSM servers. However, it
is a best practice to use standard network methodologies to limit or control such access to the
maximum extent possible.

In addition, it is a best practice to isolate video devices from general users and viewers on a network.
To do so, follow these guidelines:

Create one or more separate VLANs for video devices. Make sure that each VLAN limits
access to monitoring and administrative users only.

On network switches, configure access lists to allow Cisco Media Servers to access these
VLANs.
Changing Default Passwords
Before you begin to operate a VSM system, change all default passwords. Use passwords that are not
easy to guess, and control who has access to the passwords. A strong password prevents someone who
knows a default password from accessing your system.

Passwords to change include the following:

Cisco VSM Management Console password

Operations Manager admin Password

Camera and Encoder passwords

Session and Password Timeouts


In the Operations Manager, set the session timeout to the shortest period that is appropriate for your
operation. This approach helps reduce the risk of unauthorized access to unattended systems. Also define
the password and username rules to help ensure users use a strong password.

Procedure

Step 1 Log in to the Operations Manager.

Step 2 Choose System Settings > Settings.

Step 3 In the General settings, define the User Timeout:

Enter the number of minutes before a user is automatically logged out due to inactivity.
After this period, users must reenter their username and password to log back in.

The maximum value is 10080 minutes (168 hours / 7 days).

Step 4 In addition, define the password settings to ensure password security:

Step 5 Click Save.


Password Settings

Setting: Password Expiry Months
Description: The number of months before a user password automatically expires. At the end of this
period, users are required to enter a new password.

Setting: Minimum Password Length
Description: The minimum number of characters for a valid password. Passwords with fewer
characters than the entered value are rejected.

Setting: Maximum Password Length
Description: The maximum number of characters for a valid password. Passwords with more
characters than the entered value are rejected.

Setting: Identical Password/Username Allowed
Description: If selected, user passwords can be the same as their username.
If de-selected, user passwords must be different than their username.

Setting: 3 Password Groups Required
Description: If selected, user passwords must include characters from at least three different
types of characters, including:
lower case letters
upper case letters
symbols
numbers
If de-selected, user passwords can include only one type of character
(for example, all lower case letters).

Setting: Repeat Characters
Description: If selected, user passwords can repeat the same 3 characters.
If de-selected, user passwords can not repeat the same 3 characters.
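
The effect of these settings can be tested on candidate passwords before a policy is rolled out. The following is an added example, not Cisco code and not part of the original course material; the default values, the failure codes and the function names are assumptions. It also assumes that "repeat the same 3 characters" means one character three times in a row, and it compares password and username without regard to case, which is stricter than the text requires.

```python
from dataclasses import dataclass


@dataclass
class PasswordSettings:
    # Field names mirror the Password Settings above; the values are assumed, not Cisco defaults.
    min_length: int = 8
    max_length: int = 64
    identical_allowed: bool = False      # Identical Password/Username Allowed
    three_groups_required: bool = True   # 3 Password Groups Required
    repeat_allowed: bool = False         # Repeat Characters


def character_groups(password):
    """Return which of the four character types appear in the password."""
    groups = set()
    for ch in password:
        if ch.islower():
            groups.add("lower")
        elif ch.isupper():
            groups.add("upper")
        elif ch.isdigit():
            groups.add("number")
        else:
            groups.add("symbol")
    return groups


def has_triple_repeat(password):
    """True if any character occurs three times in a row (assumed reading of the rule)."""
    return any(
        password[i] == password[i + 1] == password[i + 2]
        for i in range(len(password) - 2)
    )


def check_password(username, password, settings):
    """Return the list of settings the password violates (empty list = accepted)."""
    failures = []
    if len(password) < settings.min_length:
        failures.append("too_short")
    if len(password) > settings.max_length:
        failures.append("too_long")
    # Case-insensitive comparison is an assumption of this example.
    if not settings.identical_allowed and password.casefold() == username.casefold():
        failures.append("same_as_username")
    if settings.three_groups_required and len(character_groups(password)) < 3:
        failures.append("needs_3_groups")
    if not settings.repeat_allowed and has_triple_repeat(password):
        failures.append("repeated_characters")
    return failures


# Constructed sample accounts (hypothetical usernames and passwords).
SAMPLE_ACCOUNTS = [
    ("operator1", "operator1"),
    ("admin", "Vsm!2024xx"),
    ("guard", "Aaa111!!!"),
    ("viewer", "Ab1!"),
]


def audit(accounts, settings):
    """Map each username to the settings its password violates."""
    return {user: check_password(user, pw, settings) for user, pw in accounts}


if __name__ == "__main__":
    for user, failures in audit(SAMPLE_ACCOUNTS, PasswordSettings()).items():
        print(user, failures or "accepted")
```
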

Configuring Port Access for Cisco VSM


Cisco VSM servers include a firewall that is configured to allow services that might be needed for
Cisco VSM applications to pass through. As a best practice, open only ports in the firewall that are
required for your Cisco VSM deployment. This approach prevents the risk of disruption to your system
through unauthorized access to services that your system runs.

Using Secure Remote Access


Network communication between the browser (client) and the Operations Manager or the Management
Console is encrypted using SSL and HTTPS. Each server includes a default self-signed SSL certificate,
or you can upload a custom .PEM certificate file issued by a Certificate Authority.

The self-signed or custom certificate is also used for back-end communication between Cisco Video
Surveillance components, such as between the Operations Manager, Media Server and/or Management
Console.
Configuring User Roles and Access
As a best practice, create users that have access to the locations, cameras, and video that they require.
Cisco VSM users can monitor video or configure the system based on the following:

The user group(s) to which the user is assigned: user groups are associated with a user Role,
which defines the access permissions for the group.

The location assigned to the user group(s).

Users can be assigned to multiple user groups, and gain the combined access permissions for
all groups.

Tip
User accounts provide access to both the browser-based Operations Manager and the Cisco Safety and Security
desktop application.

Logging Out from Management Console and Operations Manager

As a best practice, always log out and close the browser when you leave a Cisco VSM session. Logging
out and closing the browser or application helps reduce the risk of unauthorized access to unattended
systems.

Securing Client Systems


On each client system in a video surveillance network, follow these guidelines:

Make sure that the current Microsoft Windows update is installed. These updates typically
provide increased security features.

Make sure that an industry-standard anti-virus program is running.


Lesson 5

Video Recording Options

Overview
Video can be recorded using a variety of automatic methods, or manually
triggered by a user.
Video can be recorded continuously, when an event occurs, or be manually triggered by a user.

Recording Type
Continuous recording, scheduled recordings, and/or motion event
recordings
The recordings can occur continuously in a loop (for example, the past 30 minutes), or according to a
schedule (such as Monday-Friday, 8 a.m. to 11 a.m.).

In either case, recording can occur for the entire time, or only when triggered by a motion event.

Video is recorded at different quality on Stream A and Stream B.


You can record continuous video throughout the night at a lower quality, but also record higher-quality
video whenever an event occurs. You can also merge the recordings from Stream A and Stream B into
a single timeline.

Recording is triggered when an event occurs.


Recordings can be triggered when an event occurs. For example, recording can occur when a door
contact is opened or closed, when a camera app event occurs, or when a soft trigger is received.
You can define how long to record when the event occurs, and whether to record the primary or
secondary stream.

User-initiated recording
Describes how to enable the On Demand Recording option when a user right-clicks a camera's live
image.

Save recordings on the camera (and optionally transfer them to the Cisco Media Server).
Cameras that support on-device storage of video recordings can be used to record video even if the
camera does not have communication with the Cisco Video Surveillance system. Once network
communication is re-established, the on-camera recordings can be copied to a Media Server.

Best Practices for Recording on Motion


When using motion recording in Cisco VSM, there are several important considerations that should be
followed to properly control the recording of video with motion detection.

Cisco VSM supports configuration for default motion detection settings to allow quick setup of camera
motion detection. The motion detection inclusion window is set to the full frame and sensitivity is set
to a default value. These settings may or may not be optimal for detecting video in all situations
depending on many factors such as lighting, the camera placement and if there is extraneous motion in
the scene. For example, if there is an area in the frame where there is always motion, the camera may
continuously detect motion and motion recording will continuously record video. Prior to Cisco VSM
7.6, recording would stop by default after 2 hours of continuous motion activity. In Cisco VSM 7.6,
that behavior has been changed and motion based recording will continue as long as there is motion
activity. This may negatively affect video retention for all cameras on the same Media Server, if this
motion recording behavior is not expected.

Review the following best practices and recommendations when using motion recording.

Do not rely solely on the default motion detection settings for motion recording for outdoor
cameras without assessing the results. Outdoor scenes are more complex with changes in
lighting (day/night), clouds, people, cars, trees, and leaves moving in the wind. For outdoor
cameras, it is very common to have extraneous motion that should be ignored because that
activity is not of interest. First, adjust the camera's zoom, focus, and field of view so that
the detection settings are optimal for all moving objects in that field of view.
Second, the motion detection inclusion and/or exclusion windows should be set, not just the
sensitivity settings. This helps to accurately trigger recording for the important motion activity
while ignoring undesired activity. Roads and trees in the background are common causes of
unexpected motion activity where motion only in the foreground is desired for controlling
recording.

When configuring motion recording, make sure that the camera is detecting motion as
expected. Use the Operations Manager motion detection configuration page to observe the
camera's motion activity, and ensure the field of view is correct. Make sure that motion is
being detected as expected and adjust the inclusion and exclusion windows and settings as
needed.

When configuring motion detection for a camera using Operations Manager, always click the
Save Motion Config button to save changes before closing the browser or leaving the motion
configuration page. If you do not save the motion settings, the motion detection recording will
not operate as intended.

On-Camera Recording (Connected Edge Storage)


Connected Edge Storage allows video recordings to be saved on the camera (typically an SD card
installed in the camera). These recordings can be automatically or manually copied to the Cisco Media
Server.

Deployment Scenarios
Connected Edge Storage is typically used when the camera is off network, or to save network
bandwidth. Refer to the following use cases for more information:

Network Bandwidth Savings.

Off-Network Cameras

Network Bandwidth Savings


If cameras are installed at a location where video is only required on demand, Connected Edge Storage
can be used to dramatically reduce the required bandwidth and server storage. Video is saved on the
camera storage device, such as an SD card, and delivered to the Media Server and end user only on
demand. This eliminates the need for a locally-installed Media Server.
Instead of streaming video continuously, like most cameras, video is only sent when an event and/or
request occurs.

On-Camera Recording: Connected Edge Storage

This deployment scenario is useful when it is not critical to continuously monitor or record video.

Off-Network Cameras
Cameras that support on-device video storage can save recordings on the camera, and copy them to the
Cisco VSM system at a later time. This feature is typically used when the camera is out of network
range while recording.

For example, a bus equipped with an IP (network) camera can save video recordings to the camera
even when the bus is transporting passengers. When the bus returns to the depot, and is again in
network range, the recordings can be copied to the Media Server that supports the camera. The copy
action can be performed automatically when the bus camera rejoins the network, or an operator can
manually trigger the copy action using the Operations Manager interface.
Connected Edge Storage: Camera Recording on Device and Copy to a Media Server

Copy Options
Video that is saved to the camera's SD card must be copied to the Cisco Media Server so it can be
viewed and analyzed using the Cisco Video Surveillance Safety and Security Desktop (Cisco SASD)
application.

The video can be copied manually based on a start and end time, or automatically copied when an
event occurs. Video can also be merged based on the camera template recording schedule.

Manual Copy Camera Recordings


A Cisco VSM operator can manually copy video for a specific time-range. Any available video within
that range is copied from the camera to the Media Server.

Automatic merge
Automatically copies a continuous recording to the Media Server based on the camera template's
recording schedule.

After configuration, no user interaction is required. The recordings are copied to the Media Server
when camera network communication is established (or re-established).

Automatic when an event occurs


Automatically copies the video for an event when the event occurs.

When the action for an event is Record for some time, video for each event is automatically saved to
the camera storage (such as an SD card) and to the Media Server.
Important Performance Considerations with Connected Edge Storage

Number of Supported Cameras


Due to bandwidth considerations, the number of cameras that can be supported by a Media Server will
drop in half when all of the cameras on that server are configured with the Auto-Merge recordings
option. We recommend a maximum of 10 cameras on a single Media Server be configured with
Auto-Merge recordings.

Note
Cisco VSM Release 7.5 and higher can support up to 100 cameras configured with Auto-Merge recordings on a single Media
Server depending on the model of server and video data rate.
See the Auto-Merge Calculator tool for guidance on using Auto-Merge recordings with more than 10 cameras on a single
Media Server (to download the tool, go to the Cisco Video Surveillance Manager download page, select Video Surveillance
Manager Stand-alone Tools, and download the Auto-Merge Calculator tool).
For cameras with camera storage configured with Manual Copy, there is no limit to the number of cameras on a single Media
Server imposed by camera storage. The normal limits of 250 cameras and limits on recording bandwidth depending on video
configurations of the cameras and server type still apply.

Example
For example, when a camera configured with Auto-Merge recordings reconnects to the Media Server
after a network outage, live video recording will resume and the camera will begin copying locally-
stored video to the Media Server (to fill the recording gaps on the Media Server). Video is also copied
from the camera at a rate that is at least 25% faster than real-time so that all of the video from an
outage is copied from the camera before it is overwritten. This means that after an outage, the total
bandwidth from the camera to the Media Server is more than 2X the video data rate until all of the
video from the outage has been copied from the camera. Since the Media Server has a limit on total
recording bandwidth, the use of Auto-Merge recordings will reduce the total number of cameras that
can be supported on a Media Server. If all of the cameras on the Media Server are configured with
Auto-Merge recordings, the number of supported cameras will drop by more than half.

Example Video and SD Card Configurations
The following tables show examples of video configurations and SD card sizes for 1RU and 2RU
servers, and the maximum outage that can be supported by the Auto-Merge Recordings feature. If
the outage exceeds the maximum, recorded video in the camera from the outage period will be lost.

Video Configurations and SD Card Sizes: 1RU Servers

CPS-UCS-1RU and CPS-MSP-1RU Servers

Video and SD Card Configuration   Standard Cameras   Auto-Merge Cameras   Max Outage Duration (Hours)
6 Mbps 30 FPS 32GB SD Card        0                  4                    11.00
6 Mbps 30 FPS 16GB SD Card        0                  4                    5.00
6 Mbps 30 FPS 8GB SD Card         0                  4                    2.00
4 Mbps 30 FPS 32GB SD Card        0                  6                    16.50
4 Mbps 30 FPS 16GB SD Card        0                  6                    8.00
4 Mbps 30 FPS 8GB SD Card         0                  6                    3.50
2 Mbps 30 FPS 32GB SD Card        5                  10                   23.50
2 Mbps 30 FPS 16GB SD Card        5                  10                   16.00
2 Mbps 30 FPS 8GB SD Card         5                  10                   7.50
1 Mbps 15 FPS 32GB SD Card        20                 10                   23.50
1 Mbps 15 FPS 16GB SD Card        20                 10                   23.50
1 Mbps 15 FPS 8GB SD Card         20                 10                   15.00

Video Configurations and SD Card Sizes: 2RU Servers

CPS-UCS-2RU, CPS-MSP-2RU, UCS B,C Series Servers

Video and SD Card Configuration   Standard Cameras   Auto-Merge Cameras   Max Outage Duration (Hours)
6 Mbps 30 FPS 32GB SD Card        10                 10                   11.00
6 Mbps 30 FPS 16GB SD Card        10                 10                   5.00
6 Mbps 30 FPS 8GB SD Card         10                 10                   2.00
4 Mbps 30 FPS 32GB SD Card        25                 10                   16.50
4 Mbps 30 FPS 16GB SD Card        25                 10                   8.00
4 Mbps 30 FPS 8GB SD Card         25                 10                   3.50
2 Mbps 30 FPS 32GB SD Card        75                 10                   23.50
2 Mbps 30 FPS 16GB SD Card        75                 10                   16.00
2 Mbps 30 FPS 8GB SD Card         75                 10                   7.50
1 Mbps 15 FPS 32GB SD Card        175                10                   23.50
1 Mbps 15 FPS 16GB SD Card        175                10                   23.50
1 Mbps 15 FPS 8GB SD Card         175                10                   15.00

Additional Limitations
MJPEG streams are not supported with the Connected Edge Storage feature.

The maximum supported video bit rate for camera storage is 6Mbps.

For Auto-Merge recordings, only video recorded in the last 24 hours can be auto-merged.

When camera storage is used, the camera reserves 1GB of space on the SD card for buffering
and it is not available for video recording. For example, only 15 GB is available on a 16GB SD
card.
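
An added planning sketch, not part of the course material or any Cisco tool: it combines the Auto-Merge figures above (copy at least 25% faster than real time, 1GB reserved, 24-hour window, 6Mbps maximum, no MJPEG) to estimate what an outage costs in lost video and catch-up bandwidth. The decimal-gigabyte and constant-bit-rate arithmetic, the function names and the "H.264" default codec label are assumptions; the table values on this page are lower than the raw arithmetic and take precedence when a row exists.

```python
"""Rough Auto-Merge outage planning from the figures quoted in this lesson."""

RESERVED_GB = 1            # SD-card space the camera reserves for buffering
MAX_BITRATE_MBPS = 6       # maximum supported bit rate for camera storage
AUTO_MERGE_WINDOW_H = 24   # only the last 24 hours can be auto-merged
COPY_SPEEDUP = 1.25        # copy runs at least 25% faster than real time

# (bit rate in Mbps, SD card in GB) -> max outage in hours, from the page's tables.
PAGE_MAX_OUTAGE_H = {
    (6, 32): 11.0, (6, 16): 5.0, (6, 8): 2.0,
    (4, 32): 16.5, (4, 16): 8.0, (4, 8): 3.5,
    (2, 32): 23.5, (2, 16): 16.0, (2, 8): 7.5,
    (1, 32): 23.5, (1, 16): 23.5, (1, 8): 15.0,
}


def outage_ceiling_hours(sd_card_gb, bitrate_mbps):
    """Upper bound on recoverable outage: usable card space / bit rate, capped at 24 h.
    Assumption: decimal gigabytes and a constant bit rate."""
    if not 0 < bitrate_mbps <= MAX_BITRATE_MBPS:
        raise ValueError("camera storage supports bit rates up to 6 Mbps")
    if sd_card_gb <= RESERVED_GB:
        raise ValueError("card is no larger than the reserved buffer")
    usable_megabits = (sd_card_gb - RESERVED_GB) * 1000 * 8
    return min(usable_megabits / bitrate_mbps / 3600, AUTO_MERGE_WINDOW_H)


def plan_outage(sd_card_gb, bitrate_mbps, outage_hours, codec="H.264"):
    """Estimate recoverable and lost video for one camera after an outage."""
    if codec.upper() == "MJPEG":
        raise ValueError("MJPEG streams are not supported with Connected Edge Storage")
    ceiling = outage_ceiling_hours(sd_card_gb, bitrate_mbps)
    # Prefer the page's table value; fall back to the raw ceiling otherwise.
    limit = PAGE_MAX_OUTAGE_H.get((bitrate_mbps, sd_card_gb), ceiling)
    recoverable = min(outage_hours, limit)
    return {
        "recoverable_hours": recoverable,
        "lost_hours": outage_hours - recoverable,
        # Copying T hours at >= 1.25x real time takes at most T / 1.25 hours.
        "max_catchup_hours": recoverable / COPY_SPEEDUP,
        # Live stream (1x) plus copy (>= 1.25x): more than 2X the video data rate.
        "min_catchup_mbps": bitrate_mbps * (1 + COPY_SPEEDUP),
    }


def auto_merge_camera_fraction():
    """Share of cameras a fixed recording-bandwidth budget still supports when
    every camera is catching up at once (1 / 2.25, i.e. less than half)."""
    return 1 / (1 + COPY_SPEEDUP)


def table_within_ceiling():
    """True if every table row is at or below the raw arithmetic ceiling."""
    return all(outage_ceiling_hours(gb, mbps) >= hours
               for (mbps, gb), hours in PAGE_MAX_OUTAGE_H.items())


if __name__ == "__main__":
    for card_gb, mbps, outage in [(16, 4, 6), (8, 6, 5), (64, 3, 30)]:
        print(card_gb, "GB", mbps, "Mbps", outage, "h ->", plan_outage(card_gb, mbps, outage))
```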

Lesson 6

Server and Camera Network Configuration

Overview
Cisco Video Surveillance Manager (Cisco VSM) deployments typically
include servers, cameras, encoders, and users located in different networks.
Network configuration for each of these devices must be correct or system
errors will occur.

Network NAT Support
A typical Cisco VSM deployment includes servers, cameras, encoders, and users located in different
networks, which requires video traffic and other data to be sent across network NAT boundaries.
Although this is supported in Release 7.6 and higher, some configurations, such as Operations Manager HA
server pairs, require devices to be in the same network NAT.

Network Port Requirements


The following ports must be open in your network firewall to enable video and audio data
communication between cameras, Cisco Media Servers and the Operations Manager servers (Table 8-2).

Required Network Ports

Protocol   Required Ports
TCP        HTTP (80), HTTPS (443), and SSH (22)
           Ports 161, 2755, 61613, 61614, 61615, 61616, and 9090
           RTSP (554)
UDP        161, 16000:19999, and 5353
           BOOTPC (68)
           NTP (123)

For example, Cisco Media Server streams all audio and video data to monitoring clients (PC
workstations) from RTSP port 554. Cameras stream data to Media Servers using UDP ports 16000:19999.
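
An added example, not from the course material: one way to apply the "open only required ports" practice is to compare a server's listening sockets with the Required Network Ports list above. The `ss -H -tuln` sample is constructed for illustration, and skipping loopback-only listeners is an assumption of this sketch.

```python
"""Compare listening sockets with the Required Network Ports table."""

# Port ranges copied from the page's Required Network Ports table.
REQUIRED = {
    "tcp": [(22, 22), (80, 80), (443, 443), (161, 161), (554, 554),
            (2755, 2755), (61613, 61616), (9090, 9090)],
    "udp": [(68, 68), (123, 123), (161, 161), (5353, 5353), (16000, 19999)],
}

# Constructed sample of `ss -H -tuln` output; not captured from a VSM server.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:554        0.0.0.0:*
tcp   LISTEN 0      50                 *:61616            *:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:16384      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Return sorted (proto, address, port) tuples, one per listening socket."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in REQUIRED:
            continue  # header, blank line, or a socket type outside the table
        # The local address is the fifth column; split on the last colon so
        # bracketed IPv6 addresses such as [::]:8080 parse correctly.
        address, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], address, int(port)))
    return sorted(listeners)


def is_required(proto, port):
    """True if the port falls inside a range the table lists for the protocol."""
    return any(low <= port <= high for low, high in REQUIRED[proto])


def audit(ss_output):
    """Split externally reachable listeners into required and unexpected.

    Loopback-only listeners are skipped because the network firewall never
    sees them (an assumption of this sketch)."""
    report = {"required": set(), "unexpected": set()}
    for proto, address, port in parse_listeners(ss_output):
        if address.startswith(LOOPBACK_PREFIXES):
            continue
        bucket = "required" if is_required(proto, port) else "unexpected"
        report[bucket].add((proto, port))
    return {name: sorted(entries) for name, entries in report.items()}


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT)
    for proto, port in result["unexpected"]:
        print(f"review: {proto}/{port} is listening but is not in the required list")
```

Each "unexpected" entry is a candidate for closing in the firewall or disabling at the service, after confirming that nothing in the deployment depends on it.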

Default Ethernet Interface Settings


The default Ethernet port configuration for each Cisco VSM server is:

Nic Port 0 configured with a private static IP address (http://192.168.0.200/)

Nic Port 1 configured for DHCP (the IP address and other settings are received from a DHCP
server, if available).

These settings are applied in new servers, or servers that have been restored using the USB recovery
drive. Use either of these addresses to access the Cisco VSM Management Console and complete the
Setup Wizard. At least one of these interfaces must be reachable from the network where the workstation is
installed.

Rules for Server Reachability


Dual-homed/NAT Configurations.

Server Reachability.

Dual-homed/NAT Configurations
Dual-homed/NAT server configurations are not supported on any server running the Operations
Manager service (including co-located servers). The Operations Manager server hostname can
resolve to only one (correct) address. All users must be able to access that IP address.
Dual-homed/NAT server configuration is supported only for stand-alone Maps, Metadata, and
Media Servers.

Server Reachability
Stand-alone Maps, Metadata, or Media Servers must be added to Operations Manager using an IP
address or hostname that can be accessed by all users.

For example, add the server using a hostname to ensure user requests resolve to the correct IP address if
there is a NAT between users and the server.

Note
The hostname is usually resolved via DNS, but can also be resolved by configuring the user's computer to resolve
each server hostname.

If a stand-alone Maps, Metadata, or Media Server is added to Operations Manager using an IP
address, then every user must be able to access that specific IP address (for example, they must
be in the same NAT).

If a stand-alone Maps, Metadata, or Media Server is added to Operations Manager using a
hostname, then every user must be able to resolve the hostname to an IP address that can be
reached by the user.

Supported Ethernet Port Configuration Combinations


Cisco VSM servers support two Ethernet ports that can use a static IP address, receive network settings
from a DHCP server, or be disabled. The supported port configuration depends on the services enabled
on the server (Table 8-3).

Supported Ethernet Port Configurations

Server Services: Co-located system (Operations Manager and additional services hosted on the same server)
Ethernet Port Configuration:
Only one interface can be enabled (static or DHCP). The other interface must be disabled.
Verify that the Operations Manager server hostname resolves to only one
(correct) address. Dual-homed/NAT server configurations are not supported
on any server running the Operations Manager service.

Server Services: Operations Manager-only system
Ethernet Port Configuration:
Only one interface can be enabled (static or DHCP). The other interface must
be disabled.
Verify that the Operations Manager server hostname resolves to only one
(correct) address. Dual-homed/NAT server configurations are not supported
on any server running the Operations Manager service.

Server Services: Stand-alone Maps, Metadata, or Media Servers
Ethernet Port Configuration:
At least one Ethernet port must be enabled. The following combinations are
supported:

Both interfaces configured static.

One interface static and the other disabled.

One interface configured static and the other DHCP.

Notes:
Dual-homed/NAT server configuration is supported only for stand-alone Media
Servers.

A hostname must be configured on all servers. The hostname does not have to be
accessible through DNS, but all servers must have a hostname configured (a
hostname is required for some services such as ActiveMQ).

Notes
At least one static interface must be configured.

A server's network settings can be modified using either the Cisco VSM Management Console or
browser-based Operations Manager tool.

Changing network settings can cause the server to restart system services. Restarting services
can take up to 90 minutes or more depending on number of devices managed by the Operations
Manager and Media Server. Installed products will be offline during this time.
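
An added example, not from the course material or the product: a pre-deployment check that applies the rules in the Supported Ethernet Port Configurations table and the single-address hostname rule for Operations Manager servers. The role labels, function names, `example.test` hostnames and addresses are constructed for illustration; the resolver is injectable so the check can run offline.

```python
"""Validate a planned server network configuration against the table above."""
import socket

OM_ROLES = {"operations-manager", "co-located"}   # run the Operations Manager service
STANDALONE_ROLES = {"maps", "metadata", "media"}
MODES = {"static", "dhcp", "disabled"}

# Constructed DNS data for the offline demonstration below.
CONSTRUCTED_DNS = {
    "vsom.example.test": ["192.0.2.10"],
    "dual.example.test": ["192.0.2.10", "198.51.100.10"],
}


def constructed_resolver(hostname, port):
    """Stand-in for socket.getaddrinfo that answers from CONSTRUCTED_DNS."""
    if hostname not in CONSTRUCTED_DNS:
        raise OSError("name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))
            for ip in CONSTRUCTED_DNS[hostname]]


def resolve_all(hostname, resolver=socket.getaddrinfo):
    """Return the set of distinct addresses the hostname resolves to."""
    try:
        return {info[4][0] for info in resolver(hostname, None)}
    except OSError:
        return set()


def check_server(role, hostname, port0, port1, expected_ip=None,
                 resolver=socket.getaddrinfo):
    """Return a list of findings; an empty list means no rule is violated."""
    modes = (port0, port1)
    if role not in OM_ROLES | STANDALONE_ROLES or not set(modes) <= MODES:
        raise ValueError("unknown role or interface mode")
    findings = []
    if not hostname:
        findings.append("no hostname configured (required on all servers)")
    enabled = [mode for mode in modes if mode != "disabled"]
    if role in OM_ROLES:
        # Only one interface may be enabled; dual-homed is not supported.
        if len(enabled) != 1:
            findings.append("Operations Manager servers need exactly one enabled interface")
        if hostname:
            addresses = resolve_all(hostname, resolver)
            if len(addresses) != 1:
                findings.append(f"hostname resolves to {len(addresses)} addresses, expected 1")
            elif expected_ip and addresses != {expected_ip}:
                findings.append("hostname resolves to an unexpected address")
    elif "static" not in modes:
        # static/static, static/disabled and static/DHCP are the supported sets.
        findings.append("stand-alone servers need at least one static interface")
    return findings


if __name__ == "__main__":
    plans = [
        ("operations-manager", "vsom.example.test", "static", "disabled"),
        ("co-located", "dual.example.test", "static", "dhcp"),
        ("media", "ms1", "dhcp", "disabled"),
    ]
    for plan in plans:
        print(plan, "->", check_server(*plan, resolver=constructed_resolver) or "ok")
```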

Using Dynamic Host Configuration Protocol (DHCP)
A DHCP server can be used to automatically assign network settings for a server, camera, or encoder.

Server DHCP
A DHCP server can be used to automatically assign the IP address, default gateway and the DNS server
for a server Ethernet port. If DHCP is enabled, then the other network fields are disabled and the
required settings must be provided by the DHCP server.

To manually assign the IP address, default gateway, or DNS server, de-select DHCP by selecting the
Static IP option.

Note
If the Media Server interface used in the Operations Manager configuration is set to DHCP, the connection can be lost when the
Media Server reboots and receives a different IP address. To restore communication, update the Operations Manager
configuration with the new Media Server IP address. To avoid this situation, we recommend using a DNS hostname for the
DHCP interface, or using a static IP address.

Configuring an interface as DHCP may cause connectivity issues if no DHCP server is present in the network. For example, if an
interface is configured for DHCP, and a DHCP server is not available in the network, then the network settings (such as the IP
address and default gateway) will fail to populate and network communication cannot occur.

Camera DHCP
DHCP also offers a convenient way to assign IP addresses to many cameras at once.

When using DHCP, it is important to configure the DHCP server properly. DHCP servers support
assigning addresses to devices in these ways:

Dynamic assignment: An IP address is assigned temporarily for the duration of a lease time. At
the end of this time, the address expires and a new address is assigned.

Automatic assignment: A camera is assigned a permanent IP address that is based on its MAC
address.

Static assignment: A system administrator must assign IP addresses based on MAC addresses
of devices and enter the IP addresses into the DHCP server.

With dynamic assignment, an IP address can change when the lease expires. In general, this event causes
a short loss in video while the IP address changes and streaming resumes. However, in some cases, such
as if the IP address changes during certain administrative operations or during a failover, VSM is not
informed of the address change and loses connectivity with the camera until the camera is reset. To
avoid this situation, Cisco recommends that the DHCP server be configured with automatic assignment.
If dynamic assignment must be used, Cisco recommends that a long lease time be configured.

Note
DHCP is required for using Medianet camera discovery in Cisco VSM 7.x.

DNS Server Support


We recommend configuring all VSM servers in DNS. Up to three DNS servers can be configured (the
Linux OS supports up to three DNS servers).
Co-located VSOM/Media Servers must be in DNS to allow users to stream video from that server.

Network Settings in a Virtual Machine (OVA File) Installation
The default network settings, including the server address, can be changed during the installation of a
virtual machine (VM) on the Cisco Unified Computing System (UCS) platform. This is done if you
cannot access either of the default addresses with a web browser.
If necessary, see your system administrator for the address assigned to the server using the guest OS
console.

Understanding Device Conflicts


If a server, camera or encoder is added to Cisco VSM with duplicate settings, such as a duplicate IP
address, an error can occur. Review the following information to understand how to avoid, resolve, or
allow such conflicts:
Devices with Duplicate IP Addresses.
Conflicts During Camera Discovery.
Allowing Duplicate Camera IP Addresses.

Devices with Duplicate IP Addresses


By default, servers, encoders, or cameras with duplicate IP addresses are not allowed.
If a server or device is added with a duplicate IP address (the address is the same as an existing device),
the new entry will display an ID collision issue. For example:
Devices manually added with a duplicate IP address will be placed in the Enabled: Critical state.
Discovered cameras will be placed in the Pending Approval list.
To resolve the issue, do one of the following:
Use the Operations Manager to configure the server or device with an unused IP address.
Directly connect to the device or server interface and enter a unique IP address, or ensure that
the device can receive a reachable address from a DHCP server. The camera IP address must be
reachable by the Media Server to which it is assigned.
Use the Replace Camera or Replace Server option to transfer the old settings to the new
device.
Delete the camera, encoder, or server and re-add it with a unique IP address.
Enable the Allow Duplicate IP Address system setting to allow servers and devices to be added
with duplicate IP addresses. For example, Media Servers that are installed in NATs that use the
same Access IP (NAT) address.

Conflicts During Camera Discovery
Cameras are identified in Cisco VSM discovery by the device IP address and the serial number/MAC
address/hardware ID. If a camera is discovered with values in these fields that already exist in the Cisco
VSM configuration, the camera records will either be merged, or placed in a collision state.
If some identity fields in a discovered camera and existing camera are a perfect match, but some
fields are empty, then the records are merged. For example, if a camera in Cisco VSM includes
only a name and MAC address, and a discovered camera has the same MAC address plus
additional fields for serial number and IP address, then the two records are merged into a single
camera entry.
If both the Cisco VSM camera and a discovered camera include identity fields that do not
match, both cameras are placed in a collision state. You must replace or delete one of the
cameras to remove the conflict.
Open the camera Status tab on the configuration page to view more information.
o The device overall status is Enabled: Critical.
o Click the link next to the Hardware category to open a pop-up that details the collision.
o An Alert is generated for identity collision.
If the discovered camera uses DHCP settings, and only the IP address is in conflict, then the IP
address of the discovered camera is used. If the discovered camera uses a static IP address,
however, then the camera entries are in conflict.
Open the camera Status tab on the configuration page to view more information.

Note
Settings such as name, template, location, media-server associations are configurations in the Operations Manager
and are not merged or overwritten by discovered settings.

Allowing Duplicate Camera IP Addresses
By default, servers, encoders, or cameras with duplicate IP addresses are not allowed and will result in
an error.
If your network configuration requires that devices be added with duplicate IP addresses, you can enable
the Allow Duplicate IP Address system setting. This setting allows multiple cameras with the same
access IP address to be added to the Operations Manager configuration. For example, cameras with the
same IP address can be added to different Media Servers in different locations.

Resolving ID Mismatch Errors When Changing Camera IP Addresses

If cameras are configured with IP addresses (and not hostnames), and those IP addresses change, a
hardware ID mismatch issue can occur and the camera will be placed in the Enabled: Critical state (red).
This occurs because the camera's hardware ID no longer matches the device IP address. To clear this
issue, correct the network configuration for each affected camera.

Note
Medianet cameras must be configured for DHCP. Cameras that do not support Medianet can only be
added using a static IP address.

The following scenarios can also occur for cameras configured with hostnames, if the DNS entry does not
update with the correct hostname to IP address mapping.

Scenario 1: Cameras Configured with DHCP IP Addresses


Cameras that receive a new DHCP-provided IP address after reboot will be placed in Enabled: Critical
state with a hardware ID mismatch issue. This is because the IP address no longer matches the hardware
address configured in the Operations Manager. This occurs for each camera where the IP address was
changed.
To resolve this issue:

Cisco Cameras
The new IP address is automatically updated in Operations Manager for Cisco cameras configured with
DHCP. To clear the error message, choose Repair Configuration from the Device Settings menu.

Step 1 Open the camera configuration page.


Step 2 Select the Status tab and verify the following:
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up window.
Verify that a Hardware ID Mismatch issue occurred.
Step 3 Select Device Settings > Repair Configuration to clear the issue.
Step 4 Verify that the camera status changes to Enabled: OK (green).

Non-Cisco Cameras
You must manually enter the correct IP address in the camera configuration for non-Cisco cameras
configured with DHCP.
Step 1 Open the camera configuration page in Operations Manager.
Step 2 Select the Status tab and verify the following:
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up window.
Verify that a Hardware ID Mismatch issue occurred.
Step 3 Select the General tab.
Step 4 Under Access Information, enter the correct IP address for the device.
This is the setting used by Operations Manager to communicate with the device.
The IP address stored in Operations Manager must be the same as the device configuration.
Step 5 Verify that the camera status changes to Enabled: OK (green).

Scenario 2: Cameras Configured with a Static IP Address
If cameras are configured with a static IP address, and that address is changed in the camera's device
user interface, the device is placed in Enabled: Critical state with a hardware ID mismatch issue. This is
because the IP address no longer matches the hardware address configured in the Operations Manager.
This occurs for each camera where the IP address was changed.
If another camera has the same IP address, an ID collision issue occurs.
If the camera's IP address is unique, but no longer matches the entry in the Operations Manager,
you must correct the entry on the camera configuration page.
Procedure
Step 1 Open the camera configuration page in Operations Manager.
Step 2 Select the Status tab and verify the following:
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up window.
Verify that a Hardware ID Mismatch issue occurred.
Step 3 Select the General tab.
Step 4 Under Access Information, enter the correct IP address for the device.
This is the setting used by Operations Manager to communicate with the device.
The IP address stored in Operations Manager must be the same as the device
configuration.
Step 5 Verify that the camera status changes to Enabled: OK (green).

Adding cameras from different networks (NATs).
This section describes how to add cameras that are installed in a different network (NAT) than the Cisco
VSM Operations Manager.
Review the following topics to understand the two different IP addresses assigned to cameras, and how
the Cisco VSM Operations Manager determines if a duplicate entry exists when adding the new device.

Understanding Camera IP Addresses


Each surveillance camera has two IP addresses:
A Private (NIC) IP address: used for communication within the private network (NAT
boundaries).
An Access (NAT) IP address: used for communication between the camera and external
networks.

Note
If all cameras and servers are in the same network, then the Private (NIC) IP address and Access (NAT) IP address
are the same.

Private (NIC) and Access (NAT) IP Addresses

The network router uses network address translation (NAT) to route data from the private NIC address
of a device (camera) to and from external networks. For example, in the figure, a request from the Cisco
VSM Operations Manager is sent to the camera's access (NAT) IP address. The network router forwards
that data to the camera's private (NIC) IP address.
To ensure data is sent to the correct device, the Operations Manager normally requires that each
camera's access (NAT) IP address be unique (by default). If a camera is added or discovered, and a
device entry with the same access (NAT) IP address already exists, the camera may be merged with an
existing record, or an error can occur.
This document describes the following scenarios to avoid camera IP address conflicts:
Understanding Camera IP Address Conflicts
A camera IP address conflict occurs if the device is assigned an IP address that is already configured on
another camera that was (previously) added to Cisco VSM.
If a camera is added or discovered with a duplicate access (NAT) IP address, the following rules apply:

Cameras added with a DHCP-provided IP address


If the discovered camera uses DHCP settings, and only the IP address is in conflict, then the IP address
of the discovered camera is used. The device status will be Critical with a Hardware ID mismatch
issue. To resolve this issue, select Repair Configuration from the Device Settings menu.
For example, if a Cisco camera is rebooted and receives a new DHCP IP address that is already used by
another camera in Cisco VSM, the camera will use that IP address, but the device status will be Critical
with a Hardware ID mismatch issue. Select Repair Configuration from the Device Settings menu to
change the device status to Enabled:OK (green).

Cameras added with a static IP address


If the discovered camera uses a static IP address, however, then the camera entries are in conflict.
If the Allow Duplicate IP Address system setting is enabled, the conflict is ignored and the
camera is added to Cisco VSM.
If the Allow Duplicate IP Address system setting is not enabled (default), then both cameras are
placed in a collision state. You must replace or delete one of the cameras to remove the conflict,
or use the Operations Manager to reconfigure one of the cameras with a unique IP address.
For example, if you configure a static IP address on a camera using the device UI, and then add that
camera to Cisco VSM, the camera is in the Critical state with a Hardware ID mismatch issue if the
IP address is already used by another Cisco VSM camera.
To resolve this issue, use the Operations Manager to reconfigure the camera with a unique IP address.
The device status should change to Enabled:OK (green).

Viewing Camera Status


To view more information about the IP address conflict, use the camera Status page to view the identity
collision alert.
Step 1 Select Cameras.
Step 2 Select a location and select the camera in conflict.
Step 3 Select the Status tab.
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up that details the collision.
An Alert is generated for identity collision.
Camera Discovery and IP Address Conflicts
Camera discovery occurs when an IP camera is discovered on the network and added to the Cisco VSM
configuration. Camera discovery can occur automatically when the camera is added to the network, or
manually triggered by an administrator. During camera discovery, Cisco VSM checks to see if a
duplicate camera configuration exists. Cameras are identified by the device IP Address, and serial
number/MAC address/hardware ID. If a camera is discovered with values in these fields that already
exist in the Cisco VSM configuration, the camera records will either be merged, or placed in a collision
state.
Camera discovery manages camera IP addresses using the following process:
1. The Media Server detects that a camera is behind a private network and uses an access (NAT)
IP address.
2. The Operations Manager determines if another camera already in the system uses the same
access (NAT) IP address.
a. If a duplicate access (NAT) IP address is found on a DHCP-enabled camera, then the
discovered camera is merged with the existing camera entry. The camera's private
(NIC) IP address is included in the merged entry. Select Device Settings > Repair
Configuration to change the device status to Enabled:OK (green).
b. If the camera uses a static IP address that is not used by another Cisco VSM camera,
the camera is added normally (a collision does not occur).
c. If the camera uses a static IP address that is already used by another Cisco VSM
camera, a collision will occur.
i. If the Allow Duplicate IP Address system setting is not enabled (default),
both cameras are placed in a collision state and you must replace or delete one
of the cameras to remove the conflict.
ii. If the Allow Duplicate IP Address system setting is enabled, the new camera
with the duplicate access (NAT) IP address is added to Cisco VSM.
When a camera is successfully added to Cisco VSM, both the access (NAT) IP and private (NIC) IP are
added to the camera entry in the Operations Manager.
Tip
If auto-provisioning is enabled for the discovered camera model, the camera is also updated with settings for
template, user credential, etc.
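
The discovery rules listed above, written out as an added Python example (not Cisco VSM code). The Camera class, the function names, the status strings and the sample addresses are assumptions made for illustration; shared_access_ips lists entries that share an access (NAT) IP, which is worth reviewing once Allow Duplicate IP Address is enabled and the conflict is no longer reported.

```python
from dataclasses import dataclass, field


@dataclass
class Camera:
    name: str
    access_ip: str    # access (NAT) IP: the only address checked for duplicates
    private_ip: str   # private (NIC) IP: recorded, ignored by the duplicate check
    hardware_id: str  # serial number / MAC address / hardware ID
    dhcp: bool        # True when the camera gets its address from DHCP
    status: str = "Enabled: OK"
    issues: list = field(default_factory=list)


def add_discovered(inventory, cam, allow_duplicate_ip=False):
    """Apply the discovery rules to one camera and return the outcome."""
    same_ip = [c for c in inventory if c.access_ip == cam.access_ip]
    if not same_ip:
        inventory.append(cam)          # no duplicate: added normally
        return "added"
    if cam.dhcp:                       # rule a: merge into the existing entry
        entry = same_ip[0]
        entry.private_ip = cam.private_ip
        # Assumption: the mismatch is raised only when the hardware differs.
        if entry.hardware_id != cam.hardware_id:
            entry.status = "Enabled: Critical"
            entry.issues.append("Hardware ID mismatch")
        return "merged"
    inventory.append(cam)
    if allow_duplicate_ip:             # rule c.ii: conflict ignored, camera added
        return "added-duplicate"
    for c in same_ip + [cam]:          # rule c.i: both entries enter collision
        c.status = "Enabled: Critical"
        c.issues.append("identity collision")
    return "collision"


def repair_configuration(entry):
    """Model of Device Settings > Repair Configuration for a merged entry."""
    if "Hardware ID mismatch" in entry.issues:
        entry.issues.remove("Hardware ID mismatch")
    if not entry.issues:
        entry.status = "Enabled: OK"


def shared_access_ips(inventory):
    """Map each access IP used by more than one entry to the entry names."""
    by_ip = {}
    for c in inventory:
        by_ip.setdefault(c.access_ip, []).append(c.name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def demo():
    """Run four constructed cameras through the rules; return the outcomes."""
    inventory = []
    cameras = [
        Camera("lobby", "203.0.113.10", "192.168.1.10", "HW-A", dhcp=False),
        Camera("dock", "203.0.113.10", "192.168.1.11", "HW-B", dhcp=True),
        Camera("gate", "203.0.113.10", "192.168.1.12", "HW-C", dhcp=False),
        Camera("roof", "203.0.113.20", "192.168.1.10", "HW-D", dhcp=False),
    ]
    outcomes = [add_discovered(inventory, cam) for cam in cameras]
    return outcomes, shared_access_ips(inventory)


if __name__ == "__main__":
    print(demo())
```
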

Manually Adding Cameras


Cameras are manually added to Cisco VSM using the access (NAT) IP address. If a duplicate access
(NAT) IP address is used, a collision will occur.
If the Allow Duplicate IP Address system setting is not enabled (default), both cameras are
placed in a collision state and you must replace or delete one of the cameras to remove the
conflict.
If the Allow Duplicate IP Address system setting is enabled, the new camera with the duplicate
access (NAT) IP address is added to Cisco VSM.
Both the access (NAT) IP and private (NIC) IP are added to the camera entry in the Operations Manager.
Camera Network Deployment Scenarios
Scenario 1:
All Devices Are In the Same Network (NAT)
In the most basic scenario, all cameras and servers are in the same network (NAT). This includes the
video surveillance cameras, Operations Manager, and Media Servers.
In this single-network scenario, the private (NIC) and access (NAT) IP addresses are the same for each
camera.
Note
Only the access (NAT) IP address is entered and displayed in the camera's configuration page.

Each camera should have a unique IP address, or a collision ID can occur.

All Devices in the same Network (NAT)


Scenario 2:
Cameras in Different NATs Use Static Access IP Addresses
In this scenario, multiple groups of cameras are installed in different networks. The cameras in each
network are assigned the same set of private (NIC) IP addresses. Each camera, however, is also assigned a
unique static access (NAT) IP address.

Cameras in Different Networks with Static Access (NAT) IP addresses

In this scenario:
The camera is added using the Access (NAT) IP address. The Access (NAT) IP address appears in the
camera page of the Operations Manager UI.
Only the Access (NAT) IP address is checked for duplicates. The Private (NIC) address is ignored during the
duplicate check.
The Access (NAT) IP address is static and unique, so a collision ID will not occur.
The Private (NIC) address is taken from the IP header and added to the config.

Note
This scenario is supported when manually adding a camera, or for automatic discovery of Medianet-enabled
cameras.

User-initiated discovery of cameras (non-Medianet devices) is not supported since the Operations
Manager cannot determine that the cameras are behind a NAT (since DHCP is not used).
Scenario 3:

Cameras in Different NATs Have Duplicate Access IP Addresses


In this scenario, multiple groups of cameras are installed in different networks. The cameras in each
network are assigned the same set of private (NIC) IP addresses.
The access (NAT) IP address for each camera, however, may be a duplicate of another camera. By
default, this can cause a collision ID error. To avoid this.

Cameras in Different Networks with Duplicate Access (NAT) IP addresses

In this scenario:
The Access (NAT) IP address is added or discovered.
Only the Access (NAT) IP address is checked for duplicates. If a duplicate exists, a collision ID can occur.
Select the Allow Duplicate IP Addresses system setting to allow duplicates. Duplicate camera
entries will be ignored and the camera will be added.
The Private (NIC) address is taken from the IP header and added to the camera config.
Lesson 7

Understanding NTP Configuration

Overview
The server time synchronizes server operations, defines recording timestamps
and backup schedules. To ensure correct playback and system operation, we
strongly recommend using a network time protocol (NTP) for all servers and
devices.
Recommended (and Default) NTP Configuration
In the default and recommended NTP configuration, the Operations Manager is configured with an NTP
server, and all other servers, cameras and encoders use the Operations Manager as their NTP server. This
ensures that all devices, recordings, timestamps, alerts, and other resources are synchronized.
In Figure the cameras use their Media Servers as the NTP server, and the Media Servers use the
Operations Manager as the NTP server. Since these are the default settings, no user configuration is
required except to (optionally) enter a custom NTP server address for the Operations Manager server.

Recommended (and Default) NTP Configuration

Recommended NTP Configuration


Server/Device: Recommended Configuration
Operations Manager server: Enter a User-Configured NTP server for the Operations Manager server,
including servers that are co-located with other services, such as a Media Server and/or Maps server.
Stand-alone servers: Use Automatic mode for all other servers. The Operations Manager is used as
the NTP server, ensuring that the date and time on all servers are in sync.
Cameras and encoders: By default, cameras and encoders use the Media Server to which they are
assigned as the NTP server. This ensures that the recording timestamps and schedules are in sync.
Note
The encoder NTP setting cannot be changed.
NTP Usage Notes
Enter NTP Server names or IP addresses separated by space or comma.
Automatic mode can only be used after NTP is configured on the Operations Manager server.
The server will reboot if any changes are made to the NTP settings using the Operations
Manager UI.
Changes to the server time can affect video recording schedules and timestamps.
A warning alert is generated if the time difference between the server and Operations Manager
is more than 2 minutes.
A warning message is also displayed to operators when logging in if the time difference
between their workstation and the server is more than 2 minutes.
You can modify the NTP information for up to 10,000 cameras at a time.
The NTP servers configured on a device are displayed in the device configuration page (under
NTP Information).
NTP settings can be configured on a camera only if the camera model supports NTP
configuration.
The number of NTP servers configured on a camera is limited to the number supported by the
camera model. For example, if a camera model only supports a single NTP server setting, and
you attempt to add three NTP servers, the configuration will be rejected.
Never modify the time and NTP settings using the Linux CLI. Settings made using the Linux
CLI can result in inconsistent system performance and other issues.

Configuring Media Servers with a User-Defined NTP Server
In some situations, you may need to use different NTP server settings than the default and recommended
version. This may be necessary based on proximity of the Media Servers. For example: if your
deployment spans numerous countries or timezones, the Media Servers may need to use local NTP
servers.
In Figure a Media Server in a distant location is assigned a user-defined NTP server.

NTP Settings for Media Server in a Distant Location


Configuring Cameras with a User-Defined NTP Server
If your configuration requires that cameras use an NTP server that is not the Media Server, you can enter
a custom NTP server address for a single camera, or for multiple cameras.
Figure shows cameras that are configured with a custom NTP server.

Cameras With an NTP Server Different than the Media Server


Defining the NTP Setting During Camera Auto-Discovery
By default, the Media Server is used as a camera's NTP server when the device is added to Cisco VSM.
When a camera is discovered on the network, the Media Server is also used as the camera's NTP server
by default. To override this option, and retain any NTP address(es) previously configured on the device,
deselect the Use Media Server as NTP option in the auto configuration settings.

Device Auto Configuration

If an NTP server is not configured on the device, you must update the camera settings to either enter an
NTP server address or select Use Media Server as NTP.
This setting is displayed only for camera models that support NTP.
You must belong to a user group with Cameras permission.
Note
Auto-configuration applies a set of basic configurations to cameras that are discovered on the network.
Auto-configuration is disabled for all camera models by default.
Lesson 8

Server High Availability

Overview
Two Operations Manager servers can be configured as a redundant pair for
high availability (HA). Since the Operations Manager is responsible for
configuring and coordinating the entire Cisco Video Surveillance deployment,
this helps ensure uninterrupted system access for users and administrators.
Operations Manager (VSOM) HA

Understanding Operations Manager HA


Operations Manager HA is achieved by installing two stand-alone Cisco VSM Operations Manager
servers, and configuring one as the Master server, and the other as the Peer server (Figure). A virtual IP
address is shared by both servers, and used by users (video monitors, administrators and other users) to
access the Cisco Video Surveillance system. This configuration provides full operations and
administrative function at all times.

Operations Manager HA: Server 1 is the Master Server

In Figure, users enter the virtual hostname/IP address to connect to the Cisco VSM Operations Manager.
Server 1 acts as the Master server, receiving and managing all user and system requests. All data and
configuration changes are automatically synchronized with the Peer server (server 2) to ensure it is ready
to take over if a failover occurs.
The Peer polls the Master server regularly to verify connectivity. If the Peer does not receive a response,
the Master is assumed to be down or offline and the Peer assumes the Master role. The Peer server
immediately takes control of the system, and the virtual hostname/IP address is redirected to the new
Master server.

After Operations Manager Failover: Server 2 is the Master Server

User Interfaces
The following user interfaces (UIs) access Cisco VSM video using the shared virtual IP address:
Operations Manager (browser-based UI): enter the virtual hostname/IP address in an Internet
Explorer browser window.
Cisco SASD (desktop application): enter the virtual hostname/IP address at the login prompt.
Custom applications: monitoring applications that use the Cisco VSM APIs access the
Operations Manager using the virtual hostname/IP address.
Media Server Redundancy and Failover
Cisco Video Surveillance Media Servers can be configured in a high availability (HA) arrangement that
allows a primary server to be paired with additional Failover, Redundant, or Long Term Storage Media
Server. These HA servers provide the primary server with hot standby, redundant stream storage and
playback, and long term recording storage to help ensure that functionality and recordings are not lost if
the primary server goes offline.

Understanding Redundant and Failover Servers


The following table describes the different Media Server high availability types.

Redundant and Failover Servers


Media Server Type: Primary server
Example: Both streams are sent to the Primary server only.
Description: The Primary Media Server processes the camera video feeds, stores and plays back
recorded video, among other tasks.
Usage Notes
All Media Servers are assigned the Primary HA role by default.
A co-located Media Server can only be a Primary Media Server (co-located Media Servers do not
support other HA roles such as Standby or Redundant).
A co-located Media Server is automatically added to the Operations Manager and activated. The
default co-located server name is VsomServer.

Media Server Type: Redundant server
Examples: Stream A to Primary, Stream B to Redundant; All Streams to Both Servers.
Description: A Redundant Media Server provides additional computing power for the cameras
associated with a Primary server.
Unicast: The camera's video streams are sent to different servers. For example, stream A is sent to
the Primary server, and stream B to the Redundant server. If the Primary server goes down, the video
from Stream B is still saved to the Redundant server.
Multicast: Both camera video streams are simultaneously sent to both servers.
Usage Notes
A Redundant Media Server can support multiple Primary servers. You must ensure that the
Redundant server contains the disk and processing capacity to support all cameras that send video
streams to the server.
The Record Now feature is not available on redundant servers. The Record Now feature is
available on the Primary server, or on the failover server if the Primary is down.

Media Server Type: Failover server
Description: A Failover Media Server is a hot standby server that assumes system control if the
Primary server fails or goes offline.
Usage Notes
The Failover server does not provide hot-standby functionality for the Redundant server.
Understanding Media Server Failover
When a Failover Media Server is associated with a Primary server, the Failover polls the Primary every
two minutes to verify connectivity. If the Failover does not receive a response after three successive tries,
the Primary is assumed to be down or offline and the Failover assumes the Primary role.
Note
A few minutes of recording may be lost between the loss of the Primary Media Server and the
Failover assuming control.


A Failover Media Server can only stand in for one Primary server at a time (if a Failover server is
already acting as the Primary for a Media Server that is down, the Failover cannot assume control for a
second Primary Media Server).
When the Primary Media Server is down and the Failover has taken over the role of the Primary server,
and a DHCP-based Medianet discovered camera has a change of IP address, the Cisco VSM Operations
Manager will not reconfigure the camera to the new IP address until the Primary Media Server comes
back up. This is because Cisco VSM Operations Manager does not allow any configuration changes on
the cameras when the Primary server is down.

Failover status is indicated in the server Status page (Figure). The possible Failover Status values are:
In Failover
Not In Failover
Could Not Failover (this occurs if a different Primary server already failed over to the same
Failover server.)
For example, Figure displays a Primary Media Server with a critical configuration error that causes a
failover.
The Failover Server status is OK (green), indicating that the server is up and ready to assume
control.
The Failover Status is Failed Over, indicating that a failover occurred.
The Failover server Status page also displays Failed Over.

Primary and Failover Server Status (in Failover)

When a user attempts to access live or recorded video from a camera that is associated with the Primary
server, the request will time out and be forwarded to the Failover server, which completes the request
and sends the requested video.
Because the Failover server maintains the same configuration as the Primary server (in real time), users
will not encounter a change in network behavior other than a slight delay while communication is
established with the Failover server.
Once the Primary server comes back online, it will automatically resume control from the Failover
server. The Failover server will revert to hot standby status.
Note
Polling between the servers is coordinated based on the system time in each server. Use an NTP time
source to ensure server synchronization.

Requirements
Before adding HA Media Servers, verify that the following requirements are met.
You must belong to a User Group with permissions for Servers & Encoders.
At least two Media Servers must be enabled:

o 1 Primary Media Server


o 1 HA Media Server
Co-located Servers: The Operations Manager and a single Media Server are enabled on the
same server. The following rules apply:
o The co-located Media Server can only be a Primary Media Server (co-located Media
Servers do not support other HA roles such as Standby or Redundant).
o Co-located Media Server cannot be configured with Failover or Redundant Media
Servers. Only a long term storage (LTS) server can be associated with a co-located
Primary Media Server.
The time on all servers must be in sync. We recommend using the same network time protocol
(NTP) server on all Media Servers to ensure the time settings are accurate and identical.
Determining HA Server Scalability
Before installing and configuring HA Media Servers, determine the number of cameras supported by
each primary Media Server, and the number of cameras.

Note
Although there are no hard limits to the number of cameras that a Primary server or associated HA server can
support, the Cisco Video Surveillance Manager Release 7 Server Performance Guidelines provide the recommended
maximum number of cameras that can be assigned to a server. We highly recommend that your deployment not
exceed these numbers for any server in your deployment.

Failover Server Recommended Load and Limitations


Failover servers can support multiple Primary Media Servers, but can only stand in for one Primary
server at a time. Although there are no hard limits to the number of Primary servers that can be
associated with a single Failover server, we recommend a maximum of 5 Primary servers be associated
with a single Failover server. This ratio can be more or less. Design your system so that the Failover
Media Servers can handle the potential load.
For example: if 10 Primary Media Servers use the same Failover server, you must consider the impact if
multiple Primary servers fail. If all 10 Primary Media Servers are critical to your operation, for example,
a smaller ratio should be used.

Note
Determining the server loads, ratios and priority is part of the system design and should be planned
according to the equipment and needs in your deployment.
Use the following guidelines when determining Failover server deployment:
A Failover server can only stand in for one Primary server at a time (if a Failover server is
already acting as the primary for a Media Server that is down, the Failover cannot assume
control for a second Primary Media Server).
We recommend a maximum of 5 Primary servers be associated with a single Failover server.
Associating more than 5 Primary servers with a Failover server is not recommended.
A few minutes of recording may be lost between the loss of the Primary server and the Failover
assuming control.
A co-located Media Server can only be a primary Media Server (co-located Media Servers do
not support other HA roles such as Standby or Redundant).
When the Primary Media Server is down and the Failover has taken over the role of the primary
server, and a DHCP-based Medianet discovered camera has a change of IP address, the Cisco
VSM Operations Manager will not reconfigure the camera to the new IP address until the
Primary Media Server comes back up. This is because Cisco VSM Operations Manager does not
allow any configuration changes on the cameras when the primary server is down.
Configuration changes cannot be made to the Media Server or associated devices (such as
cameras) while the server is in Failover mode. This is because Failover mode is meant as a
temporary server to enable continued operations, not as a permanent replacement server.
Lesson 9

Bulk Camera Configuration and Deployment

Overview
Although cameras can be added individually, you can also deploy multiple
cameras using one of the following methods.
Importing Cameras from a List
Multiple cameras or encoders can be imported using a comma-separated value (CSV) file that includes
configuration details for each device. This same method can be used to update existing camera
configurations.
This figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled
state if all required configurations are included or in Pre-Provisioned state if configurations are missing
or if the devices are not yet available on the network. If an error occurs, correct the CSV file and try
again.

Importing Cameras or Encoders from a CSV File

Best Practices
Cameras, encoders and servers can be pre-provisioned in Release 7.2 and higher.
Pre-provisioned devices are devices waiting to be added to Cisco VSM. You can make
additional configuration changes, but the device cannot stream or record video until the
configuration and network issues are resolved. Choose Enable from the Device Settings menu to
enable the device video functions.
If the CSV file details are accurate and complete, the devices are added to Cisco VSM and video
from the cameras is available for viewing and recording.
If any required fields are left blank, or if any devices in the file are not available on the network,
then the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned
option is deselected. Complete the configuration to change the status to Enabled.
If any fields are inconsistent with the Cisco VSM configuration, the import action fails and an
error file is created that specifies the problem(s). For example, if the CSV file specifies a Media
Server or location that does not exist in your Cisco VSM configuration, an error occurs. Correct
the CSV file and try again.
You cannot mix device types in the import file. For example, the file can include servers,
encoders, IP cameras, or analog cameras only.
To update existing cameras, use the Camera Report to create a spreadsheet with camera details.
Then modify the sheet for your cameras.
Discovering Cameras on the Network
Cameras can be discovered when they are added to the network, and automatically added to the Cisco
VSM configuration. The camera configuration can include a camera template and additional camera
settings.

Camera Discovery Options


Cisco VSM can discover network cameras that are added to the network using one of the following
methods:
Camera Discovery Options
Discovery Method: Description
Automatic Discovery: Medianet-enabled cameras can be discovered automatically and added
to Cisco VSM (when added to the network).
Note
Medianet cameras must be configured with an admin user.
Manually Trigger Discovery: Cameras that do not support Medianet can still be discovered on the
network, but the discovery must be manually triggered and the cameras must support the Bonjour
discovery feature.
Tip
Enable Bonjour on the cameras using the camera UI. For example,
Cisco 3xxx, 6xxx, and 7xxx cameras.

Auto-Configuration Default Configuration


If the Auto-configuration default option is enabled for a camera model, then the basic configuration,
camera settings, and camera template is automatically applied to the camera, and the camera is added
directly to the enabled state. Auto-configuration default settings are accessed in the System Settings.

Cameras Pending Approval List


If the Auto-configuration default option is disabled for a camera model, then the cameras are added to
the Cameras Pending Approval list. This allows you to review the discovered cameras, add additional
configuration settings if necessary, and manually approve the camera so it can be added to Cisco VSM.

Supported Cameras
To view the camera models that support discovery, open the Auto Configuration Settings page and click
on a camera manufacturer.
Camera Discovery and AutoConfig Flow Chart

Tip
You can also move a discovered camera to the Blacklist to prevent it from being added to Cisco VSM or from being
discovered in future discovery actions.

Discovering Medianet-Enabled Cameras


Network (IP) cameras that support Cisco Medianet can be automatically discovered when they are added
to the network. Cameras can also be discovered by a Media Server configured in a different subnet.

Medianet Requirements
For cameras to be automatically discovered on the network using Medianet, the following requirements
must be met:
The network (IP) camera must support Cisco Medianet
o Medianet cameras must be configured for DHCP (cameras that do not support Medianet
can only be added using a static IP address).
o See the Release Notes for Cisco Video Surveillance Manager, for a summary of
supported Cisco cameras and required firmware.
o See also the camera product information at http://www.cisco.com/go/physicalsecurity
(click View All Products, and select the camera model under Video Surveillance IP
Cameras). Examples of Medianet cameras include the Cisco models 4300, 4300E,
4500, 4500E and 26xx.
The camera must be able to discover an available Media Server using one of the following
methods:
o The camera's Preferred Media Server List is enabled using the camera UI. This list is
also configured with up to four Media Server IP addresses.
o A Cisco IOS DHCP server must be installed and configured with Option 125 to return a
list of Media Server IP addresses.

If both of these options are enabled, the manually-entered Preferred Media Server List is used
by the camera. If the list is disabled or empty, DHCP is used.
If neither of these options is enabled, auto-discovery will fail.

Medianet Overview
To enable Medianet discovery, you must install a Medianet-enabled IP camera on the network, as shown
in Figure. A Cisco IOS DHCP server must also be installed and configured with Option 125 to provide a
list of up to 16 Media Server IP addresses.
Medianet Camera Discovery Summary
Process Event: Description
Step 1, Media Server is discovered: The camera discovers a valid Media Server IP address using one
of the following methods:
Camera's Preferred Media Server List: The camera UI is populated with up to 4 Media Server IP
addresses.
or
DHCP: A DHCP request returns the camera IP address and list of up to 16 Media Server IP addresses.
In each method, the list of Media Server IP addresses is polled in order until the request is accepted.
If both of these options are enabled, the manually-entered Preferred Media Server List is used by
the camera.
If neither of these options is enabled, auto-discovery will fail.
Step 2, Camera added to VSM: The camera is added to the Cisco VSM config:
Auto-configuration settings are applied, if enabled for that camera model, and the camera is placed
in Enabled state.
If Auto-Config is disabled for the camera model, the camera is added to the Pending Approval list.
Step 3, Camera config is applied: After the camera is added to Cisco VSM, use the Operations
Manager to complete the device configuration:
If the Auto-Config settings were applied (and camera is placed in Enabled state), revise the camera
settings if necessary.
If the camera was added to the Pending Approval list, complete the required config and approve the
camera.

Detailed Process
Note
When the camera is added to the network, it contacts the DHCP server, which returns the camera network settings
(including IP address). Medianet cameras are factory-configured for DHCP by default. If the camera IP address is
set to static, then the DHCP address is ignored (released).

Step 1 The IP camera attempts to connect to a Cisco VSM Media Server using one of the following
methods:
The camera UI is configured with up to four Media Server IP addresses (in the
Preferred Media Server List).
A DHCP server configured with Option 125 provides a list of MS IP addresses.
The IP camera attempts to connect to the Cisco Media Servers (in order of the IP addresses).
If a Media Server does not reply, then the camera attempts to connect to the next server in
the list.
Note
The camera first tries to connect to any Media Server addresses that were manually entered on the
camera. If there are no manual entries, or if none of the manually-entered Media Servers accepts the
connection request, then the camera attempts to connect to the Media Server addresses sent by the
DHCP server. If neither of these options is enabled, auto-discovery will fail.
Step 2 When the camera connects to a Media Server, the camera is also added to the Operations
Manager configuration.
If Auto-Configuration is enabled for the camera model, the configuration settings
(including a static IP address) are applied and the camera is placed in Enabled state.
The configuration includes a camera template, Location, and permanent Media Server
assignment.
If the Auto-Configuration is disabled (default), then the camera is placed in the
Cameras Pending
Note
When the camera configuration is applied, the IP address provided by the DHCP server is retained.
You can change the IP address using the camera configuration page, if necessary.

Step 3 Once the camera is added to the Operations Manager, you can apply additional configurations,
or approve the camera (if it was added to the Cameras Pending Approval list).

Configuring a DHCP Server with Option 125


Complete the following procedure to configure the DHCP Option 125 on a Cisco IOS device. This is
required to support Cisco VSM Medianet-enabled camera auto-discovery.

Note
Only Cisco IOS DHCP servers are supported for Option 125 to support Medianet camera discovery.

Procedure
Step 1 Convert the Media Server IP address to a HEX value.
The Media Server IP address is the server that the Medianet camera will register with.
The HEX value is used in the DHCP server Option 125 configuration.
a. Search for an online tool that can be used to convert the Media Server IP
address to HEX.
For example, search for IP to HEX Converter tools.
b. Convert the camera's IP address to HEX:
For example, convert the Media Server IP address 10.194.31.1 to the HEX value
0AC21F01.
Step 2 Add additional HEX values to the Media Server HEX value, as required by your DHCP server.

Note
Each DHCP server may require additional HEX strings to be added before and after the Media Server
HEX value. This entire HEX string is entered in the DHCP Option 125 configuration. Be sure to use
the correct HEX format, as defined in your DHCP server documentation.

For example, a Cisco IOS DHCP server requires that the following HEX values be added
before and after the Media Server HEX value:
a. Prefix the following value to the Media Server HEX:
0000.0009.0b14.0901.
b. Append the following value to the Media Server HEX:
.0050.0001
The complete HEX string used in the DHCP server Option 125 configuration (for Cisco IOS
devices) is:
0000.0009.0b14.0901.0AC21F01.0050.0001
Step 3 Configure the Cisco IOS DHCP server to advertise Option 125 to the endpoints.
For example:
ip dhcp pool MYADDRESSPOOL
network 10.194.31.0 255.255.255.0
option 125 hex 0000.0009.0b14.0901.0AC21F01.0050.0001
default-router 10.194.31.254
Note
0AC21F01 is the HEX value of the converted Media Server IP address. The entire required
HEX value is 0000.0009.0b14.0901.0AC21F01.0050.0001.
Other DHCP servers may require a different format for the HEX value such as prefixing x to
the values or prefixing a \
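The Option 125 value decides which Media Server a discovered camera registers with, so it is worth generating the string instead of hand-converting it, and decoding a configured string back to an address before deployment. The following is an added example, not part of the original course material; it uses the prefix and suffix from the Cisco IOS example above and the general Option 125 layout from RFC 3925 (4-byte enterprise number, 1-byte data length, then code/length/data sub-options). The position of the address inside the sub-option is taken from that one example, and the function names are hypothetical.

```python
import ipaddress

# Prefix and suffix exactly as given in the Cisco IOS example above.
IOS_PREFIX = "0000.0009.0b14.0901."
IOS_SUFFIX = ".0050.0001"


def media_server_hex(ip):
    """10.194.31.1 -> '0AC21F01' (four octets, two hex digits each)."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()


def build_option125(ip):
    """Assemble the string entered after 'option 125 hex' on Cisco IOS."""
    return IOS_PREFIX + media_server_hex(ip) + IOS_SUFFIX


def parse_option125(hex_string):
    """Decode an Option 125 hex string and check that its length bytes agree.

    Dots and spaces are ignored. Raises ValueError on malformed input.
    """
    raw = bytes.fromhex(hex_string.replace(".", "").replace(" ", ""))
    if len(raw) < 7:
        raise ValueError("too short for enterprise number, length and sub-option header")
    enterprise = int.from_bytes(raw[:4], "big")
    data = raw[5:]
    if raw[4] != len(data):
        raise ValueError(f"data length byte is {raw[4]} but {len(data)} bytes follow")
    sub_code, sub_len, payload = data[0], data[1], data[2:]
    if sub_len != len(payload):
        raise ValueError(f"sub-option length is {sub_len} but {len(payload)} bytes follow")
    # Assumption drawn from the example string: one leading byte, the 4-byte
    # Media Server address, then four trailing bytes (0050 0001 in the example).
    if len(payload) != 9:
        raise ValueError("payload does not match the single-server layout of the example")
    return {
        "enterprise_number": enterprise,
        "sub_option_code": sub_code,
        "leading_byte": payload[0],
        "media_server": str(ipaddress.IPv4Address(payload[1:5])),
        "trailing_fields": payload[5:].hex(),
    }


def points_at(hex_string, expected_ip):
    """True only if the string is well formed and carries the expected Media Server."""
    try:
        return parse_option125(hex_string)["media_server"] == str(ipaddress.IPv4Address(expected_ip))
    except ValueError:
        return False


if __name__ == "__main__":
    configured = build_option125("10.194.31.1")
    print(configured)
    print(parse_option125(configured))
```

A mistyped digit in the address changes the decoded Media Server without breaking the length checks, so compare the decoded address against the intended server with points_at rather than relying on the string being accepted.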

Medianet Camera Discovery Procedure


Complete the following procedures to discover new Medianet cameras.

Steps: Camera Discovery


Step 1
Task: Verify that the Medianet requirements are met.
Description and more information: Medianet Requirements
You must have:
A Medianet-enabled IP camera configured with DHCP.
At least one Media Server and Operations Manager.
A DHCP server configured with Option 125 to provide Media Server IP addresses to the
camera during discovery.
Note
Cameras that do not support Medianet can only be added using a static IP address.

Step 2
Task: Review the overview sections to understand the discovery process.
Description and more information: Review the following topics to understand the discovery
and auto-configuration process.
Camera Discovery Options
Discovering Medianet-Enabled Cameras

Step 3
Task: Install a Medianet network camera and use the camera configuration UI to enable DHCP
and add an admin user (if necessary).
Description and more information: Cisco network cameras (such as the Cisco 26xx series)
have Medianet and DHCP enabled by default.
If a static IP address is configured on the camera, or if a list of Media Server IP
addresses is configured on the camera, then those values configured on the camera are
used and the DHCP settings are ignored.

Step 4
Task: (Optional) Enable auto-configuration presets.
Description and more information: If auto-configuration is enabled for the camera model,
the camera will automatically be added to Cisco VSM.
Enabling the Auto Configuration Defaults for a Camera Model.

Step 5
Task: Wait for the camera to be discovered and be added to the Operations Manager.
Description and more information: Discovery can take a few minutes based on factors such
as the camera configuration, availability of the Media Servers, and other variables.
If a discovered camera has the same device ID fields as an existing camera entry (IP
address, serial number, MAC address/hardware ID), then the records are either merged
or placed in conflict.

Step 6
Task: Approve cameras that were added to the Cameras Pending Approval list.
Description and more information: If auto-configuration is not enabled for the camera
model, the camera is added to the Cameras Pending Approval list, which allows you to
apply additional configurations and approve (add) the camera.
Open the Cameras Pending Approval list to modify the camera configuration and either
approve the camera or move it to the blacklist.

High Availability Impact on Medianet Cameras


When the Primary Media Server is down and the Failover server has taken over the Primary role, and
the IP address of a DHCP-based, Medianet-discovered camera changes, the Cisco VSM Operations
Manager will not reconfigure the camera with the new IP address until the Primary Media Server comes
back up. This is because Cisco VSM Operations Manager does not allow any configuration changes on
the cameras when the Primary server is down.

Applying Camera Settings to Multiple Cameras


Camera settings can be applied to multiple cameras using the following methods:

Configuration Method: Camera Templates
Description: Templates simplify camera configuration by defining the image quality, recording
schedule, event triggered actions, alerts, and other attributes used by a set of cameras.
When to Apply: When the camera is added to Cisco VSM. To change the basic settings for a
group of cameras.

Configuration Method: Pre-Defined Camera Settings
Description: Camera settings are the device-specific settings that are not included in the
camera templates. For example, motion detection configuration, camera tamper settings, NTP
and timezone settings are all configured on each individual device.
When to Apply: You can select the Camera Setting when adding a camera manually, when the
device is discovered on the network, or when adding multiple devices using a CSV file. If the
cameras are already added to Cisco VSM, use Bulk Actions to apply the Camera Settings to
multiple devices.

Configuration Method: Camera Bulk Configuration
Description: Bulk Actions allows you to change the configuration or take actions for multiple
cameras. For example, you can enable, disable, or delete the devices. You can also change the
template, repair the configurations, change the location or change the password used to access
the device.
When to Apply: Click Bulk Actions (under the Cameras tab) to apply changes to multiple
existing cameras.

Configuration Method: Importing changes from a CSV file
Description: Import a CSV file with existing cameras to update the configuration for those
devices.
When to Apply: Use the Camera Report to create a spreadsheet with camera details. Then
modify the sheet for your cameras.
Lesson 10

Controlling User Access Permission

Overview
User access to Cisco VSM video is controlled by the user account access
permissions, and the locations to which cameras and other resources are
assigned.

For example, a user account is assigned to one or more user groups. Those
user groups provide access to the cameras and resources for a location (and
its sub-locations), such as campus A, or Building 1. In addition, each user
group is associated with a user Role that defines access permissions for
viewing video and managing the system.

Cameras and other resources are also assigned to a location. Users can only
access the video, devices, and resources for the locations they belong to.
Although cameras can be added individually, you can also deploy multiple
cameras using one of the following methods.
Understanding User Access Permissions
Add user accounts to Cisco Video Surveillance Operations Manager to provide access to both the
browser-based Operations Manager and the Cisco Video Surveillance Safety and Security Desktop
(Cisco SASD) application.

Video and system access is based on the following:

The user group(s) to which the user is assigned: user groups are associated with a user Role,
which defines the access permissions for the group.
The location assigned to the user group(s). Users can only access the devices and video for
that location (and its sub-locations).
Users can be assigned to multiple user groups, and gain the combined access permissions for
all groups.

For example, the Figure summarizes the user Roles, groups and user accounts that must be configured
for user access.

Users, User Groups, and Roles

Roles define the access permissions for different types of users. For example, create an operator
Role that allows users to view live and recorded video, and an administrator Role that allows users
to configure cameras and add new users.

When the Roles are assigned to a user group, any user added to that group will inherit the Role
permissions. Users also gain access to different types of resources based on the user group location.
For example, create an Operator Role that allows users to view video, but does not allow
configuration of cameras or other system resources. When you add that Role to a user group, any
user added to the group will inherit the Role permissions. In addition, users can access the devices
at the group location (including sub-locations), and the templates, schedules and other resources for
any location in the same location tree.
Understanding the Impact of a User's Location
The access permissions for a user are determined by the user group(s) to which they belong, and
the location(s) of those groups. For example, a user assigned to a user group at the root location
will have access to all cameras and video. A user assigned to a user group at a sub-location, such as
a campus, will have access only to the cameras and video at that sub-location.

In the following example, an admin might have access to the root location, enabling him to access
all cameras and resources in the system. A guard might only have access to a specific region,
allowing him to view video only for that sub-location and its children.

Creating or Revising User Roles

1. Root location. User groups at the root location have access to all sub-locations.
Note
A super-admin is any user who has access to all access permissions at the root location.

2. Sub-location. A user's access permissions apply only to this sub-location and its children.

Create a User Access Plan


Create a summary of the User permissions and locations for your deployment. Your summary
should include the User Groups and associated Roles and locations. Also include the user names
that will be assigned to each user group.

1. Before you begin, create the location hierarchy as described in Using Locations to Limit
User Access.
2. Create the Roles that define access permissions for operators, administrators, and other
user types.
3. Create the user groups and assign a Role to each group.
4. Create the user accounts and assign each account to at least one user group. Users assigned
to multiple user groups inherit the permissions and locations for all groups.
5. (Optional) Require a second user (such as a manager) to enter their credentials when a user
logs in.
6. (Optional) Provide access to users on an LDAP server.
Sample Roles in a Cisco Video Surveillance Deployment
User Group: Guard
Role Permissions: View Live Video, View Recordings, Listen to Audio, Export Recordings,
Perform PTZ
Location: Building 1
User name: John Smith

User Group: Area Admin
Role Permissions: View Live Video, View Recordings, Export Recordings, Perform PTZ,
Manage Cameras, Manage Servers and Encoders
Location: Campus 1
User name: Debbie Sanchez

User Group: Admin
Role Permissions: View Live Video, View Recordings, Export Recordings, Perform PTZ,
Manage Users & Roles, Manage Cameras, Manage Servers and Encoders, Manage Templates,
Manage Schedules, Manage Location and Maps, Manage System Settings
Location: System (root)
User name: Krishna Bangalore
Understanding the System-Defined User Roles, Groups and Accounts
By default, Cisco VSM includes system-defined Roles, groups and users to aid in the initial
configuration. System-defined Roles, groups and users cannot be updated or deleted.

System-Defined User Roles, Groups and Accounts


Roles
super_admin_role: includes all management and operation access permissions.
local_admin_role: provides all operator functions, but limited and commonly used
management tasks such as managing cameras, Media Servers, encoders, Video Walls,
locations & maps, views and alerts.
operator_role: provides all operator permissions.

User Groups
super_admins: assigned the super_admin_role.
operators: assigned the operator_role.

Users
admin: assigned to the super_admins user group, which gives the user super_admin_role
permissions. The admin is a root system user and cannot be modified or deleted. The
default admin username and password is admin/admin.
Note
A super-admin is anybody that has all permissions at the root location.
operator: assigned to the operators user group, which gives the user operator_role
permissions. The default username and password is operator/operator.
Note
A local-admin user account is not included by default. You must add a user and add them
to a user group associated with the local_admin_role, if necessary.

LDAP Users
Members of an external Lightweight Directory Access Protocol (LDAP) Active Directory
user database can be granted access to Cisco VSM.
Understanding Permissions
A user's access permissions are defined by the user group that the user belongs to and the Role
associated with that user group. The user group also determines the location that a user has access to.
The user's access permissions are for that location only.
User Roles define the permissions that are assigned to a user group. Click the Roles tab to view or
modify the permissions that can be assigned to a Role. Permissions are divided into two categories:
Manage and Operate. Select or de-select the check boxes to add or remove permissions.

Default Roles
The default Roles are read-only and cannot be revised or deleted.

For example:
operator_role: Includes most Operator permissions.
super_admin_role: Includes all operate and manage permissions (a super-admin user is any
user that has access to all permissions and is assigned to the root-level location).
local_admin_role: Includes a combination of operate and manage permissions.
Tip
Select a Role to view the permissions assigned to that Role.

Permissions

Selecting a permission may automatically result in the selection of other dependent permissions if the
permissions overlap. For example, if you select the Manage Cameras permission, the View Live Video
and Perform PTZ permissions are automatically selected. The automatically selected dependent
permission(s) cannot be deselected unless the parent permission is deselected first.
Manage Permissions
Manage Permission: Description
Users & Roles: Create, update, or delete user accounts, groups and Roles.
Cameras: Create, delete, or update Cisco VSM cameras.
Note
Only super-admins can perform camera auto-provisioning. See
Understanding the Super Admin.
Servers & Encoders: Create, update, or delete Cisco VSM servers and analog camera encoders.
Video Walls: Create, update, or delete Video Walls.
Templates: Create, update, or delete camera templates.
Schedules: Create, update, or delete schedules.
Locations & Maps: Create, update, or delete Cisco VSM locations and associated map images.
Views: Create, update, or delete pre-set video views used to monitor multiple video
cameras.
System Settings: Update Cisco VSM system settings.
Images: Allows the user to upload firmware images, define the recommended
firmware version, and upgrade devices.

Some permissions are mutually exclusive. For example, you can select either View Live Video or View
Secondary Stream Only but not both at the same time. If you select View Secondary Stream, the
mutually exclusive permission will be automatically deselected.

Operation Permission: Description

View Live Video: View live video streams from Cisco VSM cameras.
Note
If selected, View Secondary Stream Only will be automatically deselected.

View Recordings: View recorded video from Cisco VSM cameras.

Listen To Audio: Play live or recorded audio from cameras that support audio.

Export Recordings: Export a video clip to a file.

Perform PTZ: Use the pan, tilt and zoom controls on cameras that support PTZ.

Push Video to Wall: Enables the Publish to Wall feature in the Cisco Safety and Security
Desktop (SASD) application.
This feature allows users to change the view shown by all other instances of a selected
video wall. The new view is displayed until the dwell time is exceeded.
Note
If selected, View Secondary Stream Only will be automatically deselected.

Alerts: Allows all operators to view the alerts for cameras they can access. Users can
acknowledge, clear, or comment on an alert (ack/clear/add_user_comment).

View Analytics Metadata: View the already generated metadata and perform video motion
searches (using the Cisco SASD desktop application). Users with only View permissions
cannot generate the metadata using Cisco SASD.

Post Analytics Metadata: Generate the metadata using Cisco SASD. Users with only Post
permission cannot perform searches.

Control Privacy Mask: Allows operators to enable or disable the Privacy Mask on compatible
cameras. All live video from the camera is blocked and cannot be viewed by any operator
or monitor, or recorded by the Cisco Video Surveillance system.

Download Software: Allows users to download the available software installation packages,
such as the Review Player EX, Advanced Video Player, and MSI Installation Package.

Copy From Edge Storage: Allows users to copy recordings from a camera to the Media Server.

View Secondary Stream Only: Members of user groups with this permission can only view the
secondary stream of cameras. If the secondary stream is not available, no video feed is
shown.
Note
If selected, View Live Video and Push Video to Wall will be automatically deselected.

Understanding the Super Admin


The following operations and functions can only be performed by a super-admin.

Note
A super-admin is any user that has access to all permissions at the root location.

Super-Admin Functions
Function: Description
Operations Manager HA: Create, update, replace, or delete the high availability
(HA) configuration for Operations Manager.
Active Users: Get a list of the active user sessions. The super admin can also log out
any active user(s).
Change user passwords: Change the password for another user.
Prune History: Prune (delete) old alerts and events.
Notification policies: Create, update and delete email notification policies.
Reports: Create, download, and delete reports.
Custom Event Type Registration: Create, download, and delete custom event types.
Language Settings: Update the language settings.
Auto Provisioning Settings: Update the auto provisioning settings for supported camera models.
LDAP user configuration: Create, download, and delete the LDAP server configuration.
Understanding Dual Login
Dual Login requires that a second user (such as a manager) enter their credentials to approve a user's
access. When the user logs in, a second prompt appears for the manager's credentials. This optional
feature can be used when explicit approval is required whenever a user logs in.

To enable Dual Login, select the Approval Required checkbox in a User Group, and then select an
Approval Usergroup. All users assigned to the User Group can only gain access if a member of the
Approval Usergroup also enters their password.

Provide Access from an LDAP Server (Active Directory)


An LDAP (Lightweight Directory Access Protocol) server can provide Cisco VSM access to members of
an external user database. After the LDAP server is added, users from that system can log in to Cisco
VSM using the credentials configured on the LDAP server (the users do not need to be added
individually to the Operations Manager configuration).

Users select the LDAP domain when logging in to the Operations Manager or Cisco SASD UI.

Localhost login for LDAP Configuration Changes

Considerations
Operations Manager uses the LDAP server to authenticate and authorize the user's username
and password.

LDAP users should be members of user groups in the LDAP configuration since the Operations
Manager determines user access privileges based on those LDAP groups. Search filters in the
Operations Manager LDAP configuration are used to map the user group(s).

The number of search filters determines the time it takes for users to log in. A large number of
search filters will cause longer wait times for LDAP users logging in. The maximum number of
filters is 500.

Use the Operations Manager Active Users page to view the user groups assigned to LDAP
users.

Users must be in an LDAP organizational unit (OU) that is at least 1 level above the root of the
LDAP tree.
LDAP Best Practices
LDAP users can be added or removed from the source database without affecting Cisco VSM. When the
LDAP user logs in to Cisco Video Surveillance, their credentials are authenticated with the LDAP
server, and access is granted or denied based on the LDAP response.

Use LDAP filters to limit the users who can access Cisco VSM.

To delete an LDAP server, you must un-associate the LDAP server from all Cisco VSM user groups.

LDAP Search Filter Settings


Filters restrict authentication to a subset of users (the filter represents a user group that is defined on the
LDAP server). Each filter can be associated with a different user group, which grants LDAP users in that
filter the access permissions of the Cisco VSM user group. This allows you to grant different
permissions to different sets of users.

For example, a filter for the dept_eng users can be associated with an admin user group, while
everyone else in company_eng is made an operator.

The maximum number of filters is 500.

LDAP Filter Settings

Field: Description

Name: Enter a descriptive name for the filter. For example: Security users

User Search Path: The directory path where user groups are stored on the LDAP hierarchy.
In some LDAP configurations, the user information and user group information are in
different locations. The User Search Base field specifies the hierarchy location below which
the user group information is located.
For example: ou=groups,dc=mycompany,dc=com

User Group Filter: Enter the LDAP syntax that limits access to members of a specific group on
the LDAP server.

For example, to match any user who is a member of the vsomadmin user group, the user
group search filter is:

(&(sAMAccountName=%USERID%)(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))

The variable %USERID% matches the user ID entered by the user at the login screen with an
Active Directory record with the same user ID (sAMAccountName), and that Active
Directory record must also be a member of the user group
CN=vsomadmin,OU=Groups,DC=company,DC=com.

To match an individual Active Directory user ID johndoe, the user group search filter is:

(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))

This example matches the user ID entered by the user at the login screen with an Active
Directory record with the same user ID (sAMAccountName), and the Active Directory record
must have the sAMAccountName johndoe.
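To check which Cisco VSM user group each filter would grant before entering it in the Operations Manager, the two filters above can be evaluated offline against sample directory records. The following is an added example, not part of the original course material and not Cisco code: the directory records and the group names vsm-admins and vsm-operators are constructed, only the "(&(attr=value)...)" form used on this page is supported, and the user ID is escaped per RFC 4515 before substitution (an assumption of this example; the page does not describe how the Operations Manager substitutes %USERID%).

```python
import re

# The two filter templates from the page, each mapped to a hypothetical VSM user group.
ADMIN_FILTER = "(&(sAMAccountName=%USERID%)(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))"
JOHNDOE_FILTER = "(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))"
FILTERS = [(ADMIN_FILTER, "vsm-admins"), (JOHNDOE_FILTER, "vsm-operators")]

# Constructed directory records (attribute -> list of values).
DIRECTORY = [
    {"sAMAccountName": ["asmith"],
     "memberOf": ["CN=vsomadmin,OU=Groups,DC=company,DC=com"]},
    {"sAMAccountName": ["johndoe"],
     "memberOf": ["CN=staff,OU=Groups,DC=company,DC=com"]},
    {"sAMAccountName": ["bjones"],
     "memberOf": ["CN=staff,OU=Groups,DC=company,DC=com"]},
]

# RFC 4515: these characters have a meaning in filter syntax and must be
# written as backslash plus two hex digits to be matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()*]*)\)")


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, user_id):
    """Substitute the login ID for %USERID%, escaped so it stays a plain value."""
    return template.replace("%USERID%", escape_filter_value(user_id))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(text):
    """Parse '(&(attr=value)(attr=value)...)' into [(attr, value), ...], lower-cased."""
    if not (text.startswith("(&") and text.endswith(")")):
        raise ValueError("only AND filters of the form (&(a=b)(c=d)) are supported")
    body = text[2:-1]
    items = _ITEM.findall(body)
    if "".join(f"({a}={v})" for a, v in items) != body:
        raise ValueError("filter contains syntax this example does not support")
    return [(a.lower(), _unescape(v).lower()) for a, v in items]


def record_matches(record, conditions):
    """Every condition must equal one of the record's values (case-insensitive)."""
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in record.items()}
    return all(value in attrs.get(attr, []) for attr, value in conditions)


def groups_for_login(user_id, directory=DIRECTORY, filters=FILTERS):
    """Return the VSM user groups whose filter matches a record for this login ID."""
    granted = []
    for template, vsm_group in filters:
        conditions = parse_and_filter(render_filter(template, user_id))
        if any(record_matches(rec, conditions) for rec in directory):
            granted.append(vsm_group)
    return granted


if __name__ == "__main__":
    for login in ("asmith", "johndoe", "bjones", "*"):
        print(login, "->", groups_for_login(login))
```

A login ID that matches no filter receives no group, which is how the filters limit who can access Cisco VSM.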
Lesson 11

Using Locations to Limit User Access

Overview
User access to Cisco VSM video is controlled by the user account access
permissions, and the locations to which cameras and other resources are
assigned.

For example, a user account is assigned to one or more user groups. Those
user groups provide access to the cameras and resources for a location (and
its sub-locations), such as campus A, or Building 1. In addition, each user
group is associated with a user Role that defines access permissions for
viewing video and managing the system.

Cameras and other resources are also assigned to a location. Users can only
access the video, devices, and resources for the locations they belong to.
Although cameras can be added individually, you can also deploy multiple
cameras using one of the following methods.
Understanding Permission-Based and Partition-Based
Locations define the physical location of devices, such as cameras, and the logical location of attributes,
such as camera templates. This allows system administrators to restrict user access to only the devices
and resources required by the different users in a deployment. For example, in a simple deployment,
users are assigned to the root level and gain access to all devices and resources. In larger deployments,
however, users can belong to user groups that are assigned to locations at lower levels. This restricts the
user's access to the devices at that location (and sub-locations). The users also have access to system
resources (such as templates and schedules) that are assigned to other locations.

Resources
Locations assigned to Cisco VSM resources define the following:

The physical location of servers and encoders.

The installed (physical) and pointed at location of cameras.

The logical location of Cisco VSM attributes, such as camera templates, schedules, Video Walls
and preset Views.

The location of user groups and user roles.

In addition, the following rules apply:

Resources such as devices, user groups and Views are permission-based, meaning that they can
only be accessed by users at that same location or lower (sub-location).

Partition-based resources (such as templates and schedules) can be accessed by users within the
same location hierarchy (locations higher or lower in the same location tree).

Global resources can be accessed by all users who have the required access permissions.

Super-admin resources (such as system settings and audit logs) can only be accessed by
super-admin users.

Resource Access Summary


Type: Permission-Based
Resources: Devices (cameras, encoders, servers), User groups, Views
Description: Users can access permission-based resources that are assigned to their user
group location or lower (sub-location).
For example, in the figure, a user assigned to a Dallas Campus user group can access the
cameras at the Building 1 sub-location, but not at the Texas location. Dallas users also
cannot access any California locations.

Type: Partition-Based
Resources: User roles, Schedules, Camera templates
Description: User groups can access partition-based resources that are in the same location
hierarchy (either higher or lower, but not in a different branch).
For example, in the figure, a user assigned to a Dallas Campus user group can access the
templates or schedules at any higher or lower level up to the U.S. (root) location. The user
cannot, however, access templates or schedules for the Austin Campus or any of the
California locations.

Type: Global Resources
Resources: Global resources can be accessed by all users who have the required access
permissions.
Description: For example, a user with manage users permissions can access all the users in
the system. The user object is not restricted to a location.

Type: Super-admin
Resources: System Settings, Audit Logs
Description: Only users assigned to a super-admin user group can access these system-wide
resources.
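The location rules in the summary above can be tested against a planned hierarchy before users and cameras are assigned. The following is an added example, not part of the original course material and not Cisco code: the location tree is assembled from the place names used in this lesson (the figure itself is not reproduced here), the resource type names are hypothetical, and only the location check is modelled. The Role permissions of the user group still decide what the user may do with a resource they can reach, and the modify rule for partition-based resources is the one stated in the deployment examples later in this lesson.

```python
# Child -> parent. Constructed from the place names used in the text.
PARENT = {
    "U.S.": None,
    "California": "U.S.",
    "San Jose Campus": "California",
    "SJ Building 1": "San Jose Campus",
    "Milpitas Campus": "California",
    "Texas": "U.S.",
    "Dallas Campus": "Texas",
    "Building 1": "Dallas Campus",
    "Austin Campus": "Texas",
}

PERMISSION_BASED = {"camera", "encoder", "server", "user_group", "view"}
PARTITION_BASED = {"role", "schedule", "template"}
GLOBAL = {"user"}
SUPER_ADMIN_ONLY = {"system_settings", "audit_log"}


def ancestors(location):
    """The location itself followed by every location above it, up to the root."""
    chain = []
    while location is not None:
        chain.append(location)
        location = PARENT[location]
    return chain


def is_at_or_below(location, top):
    return top in ancestors(location)


def can_access(group_locations, resource_type, resource_location,
               action="view", super_admin=False):
    """Location check for one resource.

    group_locations: locations of every user group the user belongs to
    (access is the combination of all groups).
    """
    if resource_type in SUPER_ADMIN_ONLY:
        return super_admin
    if resource_type in GLOBAL:
        return True  # not tied to a location; Role permissions still apply
    for group_location in group_locations:
        below = is_at_or_below(resource_location, group_location)
        above = is_at_or_below(group_location, resource_location)
        if resource_type in PERMISSION_BASED and below:
            return True
        if resource_type in PARTITION_BASED:
            # Visible anywhere in the same branch; modifiable only at the
            # user's location or lower.
            if below or (above and action == "view"):
                return True
    return False  # unknown types and other branches are denied


if __name__ == "__main__":
    dallas = ["Dallas Campus"]
    for rtype, loc in [("camera", "Building 1"), ("camera", "Texas"),
                       ("template", "U.S."), ("template", "Austin Campus")]:
        print(rtype, "at", loc, "->", can_access(dallas, rtype, loc))
```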

Simple Deployments (User Access to All Devices and Resources)
In a simple deployment, all users are assigned to a user group at the root (System) location. Users can
access all cameras and resources at all sub-locations.

For example, in the figure, root (System) level users have access to the devices and resources in all
sub-locations, such as California, Texas, and the associated campus and building sub-locations. A user's
ability to view or configure devices and resources is based on the role assigned to their user group.

Locations and User Permissions in a Simple Deployment

Tip
User access can still be restricted based on the assigned user group. For example, an operator user group can
provide access to only view video, but not configure system resources.
Permission-Based Resources: Limiting User Access to Devices
Users can access devices assigned to the same location, or lower. For example, if a user is assigned to a
user group at the San Jose Campus location, the user gains access to any cameras assigned to the San
Jose Campus location, and all sub-locations (such as SJ Building 1).

Note
Users cannot access cameras assigned to higher locations (such as California), or sub-locations in a different
hierarchical tree (such as the Milpitas Campus or Texas).

A user's location includes all of the user groups to which the user is assigned. For example, if a user is
assigned to a user group for the San Jose Campus, and is also assigned to another user group for the
Dallas Campus, the user gains access to the devices at both locations.

Devices, user groups and Views are permission-based resources. All permission-based resources adhere
to these same rules.

Limiting User Access to Specific Locations

Tip
Servers should be assigned to a high-level location to provide support to services, devices and user groups at
lower-level locations. In the example in the figure, assign the servers to either the Root (System) location, or the
California and Texas locations.
Camera Views are also assigned to a location. Users can only access the Views assigned to their location and lower.
Partition-Based Resources: User Access to Templates, Schedules and Other Resources
Partition-based resources include camera templates, schedules, and user roles. If the user belongs to a
user group with access to these resources, then the user can access any partition-based resource in the
same location hierarchy (locations that are higher or lower, but not in a different branch).

For example, a user assigned to a San Jose Campus user group can access the templates or schedules at
any higher level location (up to the U.S. root location). The user cannot, however, access templates or
schedules for the Milpitas Campus or any of the Texas locations.

Tip
The user must be assigned to a user group that provides access to the resource.

Limiting User Access to Specific Locations


Examples:
Locations in Simple vs. Large Deployments
Simple Deployment
A simple Cisco VSM deployment typically places partition-based resources (templates, roles and
schedules) at the root level so they can be accessed by users at all of the sub-locations (Figure). Users
must still belong to a user group that provides access to view or manage those resources.
Permission-based resources (such as cameras) can also be placed at the root level, but only users in a
user group at the root level will be able to access them. You can assign both devices and users at a
sub-location to restrict user access to the permission-based resources at that location.

Example Locations for a Simple Deployment

1. Assign partition-based resources (templates, roles and schedules) to a high-level or root location.

Partition-based resources (templates, roles and schedules) can be viewed and used by all
users at all sub-locations.
Users can only modify the templates, roles, and schedules that are assigned to their location
(or lower).
For example, in the figure, a user assigned to Milpitas Buildings can view partition-based
resources assigned to the U.S. location, but only super-admin users can modify the
resources.

Tip
We recommend also assigning servers to a high-level location to provide support to devices and user
groups at lower-level locations.

2. Assign permission-based resources (such as cameras) to sub-locations to restrict user access.


Users can only access permission-based resources (such as cameras) that are assigned to
the user's location and lower.
For example, a user assigned to Milpitas Buildings can access cameras at that level and
lower (such as building 1 and building 2), but cannot access cameras at an equal level
(such as San Jose Buildings) or at higher locations (such as California or US).

Tip
Deployments with a small number of users can also assign user groups and permission-based
resources to the U.S. (root) location.
Large Deployment
Larger deployments support multiple campuses or geographically distant sites. Users at different regions
or campuses require a distinct set of schedules, roles and templates. For example, the deployment in
the figure includes sites in both the U.S. and India. Partition-based resources (templates, roles and
schedules) assigned to the India location can only be viewed by users in the India sub-locations (not by
U.S. users). Resources assigned to the U.S. location can only be viewed by U.S. users.
This configuration also allows India or U.S. users to modify the partition-based resources for their
region without impacting other regions.

Locations for a Large Deployment

1. Assign partition-based resources (templates, roles and schedules) to a high-level branch
location, such as U.S.

Partition-based resources (templates, roles and schedules) can be viewed and used by all
users within that location hierarchy (for example, from the San Jose Campus up to the
System users).
Users can only modify the templates, roles, and schedules that are assigned to their location
(or lower).
For example, a user assigned to California can view partition-based resources assigned to
the U.S. location, but not resources in the India locations.

2. Assign permission-based resources (such as cameras) to sub-locations to restrict user access.


Users can only access permission-based resources (such as cameras) at their location and
lower.
For example, in Figure a user assigned to Chennai can access cameras at that level and
lower (such as CH Bldg1), but cannot access cameras at an equal level (such as
Bangalore) or at higher level (such as India).
Tip
System users (such as super-admins) can view all resources at all sub-locations. Super-admins can also access
system settings and other resources.
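
The location rules in this lesson can be checked mechanically before user groups are assigned. The following is an added example, not Cisco VSM code: the location names come from the lesson's examples, while the tree shape, camera names and group names are constructed assumptions because the referenced figure is not reproduced here.

```python
# Added example: a model of the location rules in this lesson, not Cisco VSM code.
# Assumption: the tree shape below, since the lesson's figure is not on the page.
PARENT = {
    "System": None,
    "U.S.": "System",
    "California": "U.S.",
    "Milpitas Buildings": "California",
    "San Jose Buildings": "California",
    "Building 1": "Milpitas Buildings",
    "Building 2": "Milpitas Buildings",
    "India": "System",
    "Chennai": "India",
    "Bangalore": "India",
    "CH Bldg1": "Chennai",
}

# Constructed sample assignments (hypothetical camera and group names).
CAMERAS = {
    "cam-lobby-b1": "Building 1",
    "cam-dock-b2": "Building 2",
    "cam-gate-sj": "San Jose Buildings",
    "cam-lobby-ch1": "CH Bldg1",
    "cam-gate-blr": "Bangalore",
}
USER_GROUPS = {
    "milpitas-operators": "Milpitas Buildings",
    "chennai-operators": "Chennai",
    "us-admins": "U.S.",
    "contractors": "System",
}


def ancestors(location):
    """Return the location followed by each parent up to the root."""
    if location not in PARENT:
        raise KeyError(f"unknown location: {location}")
    chain = []
    while location is not None:
        chain.append(location)
        location = PARENT[location]
    return chain


def at_or_below(location, top):
    """True when `location` is `top` or one of its sub-locations."""
    return top in ancestors(location)


def can_access_device(user_loc, device_loc):
    """Permission-based resources (cameras): the user's location and lower only."""
    return at_or_below(device_loc, user_loc)


def can_modify_partition_resource(user_loc, resource_loc):
    """Templates, roles, schedules: modifiable at the user's location or lower."""
    return at_or_below(resource_loc, user_loc)


def can_view_partition_resource(user_loc, resource_loc):
    """Viewable along one branch: by users below the resource's location and by
    users above it (System users see every sub-location), never across branches."""
    return at_or_below(user_loc, resource_loc) or at_or_below(resource_loc, user_loc)


def reachable_cameras(group):
    """Cameras a user group can access, given where the group is assigned."""
    user_loc = USER_GROUPS[group]
    return sorted(c for c, loc in CAMERAS.items() if can_access_device(user_loc, loc))


def groups_reaching_everything():
    """Groups assigned so high that every camera is in scope: review candidates."""
    return sorted(g for g in USER_GROUPS if len(reachable_cameras(g)) == len(CAMERAS))


if __name__ == "__main__":
    for group in USER_GROUPS:
        print(group, "->", reachable_cameras(group))
    print("groups that reach every camera:", groups_reaching_everything())
```

Running the same check over an exported list of real group and camera assignments shows which groups were placed higher in the hierarchy than their role requires.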
Lesson 12

Using Events to Trigger Actions

Overview
Events and alerts reflect changes to system and device health, or security
events that occur in the system. These events and alerts can be viewed in a
monitoring application (such as Cisco SASD), generate notifications, or trigger
Understanding Events and Alerts
Events represent incidents that occur in the system and devices. Alerts aggregate (group) those events
together for notification purposes. For example, if a camera goes offline and comes back online
repeatedly, the individual events for that issue are grouped under a single alert, which results in a single
notification. This prevents operators from being flooded with notifications for every event that occurs
for the same issue.

Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again and
the streaming status normal event occurs, the alert severity is changed to INFO.

Health Events, Alerts, and Notifications

1. Events are generated by cameras, encoders and Media Servers.


2. The Cisco VSM Operations Manager aggregates the events into alerts:
3. The browser-based Operations Manager can be used to view events, send notifications, or
(optionally) perform actions that are triggered by security events (such as motion detection).
4. Additional monitoring applications can also be used to view events and alerts:

The Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) application can
be used to view alerts, related events, and related video. You can also change the alert
state, add comments, close the alert, and perform other management options.

Custom applications can be written to gather information, change the alert status, add
comments, or trigger actions when an event or alert occurs.

Note
Custom applications can also subscribe to ActiveMQ topics to receive notifications about device and system
changes. For example, the Alerts topic notifies subscribers when any alert occurs in the system. The custom
application can use the ActiveMQ message contents to optionally trigger additional notification or actions.

Health and Security Event Types


Cisco VSM generates two types of events: device health events and security events:

Health Events are generated when a device health change occurs, such as reachability, fan
speed, file system usage, or other device-related issues. Critical health events generate alerts by
default.

Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions. Security
events do not generate alerts by default.
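
The aggregation described under Understanding Events and Alerts, combined with the default alerting rules for health and security events, can be sketched as follows. This is an added example, not Cisco VSM code: the event fields, the WARNING severity and the sample events are constructed, and it assumes that a non-critical health event updates an existing alert but does not open a new one.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    device: str
    issue: str
    severity: str
    events: list = field(default_factory=list)


class AlertAggregator:
    """Groups events for the same device and issue under a single alert."""

    def __init__(self, alert_on_security=False):
        # Security events do not generate alerts unless configured to do so.
        self.alert_on_security = alert_on_security
        self.alerts = {}         # (device, issue) -> Alert
        self.notifications = []  # one entry per alert opened, not per event

    def _opens_alert(self, event):
        if event["kind"] == "health":
            return event["severity"] == "CRITICAL"  # critical health events alert by default
        return self.alert_on_security

    def ingest(self, event):
        key = (event["device"], event["issue"])
        alert = self.alerts.get(key)
        if alert is None:
            if not self._opens_alert(event):
                return None
            alert = Alert(event["device"], event["issue"], event["severity"])
            self.alerts[key] = alert
            self.notifications.append(key)
        alert.events.append(event)
        # The alert severity follows the most recently generated event.
        alert.severity = event["severity"]
        return alert


# Constructed sample: a camera that goes offline and online twice, one motion
# event, and one non-critical health event from a Media Server.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "device": "cam-lobby", "kind": "health",
     "issue": "streaming_status", "severity": "CRITICAL"},
    {"time": "2024-01-01T10:01:00", "device": "cam-lobby", "kind": "health",
     "issue": "streaming_status", "severity": "INFO"},
    {"time": "2024-01-01T10:02:00", "device": "cam-lobby", "kind": "security",
     "issue": "motion", "severity": "INFO"},
    {"time": "2024-01-01T10:03:00", "device": "cam-lobby", "kind": "health",
     "issue": "streaming_status", "severity": "CRITICAL"},
    {"time": "2024-01-01T10:04:00", "device": "cam-lobby", "kind": "health",
     "issue": "streaming_status", "severity": "INFO"},
    {"time": "2024-01-01T10:05:00", "device": "ms-01", "kind": "health",
     "issue": "file_system_usage", "severity": "WARNING"},
]


def summarize(events, alert_on_security=False):
    """Return ({alert key: (severity, event count)}, notifications sent)."""
    agg = AlertAggregator(alert_on_security)
    for event in sorted(events, key=lambda e: e["time"]):
        agg.ingest(event)
    alerts = {key: (a.severity, len(a.events)) for key, a in agg.alerts.items()}
    return alerts, len(agg.notifications)


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(summarize(SAMPLE_EVENTS, alert_on_security=True))
```

With the defaults, the four streaming events collapse into one alert and one notification, and the motion event is recorded nowhere until alerting on security events is enabled.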

Triggering Actions Based on Alerts and Events


The Operations Manager includes the following built-in features to trigger notifications and other
actions:

Triggering Actions
Action: Description

Critical health notifications: Use the Health Notifications feature to send notifications when a critical
device error occurs. Critical errors are health events that impact the device
operation or render a component unusable. For example, a Media Server that
cannot be contacted on the network, or a camera that does not stream or
record video.

Motion event notifications: Click Alert Notifications in the camera template to enable or disable
the alerts that are generated when a motion event stops or starts.

Trigger actions when a security event occurs: Use the Advanced Events feature (in the camera template) to trigger a
variety of actions when a security event occurs.
For example, you can send alerts only on motion start, on motion stop, stop
or start video recording, record video for a specified length of time, invoke
a URL, move a camera position to a specified PTZ preset, or display video
on a Video Wall.
Module 3

Configurations VMS

Overview
The Cisco VSM is a browser-based configuration and administration tool used
to manage the devices, video streams, archives, and policies in a Cisco Video
Surveillance deployment.
Lesson 1

User Interface VMOS

Overview
The Cisco VSM Operations Manager is a browser-based configuration and
administration tool used to manage the devices, video streams, archives, and
policies in a Cisco Video Surveillance deployment.
Main Elements of the User Interface
All windows include a basic set of links and features, as described in Figure.

Main User Interface Elements

1. Feature tabs:
Monitor Video: View live and recorded video from up to four panes.
Cameras: Add, configure and modify video surveillance cameras, templates and encoders.
Users: Manage user accounts and access permissions, including access for LDAP users.
System Settings: Configure system attributes, including system settings, Media Servers,
locations, schedules, software licenses, Video Walls, and other attributes.
Operations: Links to documentation, desktop monitoring software, logs, Reporting and Health
features, and the Cisco VSM Management Console.

Note
Only the features and functions that the user has access permissions for are displayed.

2. Additional feature
The buttons and options vary depending on the screen. For example, Thumbnail Search, Clip
Search or Health Dashboard

3. Find
Search for devices and attributes

4. Location Hierarchy
Allows you to organize devices, resources, and access permissions according to the locations in
your deployment
5. Panel selection
Devices, users, or other attributes available for the selected location

6. Video Monitoring panes or configuration window
The fields and contents of the main window vary depending on the feature you are accessing.

7. Layouts and Views
(Monitor Video window) Select a blank layout (set of video panes) and double-click cameras to
view in those panes. Create or select a pre-defined View (set of video panes).

8. Jobs
A user-triggered Cisco VSM system task that is completed in the background. Click the icon to
view information about the job. The job icons are displayed only when a job is in progress.

9. Connection
Indicates whether the Operations Manager is receiving real-time status updates (from the ActiveMQ
service).

10. Maintenance Mode
Read-only mode that allows users to access live and recorded video but locks most configuration
changes.

11. Help
Opens the online help system that contains this document.

12. Logout
Click to log out of the Cisco VSM Operations Manager.

13. Site
Displays the site where you are logged in. Click the site name to change the site.

14. Username
Displays the username for the currently logged in user.
Basic Configuration.
Complete the following steps to create a basic configuration. A basic configuration allows you to verify
that basic system components and devices are online, configured, and working properly.

Step 1 Log on to the Cisco VSM Operations Manager

Step 2 Install the system licenses

Step 3 Revise the system settings.

Step 4 Create at least one location.

Step 5 Create at least one user account

Step 6 Add at least one Media Server.

Step 7 Add at least one camera.

Step 8 View video from the camera to verify that the system is working properly

Step 9 Back up the Operations Manager configuration and other data, or create an automatic backup
schedule.
Step 10 Troubleshoot problems or verify the system and device status.
Log on.
Log in to the Cisco Video Surveillance Operations Manager

Procedure
Step 1 Launch the 32-bit or 64-bit version of Internet Explorer on your Windows computer.
Step 2 Enter the Operations Manager URL or IP address. Enter the virtual IP address or hostname
provided by your system administrator if redundant (HA) Operations Manager servers are
deployed.
Step 3 Enter your username and password.
The default credentials for a new or factory restored server are admin/admin.
The username and initial password for all other users are defined when the user account
is created.
All users are prompted to reset the password at first login.
Step 4 Select a domain:
Choose the default localhost if your account was created using the Operations
Manager.
Select an alternative domain if instructed by your system administrator.
Step 5 Enter a new password, if prompted. You must enter a new password the first time you log in,
or when your password periodically expires.
Step 6 Select a Site, if prompted
Selecting a Site on First Login

Users with Site access are prompted for a Site on first login only, but not on subsequent
logins
Users with no Site access are not prompted for a Site.
Users can also change their Site after log in, if configured.
Step 7 If prompted, ask your manager or other administrator to enter their Approver Login.

Approver Login

This second login is required only if configured.


If the approval is not successfully submitted within the time-out period, the login is
denied.

Step 8 If prompted, complete the on-screen instructions to install or upgrade the Cisco Multi-Pane
client software on your computer.
This application is an ActiveX client that enables video playback and other features.
Video will not play unless the Cisco Multi-Pane client software is correctly installed.
If using the 64-bit version of Internet Explorer, you will be prompted to install the
64-bit version of the Cisco Multi-Pane client, if necessary.
You must have administrative privileges on the PC workstation to install the software.
You will also be prompted to install the required Microsoft .Net 4.0 component, if
necessary. If your workstation does not have Internet access, the .Net 4.0 installer can
be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=17718.

Note
You must log in with a standard Windows user account. Logging in with a Guest account can prevent video
streaming and result in an error to be displayed in the video pane: Cannot create RTSP connection to server. Check
network connection and server health status.
Understanding Dual Login
Dual Login requires that a second user (such as a manager) enter their credentials to approve a user's
access. When the user logs in, a second prompt appears for the manager's credentials. This optional
feature can be used when explicit approval is required whenever a user logs in.

To enable Dual Login, select the Approval Required checkbox in a User Group, and then select an
Approval Usergroup. All users assigned to the User Group can only gain access if a member of the
Approval Usergroup also enters their password.

Procedure

Step 1 Select the User Groups tab.
Step 2 Click Add.
Step 3 Enter the settings for the group as described in the Adding User Groups.
Step 4 (Optional) Select Approval Required and select an Approval Usergroup to require a second
user to approve the user login

Creating a User Group That Requires Dual Login Approval Required

Step 5 Click Create.

Step 6 Assign users to the User Group, and to the Approver Usergroup.

Step 7 When the user logs in, a window appears requiring a second user to enter their username and
password

Note
If the approval is not successfully submitted within the time-out period displayed, the login is denied.
Default User Accounts and Passwords
The Operations Manager includes two default users: the super-admin account and an operator account.

Default User Accounts

Default Account: admin
Default Username and Password: username: admin, password: admin
Access Privileges: Super-admin privileges with full rights to configure, view and manage all system
settings and features.

Default Account: operator
Default Username and Password: username: operator, password: operator
Access Privileges: Ability to view live and recorded video, control PTZ movements, push views to a
Video Wall, and export recordings.

You are prompted to change the default passwords the first time you log in.

Changing Your Password


To change your password, click your username in the top right corner of the browser.
Step 1 Log in to the Operations Manager.
Step 2 Click your username in the top right.
Step 3 Enter your current password.
Step 4 Enter and re-enter a new password.
Changing Your Password

Note
Users from external systems (LDAP servers) cannot change their password using the Cisco VSM Operations
Manager. If you forgot your password, contact your system administrator and ask them to create a new password
(you will be prompted to change it when you log in).
Changing Another User's Password
Only super-admins can change another user's password.

Procedure

Step 1 Log in to the Operations Manager with a super-admin account.


Step 2 Select Users, and then select the User tab.
Step 3 Highlight a username.
Step 4 Enter and re-enter a new password in the password fields. The user is required to change the
password the next time they log in.

Notes
This method can also be used by the super-admin to change their own password. All other users can change their
own password by clicking on their username in the top right corner of the browser

Understanding and Changing Your Site


Sites are designated location hierarchies (a location and its sub-locations) where network connectivity
between the cameras and servers is good. These Sites, however, may have low-bandwidth connectivity
to cameras, servers and users outside the Site.

If the system is configured with Sites, and you are a member of a User Group that is assigned to a Site
location, you will be prompted to select a Site the first time you log in.

Selecting a Site on First Login

Users with Site access are prompted for a Site on first login only, but not on subsequent logins.
Users with no Site access are not prompted for a Site.
Users who have access to multiple sites, but do not have the option to change sites, will default
to Not in any site when logging in.
If the Site is configured for Dynamic Proxy, users inside the Site are served by the Media Server
in that Site (when accessing cameras inside the Site). Users outside the Site will receive video
from a Dynamic Proxy server when accessing any camera inside the Site.
Users who do not select a Site, are not assigned a Site, or select Not in Any Site will receive
video from a Dynamic Proxy server for cameras in any Site where Dynamic Proxy is enabled.
Changing Your Site While Logged In
Users can also change their Site while logged in to the system. Click the current Site name in the top
right corner and select a new Site

Changing Your Site After Login

Note
Users are allowed to change their Site after logging in only if the Allow Site Change option is selected in their user
configuration.
Install the system licenses
A license must be purchased and installed for each Media Server and non-Cisco camera added to your
deployment.

Consideration

You can add 1 Media Server and 10 non-Cisco cameras without a license for initial setup
purposes only. This feature is removed when you add any permanent license.
A permanent license is required for each Media Server and non-Cisco camera installed in your
deployment.
A license for 10,000 Cisco cameras is included by default (you do not need to purchase and
install any additional licenses for Cisco cameras).
Licenses are installed in the Operations Manager only (not on the individual servers).
o Licenses can only be installed on a single instance of Operations Manager.
o The same license file cannot be installed more than once on the same Operations
Manager.
o Do not rename the license file before installing it on the Operations Manager. Use the
original file name only.
License files can include licenses for a single device type, or for multiple device types, such as
non-Cisco cameras and Media Servers.
Licenses are cumulative: each additional license is added to the capacity of existing licenses.
For example, if you initially installed a license for 100 non-Cisco cameras, you can purchase an
additional license for 200 cameras to support a total of 300 non-Cisco cameras.
The maximum number of devices in a system is 200 Media Servers, 10,000 cameras (including
Cisco and non-Cisco devices), and 100 dynamic proxy servers.

Soft deleted cameras are included in the camera license count.

Installed licenses are included in the Operations Manager backup and restore archives. We
recommend backing up Operations Manager data after installing new licenses (or anytime major
changes are performed). If the license file is installed after the backup is performed, the license
file is not backed up and not available to be restored.

Note
Multiple camera and Media Server licenses can be included in a single license file. For example, a single license
file might include support for 25 additional cameras and two additional Media Servers.

Obtaining and Installing Licenses


To install a license, purchase the license, download the license file, and then install the file in Operations
Manager.

Tip
License files can include licenses for a single device type, or for multiple device types, such as non-Cisco cameras
and Media Servers.
Procedure

Step 1 Purchase additional licenses:


a. Determine the part number for the license you want to purchase.
b. Purchase the license by contacting your Cisco sales representative or any Cisco reseller. For
more information, visit http://www.cisco.com/en/US/ordering/index.shtml.
c. When the purchase is complete, you are issued a Product Authorization Key (PAK) in paper
form, or in an email message.

Step 2 Obtain the license file:

a. Locate the Product Authorization Key (PAK) created with the purchase.
b. In a Web browser, open the Cisco Product License Registration Web page.
http://www.cisco.com/go/license/.
c. Follow the onscreen instructions to complete the form and enter the Product Authorization Key
(PAK). When you are done, a license file with the extension .lic is sent to your email address.
d. Transfer the file to the drive of the PC used for the configuration.

Step 3 Install the license file in Cisco VSM:

a. Log in to the Operations Manager.


b. Select System Settings > Software Licensing
c. Click Add and select the license file located on your local drive.
d. Click Save to install the file and activate the additional capacity.

Tip
The additional capacity is available immediately. You do not need to restart the server or take additional steps.
Entries shown in red are invalid or expired.

Displaying License Information


Select System Settings > Software Licensing to view information about each installed license, and a
summary of all installed licenses (Figure).

Software Licensing
1. The License Summary displays the total number of Cisco cameras, non-Cisco cameras, and
servers that can be managed by the current Operations Manager. The total number of device
licenses used and available is also shown.
Note:
Up to 200 servers and 10,000 cameras can be managed by the system. Although you can install
more than the supported number of licenses, they will not be recognized.
2. The license for Cisco cameras (included).
3. Licenses for additional servers and non-Cisco cameras.
Note
Entries shown in red are invalid or expired.
4. Information about the selected license file, such as the upload date and the number of devices
enabled by the license.

Deleting Licenses
Deleting a license will reduce the number of cameras and Media Server supported in your Cisco Video
Surveillance deployment.

You cannot delete a license if the number of licensed devices will be less than the number added to the
Operations Manager. View the number of licenses Used to verify that the license can be removed.

To remove a license:
Step 1 Select System Settings > Software Licensing.
Step 2 Highlight a license entry and click Delete
Step 3 Click Yes to confirm.
Revising the System Settings
The default settings are sufficient for a basic setup, but you should review and revise the settings to meet
the needs of your deployment. System settings can only be modified by super-admin users.

Choose System Settings > Settings to define basic parameters for the Operations Manager and
Federator.

The Federator settings are a sub-set of the Operations Manager settings.

Beginning with release 7.2, retention of alerts, events and audit log entries is now managed
automatically by the Operations Manager, which can store up to 1 million alerts, 1 million events, and 1
million audit log entries.

General System Settings


Revise the default user password properties, record storage rules, backup file rules, and other settings.
The General settings define user sessions, backup storage rules, and other settings. Choose System
Settings > Settings, and then click the General tab.


Setting: Description

User Timeout: (Required) The number of minutes before a user is automatically logged out
due to inactivity. After this period, users must re-enter their username and
password to log back in.
Note: The maximum value is 10080 minutes (168 hours / 7 days). The default is 30 minutes.

On Demand Recording Duration: (Required, Operations Manager only) Enter the number of seconds
that video will be recorded for user-generated recording requests.
The minimum value is 300 seconds (5 minutes).

Autocorrect Synchronization Errors: (Operations Manager only) Device synchronization ensures that the
device configuration on the Media Server, camera or encoder is
identical to the Operations Manager settings. Synchronization is
automatically performed when certain events occur, such as when a
Media Server goes offline and comes back online.
Select Autocorrect Synchronization Errors to automatically correct
any configuration mismatches that are discovered during a
synchronization. If this option is disabled, the configuration mismatch
is not corrected and the device Configuration status displays a Critical
state. You can then manually correct the error by clicking either the
Repair or Replace Config button in the device configuration page.

Medianet discovery: (Operations Manager only) Allows Medianet-enabled cameras to be
automatically discovered by Cisco VSM Operations Manager when the
cameras are added to the network.

Preserve MS IP on camera delete: Cameras can be configured with a Preferred Media Server List for
use in camera discovery. You can choose to delete or retain this setting
if the camera is deleted from Cisco VSM:
Disabled (default): If a camera is deleted from the Operations
Manager, the Media Server IP address that is stored on the device
is deleted from the camera's Preferred Media Server list. If the
camera is re-added to Cisco VSM, the Media Server that managed
the camera must be reconfigured.
Enabled: If a camera is deleted from the Operations Manager,
the Media Server IP addresses stored on the camera Preferred Media Server list are
retained (not deleted).

Low QOS, Medium QOS, High QOS: (Operations Manager only) The QoS value used for video between
Media Server and client.

Allow duplicate IP address: Allow duplicate IP addresses for IP cameras. This setting allows
cameras to be installed in a private network, using network address
translation (NAT), and still be added to the Operations Manager
without causing a device IP address conflict.
This setting is disabled by default (duplicate IP addresses are not
allowed and will cause a device ID conflict).

Privacy Mask Timer: (Required, Operations Manager only) The number of minutes before
the camera Privacy Mask expires (this setting applies to all
cameras that support the Privacy Mask feature).
When enabled, the Privacy Mask causes a camera to block all live
video from that camera. When the timer expires, the operator is
reminded to disable the Privacy Mask (which restores the live video
stream).
The default is 15 minutes. Enter a value between 1 and 120 minutes.

Auto Create Map Markers: Automatically creates a camera marker on the location map when a
camera is manually added, updated, or imported from a CSV file. The
icon is added based on the camera's Install Location.

Auto Upgrade Video Walls: Automatically upgrade video walls when a new version is available.

Password Settings
The password settings define the rules for user passwords.

Choose System Settings > Settings, and then click the Password tab.

Password Settings
Setting: Description

Password Expiry Months: The number of months before a user password automatically expires. At the
end of this period, users are required to enter a new password.

Minimum Password Length: Enter a value between 1 and 40 to define the minimum number of characters
for a valid password. Passwords with fewer characters than the entered value
are rejected.
The default is 8 characters.

Maximum Password Length: Enter a value between 40 and 80 to define the maximum number of
characters for a valid password. Passwords with more characters than the
entered value are rejected.
The default is 40 characters.

Identical Password/Username Allowed: If selected, user passwords can be the same as their username.
If de-selected, user passwords must be different than their username.

3 Password Groups Required: If selected, user passwords must include characters from at least three
different types of characters, including:
lower case letters
upper case letters
symbols
numbers
If de-selected, user passwords can include only one type of character (for
example, all lower case letters).

Repeat Characters: If selected, user passwords can repeat the same 3 characters.
If de-selected, user passwords cannot repeat the same 3 characters.


Language Settings
Language settings define the user interface language, the date and time formats, and the first day of the
week. Modify the following settings as needed and click Save.

Language Settings
Setting: Description

System Language: Select a supported language for the user interface text.
To upload new or revised language packs.

Date Format: Select the date format displayed in system messages, alerts, and other generated
information. For example, MM/DD/YYYY means that dates will appear as month, day,
and year.
d = day
M = Month
y = year

Time Format: Select the time format displayed in system messages, alerts, and other generated
information.
For example, hh:mm:ss tt means that the time will be displayed as hours, minutes, and
seconds, and include the AM/PM notation.
hh = hour
mm = minute
ss = second
tt = A.M. or P.M.

First day of week: Select the day that should be considered the first day of the week.
For example, Monday.

Language Pack
Add language packages to display the Cisco Video Surveillance interface in additional languages. You
must upgrade the language packs on all servers in your deployment.

Procedure

Step 1 Download the language pack from cisco.com.


Step 2 Upload the language pack:
a. Log in to the Cisco VSM Operations Manager.
b. Go to System Settings > Language Settings > System Language.
c. Click and select the language pack from a local or network drive.
d. Click Upload.
Step 3 Select the language for the user interface:
a. After the system is restarted, log in to the Operations Manager.
b. Go to System Settings > Language Settings > System Language.
c. Select the system language.
d. Click Save.
Using Find
Enter a term or name in the Find field to quickly locate cameras, Media Servers, users, or other Cisco
VSM attributes. The Find field is located at the top of the left column and dynamically locates any item
in the open window (not just for the location selected)

Find

For example, open Cameras and then enter a name of a camera. The results are displayed below the Find
field, and are dynamically updated to display even partial matches. The example in Figure shows the
results of a partial search: entering Lo returns the camera Lobby Door.

Find Results
Lesson 2

Creating the Location


Overview
Locations allow you to organize your deployment according to the real-world
location of equipment and users. Locations also allow administrators to restrict
user access to the specific cameras, policies, and data (such as alerts) required
by the user's role within the organization. For example, while a super-admin
has full access to all locations and devices, a local campus administrator might
have access only to the devices and policies required to manage a specific site.
Locations
Define the physical location of devices, such as cameras, and the logical location of attributes, such as
camera templates. This allows system administrators to restrict user access to only the devices and
resources required by the different users in a deployment. For example, in a simple deployment, users
are assigned to the root level and gain access to all devices and resources. In larger deployments,
however, users can belong to user groups that are assigned to locations at lower levels. This restricts the
users' access to the devices at that location (and sub-locations). The users also have access to system
resources (such as templates and schedules) that are assigned to other locations.

Understanding a Camera's Installed Location vs. the Pointed Location
A location can represent where the device is physically installed, or a logical location. For example,
camera configurations include settings for both the Installed Location and the Pointed Location (Figure).
In the following example, a camera is installed on Building 1 but is pointed at the Building 2 lobby
doors.

Sample Camera Location Entry

Tip
This distinction is used when viewing video alarms. If an alarm occurs at Building 1, the Cisco Safety and Security
desktop application will display the alarm (for Building 1) even if the camera's installed location is Building 2
(since the camera is pointed at Building 1).
To automatically add camera map icons to the location maps based on the camera's Installed Location,
select the Auto Create Map Markers setting.
Creating and Editing the Location Hierarchy
To create or modify the locations in your deployment, do the following:

Procedure
Step 1 Log on to the Operations Manager.
You must belong to a User Group with permissions for Locations & Maps.

Step 2 Select System Settings > Locations.


Step 3 Select an existing location and click Add to add a new location or sub-location

Note
In a new system, only the System location appears.

Locations Menu

Add menu:
Choose Add Location (Shift-J) to add a location at the same level.
Choose Add Sub-Location (Shift-U) to add a sub-location to the existing location.
Enter the name and description.
Press Enter or click Save.

Update menu:

Choose Detent Location (Shift-<) to move the location one level higher in the hierarchy.
Choose Indent Location (Shift->) to move the location one level lower as a sub-location.
Choose Rename (Enter) to edit the location name. Press Enter or click Save.
Tip
Use the keyboard shortcuts (shown in parentheses) to quickly add or edit location entries.
You can also drag and drop location names within the location hierarchy.
Click Delete to remove an entry. You can only delete a location that does not have any resources assigned to the
location, or any of its sub-locations. If the delete operation fails, remove or reassign any associated resources and
try again.

Step 4 (Optional) Select a map for the location.


Select a map to define the aerial map view that is displayed when a location is selected using the Cisco
Video Surveillance Safety and Security Desktop (Cisco SASD) application.
Click Set.
Use the Zoom In and Zoom Out buttons and drag the map image to locate the city,
region or other aerial view that should be displayed.
Click Set to select the map as displayed on the screen.

Note
The Longitude and Latitude of the visible map are automatically entered in the location settings (Figure). The
second field displays the Zoom factor.

Setting the Base Map

Step 5 Press Enter or click Save to save the changes.


Importing the Location Hierarchy Using a CSV File
The location hierarchy can be imported using a comma separated value (CSV) file that includes
configuration details for each location required in your deployment (Figure). This same method can be
used to update the existing configuration.

Overview
Figure summarizes the process to import locations from a CSV file. All required fields must be included,
and all fields must have the correct syntax. If an error occurs, correct the CSV file and try again.

Importing Locations From a CSV File

Usage Notes
The Root location cannot be updated using the import location feature.
Location names cannot be updated using a CSV import. New location names are added as new
locations.
The Location CSV file must maintain the parent/child hierarchy order: the parent
location must come before the child location.
You cannot move a location using the CSV import.
Creating the CSV File
Create a file in plain text CSV format that can be opened and saved using Excel or OpenOffice Calc.
Blank rows or rows beginning with // are ignored.

CSV Import File

Procedure
Step 1 Download a sample import file:

a. Navigate to the Locations configuration page.


b. Choose Add and choose Import locations from file.
c. Click the Download Sample button.

Step 2 Open the CSV file in a program such as Excel or OpenOffice Calc.

Step 3 Modify the file to include the location settings described in Table

Import File Field Descriptions

Content  Required/Optional  Description
Location Name  Required  Enter the location name. For example: California
    You can add location names. Existing names cannot be updated.
Parent location path  Required  The location hierarchy. Use a delimiter (such as .) between the parent location
    and sub-locations.
    In the following example, California is a sub-location of the System parent location:
    System.California
    If California also has a sub-location, the entry would be:
    System.California.CampusA
    Note
    The Root location cannot be updated using the import location feature.
Description  Optional  For example: This location includes all cameras and servers in the San
    Francisco campus location.
Latitude, Longitude, Zoom  Optional  Defines the physical location of the entry on a map. All three must be entered if a
    map location is used.
    For example, if Latitude is entered, you must also include the Longitude and
    Zoom. If Zoom is entered, you must also include the Latitude and Longitude.

Step 4 Save the revised file in CSV format.

For example, in Excel, create the file and then choose Save As > Other formats. Select CSV
(Comma delimited) for the Save as type.

Step 5 Continue to Importing the CSV File
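
A pre-flight check for the import file, applying the rules stated above (ignored rows, required fields, parent before child, Latitude/Longitude/Zoom together) before the file is uploaded. This is an added example, not Cisco code; it assumes the columns appear in the order of the field table and that the path column holds the full path ending in the location's own name, as in System.California.CampusA.

```python
import csv
import io

ROOT = "System"   # root location named on the page
COLUMNS = 6       # assumed order: name, path, description, latitude, longitude, zoom


def _check_geo(lat, lon, zoom):
    """Return an error string for the Latitude/Longitude/Zoom trio, or None."""
    values = (lat, lon, zoom)
    if not any(values):
        return None
    if not all(values):
        return "Latitude, Longitude and Zoom must all be entered together"
    try:
        lat_f, lon_f, _zoom_f = (float(v) for v in values)
    except ValueError:
        return "Latitude, Longitude and Zoom must be numeric"
    if not -90 <= lat_f <= 90 or not -180 <= lon_f <= 180:
        return "Latitude/Longitude out of range"
    return None


def validate_location_csv(text, existing=(ROOT,), delimiter="."):
    """Return a list of (line_number, message) for rows the import rules reject.

    `existing` lists location paths already configured (assumption: the caller
    supplies them; only the root is known by default).
    """
    errors = []
    known = set(existing)
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        cells = [c.strip() for c in row]
        if not any(cells) or cells[0].startswith("//"):
            continue  # blank rows and rows beginning with // are ignored
        cells += [""] * (COLUMNS - len(cells))
        name, path, _desc, lat, lon, zoom = cells[:COLUMNS]
        row_errors = []
        if not name:
            row_errors.append("Location Name is required")
        if not path:
            row_errors.append("Parent location path is required")
        elif path == ROOT:
            row_errors.append("the Root location cannot be updated by import")
        else:
            parts = path.split(delimiter)
            parent = delimiter.join(parts[:-1])
            if name and parts[-1] != name:
                row_errors.append("path must end with the Location Name")
            if parent not in known:
                row_errors.append(f"parent '{parent}' must appear before its child")
        geo_error = _check_geo(lat, lon, zoom)
        if geo_error:
            row_errors.append(geo_error)
        if row_errors:
            errors.extend((line, msg) for msg in row_errors)
        else:
            known.add(path)  # later rows may now use this location as a parent
    return errors


# Constructed sample, not a file exported from Cisco VSM.
SAMPLE = """\
// Location Name,Parent location path,Description,Latitude,Longitude,Zoom
California,System.California,All California sites,,,
CampusA,System.California.CampusA,,37.77,-122.41,12

BuildingB,System.Nevada.BuildingB,,,,
CampusC,System.California.CampusC,,37.40,,
Nevada,System.Nevada,,,,
"""

if __name__ == "__main__":
    for line, message in validate_location_csv(SAMPLE):
        print(f"line {line}: {message}")
```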

Importing the CSV File


Complete the following procedure to import a CSV file. New location names will be added to the
configuration. Existing configuration names will be revised (for example, additional settings for Latitude
and Longitude can be added).

If the CSV file details are accurate and complete, the locations are added to Cisco VSM.
Cameras, Media Servers and other attributes can then be assigned to the locations.

If any required fields are left blank, or if any entry is invalid, the import action fails and an error
file is created that specifies the problems. Correct the CSV file and try again.

Procedure
Step 1 Log in to the Cisco VSM Operations Manager.
Step 2 Create the camera CSV file containing details for each location.

Step 3 Click System Settings > Location.

Step 4 Choose Add and choose Import locations from file.


Step 5 Complete each Import Step as described below:

a. Import Step 1 - Download Sample


(Optional) Click Download Sample to download a sample CSV import file. Use this sample to
create the import file as described in the Creating the CSV File section.
b. Import Step 2 - File Upload:
Click Choose to select the CSV file from a local or network disk. Click Upload.
c. Import Step 3 - Processing:
Wait for the import process to complete.
d. Import Step 4 - Results:
If a success message appears, continue to Step 6.
If an error message appears, continue to Step 5 e.
e. If an error message appears, complete the following troubleshooting steps:
Click Download Annotated CSV, save the error file and open it in Excel or OpenOffice
Calc.
Correct the CSV file in the //Error rows.
Save the revised file in the .CSV format.
Return to Step 4 and re-import the corrected CSV file.

Example of an Annotated CSV Import File (with Errors)


Step 6 Click Close.

Step 7 View the location hierarchy to determine if additional changes are required.

Impact of Device Location Changes on Alerts


Because device locations rarely change, the alert location will normally be the same as the device
location. However, if the device location is changed, the following will occur:

New events show the new location, but are added to the existing (and open) alert at the old
location.
When the alert is closed by an operator, any new events create a new alert at the new location
(the location reference in the alert is now consistent with the device location in the event).

Deleting a Location
Locations can be deleted only if no resources (such as cameras) are associated with the location or any
of its sub-locations.

Procedure
To delete a location or sub-location:

Step 1 Remove all devices and resources from the location and sub-locations.
You can reassign the devices and resources to a different location, or delete the items.

Step 2 Select System Settings > Locations.

Step 3 Select the location or sub-location.


Step 4 Click Delete.

Step 5 If the delete operation fails and an error message appears, remove or reassign any resources
that are associated with the location or sub-location and try again.
Lesson 3

Adding Users and User Groups
Overview
Refer to the following topics to create user accounts and define the features and
functions that can be accessed by those users. You can also provide access to
users that are managed on an external (LDAP) server.
Adding User Groups
User groups allow multiple users to be assigned the same set of access permissions. For example, all
lobby attendants can be assigned to a user group Lobby and security personnel to an Administrator
group. Although members of the Lobby group can view live and recorded video, they cannot make
configuration changes. Security administrators, however, can manage templates, schedules, cameras,
users, or other resources. These permissions are defined by the user Role assigned to the user group.

User groups are also associated with a specific location, allowing you to limit access to the Cisco VSM
resources in a specific location (such as a campus, building, or floor).

If a user belongs to more than one user group, the user inherits the combined rights and permissions of
all the groups.

Creating User Groups

Procedure
To create a user group, do the following:

Step 1 Select Users, and then select the User Groups tab.
The currently configured user groups are listed in the left column.

Step 2 Edit or add a user group:


To edit a group, click an existing entry to highlight it, and continue to Step 3.
To add a group, click the Add button.

Step 3 Enter the group settings.


User Group Settings
Setting Description
Name (Required) Enter a meaningful name.
Access Location (Required) Select the location that the users in this group will have access to. For example,
select California to restrict access to equipment and associated video (such as cameras, Media
Servers and video streams) that are also assigned to California or a sub-location.
Location Exception(s) (Optional) Select the locations within the Access Location that users should not be able to
access. For example, if you select the Access Location California, and the Location Exception
San Francisco, users in the group can access all California locations except San Francisco.
Role (Required) Select the Role that defines the access permissions for the group. To create or
modify the available Roles.
PTZ priority over other User Groups (Required) Select a number from 1 to 100 that defines the user group priority (relative to
members of other user groups) to use a camera's pan, tilt and zoom (PTZ) controls. User
groups with a higher number have priority over groups with a lower number.

For example, assign Operators a priority of 50, and Administrators a priority number 60.
Assign security personnel priority 70, and building managers priority 80.
The default is 100 (highest priority).

Note
If two users belong to user groups with the same priority, then the first user to access the PTZ controls
gains priority and can continue to use the controls.

You can also define the idle time that a lower priority user must wait to use the PTZ controls after a
higher priority user stops using the controls.

Live QoS (Required) Defines the priority of the user group to receive live video if network traffic is
heavy. The video quality is not affected, but user groups with a low QoS setting may have
dropped packets so user groups with a higher QoS setting can continue to receive
uninterrupted video.
Low: If network traffic is heavy, video packets may be dropped for users assigned to
this group.
Medium: the user group has secondary priority to receive video packets over the
network.
If network traffic is heavy, video packets may be dropped for users assigned to this
group.
High: the user group has the highest priority to receive video packets over the
network.
Archive QoS (Required) Defines the priority of the user group to receive recorded (archive) video if
network traffic is heavy. The video quality is not affected, but user groups with a low QoS
setting may have dropped packets so user groups with a higher QoS setting can continue to
receive uninterrupted video.
Low: If network traffic is heavy, video packets may be dropped for users assigned to
this group.
Medium: the user group has secondary priority to receive video packets over the
network.
If network traffic is heavy, video packets may be dropped for users assigned to this
group.
High: the user group has the highest priority to receive video packets over the
network.
Allow Site Change (Optional) Select Allow Change Site to allow users to change their Site after logging into
the Operations Manager. This option is disabled (deselected) by default when adding a
new user group.

Deselect to disable Site changes. Users must log out and log back in to change
Sites.
Users can only change Sites if they are assigned to User Groups with access to
multiple Sites.
If a user selects the Not in Any Site option, then video from cameras in Sites
that have the Dynamic Proxy option enabled will be streamed from the Dynamic
Proxy server.
Note
Users who have access to multiple sites, but do not have the option to change sites, will default to
Not in any site when logging in.
If a Site's Dynamic Proxy option is disabled (deselected), video from cameras at the Site will be
delivered to all users by the Site's Media Servers (and not by a Dynamic Proxy server).

Tip
Sites are used to define if you are inside or outside a location served by a Dynamic Proxy server.

Defaults
Allow Site Change is disabled by default when adding a User Group.
Allow Site Change is enabled by default for all User Groups when upgrading to release 7.5
(or higher) from a previous release.
Tags (Optional) Enter keywords used by the Find function.
Description (Optional) Enter a description of the rights granted by the Role.
Approval Required (Optional) If selected, a second user is required to approve the user login. When the user
logs in, a window appears requiring a second user to enter their username and password.
Approval Usergroup (Required if Approval Required is selected). Select a User Group that can approve logins
for members of the Approval Required usergroup.
Allow Multiple Logins (Optional) Allows users with the same credentials to log in from multiple workstations.
This setting is enabled by default.

Note
Users who configure unattended video walls (using the Cisco SASD Wall Configurator) must
belong to a user group that allows multiple logins. This is because each unattended video wall
requires a unique Cisco VSM login session for the video wall to be displayed.

Step 4 Add users who will be granted the group permissions.


Click Add under the User box.
Select one or more users from the pop-up window.
Select OK.

Tip
Press Shift-click or Ctrl-click to select multiple users.

Step 5 (Optional) Add an LDAP server filter, if necessary.

Step 6 Click Create or Save to add or edit the user group.
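
A model of how Access Location, Location Exception(s) and multiple group memberships combine, written as an added example for auditing group assignments (not Cisco code). It assumes each group's permissions apply only inside that group's location scope and uses the dotted path notation from the CSV import section; the permission labels are hypothetical stand-ins for a Role.

```python
from dataclasses import dataclass

DELIM = "."  # hierarchy delimiter, as in System.California.CampusA


@dataclass(frozen=True)
class UserGroup:
    name: str
    access_location: str                    # e.g. "System.California"
    exceptions: tuple = ()                  # Location Exception(s)
    permissions: frozenset = frozenset()    # hypothetical labels standing in for the Role


def is_within(location, ancestor):
    """True if location is the ancestor itself or one of its sub-locations."""
    return location == ancestor or location.startswith(ancestor + DELIM)


def group_grants(group, location):
    """Apply one group's Access Location and Location Exception(s)."""
    if not is_within(location, group.access_location):
        return False
    return not any(is_within(location, exc) for exc in group.exceptions)


def effective_permissions(groups, location):
    """Union of the permissions of every group that grants this location."""
    granted = set()
    for group in groups:
        if group_grants(group, location):
            granted |= group.permissions
    return granted


def overridden_exceptions(groups):
    """Find exceptions that another membership of the same user reaches into.

    Returns (group, excluded location, overriding group) tuples. Because a user
    inherits the combined rights of all groups, an exception in one group does
    not keep the user out if a second group grants that location.
    """
    findings = []
    for group in groups:
        for exc in group.exceptions:
            for other in groups:
                if other is group:
                    continue
                if group_grants(other, exc) or is_within(other.access_location, exc):
                    findings.append((group.name, exc, other.name))
    return findings


# Constructed memberships for one user, using the page's group and location names.
LOBBY = UserGroup(
    "Lobby",
    "System.California",
    ("System.California.SanFrancisco",),
    frozenset({"view_live", "view_recorded"}),
)
ADMIN = UserGroup(
    "Administrator",
    "System.California.SanFrancisco",
    (),
    frozenset({"manage_cameras"}),
)

if __name__ == "__main__":
    for finding in overridden_exceptions([LOBBY, ADMIN]):
        print("exception overridden:", finding)
```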


Adding Users
Users provide login access to individuals. Once user accounts are created, you can assign the users to
one or more user groups. User groups provide the users with access permissions and limit access to
specific locations.

Creating Users

Tip
A second user (such as a manager) can also be required to approve when a user logs in.

Procedure

To create users, do the following:


Step 1 Select Users, and then select the User tab.
The currently configured user groups are in the left column.
Step 2 Edit or add a user:
To edit a user, click an existing entry to highlight it, and continue to Step 3.
To add a user, click the Add button.

Step 3 Enter the basic user settings.


User Settings
Setting Description
Username (Required) The username is used to log in to the Operations Manager
and Cisco Video Surveillance Safety and Security Desktop.
First Name (Required) Enter the user's first name.
Last Name (Required) Enter the user's last name.
Email (Optional) Enter an email address for the user.

The email address is for informational purposes only.

Password (Required) Enter the initial password for the user.

The password minimum length is 8 characters and must include
one uppercase character and one digit.
The user is prompted to change the password the first time they
log in.
If the user forgets their password, an administrator can change
the password, which will again require the user to enter a new
password on first login.

Tips
Only super-admins can use this field to change another user's password.
All other users can change their own password by clicking on their
username in the top right corner of the browser.
Super-admins can use this field to change their own password.

Confirm Password Re-enter the password.
Tags (Optional) Enter the keywords used by the Find feature.
Description (Optional) Enter a description for the user.

Step 4 (Optional) Add the user to one or more user groups.

Click Add under the User Groups box.


Select one or more user groups from the pop-up window.
Select OK.

Step 5 Select Create or Save to save the changes.


Adding Users from an LDAP Server
Add an LDAP (Lightweight Directory Access Protocol) server to the Cisco VSM user configuration to
provide access to members of an external user database. After the LDAP server is added, users from that
system can log in to Cisco VSM using the credentials configured on the LDAP server (the users do not
need to be added individually to the Operations Manager configuration).

LDAP Usage Notes


LDAP users can be added or removed from the source database without affecting Cisco VSM.
When the LDAP user logs in to Cisco Video Surveillance, their credentials are authenticated
with the LDAP server, and access is granted or denied based on the LDAP response.
Use LDAP filters to limit the users who can access Cisco VSM.
To delete an LDAP server, you must unassociate the LDAP server from all Cisco VSM user
groups.
The maximum number of filters is 500.

Upgrade Requirements
New fields were added in Cisco VSM release 7.0.1 to simplify the LDAP server configuration. After
upgrading from release 7.0.0, the administrator must reconfigure the LDAP server settings including the
following:

Review all LDAP server configurations in the Operations Manager and update missing
information after the upgrade.
Verify and reconfigure the binding requirements.
Reconfigure the LDAP filters and User Group associations for each server.
Note
These settings are not imported automatically upon upgrade. Operations Manager will not prompt the
administrator or display messages that indicate the new fields that need to be updated. Carefully review
the LDAP configuration descriptions and instructions to implement the required changes.
You must be logged in to the localhost domain to apply these changes (Figure).

Localhost login for LDAP Configuration Changes


LDAP Server Settings
The LDAP server settings define the network address of the LDAP server, the method used to bind
(connect) Cisco VSM with the server, the location of the LDAP user information, and the filters that
define the specific LDAP users that can access the Cisco VSM system.

LDAP Server Settings

The following table describes the purpose and requirements for each setting

Note
The LDAP server settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.

LDAP Server: General Information Settings


Setting Description
Anonymous Binding (Optional) Select this option if the LDAP server being configured supports anonymous
access.
Name (Required) Enter a descriptive name for the server.
Hostname (Required) Enter the server hostname or IP address.
Port (Required) Enter the server port. Port 389 is typically used for LDAP communication.
Principal (Required)
The Principal setting is used to bind Cisco VSM to the LDAP server. In other words, the Principal
setting defines the user information used to authenticate individual users with the LDAP server.

The Principal entry includes the %USERID% variable, which represents the userID configured on the
LDAP server. The %USERID% and password are entered when the user logs into Cisco VSM, and are sent
to the LDAP server for authentication.

If the Principal path (Bind DN) contains the userid, enter the Principal in the following pattern:
CN=%USERID%,OU=Company Users,DC=mycompany,DC=com

If the Principal path (Bind DN) contains the user's full name instead of the userid (for example, CN
represents the full name instead of the userid), especially for AD servers, then enter the Principal
in the following pattern: %USERID%@domain.com.

The following illustration shows an LDAP configuration that uses the userID as the CN.

Anonymous Binding

Select this option if the LDAP server allows anonymous access and you prefer to connect and search the
LDAP server anonymously in order to authenticate the users logging in to Cisco VSM.

Anonymous Binding requires only the base DN, and does not require the %USERID% variable. For
example:
ou=employees,ou=people,o=mycompany.com

Note
The following error is returned if the LDAP server does not support Anonymous Binding:

Operation failed: User <user id> is not found in LDAP or given distinguished name does not
support anonymous access.
User Search Base (Required, except for Anonymous Binding)
The Search Base indicates the lowest level of LDAP hierarchy where users will be found. User
information includes attributes such as first name, last name, email address, etc.

For example: OU=Company Users,DC=Mycompany,DC=com

Anonymous Binding
This field is optional for Anonymous Binding.

Userid Attribute (Required)


Enter the name of the LDAP mapping field where the User ID is stored. For example:

cn
uid
userid
sAMAccountName (Active Directory only: this value is used only with Active Directory servers). The
following illustration shows an LDAP configuration that uses the sAMAccountName field for the
userID.

Firstname Attribute (Optional, if defined on the LDAP server).

The name of the LDAP server attribute that holds the user's first name.
For example: givenName or displayName.
Lastname Attribute (Optional) The name of the LDAP server attribute that holds the user's surname.
For example: sn (if defined on the LDAP server).
Email Attribute (Optional) The name of the LDAP server attribute that holds the user's email address.
For example: mail (if defined on the LDAP server).
Tags (Optional) Words that assist in a Find.
Description (Optional) Description of the LDAP server. For example: the server purpose, location,
or user base.
LDAP Search Filter Settings
Filters restrict authentication to a subset of users (the filter represents a user group that is defined on the
LDAP server). Each filter can be associated with a different user group, which grants LDAP users in that
filter the access permissions of the Cisco VSM user group. This allows you to grant different
permissions to different sets of users.

For example, a filter for the dept_eng users can be associated with an admin user group, while
everyone else in company_eng is made an operator.
The maximum number of filters is 500.

Note
The LDAP filter settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you
must revise the configuration to conform to the new fields and requirements.

LDAP Filter Settings


Field Description
Name Enter a descriptive name for the filter. For example: Security users
User Search Path The directory path where user groups are stored on the LDAP hierarchy.
In some LDAP configurations, the user information and user group information are in
different locations. The User Search Base field specifies the hierarchy location below
which the user group information is located.
For example: ou=groups,dc=mycompany,dc=com

User Group Filter Enter the LDAP syntax that limits access to members of a specific group on the
LDAP server.
For example, to match any user who is a member of the vsomadmin user group, the user
group search filter is:
(&(sAMAccountName=%USERID%)(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))

The variable %USERID% matches the user ID entered by the user at the login screen with
an Active Directory record with the same user ID (sAMAccountName), and that Active
Directory record must also be a member of the user group
CN=vsomadmin,OU=Groups,DC=company,DC=com.
To match an individual Active Directory user ID johndoe, the user group search
filter is:
(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))

This example matches the user ID entered by the user at the login screen with an Active
Directory record with the same user ID (sAMAccountName), and the Active Directory
record must have the sAMAccountName johndoe.
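
How a %USERID% template from the Principal and User Group Filter fields can be expanded so that the typed user ID stays a literal value: RFC 4515 escaping inside a search filter and RFC 4514 escaping inside a DN. This is an added example, not Cisco code, and the page does not document how Cisco VSM itself performs the substitution; the function names are hypothetical and the sample user IDs are constructed.

```python
USERID_VAR = "%USERID%"

# Templates quoted from the settings tables above.
GROUP_FILTER = ("(&(sAMAccountName=%USERID%)"
                "(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))")
PRINCIPAL = "CN=%USERID%,OU=Company Users,DC=mycompany,DC=com"


def escape_filter_value(value):
    """RFC 4515: encode NUL, '(', ')', '*' and backslash as a backslash plus two hex digits."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514: escape characters that are special inside an RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)   # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def _expand(template, userid, escaper):
    if USERID_VAR not in template:
        raise ValueError("template has no %USERID% variable")
    return template.replace(USERID_VAR, escaper(userid))


def expand_filter(template, userid):
    """Substitute the user ID into a search filter template."""
    return _expand(template, userid, escape_filter_value)


def expand_principal(template, userid):
    """Substitute the user ID into a DN-style Principal (Bind DN) template.

    The %USERID%@domain.com form is not a DN and is not handled here.
    """
    return _expand(template, userid, escape_dn_value)


def parens_balanced(ldap_filter):
    """Structural check: every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for userid in ("johndoe", "j*doe", "o(ps)"):   # constructed inputs
        expanded = expand_filter(GROUP_FILTER, userid)
        print(userid, "->", expanded, parens_balanced(expanded))
    print(expand_principal(PRINCIPAL, "doe, john"))
```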
LDAP Configuration Procedure
Complete the following procedure to bind an LDAP server to Cisco VSM, and associate the LDAP user
with a Cisco VSM user group.

Note
To configure LDAP servers, you must log in with super-admin privileges, using the localhost Domain.

Procedure
Step 1 Log on to the Cisco VSM using the following:

An account that belongs to a User Group with super-admin access permissions (for
example, admin)
Select the localhost Domain.

Localhost Login for LDAP Configuration Changes

Step 2 Select the LDAP Server tab.

Step 3 Click Add (or select an existing entry to edit a server).


Sample LDAP Server Settings

Step 4 (Required) Enter the General LDAP server settings.

a. Enter the settings.


b. Click Test and enter the test username and password (credentials are not required if
Anonymous Binding is selected).
c. If the test fails, correct the settings and try again.

Note
The LDAP server settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.

Step 5 (Required) Define one or more LDAP Search Filters.

The maximum number of filters is 500.

a. Click Add
b. Enter the settings
c. Click Test to verify the filter. You must enter a valid username and password for the LDAP
server and filter. If the test fails, correct your entries and try again.

Note
The LDAP filter settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.

d. (Optional) Repeat Step 5 to add additional filters. Each filter allows those LDAP users to access
Cisco VSM (based on the user group assignments).
Step 6 (Required) Click Create or Save to save the LDAP server settings.

Step 7 (Required) Add the LDAP server/filters to a Cisco VSM user group.

The user group(s) define the Cisco VSM access permissions for the LDAP users (defined by the filter).

The LDAP server/filters can be added to multiple user groups. The users gain the combined access
permissions of all associated user groups.

Adding an LDAP Server to a User Group

a. Select the User Groups tab.

b. Select a user group.

c. In the LDAP Server section, click Add.

d. Select the LDAP Server name that includes the appropriate filter and click OK.

Tip
The filter defines a sub-set of LDAP users that will gain the user group access permissions.

e. Click Save.

Step 8 (Optional) Click the LDAP Server tab to verify that the user group appears in the LDAP
server configuration.

Step 9 (Optional) Log out and log back in using the credentials for an LDAP user (Figure).
Select an LDAP Login Domain

a. Click Log Out.

b. In the Cisco VSM Login page, enter the Active Directory username and password.

c. From the Domain menu, select the LDAP server name and filter combination.

d. Click Log In.

Viewing and Logging Out Active Users


The Active Users page displays information about the user accounts that are currently logged in to the
Cisco Video Surveillance system. This page is available to super-admins only.

Choose Operations > Active Users.

To discontinue an active user session, select an entry and click Kill Session. Users that are logged out in
this method can continue watching the video they are currently viewing. But users must log in again if
they attempt to access new video streams or open a new video pane.

Active User Fields

Setting Description
Username The username of the account used to access the system.
First Name The first name in the user account
Last Name The last name in the user account
User Group(s)
The user groups the user is assigned to.

User groups define the user role and location for member users, which defines
the cameras and resources they can access.
Super-admin Indicates if the user account is assigned the super-admin role.
Logged-In Time The date and time when the user logged in.
Last Access Time The date and time the user last performed any action on the system.
From IP The IP address of the device or computer used to access the system.
Note
You cannot kill (end) your own user session.
Tip
To view a history of user activity, go to Operations > Audit Logs.
Lesson 4

Configuring Servers
Overview
A server is a physical or virtual machine (VM) that runs the Cisco Video
Surveillance system software. Each server can run one or more server services.
For example, the Operations Manager is a server service that provides the user
interface used to configure and manage a Cisco Video Surveillance
deployment.

Additional services can be enabled when the server is added to the Operations
Manager configuration. For example, a server can be added as a Media Server,
Maps Server or Metadata Server that supports those features and functions for
the entire deployment.
Understanding Server Services
Each server can run one or more services that provide features and functions for the Cisco Video
Surveillance system. For example, the Operations Manager provides the configuration interface and
management features for the entire deployment, the Media Server service manages cameras and encoders
and plays and records video, and the Maps service supports image layers used in location maps. In
addition, a Federator service allows users to view the resources from multiple Operations Manager
deployments.

Adding or Editing Servers


To add or edit servers, select System Settings > Servers, and click Add. You can add a single server
manually, or import multiple servers using a CSV file.

Note
The Operations Manager server (VsomServer) is added by default and cannot be deleted. All servers are
assigned the Primary HA role by default.
Tip
Select an existing entry to revise an existing server configuration.

Overview
To manually add a single server, open the server configuration page and click. If the server is not
available on the network, it can be added in pre-provisioned state (Figure).

Adding a Server

Pre-Provisioning Servers
Pre-provisioning allows you to add a server before it is installed or available on the network. The
server is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned server can
be modified, but cannot stream or record video.

If a server is pre-provisioned, the Media server service is activated by default. This allows
pre-provisioned cameras and encoders to be added to the pre-provisioned server.
After the server is installed and available on the network, you can enable it by choosing
Device Settings > Enable from the server configuration page. The server configuration must
be complete, and Cisco VSM must be able to verify network communication or the enable
action will fail.
Tip
Use Bulk Actions to enable multiple servers.

Prerequisites
The server(s) must be installed on a physical machine, or as a virtual machine (VM).
Complete the server initial configuration (including network settings) using the Setup Wizard available
in the browser-based Cisco VSM Management Console.

Adding or Editing a Single Server


Procedure
To add a new server, complete the following procedure.

Note
The Operations Manager server (VsomServer) is added by default and cannot be deleted. All servers
are assigned the Primary HA role by default.

Step 1 Install the server and complete the Initial Setup Wizard using the browser-based Management
Console.

Cisco Physical Security UCS Platform Series User Guide


Cisco Video Surveillance Virtual Machine Deployment and Recovery Guide for UCS
Platforms
Cisco Video Surveillance Management Console Administration Guide.

Step 2 Log on to the Operations Manager.

You must belong to a User Group with permissions for Servers & Encoders.

Step 3 Add a server license, if necessary.

Each Media Server requires a license in order to be added to the Operations Manager
configuration.

Step 4 Select System Settings > Servers.

Step 5 Click Add.

Tip
To edit a server, click an existing entry to highlight it.
If you are adding a server that was previously configured in Cisco VSM, you will be prompted to import or discard
any camera configurations or recordings that exist on the server.

Step 6 (Add only) Complete the initial server setup:


Add a Server

Server Settings

Setting Description
Hostname/IP The hostname or IP address used by the Operations Manager to access the server.
Username (Read-only) The default username for all servers is localadmin.

The username cannot be changed.


Password The server password.

Tip
The server password is initially defined using the Cisco Video Surveillance Management Console
interface.
Name A meaningful name for the server. For example, Primary Server or Campus A Server.
Service Type The service that runs on the server.

Select a service to enable the service functionality.


Install Location The location where the server is installed.

The location determines the cameras and users that can access the server.
Cameras/encoders and their associated Media Servers must belong to the same Site (you cannot
associate a camera in Site A to a Media Server in Site B).

Click Add.

If the validation is successful, continue to Step 7.


If the server cannot be found on the network, an error message appears.
o Verify the server hostname and login credentials and return to Step 5 to try again.
o You can also Pre-Provision the server, meaning it is added to the configuration but remains
non-functional. Select Device Setting > Enable when the configuration is complete, or use
Bulk Actions to enable multiple servers.

Step 7 (Optional) Enter or revise the additional settings, if necessary.

Step 8 Assign cameras and encoders to the Media Server service on the server, if necessary. Cameras
and encoders can be assigned to the Media Server even if the server is pre-provisioned.

Step 9 Click Save.


Importing or Updating Servers Using a CSV File
Multiple servers can be imported using a comma separated value (CSV) file that includes configuration
details for each device. This same method can be used to update existing server configurations.

Overview
The figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled
state if all required configurations are included, or in Pre-Provisioned state if configurations are missing
or if the devices are not yet available on the network. If an error occurs, correct the CSV file and try
again.

Importing Servers from a CSV File

Usage Notes

Servers can be pre-provisioned in Release 7.2 and higher.


You can choose to retain the devices (cameras and encoders) that were previously associated
with the server, or discard them. Any discarded devices must be re-added, if required.
o Enabled cameras and encoders associated with the server are added to the Operations
Manager.
o You can also choose to Pre-Provision the devices, meaning they are added to the
configuration but are not functional until available on the network.
o Soft deleted cameras are added to the Operations Manager in the soft-deleted state,
which allows recordings to be accessed.
o Disabled cameras are not added to the Operations Manager configuration.
Entries with non-ASCII characters must be tab delimited. Entries that include only ASCII
characters can be comma delimited.
Creating the CSV File

Create a file in plain text CSV format that can be opened and saved using Excel or OpenOffice Calc.
Blank rows or rows beginning with // are ignored.

Example of a Server Import File

The CSV file can be created in plain text using a program such as Excel or OpenOffice Calc. For
example, in Excel, create the file and then choose Save As > Other formats. Select CSV (Comma
delimited) for the Save as type.

The fields (columns) must follow a specific format, which is shown in the downloadable sample.

Server Import File Field Descriptions

Content | Required/Optional | Description

Comment // | Optional | Blank rows or lines/cells starting with "//" are treated as comments and ignored.

Name | Required | Enter the server name. For example: Primary Server

Host name or IP address | Required | The network address for the physical or virtual machine.

Install Location Path | Required | Enter the location where the server is physically installed, or the physical location of the cameras and encoders supported by the camera. For example: USA.CA.SJ.28.Lobby
Tip
To view the location path, go to System Settings > Locations and highlight the location name.

localadmin password | Required | The password configured on the server to provide network access from the Operations Manager.
This setting changes the Operations Manager's understanding of the server password. This does not change the actual server password.
Note
The default username for all servers is localadmin. The username is read-only and cannot be changed.

Server Role | Required | The high-availability role of the server. The options are:
primary_server
redundant_server
failover_server
long_term_storage_server

Tags | Optional | Keywords used by the Find field.
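An added example, not part of the Cisco documentation: a pre-upload check that applies the rules above (ignored // rows, the Required fields, the four Server Role values, and tab delimiting for non-ASCII entries) to a server import file. The column order, field keys and sample rows are assumptions constructed for the example; take the real column order from the downloadable sample.

```python
import csv
import io

# Assumed column order for this example only; the authoritative layout is the
# sample file downloaded from the import wizard.
COLUMNS = ["name", "host", "install_location_path",
           "localadmin_password", "server_role", "tags"]
REQUIRED = COLUMNS[:5]  # every field except Tags is marked Required
ROLES = {"primary_server", "redundant_server",
         "failover_server", "long_term_storage_server"}


def lint_server_csv(text):
    """Check a server import file before upload.

    Returns (rows, problems): rows is a list of dicts for the rows that
    passed, problems is a list of (line_number, message). Messages name
    fields but never echo the localadmin password cell.
    """
    rows, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank rows are ignored
        delimiter = "\t" if "\t" in line else ","
        parsed = next(csv.reader(io.StringIO(line), delimiter=delimiter))
        cells = [c.strip() for c in parsed]
        if cells[0].startswith("//"):
            continue  # rows whose first cell starts with // are comments
        if delimiter == "," and not line.isascii():
            problems.append((lineno, "non-ASCII entry must be tab delimited"))
            continue
        cells += [""] * (len(COLUMNS) - len(cells))  # pad short rows
        row = dict(zip(COLUMNS, cells))
        found = []
        missing = [c for c in REQUIRED if not row[c]]
        if missing:
            found.append("missing required field(s): " + ", ".join(missing))
        if row["server_role"] and row["server_role"] not in ROLES:
            found.append("unknown server role: " + row["server_role"])
        if found:
            problems.extend((lineno, msg) for msg in found)
        else:
            rows.append(row)
    return rows, problems


# Constructed sample input (hostnames, locations and passwords are made up).
SAMPLE = (
    "// Name,Host,Install Location Path,Password,Role,Tags\n"
    "Primary Server,10.0.0.10,USA.CA.SJ.28.Lobby,Example-Pw-1,primary_server,core\n"
    "\n"
    "Campus A Server,vsm-a.example.test,USA.CA.SJ.28.Lobby,Example-Pw-2,backup_server,\n"
    "Campus B Server,10.0.0.12,USA.CA.SJ.28.Lobby,,failover_server,\n"
    "Z\u00fcrich Server,10.0.0.13,CH.ZH.1,Example-Pw-3,redundant_server,\n"
    "Z\u00fcrich Server\t10.0.0.13\tCH.ZH.1\tExample-Pw-3\tredundant_server\t\n"
)

if __name__ == "__main__":
    ok_rows, issues = lint_server_csv(SAMPLE)
    print(len(ok_rows), "row(s) ready for import")
    for lineno, msg in issues:
        print("line", lineno, "-", msg)
```

Because the import file carries the localadmin password for every server in clear text, the check reports only field names and line numbers.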

Importing the CSV File


Complete the following procedure to import servers using a CSV file.

Procedure

Step 1 Create the CSV file containing details for each server.
Step 2 Select System Settings > Servers.
Step 3 Choose Add and Import servers from file.
Step 4 Complete each Import Step as described below:
a. Import Step 1 - Retain Device(s)
(Cameras only) Select the Retain box if existing device(s) found on the server during import
should be retained. If selected:
Enabled cameras and encoders associated with the server are added to the Operations
Manager.
Soft deleted cameras are added to the Operations Manager in the soft-deleted state, which
allows recordings to be accessed.
Disabled cameras are not added to the Operations Manager configuration.
Select Pre-Provision to pre-provision the devices:
Cameras and encoders associated with the server are added in the pre-provisioned state.
Pre-provisioned devices must be enabled once the configuration is complete.
b. Import Step 2 - Download Sample
(Optional) Click Download Sample to download a sample CSV import file. Use this sample to
create the import file as described in the Creating the CSV File section on page 6-21. Click
Next.
c. Import Step 3 - File Upload.
Click to select the CSV file from a local or network disk. Click Upload.
d. Import Step 4 - Processing:
Wait for the import process to complete.
e. Import Step 5 - Results Success:
If a success message appears, continue to Step 5.
If an error message appears, continue to Step 4.
f. If an error message appears, complete the following troubleshooting steps:
Click Download Annotated CSV, save the error file and open it in Excel or OpenOffice
Calc.
Correct the annotated errors and save the revised file in the CSV format.
Correct the CSV file in the //Error rows
Click Start Over to re-import the fixed file.
Return to Step 3 and re-import the corrected CSV file.

Import Error File

Step 5 Click Close once the import process is complete.


Step 6 View the device status to determine if additional configuration is required.
Step 7 Complete the camera and encoder configurations to enable the devices.

Deleting a Server
To remove a server you must remove all devices and other associations with the server, or the job will
fail.

Usage Notes
You can only delete a server that is not associated with cameras or encoders.
The Operations Manager server (VsomServer) cannot be deleted.
When a camera is moved to a Media Server on a different server, recordings begin again.
Any existing recordings remain on the old Media Server. If the old Media Server is deleted, any
associated recordings are removed.
If the server is unreachable, and no HA servers are configured, the user is given an option to
force-delete the server, which also deletes all camera configurations and recordings. All
associated cameras must be re-added to Cisco VSM, and all recordings are lost.
Procedure
Step 1 Log on to the Operations Manager.
You must belong to a User Group with permissions for Servers & Encoders.
Step 2 Verify that all cameras and encoders associated with the Media Server are switched to a
different Media Server.
The cameras' existing recordings will remain on the old server.
Step 3 Click System Settings > Servers.
Step 4 Select the server name.
Step 5 Click Delete.
Step 6 Click OK to confirm.
Step 7 Wait for the Job to complete.
Viewing Server Status
To view the status of a server, click the Status tab in the server configuration page (Figure).

Device Status
Server Device Status

Device States
State Description
Enabled: OK The device is operating normally and has no errors.

Enabled: Warning A minor event occurred that did not significantly impact device operations.

Enabled: Critical An event occurred that impacts the device operation or configuration.

Pre-provisioned The device is added to the configuration but not available on the network.
The device is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
device can be modified, but the device cannot stream or record video until the configuration is complete
and you choose Device Settings > Enable.

Usage Notes
Click the Status History tab to view detailed information regarding the events or alerts that impact the
Device Status. For example, if a Synchronization mismatch occurs, and the Configuration status changes
from OK to a synchronization alert, click the Status History tab to view details for the errors that caused
the mismatch.
Click Reset Status to clear status issues that do not automatically clear when the issue is
resolved.
See the following options to repair configuration issues or reset the device state:
Repairing the Configuration or Restarting the Server

Resetting the Server Device State.


Resetting the Server Device State

Click the Reset Status button on the server Status page to clear device status and configuration issues.

Clears status issues that do not automatically clear when the issue is resolved. For example, an
issue that causes a coredump might still display a critical error in the Operations Manager even
if the issue is resolved.

Performs a Repair Configuration that synchronizes the server configuration with the Operations
Manager (mismatched configurations on the Media Server are replaced with the Operations
Manager settings).

Note
Any unresolved configuration issues will reappear after the reset.

Only the server state is reset, not the device alerts or events. You must still acknowledge or
clear any alert using the Cisco Video Surveillance Safety and Security Desktop.
To access the Reset Status button, you must be a Super-Admin or belong to a user group
assigned to the super_admin_role (a super-admin is anybody that has all permissions at the root
location).

Repairing the Configuration or Restarting the Server

From the General tab, select the Device Setting menu and select one of the actions described in Server
Operations.

Operation Description
Replace Configurations Overwrite all configuration settings on the server with the settings in the Operations
Manager.
Repair Configurations Push only the configuration changes required to correct a mismatched field.
Changes are pushed from the Operations Manager to the Media Server.

Restart Reboot the server and trigger a synchronization (Repair Configuration).

Note
The restart period can last 1 minute or longer. During this time, the Cisco VSM system will
be offline and inaccessible.
Operations Manager Advanced Settings
SMTP Management Settings
The SMTP Server is used to send email notifications. Enter the server settings on the Operations
Manager server to enable this feature.

Note
SMTP settings are the only available Operations Manager advanced settings in this release.

Operations Manager Advanced Settings

Usage Notes
The SMTP settings are required if the Operations Manager application is enabled on the server.
SMTP settings can only be set for the Operations Manager server (VsomServer).
SMTP settings in the Cisco VSM Management Console are also shown in the
Operations Manager configuration.


Procedure

Step 1 Log in to the Operations Manager.


Step 2 Click System Settings > Servers and select the Operations Manager (VSOM) server.
Step 3 Click the Advanced icon next to the Video Surveillance Operations Manager (Figure).
Step 4 Enter the SMTP Management settings to send server-generated emails.
SMTP Settings
Field Settings
SMTP Server The IP address or hostname of the SMTP server used to send emails.
From Address The email address that appears in the from field. User replies will be sent to
this address. This field is required to send e-mails when an SNMP event
occurs.
Lesson 5

Adding and Managing Cameras
Overview
Refer to the following topics for information to add, configure, and manage
cameras in a Cisco VSM deployment.
Understanding Network and Analog Cameras
Two types of cameras can be added to Cisco VSM:

IP cameras (also called network cameras) are connected directly to the network and are added to
Cisco VSM by entering the camera's IP address and other settings.

Analog cameras are connected to an encoder. The encoder provides network connectivity and
digitizes the analog video.

The following steps summarize how to add or update a video camera.

Step
Step 1 Log on to the Operations Manager.
Step 2 Configure recording schedules.
Step 3 (Optional) Add camera templates.
Step 4 (Optional) Add camera encoders to support analog cameras.
Step 5 Add one or more cameras.
Step 6 Edit additional camera settings.
Step 7 (Optional) Create a custom configuration for a single camera.
Step 8 Configure the Image Settings, such as PTZ, motion detection, and brightness and contrast.
Step 9 Configure the high availability options.
Step 10 Create actions that are triggered by camera events.
Viewing Cameras
To display cameras already configured on the system, click Cameras and then choose the Cameras tab.
You can view the cameras for a location, Media Server, or template by clicking one of the icons
described below.

Click a camera name to view and edit the settings for that camera. Click a template name to edit the
settings applied to all cameras associated with the template.

Cameras Tab

Tab Description
Cameras By Location Displays the cameras assigned to each location.
For example, click the Cameras By Location tab and then select a location
name. The cameras assigned to that location are listed by name. Click a camera
name to display and edit the camera settings.

Cameras by Media Server Displays the cameras assigned to each Media Server.

If only one Media Server is used, all cameras will be listed.


Cameras By Template Displays the cameras assigned to each template.

Tip
The number next to the template name indicates the number of cameras assigned to the
template.

Note
The camera configuration pages may not display properly if the Internet Explorer (IE)
compatibility view box is checked. Deselect this option, if necessary.
Viewing a List of Supported Cameras
To view the camera models supported in the Cisco Video Surveillance release you are using, open the
model list when adding a camera.

Procedure
Step 1 Click Cameras and then choose the Cameras tab.

Step 2 Select the Camera Type: IP Camera or Analog Camera.

Step 3 Click the Model field.


A list of supported cameras for that camera type and the Cisco Video Surveillance release
is displayed.

Step 4 Expand the Manufacturer names to view the list of supported models.

Supported Cameras
Manually Adding Cameras
Cameras can be added to Cisco VSM individually, or in groups. You can add cameras that are already
installed, or pre-provision cameras that are not yet available on the network. Network cameras can also
be discovered on the network and automatically configured or held offline until approved by an
administrator. In addition, if you add a Media Server that was previously installed in another VSM 6.x or
7.x deployment, you will be prompted to add or discard any cameras configured on that server.

Manually Adding a Single Camera


To manually add a single camera, open the camera configuration page and click Add. Enter the camera
settings.

If the device is not available on the network, it can be added in pre-provisioned state.
Manually Adding a Camera or Encoder

Note
All required fields must be complete to add a camera manually. You cannot submit a partial configuration.

Pre-Provisioning Cameras
Pre-provisioning cameras allows you to add the cameras before they are installed or available on the
network. The camera is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
camera can be modified, but the camera cannot stream or record video.
After the camera is installed and available on the network, you can enable the camera by choosing
Enable from the Device Settings menu. The camera configuration must be complete, and Cisco VSM
must be able to verify network communication or the enable action will fail.
Usage Notes
To add the camera, you must choose a pre-defined configuration template and camera location.
Only users with access permissions to that same location can view video from the camera.
To make configuration changes, users must have Camera management permissions.
The camera must be assigned to a Media Server, Location, and camera template.
Tip
Although you must choose a camera template when adding the camera, you can edit the camera configuration after
the initial configuration to create a custom configuration.

To automatically add camera map icons to the location maps (based on the camera's Installed
Location), select the Auto Create Map Markers setting. You can also specify an alternative
location when importing cameras from a CSV file.

Network (IP) Camera Rules and Settings

The camera must be accessible on the network if the device is added in Enabled state.

If the camera is not available on the network, you can add the camera in pre-provisioned state.
The camera will be disabled until you choose Enable from the Device Settings menu (all
required fields must be complete).
If the camera is still not reachable on the network it will be in Enabled: Critical state until the
network issue is resolved.

Network Camera General Settings

Setting Description
IP Address Enter the hostname or IP address entered in the camera configuration. See the camera
documentation for instructions.

Note
All edge devices (such as cameras and encoders) must be added to a server using a local (non-NAT)
address.
Username Enter the username for accessing the camera on the network.
Password Enter the password for accessing the camera on the network.
Name Enter a descriptive name that can help you identify the camera. The name can include any
combination of characters and spaces.
Install Location Click to select the location where the camera is physically installed.

The Installed and Pointed locations define where the camera is physically installed vs. the
scene that the camera is recording. For example, a camera installed on building 2 might be
pointed at the lobby door of building 1. If an alert event occurs at the Building 1 lobby, it
can be flagged and viewed using the Cisco Safety and Security Desktop application even
though the camera is physically installed on building 2. The camera and the associated
Media Server must be in the same Site.

Tip
To automatically add camera map icons to the location map based on the Installed Location, select
the Auto Create Map Markers
Media Server Select the Media Server responsible for storing and playing video from the camera.

The camera and the associated Media Server must be in the same
Model Select the camera model.
Template Select a camera template from the pop-up window.

You must choose an existing template when the camera is added to Cisco VSM.
After the camera is created, you can create a custom configuration or select a
different template.
Templates define attributes such as video quality and schedules. Only templates
that support the camera are displayed.
Camera Settings Apply a set of camera settings for features such as the motion detection window and
sensitivity, tamper settings, and NTP server and timezone used by the device.
Existing Settings - apply a pre-defined set of configurations.
New Setting - define a new set of configurations. Enter a name to save the
Camera Settings, so they can be applied to other cameras.

Multicast

Note
The multicast fields are enabled only if a template is chosen that uses Custom settings to enable UDP_Multicast
on Stream A and/or Stream B.
Primary Address (Optional) Enter the multicast IP address where the camera's primary video stream (Stream
A) should be sent.

This field is enabled only if the camera's template Stream A is configured for multicast.
Addresses must be in the proper address range.

Private network addresses: 239.0.0.0 - 239.255.255.255


Public network addresses: 224.0.0.0 - 244.0.0.255 and 244.0.1.0 - 238.255.255.255

Note
Public addresses must be individually assigned by IANA (Internet Assigned Numbers
Authority)
Primary Port Enter the port value used by Cisco Video Surveillance to listen to the camera's primary
video stream.
Secondary Address (Optional) Enter the multicast IP address where the camera's secondary video stream
(Stream B) should be sent.

This field is enabled only if the camera's template Stream B is configured for multicast.
Addresses must be in the proper address range.

Private network addresses: 239.0.0.0 - 239.255.255.255


Public network addresses: 224.0.0.0 - 244.0.0.255 and 244.0.1.0 - 238.255.255.255

Note
Public addresses must be individually assigned by IANA (Internet Assigned Numbers Authority)

Secondary Port Enter the port value used by Cisco Video Surveillance to listen to the camera's secondary
video stream.
Analog Camera Rules and Settings
Analog cameras are attached to an encoder that provides network connectivity.
See the encoder documentation for instructions to properly attach the serial cables to the
cameras and determine the serial port and serial address for each camera.
A single analog camera is attached to the encoder directly. Multiple cameras can be attached in a
daisy chain configuration. A serial port and serial address are assigned to each camera. See the
encoder documentation for more information.

The following table describes the settings available for analog cameras, which includes settings for the
encoder that provides network connectivity.

Analog Camera General Settings

Setting Description
Encoder Select the encoder that supports the analog camera.
Video Port The physical encoder video port where the camera video cable is attached.
Tip
Only the unused ports are displayed.
Audio Port (Optional) The physical encoder audio port where the camera audio cable is attached.

Tip
Only the unused ports are displayed.
Name Enter a descriptive name that can help you identify the camera. The name can include any
combination of characters and spaces.
Installed Location Select the location where the camera is physically installed.

Note
The Installed and Pointed locations define where the camera is physically installed vs. the scene that
the camera is recording. For example, a camera installed on building 2 might be pointed at the lobby
door of building 1. If an alert event occurs at the Building 1 lobby, it can be flagged and viewed using
the Cisco Safety and Security Desktop application even though the camera is physically installed on
building 2.
Model Select the camera model.
Template Select a camera template from the pop-up window.

The template is based on the encoder model, not the camera model.
You must choose an existing template when the camera is added to Cisco VSM.
After the camera is created, you can create a custom configuration or select a
different template.
Templates define attributes such as video quality and schedules. Only templates that
support the camera are displayed.

Procedure
To manually add a camera to the Cisco VSM configuration, complete the following procedure.

Step 1 Log on to the Operations Manager.


You must belong to a User Group with permissions for Cameras.

Step 2 (Required) Add additional camera licenses for non-Cisco cameras, if necessary.

Step 3 (Optional) Create a camera template that defines the camera configuration, if necessary.
You can also use an existing template, such as the default system templates for low,
medium and high quality video.
You must assign a template to the camera when adding it to Cisco VSM.
After adding the camera, you can modify the template or create a custom configuration
for the camera.
Step 4 Click Cameras.

Step 5 Click Add.


Tip
You can also click the Add icon and choose Add a camera manually.

Step 6 Select the camera type:

IP Camera - networked IP camera
Analog Camera - analog cameras are attached to an encoder to provide network
connectivity and digitize the analog video.
Tip
To use the auto-discovery option.

Step 7 Enter the basic camera settings.

Network (IP) Camera Rules and Settings


Analog Camera Rules and Settings

Step 8 Click Add.


Step 9 If a camera is not found on the network (the camera is offline or the username/password are
incorrect), you can choose to pre-provision the camera. Pre-provisioning allows the camera
to be added to Cisco VSM as a disabled device. Select Enable from the Device Settings
menu once camera network installation is complete.

Step 10 Wait for the Job to complete.

Step 11 (Optional) When the camera configuration page appears, update the additional General
Information settings, if necessary.

Setting Description
Pointed Location Click to select the location where the camera is pointed. This is the video that
will be displayed and recorded by the camera.
Description Enter a description of the camera, if necessary.

Step 12 (Optional) Enter additional configurations, if necessary.

Step 13 (Optional) If the camera was pre-provisioned, complete the configuration and select Enable
from the Device Settings menu.
Note
The Enable option is only enabled if the camera configuration is complete and the device is available on the
network.

Step 14 Repeat Step 5 through Step 12 to add additional cameras, if necessary.


Importing or Updating Cameras or Encoders Using a CSV File
Multiple cameras or encoders can be imported using a comma separated value (CSV) file that includes
configuration details for each device. This same method can be used to update existing camera
configurations.

Overview
Figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled state
if all required configurations are included, or in Pre-Provisioned state if configurations are missing or if
the devices are not yet available on the network. If an error occurs, correct the CSV file and try again.

Importing Cameras or Encoders from a CSV File

Usage Notes
Cameras, encoders and servers can be pre-provisioned in Release 7.2 and higher.
Pre-provisioned devices are devices waiting to be added to Cisco VSM. You can make
additional configuration changes, but the device cannot stream or record video until the
configuration and network issues are resolved. Choose Enable from the Device Settings menu
to enable the device video functions.

If the CSV file details are accurate and complete, the devices are added to Cisco VSM and video
from the cameras is available for viewing and recording.

If any required fields are left blank, or if any devices in the file are not available on the network,
then the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned
option is deselected. Complete the configuration to change the status to Enabled.
If any fields are inconsistent with the Cisco VSM configuration, the import action fails and an
error file is created that specifies the problem(s). For example, if the CSV file specifies a Media
Server or location that does not exist in your Cisco VSM configuration, an error occurs. Correct
the CSV file and try again.
You cannot mix device types in the import file. For example, the file can include servers,
encoders, IP cameras, or analog cameras only.
If cameras are updated using the CSV import, and the template is changed to one with different
stream resolutions, then all motion detection windows are deleted and you must re-configure the
motion windows for those cameras. To do this:

o Import the CSV file again to specify the motion detection windows (without changing
the camera template).
o Apply the motion windows to cameras.

Creating the CSV File


Create a file in plain text CSV format that can be opened and saved using Excel or OpenOffice Calc.
Blank rows or rows beginning with // are ignored.

Tip
To download a sample import file, launch the import wizard. Click the Download Sample button in the second step
of the wizard to obtain a sample file. The import file is different for each device type: IP cameras, analog cameras,
and encoders.

Example of a Camera Import File

Table describes the CSV file fields for both IP and analog cameras (the fields vary for each camera
type).

The CSV file can be created in a program such as Excel or OpenOffice Calc and saved as a CSV file.
For example, in Excel, create the file and then choose Save As > Other formats. Select CSV (Comma
delimited) for the Save as type.
Import File Field Descriptions
Content Required/Optional Description
Comment // IP / AnalogCameras Blank rows or lines/cells starting with ''//'' are treated as comments and
Optional ignored.
Name IP / Analog Cameras Enter the camera name
Required
For example: LOBBY INT ENTRY
Model IP / Analog Cameras
Required The camera model. For example: cisco_2500
IP address IP cameras
Required At least one value is required (IP address, MAC or serial number).
MAC address
Serial no New CamerasThe IP address, serial number, and MAC address
must be unique for new cameras.
Existing camerasIf all three entries are provided for an existing
camera, the settings must match the devices existing settings.
Server Name IP cameras Enter the Media Server name.

Optional if the camera Note


is pre-provisioned; The Media Server must be valid and already present in the system.
required if not.
Encoder Name Analog cameras Enter the name of the encoder that provides connectivity for the analog
camera.
Required
Content Required/Optional Description
Encoder video Analog cameras
port Enter the encoder port number used for video by the analog cameras
Required but non-
editable
Encoder audio Analog cameras
in port Enter the encoder port number used for audio input by the analog cameras
Optional but non-
Install editable
IP / Analog
Location Cameras
Path Enter the location where the camera is physically installed. For example
Optional if the camera cameras installed location path.
is Preprovisioned;requ
ed if not. For example: CA/North Campus/bldg 2

Point-To IP / Analog
Location Path Cameras Enter the location where the camera is capturing video. For example, a
camera installed on building 2 can be pointed at building 1, so the
Optional if the camera cameras video is from the pointed at location building 1.
is
pre-provisioned; For example: CA/North Campus/bldg 1
required if not.
Template IP / Analog Cameras
Name Optional if the camera
is The configuration template that defines the camera video quality,
pre-provisioned; recording and motion parameters, and other settings.
required if not.
The template must be valid and already present in the system.
If the template is changed to one with different stream
resolutions, then all motion detection windows are deleted and
you must re-configure the motion windows for those cameras.
Use one of the following options:
o Import the CSV file again to specify the motion detection
windows (without changing the camera template).
o Apply the motion windows to cameras

Username IP Cameras
Optional if the camera
is The username configured on the camera to provide network access.
pre-provisioned;
required if not. See the camera documentation for instructions to define the camera
credentials.

Password IP Cameras
Optional if the camera The password configured on the camera to provide network access.
is
pre-provisioned; o See the camera documentation for instructions to define the
required if not. camera credentials.

Tags Optional
Keywords used in the camera search field.
Camera IP Cameras Optional The name of a pre-defined set of camera settings. Enter the name of an
Settings name existing setting only (new settings cannot be created when importing
cameras).

This setting is optional. The same settings can be applied


manually for each camera.
For example, settings can be included for features such as the
motion detection window and sensitivity, tamper settings, and
NTP server and timezone used by the device.
If the camera template is changed, the motion windows will not
be added and you must manually re-define all motion detection
windows. Use one of the following options:
Import the CSV file again to specify the motion detection
windows (without changing the camera template).
Apply the motion windows to cameras.
Content Required/Optional Description

Latitude, Longitude, Angle, Elevation
IP / Analog Cameras. Optional.
Include these values to optionally place a camera icon on the location map.

Note
If Latitude, Longitude, Angle, and Elevation are included in the CSV file, then
camera markers are created. If these entries are not included in the CSV file, but
the system setting Auto Create Map Markers is enabled (General System
Settings, page 20-1), the camera markers will be automatically created if the
camera's Install Location includes Latitude and Longitude coordinates. If any of
these conditions are absent, then camera markers will not be created.

Latitude and Longitude
o If the Latitude and Longitude values are included, the camera map marker will be created.
Both Latitude and Longitude must be entered. For example, if Latitude is entered, you must
also include the Longitude.
o If the Latitude and Longitude values are not provided, but the camera's Install Location
includes Latitude and Longitude values, then the camera marker will be created based on the
Install Location.

Angle and Elevation
These values are optional if Latitude and Longitude are entered. They are
not required if Latitude and Longitude are not entered.
o Angle: The camera angle represents the camera's field of view (for informational purposes
only). For example, 0 points straight up, 90 points 90 degrees clockwise.
o Elevation: Identifies cameras placed at different heights. For example, multiple cameras in
a building can be installed at the same Latitude and Longitude, but on different floors. Enter
a different elevation to represent different heights.
Importing the CSV File
Complete the following procedure to import a CSV file.

Procedure
Step 1 (Optional) Enable Auto-configuration for the camera model(s).

Auto Provisioning applies camera settings based on the camera model.


Step 2 Create the camera CSV file containing details for each device.

Step 3 Click Cameras.

Or click Cameras and then Encoders to import a list of encoders.


Step 4 Choose Add and choose Import cameras from file or Import encoders from file.

Step 5 Complete each Import Step as described below:

a. Import Step 1 - Device Type


o (Cameras only) Select IP Camera or Analog Camera.
o Click the Pre-Provision box if the devices should be pre-provisioned when added to Cisco
VSM. This allows you to add the devices before they are available on the network, or before
they should be available to end users.

Note
If any required fields are left blank, or if any cameras in the file are not available on the network, then
the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned option is
deselected. Complete the configuration to change the status to Enabled.

b. Import Step 2 - Download Sample


o (Optional) Click Download Sample to download a sample CSV import file. Click Next.

c. Import Step 3 - File Upload:


o Click Choose to select the CSV file from a local or network disk. Click Upload.
d. Import Step 4 - Processing:
o Wait for the import process to complete.
e. Import Step 5 - Results:
o If a success message appears, continue to Step 6.
o If an error message appears, continue to Step 5.

f. If an error message appears, complete the following troubleshooting steps:


o Click Download Annotated CSV, save the error file and open it in Excel or OpenOffice
Calc.
o Correct the annotated errors in the //Error rows.
o Save the revised file in the .CSV format.
o Return to Step 4 and re-import the corrected CSV file.
Step 6 Click Close.

Step 7 View the camera status to determine if additional configuration is required.
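
The rules above can be checked before a file is uploaded, so that cameras do not land in the pre-provisioned state by surprise. The following pre-import check is an added example, not part of Cisco VSM or the original course material; the column headers, the template and setting names, and the sample rows are assumptions constructed for illustration and should be matched to the sample file from Import Step 2.

```python
import csv
import io
import ipaddress

# Column headers below are assumptions made for this example. Align them with
# the sample file offered in Import Step 2 before using the check.
REQUIRED = ("Install Location", "Template Name", "Username", "Password")


def _cell(row, column):
    """Return a trimmed cell value; short rows yield None from DictReader."""
    return (row.get(column) or "").strip()


def preflight(csv_text, known_templates, known_settings, allow_duplicate_ip=False):
    """Return (record_number, severity, message) findings for a camera CSV."""
    findings = []
    first_seen = {}  # IP address -> record number where it first appeared
    # Drop blank lines and the //Error annotation rows of an annotated CSV.
    lines = [ln for ln in csv_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("//")]
    for rec, row in enumerate(csv.DictReader(io.StringIO("\n".join(lines))), start=1):
        def report(severity, message):
            findings.append((rec, severity, message))

        # Unique IP addresses are required unless Allow Duplicate IP is enabled.
        ip = _cell(row, "IP Address")
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            report("error", f"invalid IP address {ip!r}")
        else:
            if ip in first_seen and not allow_duplicate_ip:
                report("error", f"IP {ip} duplicates record {first_seen[ip]}")
            first_seen.setdefault(ip, rec)

        # Blank required fields do not fail the import; the device is added
        # in pre-provisioned state instead, so report them as warnings.
        missing = [c for c in REQUIRED if not _cell(row, c)]
        if missing:
            report("warning", "will be added pre-provisioned; blank: " + ", ".join(missing))

        # Templates and Camera Settings must already exist in the system.
        template = _cell(row, "Template Name")
        if template and template not in known_templates:
            report("error", f"template {template!r} is not present in the system")
        setting = _cell(row, "Camera Settings Name")
        if setting and setting not in known_settings:
            report("error", f"camera setting {setting!r} does not exist")

        # Latitude and Longitude must be entered together.
        lat, lon = _cell(row, "Latitude"), _cell(row, "Longitude")
        if bool(lat) != bool(lon):
            report("error", "Latitude and Longitude must be entered together")
        elif lat:
            try:
                in_range = abs(float(lat)) <= 90 and abs(float(lon)) <= 180
            except ValueError:
                in_range = False
            if not in_range:
                report("error", f"coordinates out of range: {lat}, {lon}")
    return findings


# Constructed sample input (not from a real deployment).
SAMPLE = """\
Name,IP Address,Install Location,Template Name,Username,Password,Camera Settings Name,Latitude,Longitude,Angle,Elevation
Lobby-1,10.0.0.11,CA/North Campus/bldg 1,HD-Template,camuser,example-pass,,37.41,-121.93,90,1
Lobby-2,10.0.0.11,CA/North Campus/bldg 1,HD-Template,camuser,example-pass,,,,,
//Error: constructed annotation row, skipped by the check
Dock-1,10.0.0.12,CA/North Campus/bldg 1,Old-Template,,,Night,37.41,,,
"""

if __name__ == "__main__":
    for rec, severity, message in preflight(SAMPLE, {"HD-Template"}, {"Default"}):
        print(f"record {rec}: {severity}: {message}")
```

Because the import file carries camera usernames and passwords in clear text, run the check where the file is already stored and restrict who can read it.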


Configuring 360° (Fisheye) Cameras
A fisheye camera image displays a panoramic 360° field of view. A fisheye camera display is not a
typical, flat image. The image is round and distorted, which is the result of capturing an ultra-wide field
of view. You can use Dewarp modes to flatten or dewarp the image to make it accessible to the operator.
Note
Some features are model-specific. See the release notes for supported cameras.

Procedure
To use fisheye cameras, you must first install the camera and add it to Cisco VSM. Then define the 360°
Camera settings.

Step 1 Install the camera on your network.

Note
You must mount fisheye cameras perfectly flat, on either a vertical or horizontal surface. For example, do not
install the camera on a cathedral ceiling.

Step 2 Add the camera to the Operations Manager configuration.

Step 3 Define the camera Orientation and Dewarp settings (360° Camera Settings), using one of the
following methods:
o The camera's General Settings
o Pre-set Camera Settings
Step 4 Create the video Views that include the fisheye cameras.

Step 5 Use Cisco SASD to view video from fisheye cameras.


Creating and Applying Preset Camera Settings
Camera settings are the device-specific settings that are not included in the camera templates. For
example, motion detection configuration, camera tamper settings, NTP and timezone settings are all
configured on each individual device.
The Camera Settings feature allows you to create preset configurations that can be applied to cameras
when they are added to Cisco VSM. For example, you can select the Camera Setting when adding a
camera manually, when the device is discovered on the network, or when adding multiple devices using
a CSV file. If the cameras are already added to Cisco VSM, use Bulk Actions to apply the Camera
Settings to multiple devices.

Camera Settings

Procedure
Note
Only the settings supported by the camera model are displayed.

Step 1 Create a Camera Setting.

You must belong to a user group with Cameras permission. Use one of the following methods to access
the Camera Settings.

o Manually Adding Cameras.


o Enabling the Auto Configuration Defaults for a Camera Model
o Bulk Actions: Revising Multiple Cameras

Step 2 Select New Setting.

Step 3 To save the setting for use by other cameras, select Save setting for future use and enter a
name for the setting.
Action Description
360° Camera Settings
Defines the display settings for panoramic cameras that display a 360° field of view.

Orientation
The physical camera mounting: Ceiling, Wall, or Table.

Note
Cameras must be mounted perfectly flat, on either a vertical or horizontal surface.

Dewarp Mode
A fisheye camera image is round and distorted, which is the result of capturing an ultra-wide
field of view. Use Dewarp modes to flatten or dewarp the image.
Dewarp mode varies by orientation. For example, Double Panoramic View is available
in Ceiling and Table orientations, but not for Wall orientations. PTZ operation is not
available in either panoramic Dewarp mode. Digital PTZ is available in individual
regions.

Use the different Dewarp modes to set the view to a grid layout of different regions of
the fisheye image:
o Single Region: Single-pane view without dewarping.
o Panoramic View: Single-pane view with dewarping. The image is divided down the center,
with the left and right sides flattened and joined from the top-center location.
o Double Panoramic View (Ceiling and Table orientations only): Single-pane view that splits
the Panoramic view down the center, top-to-bottom, and creates a stacked view.
o Quad View: Single-pane view that splits the Panoramic View into four quadrants.

Note
In individual panes, PTZ features are available in Quad View. You can move the image region
and zoom in on a region. Use the mouse wheel to zoom and the left mouse button to drag the
view to a new region.
Motion Configuration
The settings that define the amount and type of motion required to trigger a motion
detection event.

Default Motion Window
Select this check box to enable the following additional options:
o Configure full motion window: Draws the motion detection window to fill the entire
camera view. This setting is not applied if the camera is already configured with motion
detection windows.
o Override existing motion windows: Overrides the existing configured motion window(s)
with a default full motion window.

These options apply only if the camera supports motion detection.

Camera Tamper
Select the following to change the default value.
o Camera tamper duration: The number of seconds that the camera must be tampered with
before a critical camera event is generated. For example, camera tamper occurs if the camera
field of view is blocked or darkened, or if the camera is manually moved to redirect the
field of view.
o Tamper State Auto Clear Duration: The number of minutes before the camera tamper state
is automatically cleared.
NTP Information
Select Mode to enable the following settings:
o Automatic: the camera uses the assigned Media Server as the network time
protocol (NTP) server.
o User-configured: the camera uses a custom NTP server.
  o NTP Server: the IP address of the NTP server. Enter multiple entries separated by a
  space or comma.
  o Timezone: (optional) the device timezone.

Note
If you de-select this option, the camera is not configured with an NTP server address.
The camera retains any NTP address(es) previously configured on the device. If an NTP server is
not configured on the device, you must update the camera settings to either enter an NTP server
address or select Use Media Server as NTP.

This setting applies only for camera models that support NTP.

Timezone Information
o Use Media Server's Timezone: Use the same timezone for the Media Server assigned
to the camera.
o Timezone: Use a custom timezone.

Step 5 Click OK.


Step 6 Select the Camera Setting when using one of the following methods to add or revise cameras.

Importing or Updating Cameras or Encoders Using a CSV File.


Manually Adding Cameras.
Enabling the Auto Configuration Defaults for a Camera Model.
Bulk Actions: Revising Multiple Cameras.

Managing Cameras with Duplicate IP Addresses


By default, cameras must have a unique IP address, or an ID collision issue will occur. This prevents two
devices with the same address from causing device and configuration errors.

If your network configuration requires devices with duplicate IP addresses, however, you can enable the
Allow Duplicate IP system setting to allow multiple cameras with the same network address to be added
to the Operations Manager configuration. This may be necessary when the same set of private IP
addresses is used at multiple sites.
Enabling the Auto Configuration Defaults for a Camera Model
Enable the auto-configuration default settings to automatically apply a set of basic configurations to
cameras that are discovered on the network.

Auto-configuration is disabled for all camera models by default. You must enable the defaults for each
camera model.

Device Auto Configuration

Usage Notes

If auto-configuration is not enabled for a camera model (or if the auto-configuration fails) then
the camera is placed in the Cameras Pending Approval list.

If the auto-configuration fails, cameras can also be placed in the Enabled: Critical state. For
example, if the entered password does not match the password configured on the device.

Medianet-enabled devices also include an Uninitialized option. Select this to log in to the
camera using the default device credentials. Enter a password to automatically replace the
device password with the new setting (the username is read-only).
Uninitialized Option

Procedure
To enable auto-configuration for cameras that are discovered on the network or imported from a CSV
file, complete the following procedure.

Step 1 Log on to the Operations Manager.

You must be a Super-Admin or belong to a user group assigned to the super_admin_role
(a super-admin is anybody that has all permissions at the root location).

Step 2 Select System Settings > Auto Provisioning Settings.

The Device Auto Configuration screen appears.


Step 3 Click a camera Vendor.

Step 4 Click a camera Model.

Step 5 Select the Enable Auto Configuration check-box.


Setting Description
Uninitialized
(Medianet enabled devices only) Select this option to use the default credentials to initially
access the camera. Enter a new password to change the default setting.

Note
The change will not be implemented if the current username and password have been changed from the
factory default.

Username
Enter the username used to access the camera over the network.

Password
Enter the password used to access the camera over the network.
See the camera documentation for instructions to set the credentials, or ask your system
administrator for the information.

Template
Select the camera template that will provide the camera configuration.

Media Server
(Optional) Select the Media Server that will manage the camera (the camera will be assigned to
this Media Server).

Camera Settings
Apply a set of camera settings for features such as the motion detection window and sensitivity,
tamper settings, and NTP server and timezone used by the device.
o Select Existing Settings to apply a pre-defined set of configurations.
o Select New Setting to define a new set of configurations. Enter a name to save the Camera
Settings, so they can be applied to other cameras.

Step 7 Click Save.

Step 8 (Optional) Repeat this procedure to enable auto-configuration defaults for additional camera
models.
Cameras Pending Approval List
Discovered cameras that are not auto-configured are held in the Cameras Pending Approval list so they
can be reviewed and updated before being added to Cisco VSM. The cameras in this list are not available
for streaming or recording video.
These cameras can also be added to the blacklist, which deletes them from the Cisco VSM configuration
and prevents them from being found in future discovery operations.
Cameras Pending Approval

Tip
Camera models that have the auto-configuration defaults enabled are added to Cisco VSM. If auto-configuration
fails or is not enabled, the camera is added to Cameras Pending Approval. If the camera is in Enabled: Warning or
Critical state, go to the device Status page to get information, fix the problem, and choose Repair Configuration
from the Device Settings menu.

Procedure
To move cameras from the Cameras Pending Approval list to either Cisco VSM or to the blacklist,
complete the following procedure.
You must have Manage Cameras permissions to approve or blacklist cameras.

Step 1 Click Cameras.

Step 2 Perform a camera discovery.

Step 3 Choose Add > Cameras Pending Approval.

Step 4 (Optional) Filter the list of discovered cameras.

For example, select a camera make or model to narrow the results.


Step 5 Select one or more cameras from the list.

Tip
Click the camera to highlight it, or use Ctrl-Click or Shift-Click to select multiple cameras.
Step 6 (Optional) Enter additional camera configurations:

o Click the buttons at the bottom of the list to edit the required fields. You can also
double-click a field to edit the setting.
o Scroll the list to the right, if necessary, to display the editable fields.
o Editable fields are displayed in bold.

Setting Description
IP Address
The IP address assigned to the camera.

Name
(Optional) Double-click the entry to change the camera name. The default entry is
auto-generated.

Media Server
(Required) Select the Media Server to manage the camera.

Install Location
(Required) Select the location where the camera is physically installed.

Pointed Location
(Required) Select the location where the camera is pointed. This is the scene shown in the
camera's video.

Template
(Required) Select the configuration template for the camera.

Credential
(Required) Enter the username and password used to access the camera over the network. See the
camera documentation for instructions to set the credentials, or ask your system administrator
for the information.

Step 7 Click Add to save the configuration and add the camera(s) to Cisco VSM.

Step 8 Verify that the camera(s) were successfully added.

Step 9 (Optional) Modify the camera settings, if necessary.

Note
Click Blacklist to blacklist the camera.
Blacklisting Cameras
Blacklisted cameras are deleted from the Cisco VSM configuration and are ignored in discovery
operations. Cameras can be kept in the Blacklist indefinitely.

Blacklisting a Camera
Cameras can be added to the blacklist using the following methods:

Blacklist a Discovered Camera in the Cameras Pending Approval List


Delete and Blacklist a Camera

Blacklist a Discovered Camera in the Cameras Pending Approval List


Step 1 Click Cameras.

Step 2 Choose Add > Cameras Pending Approval.

Step 3 Select one or more cameras from the list.

Tip
Click the camera to highlight it, or use Ctrl-Click or Shift-Click to select multiple cameras.

Step 4 Click Blacklist.

Delete and Blacklist a Camera


Step 1 Click Cameras.

Step 2 Select the location and camera name.

Step 3 Click Delete.

Step 4 Select Blacklist & Full Delete.

Caution
Full Delete permanently deletes all recordings associated with the camera.
Viewing Cameras in the Blacklist
Procedure
Step 1 Click Cameras.

Step 2 Choose Add > Camera Blacklist.

Step 3 (Optional) Use the filter settings to narrow the displayed devices.

Removing a Camera From the Blacklist


To remove a camera from the blacklist so it can be re-added to Cisco VSM, do one of the following:

Remove the device from the blacklist, as described in the following procedure.
Manually add the camera. This removes the camera from the blacklist and adds it to Cisco VSM.

Procedure
Step 1 Click Cameras.

Step 2 Choose Add > Camera Blacklist.

Step 3 (Optional) Use the filter settings to narrow the displayed devices.

Step 4 Highlight one or more entries and click Remove From Blacklist.

Step 5 (Optional) Perform a camera discovery to re-add the camera.


Editing the Camera Settings
Camera settings are applied to cameras, camera templates, or custom configurations.

The following settings are accessed in the Camera configuration page. You can also update camera
configurations by importing a CSV file that defines the settings.

Accessing the Camera Settings


To revise the settings for a camera or camera template, click the Cameras tab and highlight the device
(or template).

Usage Notes
Not all settings are available for all cameras. For example, Image settings are available only if
the camera supports features such as motion detection, PTZ controls, and image adjustments.
Device configuration changes can fail if a camera firmware upgrade is in process. Make sure that
the camera firmware is not being upgraded (or wait until the upgrade is complete) and try again.
Most camera settings are applied by the template assigned to the camera. To create a
configuration for a single camera, create a custom configuration for the camera.
The camera configuration pages may not display properly if the Internet Explorer (IE)
compatibility view box is checked. Deselect this option, if necessary.

Procedure
Step 1 Log on to the Operations Manager.

You must belong to a User Group with permissions for Cameras.

Step 2 Click Cameras.

Step 3 Click the tabs in the top left column to view cameras and templates.

Tab Description
Cameras By Location Displays the cameras assigned to each location.

For example, click the Cameras By Location tab and then select a
location name. The cameras assigned to that location are listed by
name. Click a camera name to edit the camera settings.

Cameras by Media Server Displays the cameras assigned to each Media Server.

If only one Media Server is used, all cameras will be listed.


Cameras By Template Displays the cameras assigned to each template.

Tip The number next to the template name indicates the number of
cameras assigned to the template.
Camera General Settings

Step 4 Revise the available settings.

Step 5 Click Save.

Step 6 (Optional) Revise the camera template, or create a custom template.


Streaming, Recording and Event Settings
The Streaming, Recording and Event settings are applied to camera templates and define video attributes
for cameras associated with the template. For example, the quality of video streams, how video is
recorded, and the advanced storage options for backing up video to a Redundant or Long Term Storage
(LTS) server. The Advanced Events option defines the events that trigger actions.

Tip
The Streaming, Recording and Event settings (Table) are read-only when viewing a camera configuration. To edit the
settings, edit the template associated with the camera, or create a custom configuration for the camera (click Set
Template and choose Custom).

Streaming, Recording and Event Settings


Setting Description
Template
(Cameras only) Click Set Template to select the template used for the camera, and click OK.
o Only supported templates are displayed (based on the user's location and camera model).
o The remaining Streaming, Recording and Event settings are defined by the template and
are read-only.
o If the camera template resolution settings are changed, all motion detection windows are
deleted and you must re-configure them. This occurs if the camera template is revised, or
if you select a different template for the camera.

Using a Custom Template for a Single Camera

Click Custom to enter custom settings for the camera.

Although you can enter custom settings for both video streams, the IP or analog camera must also
support the settings for both streams (analog camera support is dependent on the camera's
encoder). If the camera or encoder model does not support the settings, or does not support two
streams, the configuration will fail. See the camera or encoder documentation for more
information regarding the stream settings supported by the device.

Tip
The remaining Streaming, Recording and Event settings can be changed for a specific camera only if the
Custom option is selected.

Video Format
(Templates only) Select one of the following:
o NTSC: the analog television standard primarily used in North and some countries in South
America and Asia.
o PAL: the analog television standard primarily used in Europe, Africa and some countries
in South America and Asia.

Note
The available quality settings depend on the camera model. For example, if a camera only supports NTSC
format, only NTSC can be selected. If a camera supports both PAL and NTSC, both formats will be available.
Recording Schedule
(Templates only) Select one of the following:
o Basic Recording: 24x7 (records 24 hours a day, every day, based on the continuous
and event recording properties), or
o Select a previously-defined schedule.

Recording schedules appear only if schedules are configured.

Recording schedules allow you to define recording properties for different times of the day, days
of the week, or for special events. For example, a school might require different video surveillance
actions during School hours, After school hours, School off hours, and Closed hours. Additional
exceptions to the regular schedule might be required for special events, such as a Homecoming
event or the Christmas holiday. A recording entry appears for each time slot included in the
schedule.
Video Quality
(Templates only) Slide the selector to Lo, Me or Hi to select pre-defined video quality settings for
stream A (primary) and stream B (if supported). Higher quality video requires more network
bandwidth, processing resources, and storage space than lower video quality.
o Select Off to disable video recording and playback.
o Choosing Hi on Stream A may disable Stream B if Stream A requires a high level of
processing and network resources. To enable Stream B, lower the quality level of Stream A.
o Click the Lo, Me or Hi header to view the pre-set values (read-only).
o Click Custom to choose specific settings (such as the video codec, transport, bitrate mode,
resolution, framerate, bitrate, and quality).

Caution
Switching a camera's codec may take 30 seconds or more to complete, resulting in a temporary
loss of the live video stream. Recorded video is not affected, but you cannot create recorded clips
that include more than one codec.
Recording Options
(Templates only) Click the recording option for each recurring schedule.

Note
If Basic Recording: 24x7 was selected, only one row appears. If a schedule was selected, a row appears for
each schedule.

o Select No Recording to disable recording for the stream.
o Select Record on Motion to record motion events.
  o In Retain event recordings, enter the amount of time a motion event should be
  retained (saved) on the system. Changes to this setting apply to new
  recordings only (the retention time cannot be changed for existing
  recordings). Recordings are deleted when the expired time is reached, or if the
  Storage% is reached (the oldest files are deleted first, regardless of their
  expiry time).
  o In Padding, enter the number of seconds of recording that will be included
  before and after the event occurs.
  o Motion recording is available only if the camera supports motion detection
  for instructions to define the areas of the image that trigger motion events.
o Select Continuous Recording to record video in a loop.
For example, video will be recorded continuously for one day before being
overwritten. This allows you to view video from the past 24 hours.
  o In Retain continuous recordings, enter the number of days that recorded video
  should be recorded in a loop, or if a recording schedule is selected, the
  amount of time recorded video should be retained on the system. Changes to
  this setting apply to new recordings only (the retention time cannot be
  changed for existing recordings).
o Select Record on Motion and Continuous Recording to record continuously
and mark any motion events. This option is available only if motion detection is
supported by the camera.
Retain continuous recordings
(Templates only)
o 24x7 Recording: Defines the number of days that recorded video should be recorded in
a loop. For example, a retention of 1 day means the system will retain continuously
recorded video for the past 24 hours. As new video is recorded, the equivalent amount
of the oldest video is deleted.
o If a recording schedule is selected: Defines the amount of time recorded video should
be retained on the system. For example, if a schedule is selected that records video
from 2 pm to 4 pm, and you wish to retain that recording on the system for 10 days,
enter 10 in the Retain continuous recordings field.
o This value must be a number greater than 0 (days).
o The default is 1 day.
o The maximum value is 3650 days (10 years).

Note
This setting will be ignored if the Default Grooming Only setting is enabled on the Media Server that
supports the camera. This can prevent new recordings from beginning if all server disk space is used.
Verify Recording Space
(Templates only)

Enable
Select Enable to verify that enough storage space is available on the Media Server to complete
the entire recording. The amount of required storage space is determined by the Storage
Estimation(%) setting for the Media Server. If the required amount of storage space is not
available for the entire recording, then the recording will not start.

For example, if a camera is configured to record a continuous H264 stream at 15 mbps for 30
days, the Media Server would first verify that there is enough free disk space for the full
recording length (30 days). If not, then recording will not start. In this example, 15 mbps of
video uses approximately 2 megabytes of storage space per second, so 30 days of recording
would require roughly 5 terabytes of disk storage.

Note
The verification takes into account the storage demands required by other cameras assigned to the Media
Server.

Enabling the Default Grooming Only setting for the Media Server assigned to the camera can cause all
disk space to be used and prevent new recordings from beginning.

Disable
Disabling this setting allows recording to be started even when storage is full, but it can
cause the system to become oversubscribed, and critical alerts to occur as system performance
is impacted.

If this setting is disabled and there is insufficient disk space for new recordings, the disk will
become oversubscribed and default grooming will occur when storage is full.
Frequent default disk grooming can cause the server to be slow, as the load average of the
server will be high, and critical alerts can occur for the Media Server:
o Disk space usage for recordings has been over-subscribed.
o Load Average is critical.

A recording failure event may also occur due to queue overflow, which can cause
frame drops.

On Demand Recording
(Templates only)
Enables or disables the On Demand Recording feature on the cameras assigned to the
template.

Note
Recordings are retained according to the Retain event recordings setting.
Retain event recordings
(Templates only) The amount of time a motion event should be retained (saved) on the system.
For example, enter 10 to keep motion event recordings for 10 days after the event video is
captured.

Note
This setting also applies to On Demand Recording recordings.

o Enter the number of days the video should be retained.
  o Enter a number between 1 and 3650 days (10 years).
  o The default is 30 days.
or
o Select Max Possible to retain the recordings as long as disk space is available. If disk
space is not available, then recordings are deleted based on the Storage (%) for the
Media Server.
For example, if the Storage (%) is set to 90%, and a camera template Retain event
recordings setting is Max Possible, event recordings may be deleted once the disk
repositories are 90% full (deleted video includes the oldest regular, continuous loop or
event archives).

File Deletion
Recordings are deleted when the expired time is reached, or if the Storage% is reached (the oldest
files are deleted first, regardless of their expiry time). Video archive files are deleted until the free
disk space is less than the Storage (%).

Note
This setting will be ignored if the Default Grooming Only setting is enabled on the Media Server that
supports the camera. This can prevent new recordings from beginning if all server disk space is used.
Alert Notifications
(Templates only)
Click Alert Notifications to enable or disable the alerts that are generated when a
motion stop or start event occurs.

Tip
Use Advanced Events to generate alerts only when a motion stop or motion start event occurs.

Advanced Events
(Templates only) Use Advanced Events to trigger actions when an event occurs.
o Instantaneous Trigger Events: Events that trigger an immediate action (for example,
when motion is detected).
o States of Being: Events that trigger an ongoing action as long as that event occurs (for
example, while a contact remains open).

Advanced Storage
(Templates only) Defines storage options for recorded video, such as the use of Redundant,
Failover, or Long Term Storage servers. Also defines advanced streaming and recording
options.
Record Audio
(Templates only)
Defines if audio should be recorded when video is being recorded.

Note
The audio setting is disabled if audio is not supported by the camera.

o Off: (Default) Audio is disabled for both live and recorded video playback.
o Live Only: Audio is enabled for live video streaming only.
o Live and Recorded: Audio is enabled for live streaming and recorded video
playback.

Padding
(Templates only)
Defines the number of seconds of additional recording that will be included before and after a
motion event.
o Pre: Enter the number of seconds before a motion event occurs that video should be
retained.
o Post: Enter the number of seconds after a motion event occurs that video should be
retained.
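
The Verify Recording Space and retention rows above interact: with verification enabled a recording that does not fit never starts, and with it disabled oldest-first deletion shortens how far back video actually survives. The following planning model is an added example, not Cisco's code or the Media Server's algorithm; it assumes continuous constant-bit-rate recording, decimal units, and a single percentage limit (the hypothetical parameter limit_pct) standing in for the server's storage threshold, and the camera names and disk size are constructed.

```python
SECONDS_PER_DAY = 86_400


def bytes_per_day(mbps):
    """Storage written per day by a continuous stream (decimal units)."""
    return mbps * 1_000_000 / 8 * SECONDS_PER_DAY


def required_bytes(mbps, retain_days):
    """Space a continuous recording occupies once its loop is full."""
    return bytes_per_day(mbps) * retain_days


def admit(cameras, disk_bytes, limit_pct):
    """Model of verification enabled: admit recordings in order while the
    running total still fits under the limit.
    cameras is a list of (name, mbps, retain_days) tuples."""
    usable = disk_bytes * limit_pct / 100
    committed, result = 0.0, []
    for name, mbps, days in cameras:
        need = required_bytes(mbps, days)
        starts = committed + need <= usable
        if starts:
            committed += need
        result.append((name, need, starts))
    return result


def effective_retention_days(cameras, disk_bytes, limit_pct):
    """Model of verification disabled: every recording starts, and deleting
    the oldest files first caps how far back video survives. Returns the
    horizon H in days where sum(rate_i * min(retain_i, H)) equals the usable
    space, or None when the configured retention fits."""
    usable = disk_bytes * limit_pct / 100
    if sum(required_bytes(m, d) for _, m, d in cameras) <= usable:
        return None
    active_rate = sum(bytes_per_day(m) for _, m, _ in cameras)
    used, prev = 0.0, 0
    # Walk the retention periods from shortest to longest. A camera whose
    # own retention is below H expires by itself and stops adding demand.
    for _, mbps, days in sorted(cameras, key=lambda c: c[2]):
        segment = (days - prev) * active_rate
        if used + segment >= usable:
            return prev + (usable - used) / active_rate
        used += segment
        prev = days
        active_rate -= bytes_per_day(mbps)
    return float(prev)


# Constructed planning input: two 8 Mbps cameras on a 3.2 TB repository.
CAMERAS = [("lobby", 8, 30), ("dock", 8, 10)]
DISK_BYTES = 3.2e12
LIMIT_PCT = 90

if __name__ == "__main__":
    print(f"15 Mbps for 30 days: {required_bytes(15, 30) / 1e12:.2f} TB")
    for name, need, starts in admit(CAMERAS, DISK_BYTES, LIMIT_PCT):
        print(f"{name}: {need / 1e12:.2f} TB, recording starts: {starts}")
    horizon = effective_retention_days(CAMERAS, DISK_BYTES, LIMIT_PCT)
    print(f"oversubscribed retention horizon: {horizon:.1f} days")
```

For investigations, the second function is the one to watch: a template may say 30 days while the disk can only hold about 23, so footage needed as evidence can be groomed before its configured expiry.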
Using Custom Video Quality Settings
Custom video quality settings allow you to define the codec, transport method, bit rate, frame rate, and
other settings that are supported by the camera model, as described in

Usage Notes
Custom video quality settings can only be applied to model-specific camera templates.

The available quality settings depend on the camera model. For example, if a camera only
supports the H.264 codec, only H.264 can be selected.
Although you can enter custom settings for both video streams, the IP or analog camera must
also support the settings for both streams (analog camera support is dependent on the camera's
encoder). If the camera or encoder model does not support the settings, or does not support two
streams, the configuration will fail. See the camera or encoder documentation for more
information regarding the stream settings supported by the device.
To configure multicast transmission.

Custom Video Quality Settings
Setting Description
Codec Select the video encoding format, such as JPEG, MPEG4 or H.264.

Caution Switching a camera's codec may take 30 seconds or more to complete, resulting in a temporary loss of the
live video stream. Recorded video is not affected, but you cannot create recorded clips that include more
than one codec.
Transport Select an option to stream video using either TCP or UDP.

Note
We recommend UDP for most networks where packet loss and high latency are not an issue.
Bit rate mode Select CBR (Constant Bit Rate) or VBR (Variable Bit Rate).

CBR delivers video at the selected bit rate (or at that average over time), depending on the video
device.

VBR adjusts the video quality and/or frame rate as the scene changes. Depending on the video
device, the selected bit rate may or may not be the stream's maximum.
The bit rate is reduced when there is little movement or change.
The bit rate is increased when there is more change.
Frame rate Select a frame rate (only frame rates supported by the device are displayed).
Bit rate Select the bit rate at which the video device will stream the selected frame rate.

Note
The frame rate must be specified first. Only frame rate and bit rate combinations supported by the device are
displayed.

Quality (VBR Bit rate mode only) Select the priority of the video quality against the desired frame rate.

A high Quality setting may cause the video device to reduce the frame rate during periods of
high motion or change (in order to maintain a higher quality image).
A low Quality setting may cause the video device to greatly reduce the image quality to
maintain a higher frame rate during the periods of high motion or change in the video.
Procedure
Step 1 Create or edit a model-specific camera template.

Step 2 Select the Streaming, Recording and Event tab.

Step 3 Click Custom in the Video Quality field.

Step 4 Enter the settings described in Table and click Set.

Step 5 Complete the template configuration.

Image Settings
Image settings allow you to define where motion is detected in a camera image, the pan, tilt, and
zoom settings for a camera, and the image properties such as contrast and brightness.

Motion Settings
Pan Tilt and Zoom (PTZ) Settings
Photographic Controls
Click the Image tab to access the Photographic Controls that define properties such as
contrast and brightness.

Note
Only the settings supported by the camera model are shown.

Analog cameras support video controls only if the camera is configured for serial pass through
(a serial cable must be connected from the camera to the encoder, and a serial port must be
configured on the analog camera).

Photographic Controls
Setting Description
White Balance Adjusts the camera to compensate for the type of light (daylight, fluorescent,
incandescent, etc.) or lighting conditions in the scene so it will look normal to
the human eye.
Sharpness Adjusts edge contrast (the contrast along edges in a photographic image).
Increase sharpness to increase the contrast only along or near the image edges
without affecting the smooth areas of the image.
Contrast Adjusts the separation between the darkest and brightest areas of the image.
Increase contrast to make shadows darker and highlights brighter. Decrease
contrast to lighten shadows and darken highlights.
Saturation Adjusts the intensity and vibrancy of each color channel.
Hue Adjusting hue will shift the entire color palette along a spectrum. This results in
all colors being changed toward a different dominant color. Useful for adjusting
the image to make it look more natural in unusual lighting conditions.
Deleting Cameras
When deleting a camera, you can delete the camera and all recordings, or keep the recordings on the
system.

To delete one or more cameras, use the following methods:

Delete a Single Camera

Step 1 Click Cameras.

Step 2 Select the location and camera name.

Step 3 Click Delete.

Step 4 Select one of the Delete Options.

Delete Multiple Cameras

Step 1 (Optional) Retain the Media Server IP address that is stored on the camera's Preferred Media
Server list.

By default, the IP address of the Media Server assigned to the camera will be deleted from the
camera's Preferred Media Server list. If the camera is re-added to Cisco VSM, the Media
Server must be re-configured on the camera.

You can change this behavior to keep the configuration, so the camera will be re-assigned to the
same Media Server if the device is re-added and discovered on the network.
Camera Status
Select the camera or encoder Status tab to display information about camera device health, service
jobs, and security events.

Camera Device Status

Procedure
Step 1 Select Cameras.

Step 2 Select a location and select a camera from the list.

Step 3 Select the Status tab.

Step 4 Select one of the following tabs:

Device Status.
Status History.
Service Jobs (Cameras)
Camera Events.

Device Status
Displays a snapshot of the current device health status, and the device attribute that is experiencing the
error. The camera's device health impacts the camera's ability to communicate with a Media Server,
stream video over the network, or record video.

For example, in Figure, the camera is in the Enabled: Critical state, meaning that it cannot display or
record video. This state is due to a Critical configuration error.

Tip
Click Refresh Status to reload the current device status.
Camera States
When a camera is added to Cisco VSM, it is placed in either Enabled or Pre-provisioned state.

Enabled means that the user intends the camera to be functional. There are three possible
sub-levels: OK, Warning, and Critical.

Pre-provisioned means that the device is added to the configuration but not available on the
network.

Camera Status
State Description

Enabled: OK The device is operating normally and has no errors.

Enabled: Warning A minor event occurred that did not significantly impact device operations.

Disabled The device is disabled and unavailable for use. The configuration can be modified, and any
existing recordings can be viewed, but the camera cannot stream or record new video.

Enabled: Critical An event occurred that impacts the device operation or configuration.

IP Camera: The IP camera is enabled but is in a state unable to perform its full capacity.

Analog Camera: The analog camera is enabled but is in a state unable to perform its full
capacity.

Tip
An IP camera and an analog camera that are in Enabled: Critical state after they are enabled from a
Pre-provisioned state usually indicate a mismatched configuration. This is often caused by a missing motion
detection configuration on the camera when the camera template requires one.
State Description
Pre-provisioned The device is added to the configuration but not available on the network.

The device is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
camera can be modified, but the camera cannot stream or record video until the configuration is
complete and you choose Enable from the Device Settings menu.

IP Camera: A Pre-provisioned IP camera may or may not have been connected to the
network. Settings can be changed, but the only device action allowed is Device Settings
> Enable. The device can be deleted.
Encoder: A Pre-provisioned encoder may or may not have been connected to the
network. Settings can be changed, but the only device action allowed is Device Settings
> Enable. The device can be deleted.

Note
You can enable an IP camera or encoder that is in Pre-provisioned state only after the device is connected
to the network and the associated Media Server is enabled. The Operations Manager does not automatically
enable them. An attempt to enable an IP camera or an encoder before connecting them to the network only
changes its state from Pre-provisioned to Enabled: Critical.

Analog Camera: An analog camera in this state is associated to an encoder that is either
in a state of Pre-provisioned or Enabled. Settings can be changed, but the only device
action allowed is Device Settings > Enable. The device can be deleted.

Analog cameras that are added to a Pre-provisioned encoder are also Pre-
provisioned.
You can enable an analog camera that is in Pre-provisioned state only after its
associated encoder is enabled. The Operations Manager does not automatically
enable it.
Soft Deleted (Keep Recordings) The device configuration is removed from the Operations Manager but the recordings associated
with that device are still available for viewing (until removed due to grooming policies).
To view the recordings, select the camera name in the Monitor Video page.

Soft-deleted cameras are still included in the camera license count.

Hard Deleted (Delete Recordings) The device and all associated recordings are permanently deleted from Cisco VSM.
No icon is displayed.

Note
You can also choose to place the camera in the Blacklist.
Status History
Click the Status History tab for additional details. The history page displays the specific health
events that impact the device status.

Display Options

Step 1 Select Display and choose a time range. By default, events from the past 24 hours are shown.
Select Special Range to specify a specific start and end time.

Step 2 Click Affecting Current Status to display only the alerts causing the current problem.

Step 3 Double-click an entry to display the alert details. Alerts can include multiple events for the
same issue.

Step 4 Double-click an event to display the event details. Alerts can include multiple events for the
same issue.

For example, if the camera is assigned to a template where a camera app is enabled but the app is
not installed on the camera, an error will occur. To resolve the issue, install the appropriate camera app on
the camera. Once saved, the device status should be OK (click Refresh Status if necessary).

Camera Status History


Service Jobs (Cameras)
Use the Service Jobs tab to view information about the jobs processed on the camera. Service Jobs
reflect the tasks being processed by the Media Server that manages the camera.
For example, job types can include:

Camera Storage

Generate Metadata

Camera Apps: The camera apps that were installed, uninstalled, activated or deactivated.

Format Camera SD Cards

Click an entry to view additional details about the job. The details also include the status and results of
the job.

To cancel a service job that is in progress (Created, or Running state), select the job and click Cancel
Job. Not all job types can be canceled. For example, you can cancel metadata and Camera Storage
service jobs that are still in progress.

Camera Service Jobs

Tip
To view the service jobs for all cameras and encoders managed by a Media Server, select the Service Jobs tab in the
Media Server configuration page. Not all Service Jobs are supported from the Media Server page (such as camera
apps).
Camera Events
Camera events display a camera's security events. For example, you can view all motion start events over
the past 12 hours.

Recovered Events
Cisco VSM can also recover motion, Camera Apps and Contact Closure camera events that occur when the
camera is disconnected from the Cisco Media Server. This feature is supported on Cisco 3xxx, 6xxx, 7xxx,
36xx, 66xx, 69xx, and 28xx cameras.

If the camera template is configured to send alerts, then recovered events are displayed in Cisco SASD
(Alerts workspace) in italics.

Note
Recovered events do not trigger any other actions, such as those configured in the Advanced Events
feature.

A health notification is also displayed for the recovered event.

Procedure
Step 1 Select Cameras and select the camera.

Step 2 Click Status > Camera Events.

Step 3 Select the following filters to display specific events during a span of time.

Camera Event Filters


Option Description
Time Range The span of time that events occurred. For example, the last 7 days.
Issue Type The event type.
Custom Type and Subtype Custom event types created by a user.
Event Type Allows user to view All Events or Recovered Events. All events include the
following:
Live events: Events that occurred while the camera's network
connection to Cisco VSM was active.
Recovered events: Events that occurred while the camera was
disconnected from Cisco VSM. These events were recovered and added
to Cisco VSM after the camera was reconnected.
Note
The icon indicates that the event occurred while the camera was disconnected from
Cisco VSM, and was later recovered. Alerts for these recovered events are displayed in
Cisco SASD in italics.

Step 4 The page automatically refreshes to display events from your selection.
Repairing Camera Configuration Errors
If a camera configuration error occurs, use the Status History to locate and correct the problem. Other
issues are the result of mismatched configuration between the device, the Media Server and/or the
Operations Manager. If this occurs, use the configuration repair options.

For example, be sure to successfully save or revert your changes while still in the motion configuration
window. Clicking out of the window before changes are successfully saved or discarded can cause a
configuration mismatch to occur on the camera Status page (the error will not include any additional
details). If this occurs, perform a Repair Configuration on the camera,

Replace Configurations: Pushes the entire device configuration from the Operations Manager
to the Media Server. The Media Server data is replaced.

Repair Configurations: Pushes only the configuration changes required to correct a mismatched
field. Changes are pushed from the Operations Manager to the Media Server.
Configuring Camera PTZ Controls, Presets, and Tours
Cameras that support pan (left-right), tilt (up-down) and zoom (in-out) movements can be controlled
using either the on-screen PTZ controls, or a third-party joystick. PTZ control is available when viewing
live video only.

In addition, you can configure PTZ cameras for the following:

Create PTZ presets that allow operators to quickly jump to a preset position.

Create PTZ tours that automatically cycle a camera between the PTZ preset positions.

Create Advanced Events that automatically move the camera to a PTZ preset position when an
event occurs.

Define a Return To Home preset that automatically returns the camera to a selected Home
position when idle for a specified number of seconds.

Define user groups that have priority for accessing PTZ controls.

PTZ Requirements
Cameras that support PTZ controls automatically display an Image tab in the camera configuration that
includes PTZ controls (choose the camera and click the Image > Pan/Tilt/Zoom).

PTZ cameras and PTZ users require the following:


Cameras must support PTZ functionality.
PTZ functionality must be enabled on the camera.
The PTZ settings require that the ActiveX player be installed on a supported browser, such as
Internet Explorer.
To use PTZ controls, you must belong to a user group with Perform PTZ permissions.
To configure PTZ presets, PTZ tours, and Advanced Events, you must belong to a user group
with Cameras permissions.
To configure the PTZ Priority and Lockout Period, you must belong to a user group with Users
& Roles permissions.
PTZ Camera Configuration Summary
Cameras with PTZ functionality display a Pan/Tilt/Zoom tab under the Image tab of the Camera
configuration page. Use the Pan/Tilt/Zoom tab to create PTZ presets and PTZ tours.

You can also use the Advanced Events to automatically trigger PTZ presets when an event occurs.

Camera PTZ Configuration

The following procedure summarizes the PTZ configuration options.

Procedure

Task
Step 1 Install the PTZ camera and enable PTZ functionality, if necessary.
Step 2 Add the camera to the Cisco VSM configuration.
Step 3 (Optional) Connect a PTZ joystick to a USB port on your PC and calibrate the device for Windows.
Step 4 Verify that you are using a compatible browser (such as Internet Explorer) with the ActiveX player
installed.
Step 5 Open the camera PTZ configuration page to verify the camera PTZ controls are available:
a. Select Cameras and select a camera name.
b. Click the Image tab and verify that the Pan/Tilt/Zoom tab is selected.
Step 6 (Optional) Configure the camera PTZ presets.
Presets are used to quickly adjust a camera view to a pre-defined PTZ setting.
Step 7 (Optional) Configure the camera PTZ tours.
PTZ tours are used to cycle the camera view between PTZ presets.
Step 8 (Optional) Define if the camera should return to a selected Home position when idle for a specified
number of seconds.

Note
If a PTZ tour is enabled, then the Return to Home setting is ignored.
Step 9 (Optional) Enter the camera PTZ idle time that defines the following:

PTZ Tour: the number of seconds after a manual PTZ movement or event action before the
PTZ tour can resume.
Return to Home: the number of seconds after a manual PTZ movement or event action before
the camera returns to the Return to Home preset position.
User PTZ control (priority lockout or camera controls lockout): the number of seconds that a
lower priority user has to wait before being able to move the camera after a higher priority
user stops using the PTZ controls.

Note
PTZ tours and Return to Home have the lowest priority, allowing users and Advanced Events to assume PTZ
control when necessary.
Step 10 (Optional) Define the user groups that have priority over other users for controlling PTZ cameras.
Note
By default, all user groups have the highest priority (100).
Step 11 (Optional) Configure the Return to Home preset position and timer.
Defining the User Group PTZ Priority
A conflict can occur if multiple users attempt to use the PTZ controls for the same camera. For example, if
a security incident occurs, a security officer may need to assume control over lower-priority users. To
resolve this, each user group is assigned a PTZ priority number from 1 to 100. Users in a group with a
higher number are given PTZ priority over users that belong to a group with a lower number. If the PTZ
controls are in use by a lower-priority user, the higher-priority user can assume control immediately.

When a higher priority user assumes control of a PTZ camera, lower priority users are denied access to
the PTZ controls. The lockout continues until the higher-priority user stops accessing the PTZ controls,
plus the number of idle seconds defined in the PTZ idle setting.

Usage Notes
By default, all user groups have the highest priority (100).
Users that belong to multiple user groups gain the highest priority from any assigned
group.
If a higher-priority user is using the PTZ controls, the PTZ controls remain locked and you
cannot control the PTZ movements until released by the higher priority user (and the idle time has
expired).
If users belong to user groups with the same priority, they will be able to access the PTZ controls
at the same time. This can result in conflicting movements.
Advanced Events that trigger a PTZ preset position are assigned a priority of 50. This setting
cannot be changed.
Event-triggered PTZ presets will take control from any user group members that have a
priority lower than 50 (user groups with a higher priority can take control or will
maintain control).
The camera remains at the PTZ preset unless a PTZ tour is enabled or a user accesses the
PTZ controls.
PTZ tours and Return to Home are assigned the lowest priority by default. This allows users to
assume control of any camera that is configured with a rotating PTZ tour. Event-triggered PTZ
movements also override PTZ tours.
When all users stop accessing the PTZ controls and idle time expires, the camera PTZ Tour or
Return to Home position will resume, if configured (the PTZ tour continues). The lockout idle
time is reset each time the higher-priority user accesses the PTZ controls.
If the When manual PTZ idle for field is not defined, then cameras use the number of seconds in
their associated Media Server's Camera Control Lockout field.
Example
The following example is based on this scenario:
A PTZ tour is configured
user1 is in a user group with PTZ priority 60
user2 is in a user group with PTZ priority 100
The PTZ idle time (lockout) is 30 seconds
An Advanced Event is configured to move to the PTZ preset when a motion event occurs

A PTZ tour is enabled and rotating the camera between PTZ presets. User1 can access the PTZ controls
and interrupt the tour. However, if higher-priority user2 also accesses the camera PTZ controls, then
user2 will take control and user1's PTZ commands will be ignored. This is because user2 is in a user
group with priority 100 while user1 is in a user group with priority 60 (PTZ tours have the lowest
priority).

When the higher-priority user2 stops moving the camera, user1 must still wait the number of seconds
defined in the camera When Manual PTZ idle for setting before they can move the camera again. If user2
uses the PTZ controls within that idle time, then the timer is reset and user1 must continue to wait.
Advanced Event PTZ movement is the same as a user with priority 50 moving the camera. If lower
priority users (0-49) are moving the camera, those lower priority users will lose control of the camera
and the event will PTZ move the camera. If higher priority users (51-100) are using the camera then the
event PTZ movement will not happen.

If the event PTZ successfully moved the camera, then the camera's idle time lockout is set, preventing
lower priority users from moving the camera until it expires.

When all users stop accessing the PTZ controls, the PTZ tour continues (after the idle time expires).
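
The priority and lockout rules above, and the user1/user2 scenario, modelled as an added Python example (not Cisco code and not part of the original guide). It assumes that tours and Return to Home act at priority 0, that the lockout ends once the idle seconds have fully elapsed, and uses constructed group names and timestamps; it also flags groups that share a priority, which is the state every deployment starts in because all groups default to 100.

```python
"""Model of the PTZ priority and idle-lockout rules described in this section."""

EVENT_PRIORITY = 50           # page: Advanced Event presets always act at priority 50
TOUR_PRIORITY = 0             # assumption: "lowest priority" (tour, Return to Home) modelled as 0
DEFAULT_GROUP_PRIORITY = 100  # page: every user group defaults to the highest priority


def effective_priority(user_groups, group_priority):
    """A user in several groups gains the highest priority of any assigned group."""
    return max(group_priority.get(g, DEFAULT_GROUP_PRIORITY) for g in user_groups)


def groups_sharing_priority(group_priority):
    """Groups with the same priority can move one camera at the same time (conflicts)."""
    by_priority = {}
    for group, priority in group_priority.items():
        by_priority.setdefault(priority, []).append(group)
    return {p: sorted(g) for p, g in by_priority.items() if len(g) > 1}


class PtzArbiter:
    """Decides whether a PTZ command is accepted for one camera."""

    def __init__(self, idle_seconds):
        self.idle_seconds = idle_seconds      # the "When manual PTZ idle for" value
        self.holder_priority = TOUR_PRIORITY  # priority of whoever moved the camera last
        self.last_command = None              # time of the last accepted command

    def locked(self, now):
        """True while the idle timer started by the last accepted command is running."""
        return self.last_command is not None and now - self.last_command < self.idle_seconds

    def request(self, priority, now):
        """Return True if a command at this priority is accepted at time `now`."""
        locked = self.locked(now)
        if locked and priority < self.holder_priority:
            return False                      # lower priority: command is ignored
        if not locked or priority > self.holder_priority:
            self.holder_priority = priority   # requester takes control
        self.last_command = now               # each accepted command resets the idle timer
        return True

    def tour_running(self, now):
        """The tour (or Return to Home) resumes only after the idle time expires."""
        return not self.locked(now)


def replay(timeline, arbiter):
    """Apply (time, actor, priority) commands in order; return (time, actor, accepted)."""
    return [(t, actor, arbiter.request(priority, t)) for t, actor, priority in timeline]


# Constructed data for the page's scenario: idle time 30 s, user1 = 60, user2 = 100.
GROUPS = {"operators": 60, "security_officers": 100, "contractors": 40}
USER1 = effective_priority(["operators"], GROUPS)
USER2 = effective_priority(["security_officers"], GROUPS)
USER3 = effective_priority(["contractors"], GROUPS)
SCENARIO = [
    (0, "user1", USER1),                   # interrupts the tour
    (5, "user2", USER2),                   # higher priority takes over immediately
    (10, "user1", USER1),                  # ignored while user2 holds control
    (20, "user2", USER2),                  # resets the lockout timer
    (45, "user1", USER1),                  # still inside the 30 s idle window
    (48, "motion_event", EVENT_PRIORITY),  # blocked by a higher-priority user
    (55, "user1", USER1),                  # idle time expired, user1 moves again
    (60, "motion_event", EVENT_PRIORITY),  # user1 (60) outranks the event (50)
    (100, "motion_event", EVENT_PRIORITY), # nobody active: preset is applied
    (110, "user3", USER3),                 # priority 40 is locked out by the event
]

if __name__ == "__main__":
    arbiter = PtzArbiter(idle_seconds=30)
    for t, actor, accepted in replay(SCENARIO, arbiter):
        print(f"t={t:>3}s {actor:<13} {'accepted' if accepted else 'ignored'}")
    print("tour resumes at t=131s:", arbiter.tour_running(131))
    print("groups sharing a priority:", groups_sharing_priority({"a": 100, "b": 100, "c": 60}))
```
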

Defining the User Group PTZ Priority Level

Step 1 Define the PTZ priority for each user group.


a. Select Users, and then select the User Groups tab.
b. Select a user group or create a new group.
c. In the PTZ priority over other user groups field, select a number from 1 to 100 (the
default is 100, the highest priority).
d. Click Save.

Step 2 (Optional) Enter the camera idle time to define the number of seconds a lower-priority user must
wait after a higher-priority user stops using the PTZ controls.
Configuring PTZ Presets
PTZ presets allow operators to quickly jump to a preset position.

To access the PTZ preset, go to the Monitor page, display the camera video, right-click the
image and choose Presets from the Pan, Tilt, and Zoom menu. Choose a preset to move the
camera to the defined position.

To trigger presets with a USB joystick, press the joystick button that corresponds to the PTZ
preset number. For example, joystick button 1 triggers PTZ preset 1, joystick button 2 triggers
PTZ preset 2, etc.

You can also create PTZ tours that automatically cycle a camera between the PTZ preset
positions, or Advanced Events that automatically move the camera to a PTZ preset position
when an event occurs.

PTZ presets cannot be deleted if they are being used in a PTZ tour.

If a camera is replaced, you must re-define the PTZ presets since the coordinates will not match
the new device.

To configure PTZ presets, use the PTZ controls to adjust the live video stream, enter a preset name, and
click Set.

PTZ Preset Configuration


Procedure

To define PTZ presets, do the following:

Step 1 Open the camera PTZ configuration page:


a. Click Cameras.
b. Click a location or Media Server and select a camera.
c. Click the Image tab and then click Pan/Tilt/Zoom.
d. Verify that the PTZ controls are enabled (if disabled, click the icon to enable PTZ
controls).

Step 2 Position the camera using the following controls:


Using a Mouse
Pan and Tilt: Left-click the image and drag the mouse right, left, up and down.
Zoom: Shift-click the image and drag the mouse up and down to zoom in and out.

Using a USB Joystick

Pan: move the joystick bar horizontally.
Tilt: move the joystick bar vertically.
Zoom: twist the joystick.

Step 3 Enter a PTZ Preset name.


For example: Lobby Door Close-up.

Step 4 Click Set.

Step 5 (Optional) Click Test to move the camera position between different preset positions.

Step 6 Repeat Step 2 through Step 5 to define additional PTZ presets.

Step 7 Click Save to save the camera settings.


Configuring PTZ Tours
PTZ tours automatically rotate a camera's view between PTZ presets in a specified order, pausing at each
position according to the specified dwell time. The camera will continue to rotate between the presets
until interrupted or disabled by an operator or Advanced Event. When the last preset in the list is reached,
the tour starts over at the beginning.

Usage Notes
Any camera that supports PTZ presets also supports PTZ tours. At least two PTZ presets must be
available to create a PTZ Tour.
You can enable a single PTZ tour for each camera.

PTZ tours have the lowest priority for PTZ camera movements. For example, operators can
manually take PTZ control of the camera, or an Advanced Event can move the camera to a PTZ
preset. Both users and events have priority PTZ access to the camera.

Operators can interrupt the tour by manually changing the PTZ position. The camera will stay at
the user-selected position for the number of seconds configured in the Advanced Setting When
manual PTZ idle for, and then resume the tour with the next preset.

To stop the PTZ tour, deselect Enable PTZ Tour. The camera will return to the first PTZ preset
in the tour list.
If a PTZ tour is enabled, then the Return to Home setting is ignored.

If the PTZ tour is disabled, the camera will stay at the current position, or go to the Return to
Home setting, if configured.

Procedure

Step 1 Define at least two PTZ presets for the camera.

Step 2 Define the PTZ presets included in the tour:

a. Click Add or Edit to open the PTZ Tour Configuration window.

PTZ Tour Configuration


b. Select the Transition Time (the time that a camera stays at each preset position before
changing to the next preset).
c. Use the right-left arrows to move the presets from Available to Selected.

Note
At least two presets must be included in the Selected column.

d. Use the up-down arrows to move the presets up or down in the list to define the order of
the preset rotation.
e. Click Save.

Step 3 (Optional) Select Enable PTZ Tour to turn on the PTZ tour for the camera.

The camera will display the PTZ tour whenever live video is displayed. To stop the PTZ tour,
you must deselect Enable PTZ Tour.

Enable the PTZ Tour

Step 4 (Optional) Define the camera PTZ idle time: the number of seconds after a manual PTZ movement
or event action before the PTZ tour can resume.
Configuring Advanced Settings
The PTZ advanced settings define the following:

The number of idle seconds before the following occur:

The number of seconds before a PTZ tour resumes (after a manual or event override).
The number of seconds a lower priority PTZ user must wait after a higher-priority user
stops using the camera PTZ controls.
The number of seconds before the camera returns to a PTZ preset home position.

The Return to Home PTZ preset position. This returns a camera to a default PTZ location when
the manual PTZ controls are not used for the idle length of time.

Procedure
Step 1 Go to the camera's PTZ configuration page.

a. Click Cameras.
b. Click a location or Media Server and select a camera.
c. Click the Image tab and then click Pan/Tilt/Zoom.

Step 2 Click PTZ Advanced Settings.

Step 3 Use the following settings to define if the camera should return to a selected Home position
when idle for a specified number of seconds.

Camera PTZ Advanced Settings


Setting Description
When manual PTZ idle for The number of seconds the camera can be idle (no PTZ commands) before the
camera returns to the home PTZ preset or continues a PTZ tour.

Note
By default, the idle time is defined by the Media Server's Camera Control Lockout setting.
Use the When manual PTZ idle for field to override the server setting for the current camera.

PTZ Tour: the number of seconds after a manual PTZ movement or event
action before the PTZ tour can resume. The timer is reset whenever the
camera PTZ controls are used by an operator or event action.

Return to Home: the number of seconds after a manual PTZ movement or
event action before the camera returns to the Return to Home preset position.
The timer is reset whenever the camera PTZ controls are used by an
operator or event action. You can also display a countdown and cancel
option on the user's screen.

User PTZ control (priority lockout or camera controls lockout): the number
of seconds that a lower priority user has to wait before being able to move the
camera after a higher priority user stops using the PTZ controls.
Enable Home Preset If enabled, the camera will move to the Return to Home preset location if idle for the
number of seconds in the When manual PTZ idle for setting.
De-select this option to disable the Return to Home feature.

Usage Notes
If a PTZ tour is enabled, then the Return to Home setting is ignored.
Configure at least one PTZ preset.
Return to Home Select the PTZ preset used as the Home position.

Step 4 Click OK to accept the advanced settings.

Step 5 Click Save to save the PTZ changes on the camera.


Configuring a PTZ Return to Home Countdown
Use the Advanced Settings to return a camera to a default PTZ location when the manual PTZ controls
are not used for a specified length of time.

If the Return To Home feature is enabled for one or more cameras, you can optionally display a
warning on the monitoring workstation before the camera returns to the home PTZ position. This warning
also allows users to cancel the operation and keep the camera at the current position, if necessary.

Return To Home Warning

This option is configured on each client workstation by editing the following setting using the
computer's Registry Editor. The message appears 60 seconds before the camera returns to the home
position. This value can also be (optionally) modified.

Note
If a PTZ tour is enabled, then the Return to Home setting is ignored and uses the PTZ tour presets.

The PTZ Return to home warning message may not be displayed on workstations running
Windows 8 with the IE 10 browser or Windows 8.1 with the IE11 browser. In IE 11, run IE as an
administrator and uncheck the "Enable Protected Mode" option, then restart IE.

Tip
The following process edits the Cisco Multi-Pane Video Surveillance Client that is installed on the workstation when
you first access the Cisco VSM Operations Manager or the Cisco Video Surveillance Safety and Security Desktop
application (Cisco SASD). This Multi-Pane client is the ActiveX utility installed on each client machine to enable
video viewing and controls.

Note
You must edit the setting for both the 32-bit client and the 64-bit client (if installed). The 64-bit client is used for 64-
bit IE browsers and the Cisco SASD application.
Procedure
To configure a Return to Home countdown on the monitoring workstation.

Step 1 Go to Start > Search, and enter regedit.

Step 2 Select regedit from the results to open the Registry Editor utility.

Edit the Registry Editor Entry On Each Workstation

Step 3 Enable the 32-bit multi-pane client (which is used for the browser).

a. Select HKEY_CURRENT_USER > Software > Cisco Systems, Inc. > Cisco Multi-Pane
Video Surveillance Client 32 bit.
b. Add an EnablePTZRTHWarning entry.
c. Enter 1 in the Value Data field.
1=the warning is on
0=the warning is off
d. Click OK.

Step 4 Repeat these steps for the 64-bit client:

a. Select HKEY_CURRENT_USER > Software > Cisco Systems, Inc. > Cisco Multi-Pane
Video Surveillance Client 64 bit.
b. Add an EnablePTZRTHWarning entry.
c. Enter 1 in the Value Data field.
d. Click OK.
Step 5 (Optional) Change the number of seconds the message will appear before the camera returns to the
home position. The default value is 60 (seconds).
a. Add a PTZ_RTHCountdownSecond entry (Figure 9-26).
b. Enter a decimal value in the Value Data field. This number is the number of seconds.
c. Click OK.

(Optional) Edit the Number of Countdown Seconds

Step 6 Close the Registry Editor window.

Step 7 Restart the monitoring windows by closing and re-launching any Operations Manager windows
or the Cisco SASD application.

Step 8 Test the monitoring workstation to verify that the warning message appears.

a. When 60 seconds remain in the countdown, a message appears: Camera returning to home
position in <X> seconds [Click here to cancel].
b. If the user clicks Cancel, the camera stays in the current position and the return to home
timer is reset.
Configuring Motion Detection
Cameras that support motion detection can trigger actions or record video when motion occurs in the
camera's field of view. For example, a camera pointed at the rear door of a building can record a motion
event if a person walks into the video frame. A motion event can also trigger alert notifications, a
camera's PTZ controls, or a URL action on a third-party system.

Motion detection is supported for analog cameras only if the encoder supports motion detection.
Motion detection is supported only for the primary (Stream A) video.
Motion can be detected for a camera's entire field of view, or for specified areas. If the camera
or encoder supports exclusion areas, you can also exclude areas where motion should be
ignored.
Motion detection must be configured for each camera (motion detection is not defined by camera
templates). Use Bulk Actions to locate cameras without motion detection and add motion
detection for the camera's entire field of view.
Alerts can be configured for motion events, contact closures, analytic events, or soft triggers.
Always configure these features carefully to avoid overwhelming operator(s) with an excessive
number of alerts. If an excessive number of alerts is generated, the system may ignore new
alerts while deleting old entries.
Be sure to successfully save or revert your changes while still in the motion configuration
window.
Clicking out of the window before changes are successfully saved or discarded can cause a
configuration mismatch to occur on the camera Status page (the error will not include any
additional details).
If a camera configuration is changed to a template that has different resolution settings, all
motion detection windows are deleted and you must re-configure them. Use the following
instructions to apply motion windows to cameras, or import the motion window settings for
multiple cameras.

Motion Detection Overview


Cameras that support motion detection display a Motion tab under the camera Image settings

Configuring Motion Detection


To enable motion events, you must define the areas in the camera image that should detect motion. You
can define the entire field of view, or use the Include Area to draw a box where motion will be detected.
Motion outside of the include box(es) is ignored. Add exclude areas within include boxes to also ignore
motion in a portion of the included areas.

Motion Detection Settings


Use the settings described in the following table to define the portions of the camera image to include or exclude, and
how sensitive the included areas should be.

Motion Detection Settings


Setting/Field Description
Include Area Drag and drop the Include Area box onto the image to define a
window where motion should be detected.
Exclude Area Drag and drop the Exclude Area box onto the image to exclude
portions of the included area.
For example, if the include area covers an entire room, you can exclude
an area where regular motion occurs, such as a clock or fan. Exclude
areas are used to reduce unwanted motion events.
Persistence The amount of time that motion must occur (within the selected
window) for a motion start event to occur.
The recommended value is 0 (default): motion of any duration results in
a motion start event. Select a higher number if the motion duration
should continue longer before a motion event is triggered.
Stop Trigger Time Determines how many milliseconds to delay when a motion event is
considered to have stopped (after the actual motion has ended).
The recommended value is 0 (default): the event stops immediately when
the motion ends. Select a higher number to define a motion event delay.
This setting prevents multiple motion events from being triggered
when motion reoccurs in a short period of time. Select a time that will
result in only one event for the burst of motion activity.
Window Name The name of the selected motion window.

Click an include or exclude area, and enter a meaningful name.


Detection Threshold and Sensitivity (Include Areas only)
Detection Threshold: The size of object needed to trigger a
motion start.
Sensitivity: Determines the degree of susceptibility to motion.
The more sensitive, the less motion is needed to trigger a
motion start.

These values are set by default based on the recommended settings for
the camera model. For example:
Cisco 26xx: Threshold = 10, Sensitivity = 80
Cisco 29xx: Threshold = 10, Sensitivity = 80
Cisco 45xx: Threshold = 10, Sensitivity = 80
Cisco 60xx: Threshold = 1, Sensitivity = 85
(The maximum value is 100. The minimum value is 0.)
Save Motion Configs Saves the changes to the camera's motion detection settings.
Restore Motion Configs Restores the settings to the previous saved values.
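
The effect of Persistence and Stop Trigger Time on the number of motion events (and therefore alerts) can be seen with a small model. This is an added sketch, not Cisco code: the function and class names, the millisecond unit for Persistence, the event-merging rule and the sample bursts are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MotionEvent:
    start_ms: int  # when the motion start event fires
    stop_ms: int   # when the event is considered stopped


def motion_events(bursts, persistence_ms=0, stop_trigger_ms=0):
    """Turn raw motion bursts inside one include window into motion events.

    bursts: iterable of (start_ms, end_ms) intervals of continuous motion.
    Simplified model (an assumption, not the camera firmware's algorithm):
      * a burst opens an event only if it lasts at least persistence_ms;
      * after motion ends, the event stays open for stop_trigger_ms, and
        motion that reoccurs inside that delay extends the same event.
    """
    if persistence_ms < 0 or stop_trigger_ms < 0:
        raise ValueError("settings must be >= 0")

    events = []
    open_start = None   # start time of the event currently open, if any
    last_motion = None  # end of the most recent motion in the open event

    for start, end in sorted(bursts):
        if end < start:
            raise ValueError(f"burst ends before it starts: {(start, end)}")

        if open_start is not None:
            # Motion reoccurred before the stop delay expired: same event.
            if start <= last_motion + stop_trigger_ms:
                last_motion = max(last_motion, end)
                continue
            # Stop delay expired before this burst: close the open event.
            events.append(MotionEvent(open_start, last_motion + stop_trigger_ms))
            open_start = None

        # No event is open: the burst must outlast Persistence to start one.
        if end - start >= persistence_ms:
            open_start = start + persistence_ms
            last_motion = end

    if open_start is not None:
        events.append(MotionEvent(open_start, last_motion + stop_trigger_ms))
    return events


# Constructed sample: a person crossing a doorway in three short bursts,
# a 50 ms flicker (for example a light change), then a second visitor.
SAMPLE_BURSTS = [
    (0, 800), (1200, 1900), (2500, 3100),
    (9000, 9050),
    (20000, 21500),
]


def compare_settings(bursts=SAMPLE_BURSTS):
    """Event count for three (persistence_ms, stop_trigger_ms) pairs."""
    settings = [(0, 0), (0, 1000), (200, 1000)]
    return {s: len(motion_events(bursts, *s)) for s in settings}


if __name__ == "__main__":
    for (persistence, stop), count in compare_settings().items():
        print(f"persistence={persistence:>4} ms  "
              f"stop_trigger={stop:>5} ms  -> {count} event(s)")
```

With the defaults every burst becomes its own event; a one-second stop delay collapses the doorway crossing into a single event, and a non-zero Persistence also drops the flicker.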

Configuring Motion Detection


Procedure
Step 1 Verify that the camera or encoder supports motion detection.

Step 2 Log on to the Operations Manager.

You must belong to a User Group with permissions for Cameras.

Step 3 Verify that you are using a compatible browser (such as Internet Explorer) with the ActiveX
player installed.

Step 4 (Optional) Complete the procedure in Enabling Motion Detection on All Existing Cameras (Bulk Actions).

Step 5 Open the camera configuration page:

a. Click Cameras.
b. Select the camera's location, Media Server or template.
c. Select the camera from the list in the lower left column.

Step 6 Click the Image tab.

Step 7 Click the Motion tab.

The current camera image appears.

Step 8 Add green Include Areas (windows) where motion should be detected in the image.

a. Drag the green Include Area box onto the video image.

b. (Optional) Enter a name in the Window Name field.

c. Move and resize the motion window.


To move the window, click and hold within the window, then use the move cursor
to drag the window to a new location.
To resize the window, click and hold the corner or edge to change the size and shape.

d. Repeat these steps to create additional Include Areas in the video frame.

Step 9 Define the motion detection settings for each Include Area.

a. Click the motion window to select it.


b. Change the motion detection settings, as necessary.
Step 10 (Optional) Add a red Exclude Area box within an include box to define where motion should be
ignored.

Note
All areas outside of the include boxes are ignored by default. Add exclude areas within include
boxes to also ignore motion within the included areas.

a. Drag the red Exclude Area box onto the video image (Figure).
b. (Optional) Enter a name in the Window Name field.
c. Move and resize the motion window.

Step 11 Click Save Motion Configs.

Tip
Click Restore Motion Configs to return the settings to the previously saved value.

Note
Be sure to successfully save or revert your changes while still in the motion configuration window. Clicking out of
the window before changes are successfully saved or discarded can cause a configuration mismatch to occur on the
camera Status page (the error will not include any additional details).

Step 12 (Optional) Configure motion event recordings for a camera or template.

Step 13 (Optional) Configure actions that are triggered when a motion event occurs.
Enabling Motion Detection on All Existing Cameras (Bulk Actions)
Use the Bulk Actions feature to discover all cameras where motion detection is unconfigured, and add a
default motion window that includes the entire field of view.

This process selects the entire camera view to be included in the motion window. Use the camera
configuration page to make further refinements or define excluded areas.

Bulk Actions

Procedure
Step 1 Click Cameras to open the camera configuration page.

Step 2 Click Bulk Actions.

Step 3 Expand Issue Type and select Motion Unconfigured.

Step 4 Click Search.

Step 5 Select the cameras from the listed results.

Step 6 Select Bulk Actions > Camera Settings, and select the Default Motion Window option.

Step 7 (Optional) Use the camera configuration page to refine the motion detection areas and
sensitivity for each camera.
Replacing a Camera
Replacing a camera allows you to exchange the physical camera hardware while retaining the
configurations, associations and historical data of the original device. The replacement camera also uses
the original camera name and device unique ID (used in API calls).
After the camera is replaced, only the hardware-specific details are changed, including the device MAC
address, IP address, and camera make and model.

Camera Attributes That Are Retained


For example, replacing a network or analog camera allows you to use new hardware while retaining the
following:

Existing recordings are retained.


The new camera continues to stream video using the original camera name.
Alert and audit records are retained.
The camera association in maps, Views and locations is retained, allowing users to continue to
access the camera based on the user's access permissions and available features.

Configurations That Must Be Reapplied On the New Camera


When a network or analog camera is replaced, you must re-configure the contact closure, PTZ preset and
motion detection settings. You can apply the settings manually, or use the preset Camera Settings Feature.
For analog cameras, you must also reconfigure the serial connection.

Replacement Options
In Release 7.5 and later, you can replace a camera with an existing camera (a camera that was previously
added to Cisco VSM), or with a new camera. If replacing the camera with an existing camera, the camera
must have been previously added to the Operations Manager.

Usage Notes

Both network and analog cameras can be replaced (network cameras require the username and
password configured on the device).
Any network (IP) camera can be replaced by any other network (IP) camera, even if the devices
are a different make and model (be sure to select the appropriate template for the new camera
model). Network (IP) cameras cannot be replaced by an analog camera or encoder (or vice
versa).

Addressing Camera Collisions

When you attempt to replace a camera when a device id-collision exists, the replacement will fail and you
must first clear the collision.

For example:

You attempt to replace CameraB with CameraA, but the devices are in id-collision.
You attempt to replace CameraA with a newly added CameraB, but a CameraC is already in the
system that is colliding with CameraB.
In these situations, the Operations Manager will not proceed with the replacement, stating that
the camera is already in collision, and you must first clear the collision using one of the following
methods:
Soft-delete or delete one or more of the cameras (such as the camera already in the system).
The camera may be in the Pending camera list or elsewhere.

Replace one camera with the other (merge the devices to eliminate the collision).

Note
An IP collision occurs when two devices are configured with the same IP address.

Camera Replacement Procedure


Step 1 Open the camera configuration page for the existing camera (the camera to be replaced).

Step 2 Select Device Settings > Replace Camera (Figure).

Replace Camera

Step 3 Select Existing Camera if the device was previously added to the Operations Manager.

a. Click the Camera Name field.


b. Select a camera from the pop-up window (the remaining fields are automatically
completed).
c. Click Replace.
d. Modify the camera settings, if necessary:
Existing Camera: Replacement Settings
Setting Description
Camera (Read-only) The name of the existing camera

Replace With

Camera Name (Required) Select the new (replacement) camera.


The replacement camera must be in either pre-provisioned or Enabled
state (cameras that are soft-deleted or blacklisted are unavailable).
The name, historical data, unique ID and configurations of the existing
camera will be transferred to the replacement camera. Only hardware
information such as MAC ID, IP address and make and model will be
changed in the camera configuration.
Username/ Password (Required for IP Cameras Only) Enter the credentials used to access the
replacement camera on the network.
These fields are populated if defined when the replacement camera
was added.
You can modify the username and password, if necessary, but the
entries must match the credentials that were configured on the camera.
This field is required for IP cameras only. Analog cameras do not
require a password since they are connected to an encoder.
Template (Required) Select the camera template.
The template is populated if defined when the replacement camera
was added.
You can choose a different template, if necessary. Select a template that
is appropriate for the new make and model.
Camera Settings Apply a set of camera settings for features such as the motion detection
window and sensitivity, tamper settings, and NTP server and timezone used by
the device.
Existing Settings: apply a pre-defined set of configurations.
New Setting: define a new set of configurations. Enter a name to save
the Camera Settings, so they can be applied to other cameras.

e. Wait for the job to complete.

Tip
When the page returns, the new camera will appear with the same name as the old camera, and will include all
configurations, recordings, and event histories. Associations with locations, maps, and Views are also the same.

Step 4 Select New Camera if the device is not in the Operations Manager configuration.

a. Enter the basic device configuration:

IP address
Username
Password
Model
Template
Camera Settings

b. Click Replace.
c. Wait for the job to complete.

Tip
When the page returns, the new camera will appear with the same name as the old camera,
and will include all configurations, recordings, and event histories. Associations with
locations, maps, and Views are also the same.

Step 5 Re-configure the contact closure, PTZ preset and motion detection settings, if necessary.
Bulk Actions: Revising Multiple Cameras
Bulk Actions allows you to change the configuration or take actions for multiple cameras. For example,
you can enable, disable, or delete the devices. You can also change the template, repair the
configurations, change the location or change the password used to access the device.
To begin, filter the devices by attributes such as name, tags, model, Media Server, location, status, or
issue. You can then apply changes to the resulting devices.

Requirements
Users must belong to a User Group with permissions to manage Cameras.
Only super-admin users can apply the Change Password option using Bulk Actions.
Non-super-admins must use the device configuration page to change one device at a time.

Procedure
Step 1 Select Cameras > Cameras.

Step 2 Click Bulk Actions (under the device list) to open the Bulk Actions window.

Bulk Actions Window


Step 3 Select the filter criteria.

Bulk Action Filters

Filter Description
Search by Name Enter the full or partial device name.

For example, enter Door or Do to include all device names that include Door.
Search by Tag Enter the full or partial tag string and press Enter.
Make/Model Select the device model(s).

For example, Cisco HD IP Camera 4300E Series.


Encoder Filters Click to select the encoder(s).
Server Select the Media Server associated with the devices.
Install Location Select the location where the devices are installed.
Template Select the templates assigned to the device.
Overall Status Select the administrative states for the devices. For example:

Enabled (OK, Warning or Critical): The device is enabled, although it may
include a Warning or Critical event.
Disabled: The device is disabled and unavailable for use. The configuration
can be modified, and any existing recordings can be viewed, but cameras
cannot stream or record new video.
Pre-provisioned: The device is waiting to be added to the network and is not
available for use. A pre-provisioned camera can be modified, but the camera
cannot stream or record video until you choose Enable from the Device
Settings menu.
Soft Deleted: The device is removed from Cisco VSM but the recordings
associated with that device are still available for viewing (until removed due to
grooming policies).
Issue Type Select the issues that apply to the device. For example:

Configuration Mismatch: the camera configuration on the Media Server is
different than the camera configuration in the Operations Manager.

Tip
Always use the Operations Manager to configure cameras. Changes made directly to the camera
are unknown to Cisco VSM and can result in incorrect behavior.

Capability Mismatch: the capabilities on the camera do not match the Cisco
VSM configuration.
Identity Collision: the camera has an IP address or hostname that is the same
as another device.
Motion Unconfigured: motion is not configured on the camera.

Category Select the issue categories that apply to the device. For example, hardware issues or
configuration issues.

Step 4 Click Search.

Step 5 (Optional) Click the icon to view and edit the device status and configuration settings.
Step 6 Select the devices that will be affected by the action.

Choose the Select All check box to select ALL cameras matched by the filters, including the
devices not shown in the grid.
Use CTRL-CLICK and SHIFT-CLICK to select multiple items.

Step 7 Click an Action button.

Camera Bulk Actions


Action Description
Delete Deletes the selected devices from the Operations Manager configuration.
Enable Enable the selected devices.
Disable Disable the selected devices.
Repair Configurations Synchronizes the configuration for the selected devices.
Replace Configurations Replaces the configuration on the Media Server with the version in the
Operations Manager, even if there is a difference.
Change Template Changes the template assigned to the devices.

Change Location Change the location for the selected devices.


Change Pointed To Location Change the location for the selected servers.
Change Media Server Change the Media Server that manages the camera.

Change Password Change the password for the devices.

Note
Only super-admin users can apply the Change Password option using Bulk Actions.
Camera Settings Apply a set of camera settings for features such as the motion detection
window and sensitivity, tamper settings, and NTP server and timezone used by
the device.

Existing Settings: apply a pre-defined set of configurations.
New Setting: define a new set of configurations. Enter a name to save
the Camera Settings, so they can be applied to other cameras.
Format SD Card Format the SD cards that are installed in the cameras.

Step 8 Follow the onscreen instructions to enter or select additional input, if necessary.

For example, Reapply Template requires that you select the template.

Step 9 Refer to the Jobs page to view the action status.


Lesson 6

Viewing Video
Overview
The following topics describe how to view live and recorded video using a
supported Cisco Video Surveillance application, such as the Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application or the
Cisco VSM Operations Manager.
Understanding the Video Viewing Options
Live and recorded Cisco Video Surveillance video can be viewed using a Cisco-provided application, as
summarized in the following table, or a third-party application that supports ActiveX controls.

Summary of Cisco Video Viewing Options


Viewing Tool: Desktop monitoring application
Application: Cisco Video Surveillance Safety and Security Desktop (Cisco SASD)
Description:
Allows simultaneous viewing of up to 25 cameras per Workspace, and up to 48 cameras per workstation.
Create Video Matrix windows for display in separate monitors.
View Video Walls.
Create unattended workstations.
View and manage alerts.
View cameras, video, and alerts based on a graphical map.

Viewing Tool: Web-based configuration and monitoring tool
Application: Cisco Video Surveillance Operations Manager (Operations Manager)
Description:
Allows simultaneous viewing of multiple video panes:
View up to 4 cameras with the 32-bit version of Internet Explorer.
View up to 25 cameras with the 64-bit version of Internet Explorer.
Create the Views and Video Walls available in the desktop Cisco SASD application.
Configure the camera, streams and recording schedules.

Viewing Tool: Desktop video clip player
Application: Cisco Video Surveillance Review Player (Cisco Review Player)
Description:
Simple player used to view video clip files.

Viewing Tool: Web-based server console
Application: Cisco Video Surveillance Management Console (Cisco VSM Management Console)
Description:
Provides basic viewing features for a single stream (Stream A) from a single camera.
Using the Monitor Video Page
Open the Monitor Video window to view video using the Cisco VSM Operations Manager.

Procedure

Step 1 Log on to the Cisco VSM Operations Manager.

Step 2 If prompted, complete the on-screen instructions to install or upgrade the Cisco Multi-Pane
client software on your computer.
This application is an ActiveX client that enables video playback and other features.
Video will not play unless the Cisco Multi-Pane client software is correctly installed.

Step 3 Click Monitor Video.

Step 4 (Optional) Select View Menu to select a video grid of multiple cameras.
Select Layout: select a blank layout.
Select Views: select a pre-defined View.

Step 5 Expand the location tree and drag a camera from the list onto a viewing pane.
Enter a partial or complete camera name in the Find field to display matching cameras.

You can also select a video pane by clicking in it, and then double-click the camera
name.

Step 6 To use the video playback controls.


Selecting a Multi-Pane View
To view video from more than one camera, select an option from the View Menu, as described in the following table.

Video Layouts

Table View Menu


Menu: Select Layout
Purpose: Blank layouts
Description:
Choose Select Layout to select a blank layout (Figure), and then select cameras for each pane.

Menu: Current View
Purpose: Reset the currently displayed layout.
Description:
Choose Current View > Reset to reload the last view or layout and discard any changes.
Related information: Creating Video Views.

Menu: Select View
Purpose: Display pre-defined views
Description:
Choose Select View to select a pre-defined multi-pane view.
Views can (optionally) be configured to rotate video from multiple cameras to provide a virtual tour of a
building or area.
Related information: Creating Video Views, Setting the Default View.

Menu: Set Default View
Purpose: Define the view that is automatically loaded
Description:
The Default View is defined by each user and is automatically loaded when they click Monitor Video.
1. Create one or more Views.
2. Select View Menu > Set Default View.
3. Select a View from the pop-up window and click Select.

Note
The Default View is saved as a cookie in the browser and is unique
to each user/PC. The Default View is not displayed if using a
different workstation.

Related information: Setting the Default View.

Tip
To change the video in a View pane, drag and drop a camera name onto the pane.
To create Views, go to System Settings > Views.
Views can be accessed using either the browser-based Operations Manager or the Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application. The Operations Manager can display
a maximum of 4 video panes using the 32-bit version of Internet Explorer, and up to 16 panes when using
the 64-bit version. Cisco SASD can display up to 16 panes.
Double-click a video pane to fill the screen with that video. A preview of the other video panes is shown
in a smaller grid at the bottom of the screen. Double-click the video pane again to return the grid to
normal size.

Enlarge a Video Pane


Controlling Live and Recorded Video
Each video viewing pane in a Cisco Video Surveillance monitoring application supports the following
controls and features.

The features available on your workstation depend on the following:

The camera and system configuration.


Your user account access permissions.
The features supported by the video monitoring application.

Overview
To view live and recorded video, log on to the monitoring application and drag and drop camera names
onto the available viewing panes (you can also select a pane and double-click the camera name). Use
Views to view multiple panes in a single window.

For example, shows a multi-pane view using the Cisco Video Surveillance Safety and Security Desktop
(Cisco SASD) application.

Multi-Pane View using the Cisco Video Surveillance Safety and Security Desktop
Application

Each viewing pane includes various controls that allow you to do the following:

Switch between live and recorded video.


Select the playback timespan.
Pause, play, or skip forward and back.
Create and save video clips from recorded video.
Mute or un-mute the audio (if available).
Synchronize the playback of multiple recordings.
Control the Pan Tilt and Zoom (PTZ) movements of a camera (if supported by the camera).
Additional options are available by right-clicking the image. Options include synchronizing
multiple viewing panes, recording live video, expanding the image to fill the screen, creating a
snapshot image, and configuring smooth video options to improve playback performance when
network performance is poor.

Note
The available controls depend on the camera model and system configuration. For example, pan-tilt-zoom (PTZ)
controls are available only on cameras that support PTZ. Recording options are available only if the camera is
configured to record video. Synchronized playback is available for recorded video (not live video).

Viewing Live Video


Live video is displayed by default when you log in to the viewing application. Figure summarizes the
controls available in each viewing pane.

Video Pane Controls


1 Camera name: The source of the displayed video.

2 Indicates the quality of the primary live video stream. If the live video quality is poor, an alternative secondary or
iFrame video stream can be automatically applied.
3 Indicates live or recorded video (recorded video displays a time stamp).

4 Range Bar: Used with recorded video.

5 Seek: Used with recorded video to choose a playback time.

6 The green icon indicates live video. Click the icon to switch to the recorded view.

7 Live video playback controls.

Pause the video playback.


Play the video forward at normal speed.

Note
The other playback controls are used with archived video only.

8 Click the triangle to pin the control bar to the screen, or auto-hide the bar when the cursor is moved.

Note
The control bar and audio icon will not display if your workstation monitor is set to 16-bit color setting. Change your monitor
color setting to 32-bit.

9 Video image.
10 Camera menu.

Right-click the image to open the menu and select an option. Options not supported by the camera are disabled
(shown in gray).
11 Control icons.

Audio. The audio icon appears if the camera supports audio. Click to enable or mute live audio
volume. This control does not affect recorded video.

Privacy Mask. Click to enable or disable the Privacy Mask.

PTZ. Click to enable or disable the Pan, Tilt and Zoom (PTZ) controls.

The Synchronizing Video Playback in Multiple Panes.


Note
The control bar and audio icon will not display if your workstation monitor is set to 16-bit color setting. Change your monitor
color setting to 32-bit.
Usage Notes
Some firewall policies on enterprise PCs can block live video streams from cameras. If this
occurs, add the camera IP address to the firewall trusted list.
To maximize the video screens, move the new workspace to a separate monitor and double-click
a pane to fill the entire browser window. To fill the entire monitor screen, right-click the image
and select Full screen mode.
To control the playback in multiple video panes, Shift-Click or Ctrl-Click to select the panes.
The borders of all selected panes turn to orange. Controls and actions performed in one pane
also affect the other selected panes. To deselect panes, select a single pane, or use Shift-Click or
Ctrl-Click to deselect the panes.
Live video may be delayed 1-2 seconds. Live video can be further delayed if the smooth video
option is enabled.
Soft-deleted cameras (shown with an icon) are cameras that were removed from the system
but still allow access to the camera's recorded video. You cannot display live video from
soft-deleted cameras.
The control bar and audio icon will not display if your workstation monitor is set to 16-bit color
setting. Change your monitor color setting to 32-bit.

Viewing Recorded Video


You can view recorded video from a continuous loop, for a motion event, or from a video clip. The
camera must be configured to support each of these options, and you must have access to a video
viewing application that supports these functions (some applications are used for viewing only).

For example, a camera can be configured to record the following:

Continuous recordings that include video from a set amount of time, such as the past 60
minutes.

Motion event recordings that are triggered whenever a motion event occurs. Video is recorded
when the motion occurs, and for a configured number of seconds before and after the event. Use
a video viewing application (such as the Cisco Video Surveillance Safety and Security Desktop)
to view motion event video.
Viewing Recorded Video

1 Camera Name: Source of the recorded video.

2 Indicates the video quality, which can be affected by network and system performance. The icon turns red if the
video quality is poor.

Note
This icon is for informational purposes only when displayed with recorded video (the Smooth Video options do not apply).
3 Pop-up menu options.
4 Timestamp for the currently displayed video image.

Note
Changes to when live video is displayed.

5 Range Bar: The span of video to work with.

The entire range bar represents the entire span of available recorded video. Slide the range bar selectors to
shorten the range (see below).
The lower (green) seek bar represents the selected range (see below).
6 Range Bar selectors: Drag the range bar selectors to narrow the timespan of video you want to review.

For example, drag the selectors to create a 10 minute range. You can then drag that range left or right to the
appropriate place in the recorded span.

In the following example, the entire range of recorded video is selected (the range bar selectors are to the far right
and left). To display the timestamps, click a selector.

Click and drag the range bar selectors to choose a shorter period of time. In the following example, the range bar
selectors are used to select approximately 10 minutes of video. Drag the selected range left or right to locate the
desired range of recorded video.

Tip
The green seek bar represents the selected span. If the span in the top range bar is 10 minutes, then the green seek bar
represents 10 minutes of video. Slide the seek bar selector to choose the playback time (see below).
Double-click a range bar selector to play back the video from the beginning of that range.

7 Seek Bar: Represents the video range, and is used to select a playback time.
For example, if the range is 10 minutes, then the seek bar represents 10 minutes of video.

Tip
Right-click the seek bar and select Seek to... to select a specific date and time.

Note
Gaps in the recorded video are shown in gray. Recording gaps occur if recording was manually started or stopped, if recording
was stopped by a schedule, or if video was unavailable due to network connectivity issues, device malfunctions, or other events.
8 Seek Bar selector: Drag the selector to play video from the selected time (as indicated by the timestamp).

Note
When you move the scroll bar for a video pane that is synchronized, that pane becomes the new synchronization master pane. The
other synchronized panes play video according to the master pane.
9 Bookmarks: Create bookmarks to save a video clip or a repeating segment.

To create a bookmark, Ctrl-Click-drag the seek bar. The bookmark span is shown in orange.

10 Bookmarks menu: Right-click the seek bar to display the bookmark menu. You can save the bookmarked video as a
clip in one of the supported formats, remove all bookmarks, or create a repeating segment.

11 Indicates live or recorded video. Click the icon to switch between live and recorded video.

Live video is displayed.


Recorded video is displayed.

Tip
The first time you select a camera's recorded video, the playback begins slightly behind the live (current) time.
When you toggle between live and recorded, recorded video returns to the previously selected timestamp.

12 Recorded video playback controls.

Step Reverse button: (Archived video only) Pauses the playback and steps back one frame at a time.
Play Reverse button: (Archived video only) Plays the video archive in reverse at normal speed.
Pause button: Pause the video playback.
Play Forward button: Play the video forward at normal speed.
Step Forward button: (Archived video only) Pauses the playback and steps forward one frame at a time.

Variable Speed Playback

Right-click the Play Reverse or Play Forward button to play the video slower or faster.

For example, select 0.50X to play the video at half speed (forward or reverse). Select 4.00X to play at 4 times the
normal rate (forward or reverse).
13 Click the triangle to pin the control bar to the screen, or auto-hide it when the cursor is moved.

Note
The control bar and audio icon will not display if your workstation monitor is set to 16-bit color setting. Change your monitor
color setting to 32-bit.
14 Camera feature icons. For example:

or Audio is supported by the camera and enabled or disabled in the viewing pane.
The synchronization icon appears in video panes that play synchronized video.

Note
The PTZ icons are enabled only for live video.
The control bar and audio icon will not display if your workstation monitor is set to 16-bit color setting. Change your monitor
color setting to 32-bit.

Usage Notes
Multi-pane video clips can also be saved to your desktop and played using the Cisco Video
Surveillance Review Player.

If a camera is soft-deleted, you can still access the camera's recorded video but cannot display live
video. Recordings are retained on the system until removed according to the recording retention settings.
Click the icon to toggle between live and recorded video. The icon appears when recorded
video is displayed.

The first time you select a camera's recorded video, the playback begins slightly behind the live
(current) time. When you toggle between live and recorded, recorded video returns to the previously
selected timestamp.
To maximize the video screens, move the new workspace to a separate monitor and double-click a
pane to fill the entire browser window. To fill the entire monitor screen, right-click the image and select
Full screen mode.
To control the playback in multiple video panes, press Shift-Click to select multiple concurrent
panes, or Ctrl-Click to select individual panes. The borders of all selected panes turn to orange. Controls
and actions performed in one pane also affect the other selected panes. To deselect panes, select a single
pane, or use Shift-Click or Ctrl-Click to deselect the panes.

Using the Privacy Mask

When the Privacy Mask is enabled on a compatible camera, all live video from that camera is blocked
and cannot be viewed by any operator or monitor, or recorded by the Cisco Video Surveillance system.
This feature is typically used with the Virtual Sitter feature for health care providers, allowing
operators to temporarily block video from a Cisco Video Surveillance camera when the patient requires
privacy. Figure shows the icons used to enable or disable the Privacy Mask.

Note
You must belong to a User Group with Control Privacy Mask access permissions to use this feature.
Privacy Mask Controls

Note
The function of the privacy mask icons was reversed in Cisco VSM release 7.5. Click the privacy icons
to turn the video on or off:

Privacy Mask icons

Purpose: Turn the Privacy Mask off (Default)
Description: Click to enable normal video streaming, monitoring, and recording.

Purpose: Turn the Privacy Mask on
Description: Click to block the camera's entire field of view and display a blank (blue)
screen.
Live video is not transmitted and cannot be viewed by any workstation
or monitor.
Recorded video displays the blank (blue) or flashing screen.
A Privacy Mask Timer causes the screen to flash after a period of
time, which reminds the operator to disable the Privacy Mask. The
default timer is 15 minutes and can be modified using the Operations
Manager (System Settings > Settings > Privacy Mask Timer).

Note
The Privacy Mask is not disabled automatically; an operator must disable the
Privacy Mask by clicking the icon to allow live video to be transmitted,
viewed and (optionally) recorded.

For example, when you click the icon, the video frame for that camera is blank.
The same blank (blue) screen is recorded (if recording is configured).
Privacy Mask Enabled

When the Privacy Mask Timer expires, the video frame flashes to remind the operator that the mask is
still on. To display video, click to turn the Privacy Mask off and display and record video normally.

Note
If the camera reboots due to a power cycle or other reason, the camera will power up with the Privacy Mask in the
state it was before the reboot. For example, if the mask was enabled and there was 5 minutes remaining on the
timer, the camera will remember the state after the reboot.

Enabling the Privacy Mask Controls


The Privacy Mask controls (icons) are displayed only for users who belong to a User Group with Control
Privacy Mask access permissions. This operator permission is de-selected by default, so you must create
a user role, user group, and user that include Privacy Mask:

Step 1 Log in as an admin or other user who has Users & Groups access permissions.

Step 2 Create a Role that includes Control Privacy Mask access permissions.

Step 3 Create a user group and assign the new role to the group.

Step 4 Create users and assign them to the user group.


Related Information
Supported cameras can also be configured with Privacy Zones that block portions of the video image
at all times, even if the Privacy Mask is disabled. See the camera documentation for instructions to
define Privacy Zones.

For more information about Cisco Virtual Patient Observation, see the following:

White Paper: Virtual Patient Observation: Centralize Monitoring of High-Risk Patients with Video.

At-A-Glance Overview: Benefits of Virtual Patient Observation.

Ten Use Cases: Real-life scenarios for using video surveillance in hospitals.

Solution Blog Post: New Solution: Cisco Virtual Patient Observation.

Cameras that Support the Privacy Mask


See the Release Notes for Cisco Video Surveillance Manager for the cameras that support the privacy
mask feature in your release.
Lesson 7

Backup and Restore


Overview
Refer to the following topics to back up the server configuration and video
recording files.
Backup and Restore
Server backups can be performed for a single server, or for multiple servers.

Use the Backup & Restore tab in the server configuration page to back up a single server.

Use the server Bulk Operations feature to back up multiple servers.

You can schedule automatic backups, or perform an immediate one-time backup. Each backup creates:

A separate backup file for each server service running on that server (such as the Media Server
and Operations Manager).

A backup file for the CDAF (Management Console) service.

To restore a backup, you must restore the files for each server service, and restore the CDAF backup file.

Note
We recommend backing up all servers on a regular basis to ensure configuration and event data is not lost if a
hardware failure occurs. Backups are also used to restore configurations and historical data when upgrading or
moving to a new system. Backup files can be saved to the server (local) or to a valid FTP/SFTP server.

You can back up two types of data sets:

Configuration Only: Includes the user-defined configuration, device settings (for cameras,
encoders, and Media Servers), user accounts, and other attributes. Also includes installed
licenses.

Configuration Plus Historical Data: (Default) Includes the configuration for the server
service, data plus events, health notifications, logs, and other information regarding the status,
use and health of the system.

Note
Recordings are backed up using a Long Term Storage server.

Usage Notes
Each backup includes a separate backup file for each active service on the server, plus a file for
the CDAF service.
CDAF runs on all servers and provides the Cisco VSM Management Console user interface and
features. CDAF backups include the server database, system information, console jobs and other
data. The CDAF service must be restored along with the other server services or information
may be missing and system errors can occur.
The maximum number of allowed backups is:
o Map server service: 1 manual and 1 automatic backup.
o All other server services: 5 manual and 3 automatic backups.
When the maximum number of backups is reached, an existing backup file must be deleted to
make room for the new backup file. Automatic backups will automatically delete the oldest
backup file. To perform a manual backup, you must manually delete an existing backup file.
Use Bulk Operations to set the schedule for multiple servers.
The Media Server configuration data is backed up automatically to the local server every day by
default (and cannot be disabled). Automatic backups must be configured for the other server
services.
Each Cisco VSM server can be configured with a single FTP or SFTP server. The same FTP or
SFTP server can be used by multiple Cisco VSM servers using the Bulk Operations feature.
Manual backups can be triggered for a single server, or for multiple servers (using Bulk
Operations). Bulk action is supported for Media Servers only. The Bulk Action feature does not
support Map or Metadata servers.
Server restore can be performed for a single server only. Bulk server restores are not supported.
Failed backup(s) are only visible for a single server (on the Server Management page). There is
no bulk filtering or display of failed backups in the Bulk Operations page.
Prior to Cisco VSM release 7.5, automatic backups to local storage could include configuration
and historical data. In release 7.5 and later, however, automatic backups to the local disk
support configuration data only. When upgrading from release 7.2 or earlier to release 7.5 or
later, any automatic backups will be changed to the configuration only option.

Backup Settings
Automatic Backups
Server Backup Settings
Field: Description

Enable: Select the check box to enable or disable the automatic backup schedule.

Destination: Select where the backup file will be stored.
On Local: (Default) Saves the backup file to the server hard drive.
On Remote: Saves the backup file to a remote storage network server.

Type: Select the type of data to back up:
Configuration Only: Backs up the user-defined configuration,
including device settings (for cameras, encoders, and Media Servers),
user accounts, and other attributes.
Configuration Plus Historical Data: (Default) Backs up the configuration
plus events, health notifications, logs, and other data containing information
regarding the status, use and health of the system.

Frequency: Define how often backups will occur (Daily, Weekly, or Monthly).

On: Select the day of the week or day of the month when automatic backups will occur.
Note
This field is disabled for daily backups. Select the time from the At field.

At: Enter the time of day the backups will occur.

Remote Storage
Note
These settings define the remote server used to store backup files if the Remote option is enabled. Click Test to
verify the settings are correct and the remote server can be accessed.

Enable: Select the check box to enable or disable the remote network storage option. If enabled,
backups will be saved to the remote destination.
Protocol: Select the type of remote server: FTP or SFTP.
Address: Enter the server network address.
Username: Enter the username used to access the server.
Password: Enter the server password.
Path: Enter the directory path where the backup file will be stored.
Backup File Format
Backup files are saved using the following formats:

Backup File Formats


Backup Data: File Name Format
Config and Historical: Service_HostName_backup_yyyyMMdd_HHmmss.tar.gz
Config Only: Service_HostName_backup_config_yyyyMMdd_HHmmss.tar.gz

Service: The service acronym that defines the data stored in the file. For example:
VSOM=Operations Manager, VSMC=Management Console, VSF=Federator, etc.

HostName: The host name of the server running the Cisco VSM Operations Manager service.

yyyyMMdd_HHmmss: The date and time when the backup file was created.

For example, if the PSBU-ENG14 server configuration and historical data was backed up on August 17,
the resulting filename would be: VSOM_psbu-eng14_backup_20130817_174250.tar.gz
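The file name format above, together with the rule that a restore needs one file per server service plus the console (CDAF) file, can be checked before any file is uploaded or restored. The following is an added example, not Cisco code: it parses the documented name format, rejects names that do not match it, and picks the newest file per required service. It assumes the console backup carries the VSMC prefix (listed above as Management Console) and that Media Server files use a VSMS prefix; the sample names other than the PSBU-ENG14 one are constructed.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Documented formats:
#   Service_HostName_backup_yyyyMMdd_HHmmss.tar.gz         (config + historical)
#   Service_HostName_backup_config_yyyyMMdd_HHmmss.tar.gz  (config only)
_NAME_RE = re.compile(
    r"(?P<service>[A-Za-z]+)_(?P<host>[A-Za-z0-9.-]+)_backup"
    r"(?P<config>_config)?_(?P<stamp>\d{8}_\d{6})\.tar\.gz"
)

# Assumption: the console (CDAF) backup uses the VSMC acronym in its file name.
CONSOLE_SERVICE = "VSMC"


class Backup(NamedTuple):
    service: str
    host: str
    config_only: bool
    created: datetime
    name: str


def parse_backup_name(name: str) -> Optional[Backup]:
    """Return a Backup for a well-formed file name, otherwise None."""
    m = _NAME_RE.fullmatch(name)  # fullmatch: no path prefix, no trailing junk
    if m is None:
        return None
    try:
        created = datetime.strptime(m["stamp"], "%Y%m%d_%H%M%S")
    except ValueError:  # right number of digits, but not a real date or time
        return None
    return Backup(m["service"].upper(), m["host"].lower(),
                  m["config"] is not None, created, name)


def restore_plan(names, host, services, config_only=None):
    """Choose the newest backup per required service, console included.

    config_only=None accepts both data sets; True or False restricts the
    plan to one of them. Returns (plan, missing, rejected).
    """
    required = [s.upper() for s in services] + [CONSOLE_SERVICE]
    plan, rejected = {}, []
    for name in names:
        b = parse_backup_name(name)
        if b is None:
            rejected.append(name)
            continue
        if b.host != host.lower() or b.service not in required:
            continue
        if config_only is not None and b.config_only != config_only:
            continue
        if b.service not in plan or b.created > plan[b.service].created:
            plan[b.service] = b
    missing = [s for s in required if s not in plan]
    return plan, missing, rejected


# Constructed directory listing; only the first name appears on this page.
SAMPLE_NAMES = [
    "VSOM_psbu-eng14_backup_20130817_174250.tar.gz",
    "VSOM_psbu-eng14_backup_config_20130818_020000.tar.gz",
    "VSMS_psbu-eng14_backup_20130817_174255.tar.gz",
    "VSMC_psbu-eng14_backup_20130817_174300.tar.gz",
    "VSMS_other-host_backup_20130901_010101.tar.gz",
    "VSOM_psbu-eng14_backup_20130230_000000.tar.gz",     # impossible date
    "../VSOM_psbu-eng14_backup_20130817_174250.tar.gz",  # path component
]

if __name__ == "__main__":
    plan, missing, rejected = restore_plan(SAMPLE_NAMES, "PSBU-ENG14",
                                           ["VSOM", "VSMS"], config_only=False)
    for service, b in plan.items():
        print(service, b.name)
    print("missing:", missing, "rejected:", rejected)
```

A non-empty missing list means the restore set is incomplete, for example when the console file was never transferred to the archive location.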

Backup File Information


Each backup file saved on the server displays the following summary information:

Backup Files Stored on the Server


Backup Files
Column: Description
Path: The server directory path where the backup files are stored.
File Name: The file name.
Creation Time: The date and time when the backup file was created.
Size: The size of the backup file.
Service Type: The server service types included in the backup. For example:
VSOM (Operations Manager)
VSMS (Media Server)
CDAF (Console)
Geoserver
Metadata
Type: Configuration or configuration plus historical data.
Source: Automatic or manually triggered backup.

Disk Usage for Backups


The Disk Usage graph in the Restore From Backups tab displays the total amount of disk space used to store
backups, and the number of backup files on the system:

Automatic: The amount of storage used for automatic backups. The number of backups available
on the system is shown in parentheses ().

Manual and Transferred: The amount of storage used for manual backups. The number of backups
available on the system is shown in parentheses ().

Disk Usage for Backup Files Stored on the Server


Failed Backups
The failed backup fields in the Restore From Backups tab display information about the failed manual or
automatic backups.

Failed Backups

Tip
Click an entry to view additional details about the failure reason.

Manually Backup a Single Server


To trigger an immediate one-time backup, use the Backup & Restore tab in the server configuration page:

Procedure

Step 1 Select System Settings > Servers.

Step 2 Select the Backup & Restore tab.

Note
When the maximum number of backups is reached, an existing backup file must be deleted to make room for the new
backup file.

Step 3 Select the Manage Backup tab.

Step 4 Click Backup Now and select To Remote or To Local.

Step 5 From the pop-up, select the destination and backup type.

Step 6 Click OK.


Step 7 Backup files are saved to the selected destination.

A separate file is created for each server service, plus an additional file for the CDAF server.
If saved To Local, the backup files are saved on the server (in the Restore From Backup tab).
Failed backups are displayed in the Failed Manual Backups field.

Backup Now

Automatic Backups (Single Server)


To schedule recurring backups for a single server, do the following:

Note
The Media Server configuration data is backed up automatically to the local server every day by default (and
cannot be disabled). Automatic backups must be configured for the other server services.
When the maximum number of backups is reached, an existing backup file must be deleted to make room for
the new backup file. Automatic backups will automatically delete the oldest backup file.
Only the Configuration option is supported when the automatic backups are stored on the Local server.
If a scheduled backup fails, a health notification is sent.
Procedure
Step 1 Select System Settings > Servers.

Step 2 Select the Backup & Restore tab.

Step 3 Select the Manage Backup tab.

Step 4 Select Enable in the Automatic Backups section.

Step 5 Enter the backup settings.

Step 6 Click Save.

Step 7 Backup files are saved to the selected destination.

A separate file is created for each server service, plus an additional file for the CDAF server.
If saved To Local, the backup files are saved on the server (in the Restore From Backup tab).

Automatic Backups

Restoring a Backup for a Single Server


Restoring a server backup requires that you restore the backup file for each service running on that
server, and the CDAF service.

Note
The CDAF service provides the server's Management Console functionality, including the server database, system
information, console jobs and other data. If the CDAF service is not restored at the same time as the other services,
information may be missing and system errors can occur.

For example, if the server is running Operations Manager (VSOM) and Media Server (VSMS) services, a
separate backup file is created for each service plus the CDAF (Console) service. You must restore each
service backup file, one service at a time.
Caution
Restoring a backup deletes any existing configurations, settings and historical data.

Procedure
To restore the server configuration from a backup file, do the following.

Step 1 Select System Settings > Servers.

Step 2 Select the Backup & Restore tab.

Step 3 Select the Restore From Backup tab (default).

Step 4 (Optional) Select Restore System Config to exclude the server configuration from the restore
operation.

The server configuration is the non-Cisco VSM portion of the backup data that includes OS-related
settings, such as the server network configuration. Excluding the system configuration can be used to
replicate a server configuration on additional servers: create a backup from the original server and restore
it to a new server while selecting the Restore System Config option.

Step 5 (Optional) If the backup file does not appear in the list, you can copy a backup file stored on a
PC or remote server.

a. Select Add > From Remote or From PC.

b. Select a backup file stored on a PC or remote server.

Note
You must first enter the Remote Storage settings in the Manage Backup tab before you can transfer a file from a
remote server.

c. Click Save.

d. Repeat these steps to upload the backup file for each service, plus the CDAF (Console) service.

Step 6 Select the backup file for the service you want to restore.

The Service Type displays the server service. For example: VSOM (Operations Manager),
VSMS (Media Server), CDAF (Console), Geoserver, or Metadata.

Step 7 Click Restore.

Step 8 Click Yes to confirm the backup and server restart.


Step 9 Click OK when the restore process is complete.

Step 10 Re-login to the server.

Step 11 Repeat these steps to restore the configurations and data for additional services on the server.

Step 12 Repeat these steps to restore the backup for the CDAF (Console) service.
Restore Backups

Deleting a Backup File


Deleting a backup file permanently removes the file from the system. The file cannot be used to restore
the database.
To archive the backup for later use, save the backup file to your PC or a remote server before deleting it
from Operations Manager.

Procedure

Step 1 Select System Settings > Servers.

Step 2 Select the Backup & Restore tab.

Step 3 Select the Restore From Backup tab (default).

Step 4 (Optional) To first save the file to a PC disk or remote server, click Transfer and then To
Remote or To PC.

To PC: Select the location for the backup file.

To Remote: The file will be transferred to the location specified in the Remote Storage section
of the Configure tab.

Step 5 Click Delete (bottom left).

Step 6 Confirm the operation, when prompted.


Lesson 8

Monitoring System and Device Health
Overview
Refer to the following topics for information to monitor the health of the
system or a device, to view the status of user-initiated jobs, a record of user
actions (Audit Logs), and other features.
Understanding Events and Alerts
Events and alerts reflect changes to system and device health, or security events that occur in the system.
These events and alerts can be viewed in a monitoring application, such as the Operations Manager or Cisco
SASD, or be used to generate notifications, or trigger additional actions.
Refer to the following topics for more information:

Overview
Events represent incidents that occur in the system and devices. Alerts aggregate (group) those events
together for notification purposes. For example, if a camera goes offline and comes back online repeatedly,
the individual events for that issue are grouped under a single alert, which results in a single notification. This
prevents operators from being flooded with notifications for every event that occurs for the same issue.

Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again and the
streaming status normal event occurs, the alert severity is changed to INFO.

Health Events, Alerts, and Notifications


1. Events are generated by cameras, encoders and Media Servers.

2. The Cisco VSM Operations Manager aggregates the events into alerts.

3. The browser-based Operations Manager can be used to view events, send notifications, or
(optionally) perform actions that are triggered by security events (such as motion detection).

4. Additional monitoring applications can also be used to view events and alerts:

The Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) application can be
used to view alerts, related events, and related video. You can also change the alert state, add
comments, close the alert, and perform other management options.

Custom applications can be written to gather information, change the alert status, add comments, or
trigger actions when an event or alert occurs.

Note
Custom applications can also subscribe to ActiveMQ topics to receive notifications about device and system
changes. For example, the Alerts topic notifies subscribers when any alert occurs in the system. The custom
application can use the ActiveMQ message contents to optionally trigger additional notification or actions.

Event Types
Cisco VSM generates two types of events: device health events and security events:

Health Events are generated when a device health change occurs, such as reachability, fan speed, file
system usage, or other device-related issues. Critical health events generate alerts by default.
Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions. Security
events do not generate alerts by default.
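The relationship between events, alerts and notifications described above can be modelled in a few lines. The following is an added example, not Cisco code and not the Operations Manager's implementation: a simplified model in which a critical health event opens an alert, later events for the same device and issue are grouped under it, the alert severity follows the most recently generated event, and security events open alerts only where configured. Device names, issue labels and the event fields are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    time: int       # seconds since the start of the constructed sample
    device: str
    kind: str       # "health" or "security"
    issue: str      # hypothetical issue label, e.g. "reachability"
    severity: str   # "CRITICAL", "WARNING" or "INFO"


@dataclass
class Alert:
    device: str
    issue: str
    severity: str
    last_time: int
    events: list = field(default_factory=list)


class AlertAggregator:
    """Group events for the same device and issue under a single alert."""

    def __init__(self, security_alerting=()):
        # (device, issue) pairs for which security events were configured to
        # generate alerts; empty by default, since security events do not alert.
        self.security_alerting = set(security_alerting)
        self.alerts = {}         # (device, issue) -> Alert
        self.notifications = []  # one entry per alert, not one per event

    def _opens_alert(self, ev):
        if ev.kind == "health":
            return ev.severity == "CRITICAL"  # default for health events
        return (ev.device, ev.issue) in self.security_alerting

    def ingest(self, ev):
        key = (ev.device, ev.issue)
        alert = self.alerts.get(key)
        if alert is None:
            if not self._opens_alert(ev):
                return None
            alert = Alert(ev.device, ev.issue, ev.severity, ev.time)
            self.alerts[key] = alert
            self.notifications.append(f"{ev.severity} {ev.device} {ev.issue}")
        alert.events.append(ev)
        # Severity follows the most recently generated event, even when an
        # older event is delivered late.
        if ev.time >= alert.last_time:
            alert.severity, alert.last_time = ev.severity, ev.time
        return alert


def aggregate(events, security_alerting=()):
    """Feed events in delivery order and return the populated aggregator."""
    agg = AlertAggregator(security_alerting)
    for ev in events:
        agg.ingest(ev)
    return agg


# Constructed sample: a camera that goes offline and online repeatedly,
# one motion event, and one non-critical server health event.
SAMPLE_EVENTS = [
    Event(0, "cam-lobby", "health", "reachability", "CRITICAL"),
    Event(30, "cam-lobby", "health", "reachability", "INFO"),
    Event(45, "cam-lobby", "security", "motion", "INFO"),
    Event(50, "srv-1", "health", "fan-speed", "WARNING"),
    Event(60, "cam-lobby", "health", "reachability", "CRITICAL"),
    Event(120, "cam-lobby", "health", "reachability", "INFO"),
    Event(90, "cam-lobby", "health", "reachability", "CRITICAL"),  # delivered late
]

if __name__ == "__main__":
    agg = aggregate(SAMPLE_EVENTS)
    for alert in agg.alerts.values():
        print(alert.device, alert.issue, alert.severity, len(alert.events))
    print(agg.notifications)
```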

Triggering Actions Based on Alerts and Events


The Operations Manager includes the following built-in features to trigger notifications and other actions:

Triggering Actions

Action: Critical health notifications
Description: Use the Health Notifications feature to send notifications when a critical
device error occurs. Critical errors are health events that impact the device
operation or render a component unusable. For example, a Media Server that
cannot be contacted on the network, or a camera that does not stream or record
video.

Action: Motion event notifications
Description: Click Alert Notifications in the camera template to enable or disable
the alerts that are generated when a motion event stops or starts.

Action: Trigger actions when a security event occurs
Description: Use the Advanced Events feature (in the camera template) to trigger a
variety of actions when a security event occurs. For example, you can send
alerts only on motion start, on motion stop, stop or start video recording,
record video for a specified length of time, invoke a URL, move a camera
position to a specified PTZ preset, or display video on a Video Wall.

Monitoring Device Health Using the Operations Manager
The Health Dashboard displays a summary of all device errors in your deployment, allowing you to
quickly view the health of all cameras, encoders and Media Servers. You can also click a link for any
affected device to open the device status and configuration pages.

Monitoring Features

Monitoring Feature: Health Dashboard: Device Health Faults on an Operations Manager
Location: Operations > Health Dashboard
Description: Open the Health Dashboard to view a summary of Warning or Critical errors
for all configured devices. Click on an entry to open the device status and
configuration page and further identify the issue.

Monitoring Feature: Device Status: Identifying Issues for a Specific Device
Location: Cameras > Status
System Settings > Server > Status
System Settings > Encoder > Status
Description: Click the Status tab in the device configuration page to view the specific
type of error for a device. The status categories show where the error occurred.
Click the Status History to view the alert messages for the device.
Click the Affecting Current Status radio button to view only the alerts that
are causing the

Monitoring Feature: Sending Alert Emails (Notification Policies)
Location: Operations > Health Notifications
Description: Send emails to specified recipients when a critical device error occurs.

Monitoring Feature: Reports
Location: Operations > Reports
Description: Generate and download information about the Cisco Video Surveillance user
activity, device configuration, and other information.

Monitoring Feature: Synchronizing Device Configurations.
Location: Device configuration page. Click the Repair or Replace Config button.
Description: If a configuration mismatch error occurs, you can click the device Repair
button to replace the configuration settings on the device with the settings in
Operations Manager.

Monitoring Feature: Viewing the Server Management Console Status and Logs.
Location: Operations > Management Console
Description: Displays logs, hardware status, and system trend information for the Cisco
Video Surveillance server. The Management Console is a separate browser-based
interface that requires a separate localadmin password.

Monitoring Feature: Understanding Jobs and Job Status
Location: System Settings > Jobs
Description: Displays a summary of current and completed jobs triggered by user actions.

Monitoring Feature: Viewing Audit Logs
Location: Operations > Audit Logs
Description: Displays successful configuration changes. You can sort or filter the
results by user, device, and other categories.

Health Dashboard: Device Health Faults on an Operations Manager
Use the Health Dashboard to view a summary of the critical or warning faults that are occurring on
servers, encoders and cameras.

For example, select from the Monitor Video page to open the Health Dashboard
window. Choose a location that displays a Health icon. Click the number next to a category (such as
Configuration) or Issue type (such as Motion Unconfigured) to display additional details about the
issue(s) and device. Click the icon to open the device status and configuration page.
Tip
To view the health issues for multiple Operations Managers,

Health Dashboard

1 Click a tab to view the device issues by the following:

By Category: Displays the number of health issues for the location grouped into categories such as
Configuration, Reachability, Hardware and Software. Click the number next to the device type (such as
Servers) to display the issues for all categories.

By Issue: Displays the number of health issues for each type of issue. For example, server issues can
include hardware problems such as temperature or fan speed. Camera issues can include items such as
Motion Unconfigured.
Note
The number represents the total number of issues for all devices at that location, based on the selected category or issue.
2 The Health icon is displayed if a location or any of its sub-locations includes an issue.
Click a location to view the device issues for the location and its sub-locations. If a sub-location has a device with a
health issue, the Health icon is also displayed for the parent location(s).
3 The device type (such as Servers, Encoders, or Cameras) where the issues occurred.
Click a number to display a list of critical or warning faults for the category, issue type, or device
type. For example, click the number 23 next to Hardware to display a list of the hardware issues for all
servers (multiple issues can occur for a single device).

If issues did not occur, a number is not displayed.


The number represents the total number of issues for all devices at that location, based on the selected
category or issue.

4 Last Update: Refresh the Health Dashboard page to view updated results. The dashboard does not automatically
refresh.
5 The specific health issues that occurred for the selected category or issue type.
All issues are listed. Multiple issues can be displayed for the same device.

Click the icon to open the device's status and configuration page.

Tip
Device errors are cleared automatically by the system or manually cleared by an operator using
the Cisco SASD or another monitoring application. Refresh the page to view the latest
information. Some alerts cannot be automatically reset. For example, a server I/O write error
event.

If the system or server is performing poorly, use the diagnostic tools available in the server
Management Console to view performance, hardware and system information.
Understanding Warning and Critical Faults
Warning and Critical Faults

Error Type: Warning
Description: Warnings are based on activity that occurs without incapacitating a component, for example,
interruptions in operation due to packet losses in the network. These activities do not change the
overall state of the component, and are not associated with up and down health events.

Error Type: Critical
Description: Critical errors are health events that impact the device operation or render a component
unusable. For example, a server or camera that cannot be contacted on the network, or a
configuration error.

Components in the critical state remain out of operation (down) until another event restores
them to normal operation (up). Critical errors also affect other components that depend upon
the component that is in the error state. For example, a camera in the critical error state cannot
provide live video feeds or record video archives.

Procedure
Complete the following procedure to access the Health Dashboard and view device health issues:

Step 1 Click Operations > Health Dashboard.

Step 2 Choose a location to view a summary of the health issues at that location, including its sub-
locations.

Locations (or sub-locations) with health issues display a Health icon.


If a sub-location has a device with a health issue, the Health icon is also displayed for the
parent location(s).

Step 3 Click the By Category or By Issue tab.

Step 4 Click a number to display the specific issues for the device type, category or issue type.

The number represents the total number of issues for all devices at the selected location and its
sub-locations (the number is the consolidated sum of issues in that location and its sub-
locations).

Step 5 (Optional) Click the icon to open the device status and configuration pages.

Step 6 Continue to the Device Status: Identifying Issues for a Specific Device.

Step 7 Take corrective action to restore the device to normal operation, if necessary.

Step 8 For example, if a configuration mismatch occurs.


Device Status: Identifying Issues for a Specific Device
Cameras, encoders, and Media Server include a Status tab that displays health information for the device
and associated servers. While the Overall Status summarizes the device health, the status categories
specify if an error has occurred with the network connection, configuration, hardware, or other category.
Click the Status History tab to view device events, including any specific events that are affecting the
device status.

Understanding the Overall Status


Click the device Status tab to view the overall operational state

Overall Status Camera Device Status

Overall Status

Status | Color | Description
Enabled: OK | Green | The device is operating normally.
Enabled: Warning | Yellow | A minor event occurred that did not significantly impact device operations.
Disabled | Yellow | The device is disabled and unavailable for use. The configuration can be modified, and any existing recordings can be viewed, but the camera cannot stream or record new video.
Enabled: Critical | Red | An event occurred that impacts the device operation or renders a component unusable.
Pre-Provisioned | Brown | The camera is waiting to be added to the network and is not available for use. A pre-provisioned camera can be modified, but the camera cannot stream or record video until you choose Enable from the Device Settings menu.
Soft Deleted (Keep Recordings) | Grey | The device configuration is removed from the Operations Manager but the recordings associated with that device are still available for viewing (until removed due to grooming policies). To view the recordings, select the camera name in the Monitor Video page. Soft-deleted cameras are still included in the camera license count.
Hard Deleted (Delete Recordings) | None | The device and all associated recordings are permanently deleted from Cisco VSM.

Note
You can also choose to place the camera in the Blacklist.

Note
Device states can change due to changes in the device configuration, or by manually changing the status in
the device configuration page.

Device Status
Understanding Device Status
From the device configuration page, click the Status tab to locate the category where the error occurred
(such as configuration or hardware), and the alert messages that provide additional details regarding the
cause of the error.

For example, if a critical configuration error occurs, the Configuration entry displays a Critical message
in red. If a configuration mismatch occurs (where the device configuration is different than the Operations
Manager configuration), click the icon to view additional details in a pop-up window.

To resolve the issue, revise the device configuration, or select Device Settings > Repair Configurations
or Replace Configurations to replace the device configuration with the Operations Manager version.

Device Status Summary

The following table describes the status categories. The categories are different for each type of device. For example, Media
Servers include a Software category to indicate the health of server processes. An encoder does not include
streaming or recording categories.
Device Status Categories

Category | Devices | Description
Overall Status | All Devices | The aggregated status of all categories included for the device. Note: The Associated Servers status does not impact the Overall Status. For example, if the associated Media Server or Redundant Server is down, but the camera Network status is Enabled: OK, then the camera Overall Status is also Enabled: OK.

Device Status
Reachability | All Devices | Indicates the health of the network connection. For example, a warning or critical event indicates that a device is unreachable on the network.
Streaming | Cameras only | Indicates if the Media Server can stream live video from the camera.
Recording | Cameras only | Indicates if the Media Server can successfully record video from the camera.
Configuration | Media Servers, Cameras, Encoders | Indicates if the configuration was successfully applied to the device, and that the device configuration is the same on the Media Server and in Operations Manager. Configuration errors also display an icon. Click the icon to view additional details about the error. For example, if a template is modified in the Operations Manager, but the configuration is not applied to the camera configuration, a synchronization mismatch occurs.
Hardware | All Devices | Status of the physical device components, such as temperature.
Software | Media Servers only | Indicates the status of services hosted by a Media Server.
Jobs in Progress | All Devices | Indicates if the device has one or more Jobs running.
Event Suppression Mode | Cameras | Indicates if the camera is in Event Suppression mode.

Associated Servers
Note: The status of Failover, Redundant and LTS servers does not affect the overall status of a device.
Server | Cameras and Encoders only | Indicates that the device can communicate with a Media Server.
Failover Server | HA server configurations only | Indicates the state of the Failover Media Server, when HA is enabled.
Failover Status | HA server configurations only | Indicates if the HA servers are in failover mode.
Redundant Streams Server | HA server configurations only | Indicates if a Redundant server is available for streaming live video.
Long Term Storage Server | HA server configurations only | Indicates if a server is available to store recorded video beyond a specified date for archiving purposes.
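
The roll-up rules described above (issue counts consolidated over a location and its sub-locations, the Health icon inherited by parent locations, and Associated Servers excluded from the Overall Status) are modeled below as an added Python illustration; it is not Cisco VSM code. The device names, location paths, and the rule that each non-OK Device Status category counts as one issue are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Health(IntEnum):
    OK = 0
    WARNING = 1
    CRITICAL = 2


# Overall Status labels as listed in the Overall Status table.
LABEL = {Health.OK: "Enabled: OK", Health.WARNING: "Enabled: Warning",
         Health.CRITICAL: "Enabled: Critical"}

# Rows under "Associated Servers" in the table; they never change Overall Status.
ASSOCIATED_SERVERS = {"Server", "Failover Server", "Failover Status",
                      "Redundant Streams Server", "Long Term Storage Server"}


@dataclass
class Device:
    name: str
    location: str     # constructed path; "/" separates a location from its sub-location
    categories: dict  # status category name -> Health

    def issues(self):
        """Non-OK Device Status categories (assumption: one issue per category)."""
        return {c: h for c, h in self.categories.items()
                if h is not Health.OK and c not in ASSOCIATED_SERVERS}

    def overall(self):
        """Aggregate of the device's own categories; Associated Servers are ignored."""
        return max(self.issues().values(), default=Health.OK)

    def server_faults(self):
        """Non-OK Associated Servers categories, which Overall Status does not show."""
        return sorted(c for c, h in self.categories.items()
                      if h is not Health.OK and c in ASSOCIATED_SERVERS)


def in_scope(device, location):
    """True if the device sits at `location` or in one of its sub-locations."""
    return device.location == location or device.location.startswith(location + "/")


def dashboard_counts(devices, location):
    """Consolidated issue counts for a location and all of its sub-locations."""
    counts = {Health.WARNING: 0, Health.CRITICAL: 0}
    for d in devices:
        if in_scope(d, location):
            for h in d.issues().values():
                counts[h] += 1
    return counts


def locations_with_health_icon(devices):
    """A location is flagged if it, or any sub-location, has a device with an issue."""
    flagged = set()
    for d in devices:
        if d.issues():
            parts = d.location.split("/")
            flagged.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return flagged


def masked_server_faults(devices):
    """Devices with an Associated Servers fault, paired with the Overall Status shown."""
    return {d.name: (LABEL[d.overall()], d.server_faults())
            for d in devices if d.server_faults()}


# Constructed sample inventory (not taken from a real system).
DEVICES = [
    Device("cam-lobby-1", "HQ/Building 1/Lobby",
           {"Reachability": Health.OK, "Streaming": Health.OK, "Recording": Health.OK,
            "Configuration": Health.WARNING, "Failover Server": Health.CRITICAL}),
    Device("cam-dock-2", "HQ/Building 2/Dock",
           {"Reachability": Health.CRITICAL, "Streaming": Health.CRITICAL,
            "Recording": Health.CRITICAL}),
    Device("cam-gate-3", "Branch/Gate",
           {"Reachability": Health.OK, "Streaming": Health.OK, "Recording": Health.OK,
            "Long Term Storage Server": Health.CRITICAL}),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, LABEL[d.overall()], d.server_faults())
    print(dashboard_counts(DEVICES, "HQ"))
    print(sorted(locations_with_health_icon(DEVICES)))
```

Because the Overall Status ignores the Associated Servers rows, cam-gate-3 reads Enabled: OK while its Long Term Storage Server is down, so those categories are worth reviewing separately from the dashboard totals.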
Viewing the Status Error Details and History
If a device error is displayed in the Status page, do one of the following:

A Configuration error indicates that a configuration mismatch occurred (the configuration on the
device is different than the Operations Manager settings). Click the icon to view additional
details.

Click the Status History tab to view the specific events that determine device status.

Tip
Click Affecting Current Status to view only the items that are currently affecting the summaries in the Device
Status tab.

Use the information in these entries to take corrective action.

Camera Status History


Viewing Camera Events
Use the Camera Events tab to view the security events that occurred on the camera for a period of time.
For example, all motion start events or camera app events over the past 12 hours.

Camera Events
Lesson 9

Safety and Security Desktop


Overview
This lesson describes how to use the Cisco Video Surveillance Safety and
Security Desktop (Cisco SASD) desktop software to monitor live and recorded
video from the Cisco Video Surveillance Manager (Cisco VSM).
Understanding the Cisco SASD Application Suite
The Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) is a suite of applications that
allow Cisco Video Surveillance users to monitor live and recorded video. The application suite includes
the following components:

Tip
All applications in the suite are installed using the Operations Manager browser-based interface.

Cisco SASD Applications

Application | Description
Cisco SASD | A full-featured monitoring application that provides access to the cameras and video from a single Operations Manager. Cisco SASD includes the following workspaces and features: Video workspace, Wall workspace, Alert workspace, Maps workspace, Forensic Analysis Tools.
Cisco SASD Advanced Video Player | An advanced monitoring application that includes the following monitoring workspaces: Video workspace, Wall workspace.
Cisco SASD Wall Launcher | Launches a monitoring application for unattended workstations. Unattended mode allows video monitoring windows to display Video Walls without access to the Cisco SASD configuration interface. The unattended screens can remain open even if the keyboard and mouse are disconnected, and can (optionally) reappear when the workstation is rebooted.
Cisco SASD Wall Configurator | A utility for adding and modifying the video Walls that can be selected and displayed in the monitoring workstations.
Cisco SASD Federator | A monitoring application that allows Federator users to monitor video from multiple Operations Managers.
Main Features of the Cisco SASD Application
The Cisco Video Surveillance Safety and Security Desktop application (Cisco SASD) is the main
application in the Cisco SASD suite, allowing you to monitor live and recorded video surveillance using a
variety of tools. For example:

View a list of available cameras based on the camera location or camera name.
View the cameras and related video on a map.
View system alerts and the camera that generated the alert.
View multiple cameras in a grid.
Create multiple viewing windows and drag them onto additional monitors connected to the PC
workstation.
Create Video Walls to display the same pre-defined set of viewing panes on multiple
workstations.
Use Unattended Mode to automatically open the Video Walls on workstations that do not have a
mouse or keyboard.
Use the Forensic Analysis tools to locate recorded video, search for motion events, and locate
video clips.

Overview of the Cisco SASD Features

1 The Cisco Video Surveillance system (and optional Site) to which you are logged in.
2 Select a menu to log out, launch forensic analysis tools, or open help documents.

File
Logout: Log out of the application and disconnect from the Operations
Manager. Unattended screens will still be displayed on the workstation, if
configured.
Forensic Analysis
Thumbnail Search: Use Thumbnail Search to quickly locate specific scenes or events
in recorded video without fast-forwarding or rewinding. Thumbnail Search displays a
range of video as thumbnail images, allowing you to identify a portion of the recording
to review.

Clip Management: Use Clip Management to view, download and delete MP4 clips
that are stored on the server.
Motion Analysis: Use Motion Analysis to view a summary of motion events for
recorded video.
Help: View additional information and documentation.
3 The video monitoring workspaces:
Video: Use the location tree to select a camera or search for a camera by name. Select a View to
view multiple cameras in a grid.
Wall: Display video from multiple cameras in a simple grid that maximizes the viewing
area. Drag the window to a separate monitor, if necessary.
Alert: View and modify system alerts, including the alert video (if the alert is associated with
the video).
Map: Display maps of the Cisco VSM locations, including the camera and alerts at those
locations. Single-click a camera icon to display a draggable icon, or double-click the icon to
view video in a pop-up window.
Duplicate: Click to create a duplicate workspace window that can be dragged to a
separate monitor.
4 Click the triangle to display or hide the side panel.
5 Search: Enter the full or partial name of a camera to display matching camera names.
6 Side Panel: Side panels include the controls and search options for the workspace (side
panels vary for each workspace).
For example, select a location to display the cameras for that location (cameras from
sub-locations are not displayed). Then drag a camera onto a viewing pane.
7 Playback Controls
8 Viewing Pane and control icons
9 Multi-Pane Grid
Layouts: Create a blank matrix from the available layouts and drag cameras onto
each viewing pane.
Select View: Select a pre-defined matrix of cameras. The cameras can be
configured to automatically rotate.
10 Notifications: Notifies you of errors, such as task or software exceptions.
11 Performance Meter: Displays the workstation's CPU performance based on available
memory and bandwidth.
Green indicates that the workstation is meeting the demands of the Cisco SASD
activities.
Yellow is a performance warning.
Red indicates that the workstation performance is poor and processing delays may
occur.
Tip
Hover your mouse over the meter to view network and memory usage details.
Requirements
Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) requires the following.

At least one Cisco VSM server must be installed on the network with the following services
enabled:
o Cisco Media Server
o Cisco VSM Operations Manager

Additional services are required to enable features such as the location maps and Video Motion
Search.
At least one camera physically installed and configured on Cisco VSM Operations Manager
The IP address or hostname of the Cisco Video Surveillance system (same as the Operations
Manager).
A valid Cisco Video Surveillance username and password.
Workstation Requirements:
o A PC or laptop running Windows 7 64-bit operating system.
o The Microsoft .NET Framework 4.0 (full setup) must be installed on the client PC.
o A standard Windows 7 user account.
Note
Logging in with a Guest account can prevent video streaming and cause the following error to be displayed
in the video pane: "Cannot create RTSP connection to server. Check network connection and
server health status."

Cisco Multi-Pane Video Surveillance client software, an Active X client that enables video
playback and other features.
Note
You will be prompted to install this utility when installing or updating the Cisco SASD application.

Complete the on-screen instructions, if prompted. You must have administrative privileges on
the PC workstation to install the software.
Installing the Application Suite
Procedure
Step 1 Verify that the system and workstation requirements are met.
Step 2 Install the Microsoft .NET Framework 4.0, if necessary.
Step 3 Log in to the Cisco VSM browser-based Operations Manager.

a. Launch the 32-bit or 64-bit version of Internet Explorer 8 on your Windows 7 computer.
b. Enter the URL for the Cisco VSM Operations Manager.
c. Enter your username and password.
d. From the Domain menu, choose the default localhost if your account was created using the
Operations Manager. Select a different Domain only if you are a user from an external database
(Active Directory LDAP domain) and are instructed to do so by your system administrator.
e. Enter a new password if prompted.
Note
You must enter a new password the first time you log in, or when your password periodically expires.

Step 4 Select the Operations

Installing the Cisco SASD using the Operations Manager

Step 5 Click Safety and Security Desktop (under the Software heading).

Step 6 Follow the onscreen instructions to complete the installation.

Step 7 Complete the on-screen instructions to install or upgrade the Cisco Multi-Pane Video Surveillance
client software on your computer. This application is an Active X client that enables video playback and
other features. Video will not play unless the Cisco Multi-Pane client software is correctly installed. You
must have administrative privileges on the PC workstation to install the software.

Tip
To access the application on your workstation, double-click the Safety And Security Desktop icon on your desktop,
or go to Start > All Programs > Cisco Safety And Security Desktop.

You can save the installer file and use it to install the application on multiple workstations, if
necessary. Users must have a valid Cisco VSM username and password to access the system.
An error appears if the Microsoft .NET Framework 4.0 is not installed. Go to
http://www.microsoft.com/en-us/download/confirmation.aspx?id=17851 to download the
installer, then repeat this procedure.
Logging In
Log in to the Cisco SASD application using the username and password supplied by your administrator.

Note
The first time you log in, you must use the browser-based Cisco VSM Operations Manager to change your password
(you will be prompted to enter a new password on first login).
Users are configured using the Operations Manager.
You must log in with a standard Windows 7 user account. Logging in with a Guest account can prevent video
streaming and cause the following error to be displayed in the video pane: "Cannot create RTSP connection to
server. Check network connection and server health status."

Procedure
Step 1 (First log in only) Log in to the browser-based Operations Manager and change your initial
password.
a. Launch the Internet Explorer web browser on your PC and enter the IP address or hostname of the
Operations Manager server.
b. Enter your username and password (provided by your system administrator).
c. Complete the form to enter a new password.
d. Log out of the Operations Manager.

Step 2 Launch the Cisco SASD application:


Double-click the Safety And Security Desktop shortcut on your desktop, or select Start Menu
> Programs > Cisco Safety And Security Desktop.

Step 3 Enter the login information:

Server: The IP address or hostname of the Cisco VSM Operations Manager.
Domain: Select localhost if your account was created using Cisco VSM, or select another
option if logging in from an external database (Active Directory LDAP domain).
Username: Enter the username provided by your system administrator.
Password: Enter the password you selected using the browser-based Operations Manager.

Login to Cisco SASD


Note
The first time you log in, you must use the browser-based Cisco VSM Operations Manager to change your
password (you will be prompted to enter a new password on first login).
You must log in with a standard Windows 7 user account. Logging in with a Guest account can prevent
video streaming and cause the following error to be displayed in the video pane: "Cannot create RTSP
connection to server. Check network connection and server health status."

Step 4 Select a Site, if prompted

Selecting a Site on First Login

Users with Site access are prompted to select a Site. Users with no Site access are not prompted
for a Site.
To change your Site, you must log out and log back in.

Step 5 If prompted, ask your manager or other administrator to enter their Approver Login.
Approver Login

This second login is required only if configured.


If the approval is not successfully submitted within the time-out period, the login is denied.
Understanding Sites
Sites are designated location hierarchies (a location and its sub-locations) where network connectivity
between the cameras and servers is good. These Sites, however, may have low-bandwidth connectivity to
cameras, servers and users outside the Site.

If the system is configured with Sites, and you are a member of a User Group that is assigned to a Site
location, you will be prompted to select a Site when you log in (Figure).

Selecting a Site on First Login

Users with Site access are prompted for a Site. Users with no Site access are not prompted for a
Site.

Users who do not select a Site, are not assigned a Site, or select Not in Any Site will receive
video from a Dynamic Proxy server for cameras in any Site where Dynamic Proxy is enabled.
To change your Site, or log in to Not in Any Site, log out of Cisco SASD and log back in.
Understanding Login Approval
Dual Login requires that a second user (such as a manager) approve a user's access by entering their
credentials. When the user logs in, a second prompt appears for the manager's credentials (Figure). This
optional feature appears every time the user logs in.

Login Approval

To enable Dual Login for a user

Default User Accounts and Passwords


Cisco SASD includes two default users: the super-admin account and an operator account.

Default User Accounts

Default Account | Default Username and Password | Access Privileges
admin | username: admin, password: admin | Super-admin privileges with full rights to configure, view and manage all system settings and features.
operator | username: operator, password: operator | Ability to view live and recorded video, control PTZ movements, push views to a Video Wall, and export recordings.
Changing Your Password
Log in to the browser-based Cisco VSM Operations Manager and click on your username to change your
password.

Procedure
Step 1 Launch the Internet Explorer (IE) web browser.
Step 2 Enter the same IP address/hostname used to access Cisco SASD.
Step 3 Enter the same username and password used to access Cisco SASD.
Step 4 Click your username in the upper right corner of the Cisco VSM Operations Manager.
Step 5 Enter and reenter your new password.

Changing Your Password Using Operations Manager


Video Workspace
Use the Video workspace to monitor video from one or more cameras based on the camera location or
camera name. You can also monitor multiple cameras in a grid layout.

Procedure
Step 1 Select the Video workspace.
Step 2 Select a blank Layout or click Select View to select a pre-defined layout and set of cameras.
Step 3 (Optional) Select a video source (camera) for each pane:
a. Search for a camera name or select a location.
b. Drag-and-drop camera names onto the available viewing panes (you can also highlight a
pane and double-click the camera name).
Step 4 Use the video playback controls.
Step 5 (Optional) Double-click a video pane to fill the Cisco SASD viewing area with that video. A
preview of the other video panes is shown in a smaller grid at the bottom of the screen.
Double-click the video pane again to return the grid to normal size.
Tip
To fill the screen, right-click the image and select Full screen mode.

Step 6 Click to create a duplicate workspace window that can be dragged to a separate monitor.
Viewing Camera Video in a Multi-Pane Grid
Use the Video or Wall workspace to view video in a grid.

Procedure
Step 1 Select the Video or Wall workspace.
Step 2 Select a blank Layout or pre-defined View
Step 3 Drag cameras onto the available panes to change the video source.

Views Menu in the Camera Centric Workspace

Note
Unattended video walls are backed by the SASD Monitor Windows service. If a wall is closed or
stops streaming, it is brought back up automatically. However, this feature works only if the PC
is rebooted. SASD walls are not backed by the service if the user logs off and then logs in.
Displaying a Duplicate Workspace on a Separate Monitor
A duplicate workspace is an additional window that does not include menus or links to other workspaces.
Duplicate workspaces maximize the video viewing area and can be dragged to another screen to monitor
multiple workspaces or video grids at a single time. You can create a duplicate of any workspace (Video,
Wall, Alerts or Maps) available in your monitoring application.

To create a duplicate workspace, click the duplicate icon. You can then select a layout, view, map or
alert to view video, and drag the window to another monitor, if necessary.

Creating a Duplicate Workspace

Tip
Closing the Cisco SASD or Cisco SASD Advanced Video Player window also closes the duplicate
workspace windows. Logging out of the application also closes all windows.
To maximize the video screens, move the new workspace to a separate monitor and double-click a pane to
fill the entire browser window. To fill the entire monitor screen, right-click the image and select Full
screen mode.
Wall Workspace
Video Walls are pre-defined Views that can be displayed on multiple workstations or viewed by
unattended workstations.

Overview
Video Walls are pre-defined Views that can be displayed on multiple workstations (Figure). All
workstations that display the Video Wall will display the same set of pre-defined panes. Walls can be
modified and published to the other workstations viewing the wall, and used as unattended
workstations that can be monitored without user input or control.

For example, a Lobby Door Video Wall includes cameras in buildings 1 through 4. Each workstation
that selects the Lobby Door Wall will display the same set of cameras. If an attendant at one
workstation changes the camera for a pane, they can click Publish To Wall to display the modified scene on
all other workstations that display that Wall.

Tip
Walls can also be displayed on unattended workstations using the Cisco SASD Wall Launcher.

Note
The operator must have access permissions to use the Wall feature.

Video Walls
1 The Wall Workspace.

Tip
Click to create a duplicate workspace window that can be dragged to a separate monitor. This allows you to view multiple
Walls at the same time.

2 The selected Wall.


3 The video panes displayed by the selected Wall.

Tip
Drag and drop cameras onto the video panes to change the displayed video. Click Publish To Wall to
display the modified Wall on all workstations that are viewing the Wall (the Wall reverts to the default
view after the rollback time defined in the Operations Manager).

4 Publish To Wall: Click to display a View or modified Wall on all other workstations and
monitors that are viewing the Wall.

Usage Notes
Video Walls are configured by system administrators using the Cisco Video Surveillance
Operations Manager browser-based administration tool.
Video Walls can display a populated View or a blank matrix.

Viewing and Publishing Video Walls


Procedure
To view, modify or publish a Video Wall, do the following:

Step 1 Select the Wall workspace tab.


Step 2 (Optional) Click to create a duplicate workspace window that can be dragged to a separate
monitor.
Step 3 Click Select Wall and choose a Wall from the list
Step 4 (Optional) Change the displayed video:
Drag cameras onto the available panes.
Select a different View.

Note
When a pane is updated, all panes in the Video Wall will refresh, which can cause a loss of video for a few
seconds.

Step 5 (Optional) Display a different View on all instances of the selected Video Wall (such as other
workstations that display the same Video Wall).

a. Change the displayed video.


b. Click Publish to Wall.

Tip
The Wall reverts to the default view after the rollback time defined in the Operations Manager.

The Publish to Wall option is enabled only when you change the video displayed in the video
panes.

You must have access permissions for Publish to Wall.


Using the Cisco SASD Wall Configurator
Overview
The Cisco SASD Wall Configurator defines the Video Walls that will appear on unattended workstations.

An unattended workstation is a PC that is used to monitor Video Walls without user input or interaction.
Unattended workstations can be operated without a mouse or keyboard, and do not have access to the
Cisco SASD or Cisco SASD Advanced Video Player interface.

For example:

Once the unattended workstation is configured, you can exit all other Cisco SASD applications
(such as the Cisco SASD Wall Configurator or Cisco SASD Advanced Video Player). The
unattended screens remain open and will (optionally) re-appear when the workstation is
rebooted.
If the keyboard and mouse are removed, the operator can view video, but cannot interact with the
video playback. The workstation can also be placed out of reach (such as below a desk or in a
cabinet).

If the keyboard and mouse remain connected, the operator can interact with the video, and close
and reopen the unattended screens (using the Cisco SASD Wall Launcher).
You can create multiple unattended windows for display on different monitors. For example, one
monitor can display a Video Wall of all Lobby Doors, and a second monitor can display a Video
Wall that rotates the panes among all side entrances.
Unattended mode can be set to launch automatically when the workstation is rebooted (it does
not re-launch when a user logs off and logs back on). You can also use the Cisco SASD Wall
Launcher (installed on the desktop) to relaunch the unattended screens (the Launcher closes any
open unattended windows, and re-launches the unattended Video Wall windows configured on
the PC).
If an unattended Video Wall is shutdown (for example, the application crashes or is closed), or if
all panes in the wall are not streaming video, the unattended Video Wall will re-start
automatically.
If the workstation is rebooted, the same unattended windows will automatically reappear on the
monitor(s) in the same position (unless the monitor resolution was changed).

Unattended video walls are backed by the SASD Monitor Windows service. If a wall is closed or stops
streaming, it is brought back up automatically. However, this feature works only if the PC is
rebooted, not if the user logs off and then logs in.

Figure describes the main features of the Cisco SASD Wall Configurator.
Using Cisco SASD Wall Configurator to Define Unattended Video Walls

1 Add: Click to add a Video Wall that will appear on the workstation in unattended mode, and
then select the Wall Name.

Video Walls are configured using the Operations Manager.


The Video Walls will appear when you save and exit the Cisco SASD Wall Configurator,
when you launch the Cisco SASD Wall Launcher, or (optionally) when you restart the
workstation.

2 Launch on Startup

Select to automatically launch the Walls in unattended mode when the workstation is
restarted.
Deselect to manually launch the unattended walls using the Cisco SASD Wall Launcher.

3 Wall Name: Select the Video Wall(s) that will appear when the workstation is restarted or when
Cisco SASD Wall Launcher is launched.

Note
The Video Walls are configured using the Operations Manager.

4 Window State: Defines the size and location of the Video Wall when the workstation is restarted
or when Cisco SASD Wall Launcher is launched.
Normal: The Video Wall window appears in the size and location defined using the Cisco
SASD Wall Configurator.
Minimized: The Video Wall window is minimized on the monitor.
Maximized: The Video Wall window fills the entire screen.

5 Position: The size and location of the Video Wall in Normal window state.
Move the Video Wall on the screen to automatically change the settings, or enter the coordinates
manually.
6 Launch/Shutdown: Open or close the Video Walls for testing and positioning in the Cisco
SASD Wall Configurator.

Launch. Opens the Video Wall so you can resize and re-position the window.

Shutdown. Closes the Video Wall window.

Tip
All Video Walls will appear when you save and exit the Cisco SASD Wall Configurator, when
you launch the Cisco SASD Wall Launcher, or (optionally) when you restart the workstation.

7 Delete. Removes the Video Wall from unattended mode. The Video Wall window will not
launch.

8 Save: Save the configuration.

9 Close: Quits the Cisco SASD Wall Configurator and launches the Video Walls in unattended
mode.

Requirements
The following are required to use the Cisco SASD Wall Configurator to configure unattended
workstations:

Administrative user privileges on the Windows workstation.


You must belong to a Cisco VSM User Group with access permissions for Video Walls.
At least one Video Wall must be configured on the system (using the Operations Manager
interface).
Video Walls cannot be configured by users who are in a user group with access to multiple Sites.
Only users with access to a single Site (and who are not prompted to select a Site) can configure
Video Walls.
All Video Walls used in unattended mode should be configured with a Default View in the
Operations Manager. If a Video Wall without a Default View is selected, all video panes will be
blank.
If all video panes are blank (no camera was selected as a video source in the Operations
Manager), then the unattended window will repeatedly restart because video streaming is not
available.

Note
Video Walls are configured using the browser-based Operations Manager.

Usage Notes
If the admin account password is changed on the monitoring workstation, then the unattended
windows must be re-configured.
To change the video displayed in the Video Wall panes (such as changing the camera source),
revise the Video Wall configuration using the browser-based Operations Manager. The
unattended windows revert to the Video Wall's Default View when the system is rebooted.
Unattended configuration applies only to a single Cisco Video Surveillance system. If you log
into a different Cisco Video Surveillance system on the same workstation, you cannot revise the
existing unattended windows.
An unattended SASD Wall can be changed by a remote or local user who is running the SASD main
app or SASD ADP and who publishes a different view to the wall, or a different camera to a pane.
The unattended mode will repeatedly restart if video to all panes is lost. This can be caused by
network or system issues, or if a Video Wall without a default view is selected. This allows
unattended mode to recover when the problem is resolved. For example, if the video streams for
all panes are provided by a single Media Server, and that Media Server goes down, then the
unattended mode will restart until communication with the server is reestablished. If the Media
Server fails over to another server, then the new server will provide video streaming and the video
will be displayed.
If the video stream is lost for one (but not all) of the video panes, unattended mode will not
restart and the pane will display an error message and icon. The video will automatically
reappear only if the video is in unattended mode and the camera is enabled for failover.

Configuring Unattended Workstations


Use Cisco SASD Wall Configurator to select the Video Walls that will be displayed in unattended mode on
a workstation.
Once the unattended windows are defined, you can close the Cisco SASD Wall Configurator application.
The unattended windows will be automatically re-launched.

Procedure
Step 1 Before you begin, create one or more Video Walls.

a. Log on to the Operations Manager.


b. You must belong to a User Group with permissions for Video Walls.
c. Create one or more Views.
d. Add one or more Video Walls (System Settings > Video Wall).

Step 2 Connect a keyboard and mouse to the workstation.


Step 3 Launch Cisco SASD Wall Configurator and log in to the application.
Step 4 Click Add (Figure).
Step 5 Select a Wall name.
The Video Wall should include a Default View.
Step 6 Select the Window State:
Normal: The Video Wall window appears in the size and location defined using the Cisco
SASD Wall Configurator.

Minimized: The Video Wall window is minimized on the monitor.

Maximized: The Video Wall window fills the entire screen.


Step 7 Click to launch (display) the Video Wall.
Step 8 Position the Video Wall window(s) on the workstation monitors.
The window will re-display in the same position if you selected the Normal window state.
Step 9 Repeat Step 4 through Step 8 to select a Video Wall for each unattended window and position
the window on the workstation display(s).
Step 10 Select or deselect Launch on Startup to launch unattended mode when the workstation is
restarted.

Tip
If deselected, the unattended windows will not appear when the workstation is restarted. Use the
Cisco SASD Wall Launcher to open the unattended windows.

Step 11 Click Save to save the configuration.

Step 12 Close the Cisco SASD Wall Configurator window to quit the application and launch the Video
Walls in unattended mode.
Note
If all video panes are blank (no camera was selected as a video source in the Operations Manager), then
the unattended window will repeatedly restart because video streaming is not available.

Step 13 (Optional) Move the Video Wall windows to display any unattended mode windows placed
directly behind each other, if necessary.
Step 14 (Optional) Remove the keyboard and mouse.

If the keyboard and mouse are removed, the user can only view video.

Leave a mouse (and/or keyboard) attached to allow the user to control video playback.

Launching the Unattended Windows


To display the Video Walls on the workstation in unattended mode, do one of the following:

Launch Options

Launch Option: Description

Save and exit the Cisco SASD Wall Configurator: The Video Walls are launched automatically when
the Cisco SASD Wall Configurator closes.

Launch the Cisco SASD Wall Launcher: The Cisco SASD Wall Launcher opens all Video Walls in
unattended mode that were added in the Cisco SASD Wall Configurator. The Launcher also closes
any open unattended windows, and re-launches the unattended Video Wall windows configured on
the PC.

Restart the workstation: (Optional) If the Launch on Startup option is selected in the Cisco
SASD Wall Configurator, the Video Walls will launch in unattended mode when the workstation
restarts.

Removing a Video Wall From Unattended Mode


To remove one or all Video Walls from unattended mode, do the following.

Note
The Video Walls will no longer appear when the unattended windows are launched.

Step 1 Launch Cisco SASD Wall Configurator and log in to the application.

Step 2 Click Delete to remove a Video Wall from unattended mode.

Step 3 Click Save.

Step 4 Close the Cisco SASD Wall Configurator application.


Understanding Offline Mode
Offline mode allows unattended screens to continue to display video if the network connection to
Operations Manager is lost, but the connection to the cameras' Media Servers is still available. This can
occur due to a network failure, or when the Operations Manager used to configure the system is located at
a remote location.

Note
If the window is in Offline mode, changes made by another user to the Video Wall or View are not updated
until the window returns to Online mode.

Offline appears in the window title bar when the unattended window is operating in offline mode.

If the network connection to the Operations Manager is lost, the unattended windows will
relaunch in offline mode.
If the Operations Manager is unavailable when the unattended windows launch, the unattended
windows will restart in offline mode.

Transition Times
The unattended windows periodically check for Operations Manager connectivity, and automatically
switch between online and offline mode, if necessary. The system performs this check periodically to
avoid switching back and forth if an intermittent network issue occurs (such as jitter).

Online/Offline Transition Times

Transition: Description

Online to Offline: If the Operations Manager connection is lost for 4 minutes, the unattended
windows will switch to Offline mode.

Offline to Online: If the Operations Manager connection is restored for 12 minutes, the
unattended windows will switch to Online mode.
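
The two thresholds form a hysteresis: a short outage never pushes a window offline, and a window that is offline stays there until connectivity has been stable for the longer period. The following Python model is an added illustration, not Cisco code; the 30-second check interval, the class and function names, and the sample outage trace are assumptions, since the page states only the 4- and 12-minute values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFLINE_AFTER_S = 4 * 60    # Online to Offline: connection lost for 4 minutes
ONLINE_AFTER_S = 12 * 60    # Offline to Online: connection restored for 12 minutes


@dataclass
class UnattendedWindow:
    mode: str = "online"
    streak_start: Optional[float] = None  # start of the run of checks that contradict mode

    def observe(self, t: float, om_reachable: bool) -> str:
        """Feed one Operations Manager connectivity check taken at time t (seconds)."""
        if om_reachable == (self.mode == "online"):
            # Connectivity agrees with the current mode: cancel any pending switch.
            self.streak_start = None
            return self.mode
        if self.streak_start is None:
            self.streak_start = t
        needed = OFFLINE_AFTER_S if self.mode == "online" else ONLINE_AFTER_S
        if t - self.streak_start >= needed:
            self.mode = "offline" if self.mode == "online" else "online"
            self.streak_start = None
        return self.mode


def replay(checks: List[Tuple[int, bool]], start_mode: str = "online") -> List[Tuple[int, str]]:
    """Return the (time, new_mode) transitions produced by a series of checks."""
    window = UnattendedWindow(mode=start_mode)
    transitions = []
    for t, reachable in checks:
        before = window.mode
        if window.observe(t, reachable) != before:
            transitions.append((t, window.mode))
    return transitions


def constructed_checks(outages, end_s: int, interval_s: int = 30) -> List[Tuple[int, bool]]:
    """Build a check series; the Operations Manager is unreachable inside each [start, end)."""
    return [(t, not any(a <= t < b for a, b in outages))
            for t in range(0, end_s + 1, interval_s)]


def seconds_offline(transitions: List[Tuple[int, str]], end_s: int) -> int:
    """Total time spent in Offline mode, during which Video Wall changes are not applied."""
    total, went_offline = 0, None
    for t, mode in transitions:
        if mode == "offline":
            went_offline = t
        elif went_offline is not None:
            total += t - went_offline
            went_offline = None
    if went_offline is not None:
        total += end_s - went_offline
    return total


# Constructed trace (seconds): a 2-minute blip, then a 10-minute outage.
SAMPLE_OUTAGES = [(300, 420), (1200, 1800)]

if __name__ == "__main__":
    tr = replay(constructed_checks(SAMPLE_OUTAGES, 3000))
    print(tr, seconds_offline(tr, 3000))
```

In this trace the 10-minute outage keeps the window in Offline mode for 18 minutes, which is the period during which Video Wall or View changes made by other users are not reflected on the unattended display.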
Alert Workspace
Understanding Events and Alerts
Events represent incidents that occur in the system and in devices (such as cameras or camera encoders).
Events are aggregated (grouped) into alerts for notification purposes. For example, if a camera goes
offline and comes back online repeatedly, all events for that issue are grouped under a single alert, which
triggers a single notification. This prevents operators from being flooded with notifications for multiple
occurrences of the same issue.
Cisco VSM generates two types of events:

Health Events are generated when a device health change occurs, such as reachability, fan
speed, file system usage, or other device-related issues. Critical health events generate alerts by
default.

Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions (security
events do not generate alerts by default). Security alerts can also be forwarded to the Federator
(if installed).

Health Events, Alerts, and Notifications

Note
When a camera is configured for stream redundancy (for example, stream 1 to the primary Cisco Media
Server and stream 2 to a redundant server), events from both streams are added to the same alert.
Alert Workspace Overview
Select the Alert Workspace to view alerts and the events related to each alert. You can also take numerous
actions depending on the alert or event type. For example:

Right-click an alert to acknowledge, close, re-open, or comment on the alert.


Double-click an event or camera icon to view live or recorded video (if available).

Alert Workspace

1 Alert Workspace tab.

The Alert Workspace is available in the Cisco SASD and Cisco SASD Federator applications
only. Alerts are not included in the Cisco SASD Advanced Video Player.

Click to create a duplicate workspace window that can be dragged to a separate monitor.
2 Search: Display alerts in a static list based on the filter criteria (including a time span).
The alerts already displayed on the search result table are auto updated if their status changes.
However, the search result table itself is not auto refreshed (new alerts are not inserted, the table
is auto re-sorted etc.). Re-search the alerts to view current results.
Dynamic Filter: Display alerts in an auto-updating list based on the filter criteria (such as
location, alert type and severity). Click the lock icon to stop or start auto-updates.
When unlocked, new alerts will be added to the list as they occur.
When locked, dynamic updating is paused and only the currently displayed alerts are
shown. Unlock the display to refresh the results.
3 Click the triangle to display or hide the side panel.

4 Filter criteria. Select the criteria described below and click Apply.
Tip
If a filter criterion is not selected, all alerts for that filter are displayed.

Location: Click to select a specific location where the alert(s) were created. Only alerts
from that location will be displayed.
Device: Click to select a location and a specific device (camera). Only alerts from that
device will be displayed.

Time: (Search only). Select a span of time. Only alerts that were generated during that time are
displayed. For example, Today or Month.
Alert Type: Health or Security.
Severity: Select CRITICAL, MAJOR, MINOR, WARNING, or INFO.

Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again
and the streaming status normal event occurs, the alert severity is changed to INFO.

Note
INFO requests also display CRITICAL alerts.

Status: Acknowledged, Closed or New.

Acknowledged By: Enter the full or partial name of the user who acknowledged the alert.
Closed By: Enter the full or partial name of the user who acknowledged the alert.

5 Select an alert to view the events related to that alert.


Right-click an alert to take the following actions:
Change the alert status (acknowledge, close or re-open the alert).
Add a comment to the alert or mark it as a false alarm.
Send the alert to the Cisco VSM Federator.

6 Events associated with the alert (multiple events for the same issue are grouped under a single
alarm).

7 If the URL icon appears, right-click the event to open a new web browser window with
additional information or images.

8 Click the column headers to sort the displayed alerts.


Only headings with an arrow are sortable.
The Time column sorts alerts with the newest alert at the top.
The Severity column sorts alerts with the most severe alert at the top (in the
order of CRITICAL, MAJOR, MINOR, WARNING, INFO).

9 Select the number of items that are displayed on a page, or navigate through the available pages.

10 The camera icon appears if video is available for the event. Double-click the event to
open a 2-pane pop-up playback window. The left pane displays live video, the right pane
displays the recorded video (starting from the event trigger point). This popup window can be
enlarged and dragged to another monitor for better viewing.
If video is not available (for example, if the video was automatically deleted after the duration
defined by the camera retention rules), an error message appears when attempting to view the
video.
Video is available for the following event types:
Motion start/stop
Contact closure open/close
Soft trigger
Analytics

11 Select the orientation of the results:


Display the alerts and events results side-by-side.
Display the alerts above the events.
Dynamic Updates of Alert Results
By default, new alerts are dynamically added to the Dynamic Filter results as they occur. New alerts will
appear at the top of the list if the results are sorted by time, or in the middle of the list if the results are
sorted by severity.
Click the lock icon to stop or start auto-updates.
The Search tab results do not dynamically refresh. The alerts displayed remain static unless you perform
another search.

Viewing Event URLs


Alerts can also include a custom URL. Right-click the event and select the URL to open a window with
additional information, such as a web page, image snapshot, or video clip.

Selecting a Soft Trigger Event URL in the Cisco SASD Monitoring Application

1 Select a soft-trigger alert that was customized to include an additional URL.


2 Right-click the URL icon for the event.
3 Select the URL.
4 View the information, image or video in the pop-up window.
Common Tasks
Common tasks that are performed with alerts.

Common Alert Tasks

Task: Description

Narrow the list of displayed alerts: Click the tabs at the top of the alert list to filter the
displayed alerts:
Search keywords
Dynamic Filter (narrow the results based on alert type, status, or
severity, time, location, and/or device).
Tip
Any filter criteria that is not selected will return all alerts for that filter.

Display the events associated with the alert: Select an alert to view the associated events.

Acknowledge the alert: Right-click an alert and select Acknowledge.

Close, re-open, or flag the alert as a false alarm: Right-click an alert and select an option.
When an alert is closed, no new events can be added (unless the alert
is reopened by a user). Any new events for the same device and issue
are added to a new alert entry.
Users can still modify closed alerts, including the following:
Add a comment (the alert state is not changed).
Re-open the alert. New events for that device and issue will be
added to the alert.

Add a comment: Right-click an alert and select Comment. Add the comment and click Apply.

View event video (motion and analytics alerts only): The camera icon appears if video is
available for the event. Double-click the event to open a playback window.

View alerts on a larger location map: Open the Map Workspace.

Impact of Device Location Changes on Alerts


Because device locations rarely change, the alert location will normally be the same as the device
location. However, if the device location is changed, the following will occur:

New events show the new location, but are added to the existing (and open) alert at the old
location.
When the alert is closed by an operator, any new events create a new alert at the new location
(the location reference in the alert is now consistent with the device location in the event).

For example:

1. Events are added to Alert 1 at the original Location 1


Alert 1 Location 1 Device 1
Event 99 Location1 device1
Event 98 Location1 device1
Etc.

2. The device location is changed to Location 2.


3. New events generated for an existing (and open) Alert 1 are added to the alert using the new
Location 2, but the alert is still associated with the original Location 1.

Alert 1 Location 1 Device 1


Event 101 Location2 device1
Event 100 Location2 device1
Event 99 Location1 device1
Event 98 Location1 device1
Etc.

4. An operator closes the alert (by right-clicking on it).

5. New events are associated with a new alert in the new Location 2 (the location reference in the
alert is now consistent with the device location in the event).
Alert 2 Location 2 Device 1
Event 103 Location2 device1
Event 102 Location2 device1
Etc.
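
The grouping rules in this section (one open alert per device and issue, severity taken from the latest event, closed alerts accepting no new events, alert location fixed when the alert is created) can be replayed with a small Python model. This is an added illustration, not Cisco VSM code; the class names, the `issue` grouping key, the exact-match location filter and the `worst_severity` review helper are assumptions, and the event severities are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity ranking as listed on the page, most severe first.
SEVERITY_ORDER = ["CRITICAL", "MAJOR", "MINOR", "WARNING", "INFO"]


@dataclass
class Event:
    event_id: int
    device: str
    issue: str       # assumed grouping key, e.g. "reachability"
    severity: str
    location: str    # device location when the event was generated


@dataclass
class Alert:
    alert_id: int
    device: str
    issue: str
    location: str                 # set once, from the first event
    status: str = "New"           # New, Acknowledged or Closed
    events: List[Event] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # The alert shows the severity of the most recent event, not the worst one.
        return self.events[-1].severity

    def worst_severity(self) -> str:
        # Review helper (not a VSM field): most severe event ever grouped here.
        return min((e.severity for e in self.events), key=SEVERITY_ORDER.index)

    def location_drift(self) -> List[int]:
        # Events recorded at a location other than the one the alert is filed under.
        return [e.event_id for e in self.events if e.location != self.location]


class AlertStore:
    def __init__(self) -> None:
        self.alerts: List[Alert] = []

    def ingest(self, ev: Event) -> Alert:
        # Reuse the open alert for this device and issue; a closed alert accepts nothing.
        for alert in self.alerts:
            if (alert.device, alert.issue) == (ev.device, ev.issue) and alert.status != "Closed":
                break
        else:
            alert = Alert(len(self.alerts) + 1, ev.device, ev.issue, ev.location)
            self.alerts.append(alert)
        alert.events.append(ev)
        return alert

    def close(self, alert_id: int) -> None:
        self.alerts[alert_id - 1].status = "Closed"

    def filter(self, location: Optional[str] = None, status: Optional[str] = None) -> List[int]:
        # A criterion left unselected (None) matches every alert.
        return [a.alert_id for a in self.alerts
                if location in (None, a.location) and status in (None, a.status)]


def run_page_example() -> Dict[str, object]:
    """Replay the Location 1 -> Location 2 walkthrough with constructed severities."""
    store = AlertStore()
    dev, issue = "Device 1", "reachability"
    store.ingest(Event(98, dev, issue, "CRITICAL", "Location 1"))
    store.ingest(Event(99, dev, issue, "INFO", "Location 1"))
    # The device is moved to Location 2 while Alert 1 is still open.
    store.ingest(Event(100, dev, issue, "CRITICAL", "Location 2"))
    store.ingest(Event(101, dev, issue, "INFO", "Location 2"))
    alert1 = store.alerts[0]
    loc2_before_close = store.filter(location="Location 2")
    store.close(alert1.alert_id)
    store.ingest(Event(102, dev, issue, "CRITICAL", "Location 2"))
    alert2 = store.ingest(Event(103, dev, issue, "INFO", "Location 2"))
    return {
        "alert1_location": alert1.location,
        "alert1_events": [e.event_id for e in alert1.events],
        "alert1_drift": alert1.location_drift(),
        "alert1_shown": alert1.severity,
        "alert1_worst": alert1.worst_severity(),
        "loc2_before_close": loc2_before_close,
        "loc2_after_close": store.filter(location="Location 2"),
        "alert2_events": [e.event_id for e in alert2.events],
    }


if __name__ == "__main__":
    for key, value in run_page_example().items():
        print(f"{key}: {value}")
```

Two things stand out for an operator reviewing alerts: an alert displayed as INFO can still contain CRITICAL events, and in this model a filter on the new location returns nothing for the moved device until the old alert is closed.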
Map Workspace
Overview
The Map Workspace displays maps of the region, city, building or other areas where the Cisco VSM is
deployed (Figure). Use maps to view a physical representation of the camera locations in your deployment,
or as an alternative way to locate cameras and drag and drop them onto a Video Wall.

For example, click a location to view the associated map(s). Cameras at that location are represented by a
camera icon. Single-click the icon to display a draggable icon, or double-click the icon to view video in a
pop-up window.

Tip
Maps can include an aerial view of the camera location (such as a street map or satellite view), or an image of the
physical location (such as a building layout, floor plan or other image).

Note
The Map Workspace is available in the Cisco SASD application only. Maps are not included in the Cisco SASD
Advanced Video Player or Cisco SASD Federator applications.

Note
When upgrading to Release 7.5 from Release 7.2 or lower, you must migrate the map images from the
previous system and reconfigure the map image layers. The Cisco VSM mapping system has been
replaced with GIS map support which is not compatible with the earlier map support. Accessing cameras on
maps now requires the use of a Cisco VSM Map Server.

Map Workspace
1 Map Workspace tab.
Cisco SASD application only. Maps are not included in the Cisco SASD Advanced Video Player or
Cisco SASD Federator applications.
Click to create a duplicate workspace window that can be dragged to a separate monitor.
2 Locations. Select a location to display the maps for that location and its sub-locations.
3 Map for the selected location.

Double-click anywhere on the map to zoom the map image.


4 Camera icons.

A number is displayed when multiple cameras are present and the map is too small to display
individual icons. Zoom in to view the individual icons.
Single-click a camera to view video and alerts from that device. Click anywhere on the map to dismiss
the video feed.
Double-click a camera icon to view video from the camera in a pop-up window. Click anywhere on
the map to dismiss the video feed.
Right-click the icon and select Filter Alert by Camera to view the alerts for that device.
The camera icon color represents the device status:
Green - Enabled: OK
Yellow - Enabled: Warning
Red - Enabled: Critical

5 Video playback window for the selected camera.


6 Alerts for the selected location.
Right-click an alert to take an action (such as close, comment, acknowledge or send to Federator).
Click the Time or Severity column headers to sort the displayed alerts.
Only headings with an arrow are sortable.
The Time column sorts alerts with the newest alert at the top.
The Severity column sorts alerts with the most severe alert at the top (in the order of
CRITICAL, MAJOR, MINOR, WARNING, INFO).
7 Draggable icon. Single-click a camera icon to display a draggable icon. Drag and drop the icon onto a duplicate
Video or Wall workspace.
8 Map provider selector.
Click the selector icon to choose a map provider (such as MapQuest or OpenStreetMap).
The provider displays the map (such as the street or satellite view) for the selected location.

Tip
A selector icon is also used to choose image layers (such as floor plans in a building).

9 Click the triangle to hide or show the alerts related to the location or camera.
Requirements
The following requirements must be met to use the Cisco SASD Maps workspace:

Requirements
A Cisco Maps Server must be installed and added to the Operations Manager configuration.

Note
The location maps and image layers configured in Operations Manager are available for use in the Cisco SASD Maps
workspace.
Internet Explorer (IE) 9 or 10 must be installed on the monitoring workstation:

Note
Do not install IE 11 on the monitoring workstation. Cisco SASD Maps workspace uses IE to communicate
with the Operations Manager Maps Server service and configuration. IE 11 can cause incompatibility issues.
The Cisco SASD desktop application must be installed on the monitoring PC.

Note
The Maps workspace is not supported on the Cisco SASD Federator or Cisco SASD Advanced Video
Player applications.

Working With Image Layers

Image layers (Figure) represent additional details on a location map. For example, if a location map
shows an aerial view of a building, image layers can show images of each floor in that building.
Click the selector icon to display and select the image layers available for a location. Camera icons
represent the real-world location of cameras in each image, allowing you to view video and alerts from
specific cameras.

Image Layers

1. Image layer (represented by a green box).


The number indicates the number of cameras available in the image.
Click the box to display an enlarged image.

2. The enlarged image layer.


Select a camera to view video and alerts from that device.
Click the selector icon to display the available image layers (such as each floor in a
building).

3. Camera icon.
Select a camera to view video and alerts from that device.
Right-click the icon and select Filter Alert by Camera to view the alerts for that device.
The color represents the device status:
o Green - Enabled: OK
o Red - Enabled: Critical
4. Video playback window for the selected camera.

5. Draggable icon.
Single-click a camera icon to display a draggable icon.
Drag and drop the icon onto a duplicate workspace (icons cannot be dragged onto an
unattended Video Wall).

6. Image Layer selection.


Click the selector icon to choose an image layer (such as a building floor plan).

7. Location map selection.


Click the selector icon to choose a map provider (such as MapQuest or
OpenStreetMap).
The provider displays the map (such as the street or satellite view) for the selected location.

Summary of Map Workspace Options


Procedure
To view video from cameras using map images, do the following:

Step 1 Select the Map Workspace (Figure).

Step 2 Expand the location hierarchy and select a location from the list.

Step 3 (Optional) Click the selector icon to choose a map provider (such as MapQuest or
OpenStreetMap).
Step 4 (Optional) Click an image layer to display an enlarged version of the image.

Step 5 (Optional) Click the selector icon to choose an image layer (such as a building floor
plan).
Step 6 (Optional) Double-click a camera icon to view video for that camera in a pop-up window.

Step 7 (Optional) Single-click a camera icon to display a draggable icon, then drag and drop the icon
to a Video Wall.

Step 8 (Optional) Right-click an alert to change the status or enter a comment.

Step 9 (Optional) Right-click the icon and select Filter Alert by Camera to view the alerts for that
device.
GLOSSARY

Alarm The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, or another application using the soft-trigger command
API.
Alarm Trigger The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, another application using the soft-trigger command API,
or a window or door opening/closing.
Alert The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, or another application using the soft-trigger command
API.
API Application Programming Interface

Archive A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a
feed from a camera-encoder to be stored in multiple locations and formats to be
viewed at a later time. There are three types of archives: Regular, where the
archive recording terminates after a pre-set time duration lapses and is stored for
the duration of its Days-to-Live. Loop, where the archive continuously records until
the archive is stopped. Loop archives reuse the space (first-in-first-out) allocated
after every completion of the specified loop time. Clip, the source of the archive is
extracted from one of the previous two types and is stored for the duration of its
Days-to-Live.
Archive Clip The source of the archive that is extracted from one of the other two types and
stored for the duration of its Days-to-Live.
Archive Server Programs which receive incoming video streams or loops, interprets them, and
takes the applicable action.
Archiver An application that manages off-line storage of video/audio onto back-up tapes,
floppy disks, optical disks, etc.

Camera Controls Permits users to change the camera lens direction and field view depth. Panning
a camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves
objects closer to or further from the field of view. Many of these cameras also
include focus and iris control. A camera may have a subset of these features such
as zoom, pan, or tilt only.
Camera Drivers Responsible for converting standardized URL commands supported by the
module into binary control protocols read by a specific camera model.
Child Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies:

A direct proxy is the initial or direct connection between the edge camera-
encoder source. By definition at least one direct proxy exists for a given video
source.

A parent proxy is the source of a nested or child proxy. Parent proxies may be
from remote or local hosts. Proxies are nested in a hierarchy with inheritance
rights.

A child proxy is the result of a nested or parent proxy. Child proxies run on the
local host. Proxies are nested in a hierarchy with inheritance rights. A child proxy
has the same resolution, quality, and media type of its parent, but can have a
lower frame rate for motion JPEG.
Clip A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a
feed from a camera-encoder to be stored in multiple locations and formats to be
viewed at a later time. There are three types of archives:

Regular: where the archive recording terminates after a pre-set time duration
lapses and is stored for the duration of its Days-to-Live.

Loop: where the archive continuously records until the archive is stopped. Loop
archives reuse the space (first-in-first-out) allocated after every completion of
the specified loop time.

Clip: the source of the archive is extracted from one of the previous two types
and is stored for the duration of its Days-to-Live.

D
Direct Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By
definition at least one direct proxy exists for a given video source. A parent
proxy is the source of a nested or child proxy. Parent proxies may be from remote
or local hosts. Proxies are nested in a hierarchy with inheritance rights. A child
proxy is the result of a nested or parent proxy. Child proxies run on the local host.
Proxies are nested in a hierarchy with inheritance rights. A child proxy has the
same resolution, quality, and media type of its parent, but can have a lower
frame rate for motion JPEG.
DVR Digital Video Recorder/Recording: broadcasts on a hard disk drive which can then
be played back at a later time
J

J2EE Java 2 Enterprise Edition

JPEG JPEG (pronounced jay-peg) stands for Joint Photographic Experts Group, the
original name of the committee that wrote the standard. JPEG is designed for
compressing full color or gray-scale images of natural, real-world scenes. JPEG is
lossy, meaning that the decompressed image is not exactly the same as the
original. A useful property of JPEG is that the degree of lossiness can be varied by
adjusting compression parameters. This means that the image maker can trade off
file size against output image quality. The play rate is the number of frames-per-
second or fps.
K

Kbps The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.

Layout The geometric description of one or more video panes.

LDAP Lightweight Directory Access Protocol
Loop A loop is a hardware or software device which feeds the incoming signal or data
back to the sender. It is used to aid in debugging physical connection problems.

Mbps The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.

Media Server A device that processes multimedia applications.

MPEG MPEG (pronounced em-peg) stands for Moving Picture Experts Group and is the
name of a family of standards used for the compression of digital video and audio
sequences. MPEG files are smaller for and use very sophisticated compression
techniques. The play rate is the number of megabits-per-second or Mbps and
kilobits per second or Kbps.
N

NTSC National Television System Committee


P

Pan-Tilt-Zoom Controls Permits users to change the camera lens direction and field view depth. Panning a
camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves objects
closer to or further from the field of view. Many of these cameras also include focus
and iris control. A camera may have a subset of these features such as zoom, pan, or
tilt only.
Parent proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy Command A URL-based API that is neither application-platform nor programming language
specific. Commands are sent to dynamically loaded modules (e.g. info.bwt,
command.bwt, event.bwt, &c.) using arguments in the form of name-value pairs.

Proxy Server An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy Source An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local hosts.
Proxies are nested in a hierarchy with inheritance rights. A child proxy is the
result of a nested or parent proxy. Child proxies run on the local host. Proxies are
nested in a hierarchy with inheritance rights. A child proxy has the same resolution,
quality, and media type of its parent, but can have a lower frame rate for motion
JPEG.
PTZ: Pan Tilt Zoom Permits users to change the camera lens direction and field view depth. Panning a
camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves objects
closer to or further from the field of view. Many of these cameras also include focus
and iris control. A camera may have a subset of these features such as zoom, pan, or
tilt only.

Rate The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Record Rate The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Recording A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a feed
from a camera-encoder to be stored in multiple locations and formats to be viewed
at a later time. There are three types of archives: Regular, where the archive
recording terminates after a pre-set time duration lapses and is stored for the
duration of its Days-to-Live. Loop, where the archive continuously records until the
archive is stopped. Loop archives reuse the space (first-in-first-out) allocated after
every completion of the specified loop time. Clip, the source of the archive is
extracted from one of the previous two types and is stored for the duration of its
Days-to-Live.
Recording Archive An archive whose state is running/recording. A running regular archive gathers
additional data and increases in size. A running loop archive gathers more data
and reuses its allocated space. Regular archives that have not reached their
duration and loops that are still recording are running. Running archives have a
Days-to-Live value of -1 which does not update until they have stopped.
Repository A central place where data is stored and maintained. A repository can be a place
where multiple databases or files are located for distribution over a network, or a
repository can be a location that is directly accessible to the user without having to
travel across a network.
