Table of Contents
Course Introduction
Module 1
Lesson 1 Architectural Framework
Lesson 2 Network Video
Lesson 3 Media Flow Considerations
Lesson 4 Network Services Considerations
Lesson 5 Network Performance Considerations
Lesson 6 Quality of Service Considerations
Lesson 7 Network Management Considerations
Module 2
Lesson 1 VMS
Lesson 2 Deployment Scenario
Lesson 3 Determining the Required Resources
Lesson 4 Securing VMS
Lesson 5 Video Recording Options
Lesson 6 Server and Camera Network Configuration
Lesson 7 Understanding NTP Configurations Server
Lesson 8 Server High Availability
Lesson 9 Bulk Camera Configuration and Deployment
Lesson 10 Controlling User Access Permission
Lesson 11 Using Locations to Limit User Access
Lesson 12 Using Events to Trigger Actions
Module 3
Lesson 1 Configurations VMOS
Lesson 2 Creating the location
Lesson 3 Add user and User groups
Lesson 4 Configuring Servers
Lesson 5 Adding and managing camera
Lesson 6 Viewing Video
Lesson 7 Backup and Restore
Lesson 8 Monitoring System and Device Health
Lesson 9 VSM Safety and Security Desktop
IPVS
Course Introduction
Overview
Cisco IP Video Surveillance (IPVS) provides an opportunity to learn about a broad range of the
components and options that should be considered when designing and implementing a Cisco VSM
deployment.
Course Objectives
After completing this course, the delegates will be able to install, configure, operate and maintain Cisco
IP Surveillance components such as Stream Manager, VSM, VMOS as well as analogue and digital
cameras. In addition delegates will learn how to archive streams and operate live and playback
operation.
Prerequisites
Cisco Certified Network Associate (CCNA) or equivalent knowledge
Course Flow
Day 1
AM: Course Introduction; Architectural Framework; Network Video; Media Flow Considerations; Network Services Considerations
PM: Network Performance Considerations; Quality of Service Considerations; Network Management Considerations
Day 2
AM: VMS; Deployment Scenario; Determining the Required Resources; Securing VMS; Video Recording Options; Server and Camera Network Configuration
PM: Understanding NTP Configurations Server; Server High Availability; Bulk Camera Configuration and Deployment
Day 3
AM: Controlling User Access Permission; Using Locations to Limit User Access; Using Events to Trigger Actions; Configurations VMOS
PM: Creating the location; Add user and User groups; Configuring Servers
Day 4
AM: Adding and managing camera; Viewing Video; Backup and Restore
PM: Monitoring System and Device Health; Safety and Security Desktop
Module 1
Network Considerations
Overview
This module summarizes high-level design recommendations and best
practices for implementing Cisco Video Surveillance on the enterprise network
infrastructure. In some instances, existing network equipment and topologies
have the necessary configuration and performance characteristics to support
high-quality IP Video Surveillance. In other instances, network hardware
might require upgrading or reconfiguration to support increased bandwidth
needed to support video. Quality-of-service (QoS) techniques are important for
any design because video has similar, and in some instances more stringent,
requirements than VoIP for loss, latency, and jitter.
Lesson 1
Architectural Framework
Overview
The IP Video Surveillance architectural framework refers to a set of building
blocks that are used as a guiding tool when designing and evaluating a Cisco
video surveillance solution. Based on the customer-stated business and
technical requirements, and the application of industry standards and best
practices, the right IP Video Surveillance solution can be developed and built
for an organization.
Architectural Framework
The enterprise IP Video Surveillance environment is built on a solid foundational framework that is
composed of a stack of four horizontal building blocks that define the solution architecture, as well
as a vertical services overlay that enables its successful implementation and sustenance.
Each block in the stack has a significant and integral role to play in the solution architecture to be
developed and should thus be exhaustively addressed to produce a scalable and resilient solution.
The enterprise architectures block defines the structure of the network deployment environment on
which the IP Video Surveillance solution will be implemented. In general, there are three main
architecture models: centralized, branch and distributed. Each architecture model has unique
requirements and considerations, though there are areas of overlap.
The infrastructure platforms block describes the major infrastructure components that comprise the IP
Video Surveillance environment. This layer includes the Local Area Network (LAN) and Storage Area
Network (SAN) that form the building blocks of the network design, as well as the Unified Computing
System (UCS) and Multiservice Platform (MSP) appliances onto which all applications are hosted.
The management instrumentation block defines the system tools and processes that enable the scalable
management and flexible monitoring of the IP Video Surveillance solution. These tools leverage
embedded instrumentation within IOS, NXOS and MSP devices to extract relevant data points for
assessing the total health of the solution, as well as for fault isolation and rapid resolution.
The endpoints and applications block sits at the very top of the stack, leveraging the infrastructure and
management capabilities offered by the lower layers. This layer defines the sources and consumers of
video data, including Video Surveillance Manager Server applications that manage these endpoint
devices as well as video traffic on the network.
The services block comprises the service offerings that support the IP Video Surveillance architecture.
These include security, business continuity and optimization services. Security services are composed
of the features and technologies necessary for securing the infrastructure and application environments.
Security policies could be applied on the network devices, servers and end points. Business continuity
focuses on maintaining an organization's IP Video Surveillance systems during and after a disruption,
and consists of both high availability and disaster recovery strategies. Optimization services provide
features that enhance the performance and intelligence of applications and the network environment,
including load balancing and caching. These services are not only related but dependent on each other,
supporting a fully functional solution architecture.
The solution framework forms the basis of the design and architecture of the IP Video Surveillance
environment, and as such it is important to understand its relevance. The following sections describe
these considerations in further detail.
Design
Network design considerations for IP Video Surveillance solutions are easy to overlook, and often are,
because it is assumed that the underlying network should be able to handle any type of traffic while
delivering acceptable performance.
While this may be true for very small deployments, it is most certainly a recipe for problems for
relatively larger deployments, and also for the time in the future when this small deployment needs to
grow. An IP Video Surveillance network that has not been designed in a systematic fashion will
invariably run into problems from the beginning of the implementation stage.
Network design is as much about developing the most appropriate solution given a set of requirements
as it is about documenting these requirements, design decisions and proposed architecture.
This allows new team members to easily understand what problems the design solves, how the system
operates and how to extend and expand the network when needed.
Enterprise
This chapter discusses the considerations that need to be taken into account when designing the
enterprise IP Video Surveillance network.
Enterprise IP Video Surveillance architectures are characterized based on the following factors:
- Network model (LAN/MAN or WAN)
- Location of the VSM servers
- Number of Operations Manager servers
- Number of Media Servers
The following sections describe the different architecture models that can be adopted in terms
of their characterization and principles of design.
Centralized Architecture
The centralized IP Video Surveillance architecture is characterized by the existence of a single
Operations Manager server that manages one or more Media Servers at the same organizational and
geographical region. A campus with one or more locations that are interconnected by a Local Area
Network (LAN) or Metropolitan Area Network (MAN) defines this region.
In general, centralized architectures are classified as medium-sized deployments, which consist of 20
or fewer media servers, 1000 or fewer video endpoints and 20 or fewer active client endpoints, in a
single location.
In the figure above, the network spans two campuses that are interconnected
over a LAN or MAN. This implies that the campuses are within the same
general geographic area with the network providing a high-speed back-haul,
e.g. 1Gbps, 10Gbps or 40Gbps. The VSM servers can be located at either or
both campuses, Building A and Building 1.
Design Principles
Compute
Computational resources for VSM servers, primarily CPU and memory, are provided either by MSPs
in a physical environment or UCSs in a virtualized environment. The provisioning of these resources
for VSM appliances should be guided by the expected workload from video endpoints, server
processing activities and servicing requests from client endpoints.
Cisco provides recommendations for sizing virtual environments in the VSM on UCS Deployment
Guide:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6918/ps9145/ps9152/data_sheet_c78-712809.html
MSPs that support Cisco Video Surveillance are equipped with up to a single-socket, quad-core
processor and 2GB of RAM. They provide a simple and standardized platform for deploying VSM in
centralized architectures. By that same token, the caveat that presents itself is that computational
resources cannot be grown to adapt to growth in workloads over time. So either the initial sizing will
need to be over-provisioned in anticipation of future resource demands, or multiple appliances would
be required to drive the same workload.
For VSM instances that are virtualized on the UCS platform, these concerns are addressed due to the
ability of UCS appliances to handle larger CPU and memory capacities. VSM virtual appliances can be
hosted on B-series hosts that provide a dense deployment environment serviced by up to two-socket, 6-
core processors and up to 384GB of RAM. C-series servers can be provisioned with up to two-socket,
8-core processors and up to 384GB of RAM. Therefore, these VSM virtual machines can be
provisioned with more memory and processor capacity flexibly when required.
Network
For simple deployments, the network should be designed with traffic localization in mind. The VSM
media servers should be placed as close as possible to video endpoints from which streams are sourced.
This will allow relatively higher quality video to be recorded locally, without being required to traverse
the network, which could result in additional latency and higher potential for packet loss.
Sophisticated networks that have end-to-end QoS deployed, with the recommended per-hop behavior
(PHB) applied to the video traffic class, allow video traffic to traverse the network to a centralized
location, for example the data center where the associated VSM media server is located.
Cisco recommends that video traffic should be placed in a separate local VLAN for easy identification
and classification. The VLAN should not span multiple switches. Similarly, Ethernet storage and
management traffic should be placed in separate VLANs.
A logical and consistent IP addressing scheme should be adopted that allows for simplified
management, scalability and route summarization.
Cisco recommends that a network readiness assessment should be carried out to ensure that the
network has sufficient capacity to meet the performance requirements for delivering video between
endpoints and servers.
Storage
Video traffic requires a significant amount of storage space for recording and as such is the most
dominant factor to consider when designing IP Video Surveillance environments. Both MSP and UCS
appliances can provide local and remote storage capabilities.
Local storage on the MSP platforms can scale up to 24TB of raw capacity per server, when using the
standard 2TB disks in a 12-bay 2RU CPS chassis. The UCS C240 M3, on the other hand, can handle up
to 36TB raw capacity per appliance, when using 3TB disks in a 12-bay 2RU chassis.
External storage is supported using fibre channel SAN devices. These devices can scale up in excess of
100TB per appliance. Multilayer directors can be used to provide zoning and other advanced features
where multiple hosts and storage devices exist.
In general, virtualized appliances leverage external storage to take advantage of high availability
(which requires shared storage), storage scalability and high performance. Local storage on MSPs is
suitable for simple deployments that look for an all-in-one solution for recording and management.
Management
A single Operations Manager server that is located in the central data center manages video endpoints
and media server resources. A single VSOM instance can scale management of up to 10,000 video
endpoints and up to 250 media servers. For deployment environments that exceed these endpoints and
servers, such as city-wide deployments, multiple VSOM instances can be provisioned to provide
load-balancing.
Branch Architecture
Characteristics
The IP Video Surveillance branch architecture is characterized by the existence of a single Operations
Manager server that manages one or more Media Servers at the same organizational and geographical
region. This region is defined as an autonomous campus with one or more locations that are
interconnected by a Local Area Network (LAN).
In general, branch architectures are classified as small-sized deployments which consist of 5 or fewer
media servers, 100 or fewer video endpoints and 5 or fewer active client endpoints, in a single location.
Multiple such branches can exist in the organization; however, each is characterized as being managed
independently of each other.
Design Principles
Compute
Computational resources at the branch environment are provided either by an MSP appliance for
physical environments or the UCS E-series blades for virtual environments. The UCS E-series blade is
a Cisco ISR G2 router service module that provides the functionality of a compact, power-optimized,
multipurpose x86 64-bit blade server.
The E-series offers a single-socket, up to 6-core processor option with up to 48GB of RAM. These
specifications best the MSP appliances, while providing the flexibility of a virtualized environment and
functionality of a branch-in-a-box. The caveat to consider is that the ISR G2 is a required component,
which could add to the cost factor. However, this could also be an advantage to be leveraged if the
router exists already or is to be used to provide other services for the branch.
The MSP is a viable alternative where simplicity is key, and the solution requirements fall within the
fixed configuration options available.
Network
The small office/branch office network is typically a flat, switched environment with relatively few
endpoints and traffic generated. Video traffic is not expected to traverse long distances from the
endpoints to the VSM server; however, Cisco recommends that QoS is implemented to provide
differentiated services from other traffic types, especially during periods of relatively higher than
normal use. Depending on the size of the environment, all devices may be placed into a single VLAN
and IP addresses sourced from a single subnet. If the IP address space is subdivided for different
functions, Cisco recommends that video traffic should be placed in its own VLAN for easy
identification and classification.
Storage
MSP appliances can provide local on-board storage for recording video. E-series blades, on the other
hand, do not have sufficient storage capacity to meet most solution recording needs. The blades provide
up to 3TB raw capacity for SATA drives. If RAID arrays are created for fault tolerance, this available
capacity is further diminished. As a result, whenever E-series blades are required, external storage
options will need to be evaluated.
In particular, iSCSI SAN devices are appropriate for this environment to provide the needed storage
scalability and at the same time leverage existing Ethernet infrastructure, which lowers the total cost of
ownership. The E-series has in-built optimizations for iSCSI, specifically TCP/IP Offload Engine
(TOE) and iSCSI hardware offload. These enhancements offload the processing of packet headers to
hardware ASICs, which translates to a significant performance improvement for VSM applications.
Management
The Operations Manager centrally provides management of the video surveillance environment. As
noted earlier, the Cisco Physical Security Multiservices Platform (CPS MSP) appliances provide out-
of-band management capabilities through Intelligent Platform Management Interface (IPMI). The UCS
E-series blade server has an integrated Emulex Baseboard Management Controller (BMC) that provides
for management via IPMI as well as through the Cisco Integrated Management Controller (CIMC)
interface.
In addition, the VSM virtual appliances can be managed using the vSphere client interface. This
capability is especially important in remote branch environments where IT staff may not be available at
every site for monitoring or troubleshooting.
Distributed Architecture
Characteristics
The distributed IP Video Surveillance architecture is characterized by the existence of a single
Operations Manager server that manages one or more Media Servers across multiple organizational and
geographical regions. These regions are typically composed of a central campus and one or more
remote campuses interconnected by a private Wide Area Network (WAN) or the public Internet over a
secure virtual private network.
Network
The network connectivity between the branch and central campus could either be over a private WAN
service such as Multi-Protocol Label Switching (MPLS) or Frame Relay, or over the public internet,
typically over a secure Virtual Private Network (VPN) service such as IPsec VPN, Dynamic Multipoint
VPN (DMVPN) or GET VPN.
Remote users can gain access to IP Video Surveillance resources, such as the Operations Manager
instance, through an ezVPN or Secure Sockets Layer (SSL) VPN connection.
Bandwidth is typically a limiting factor as traffic traverses the WAN. Users also need to balance the
need to record high-fidelity, evidence-quality video with monitoring live video from remote locations.
Cisco recommends that in such cases secondary streams of lower resolution and bit rate or frame rate
should be considered. The lower quality stream is used for live viewing across the WAN from remote
branches to users at the central site, for example, while the higher-quality stream is recorded locally for
later retrieval should the need arise.
Cisco recommends that network readiness assessments should be carried out across the central campus
to multiple remote locations to determine the appropriate stream settings at which the network can
sustain acceptable video performance.
Management
Network management tools should be leveraged to monitor the health of video traffic as it traverses the
enterprise network. This is especially important for distributed architectures due to the physical
separation and often the lack of trained IT staff at remote locations to assist with troubleshooting and
remediation measures.
IOS embedded instrumentation that is leveraged by the Medianet architecture should be employed to
provide proactive and reactive monitoring capabilities across the enterprise IP Video Surveillance
network. These tools should be used in conjunction with management capabilities available within the
campus environments.
Campus Network Design
Understanding and designing the structure of the network design is crucial to creating scalable and
available campus architectures. This section describes the building blocks of the enterprise campus
model as well as considerations for designing the IP Video Surveillance network structure.
Hierarchical Model
The hierarchical model of network design simplifies the architecture of campus networks into modular
components, each representing a functional service layer within the campus hierarchy. A hierarchical
design is also important as it avoids the need for a fully meshed node network.
- Power over Ethernet (PoE): provides power to PoE-capable edge devices such as IP cameras.
- QoS trust boundary: traffic flows are typically marked at this layer on ingress at the
  switchport.
- Link aggregation: high availability is provided to the distribution layer through EtherChannel
  or 802.3ad Link Aggregation Control Protocol (LACP).
- IGMP snooping: helps control multicast packet flooding for multicast applications.
- Security services: various security features are typically configured at this layer, such as
  DHCP snooping, 802.1x, port security, Dynamic ARP Inspection and IP source guard.
Distribution Layer
The campus distribution layer acts as the services and policy boundary, connecting both access and
core layers. Network devices in this layer typically participate in Layer 2 switching on downstream
access trunks and Layer 3 switching on upstream core links.
- Redundancy: through Virtual Switching System (VSS) for Catalyst 6500 series switches or
  first-hop redundancy protocols such as Hot Standby Routing Protocol (HSRP), Virtual Router
  Redundancy Protocol (VRRP)
- Route summarization: summarizes routes from the access layer to the core
- Policy-based routing: controlled routing decisions and packet manipulation is carried out at
  this layer, and also forms the boundary between static and dynamic routing protocols
- Layer 2 boundary: VLANs are terminated at this layer and traffic is subsequently routed
  between VLANs or to the core for external networks
Core Layer
The campus core layer acts as a high-speed backbone for fast and efficient movement of packets across
multiple networks. This layer provides a limited set of services and is designed to be highly available
and reliable to allow for rapid adaptation to network changes, for instance rerouting of traffic when
network failure occurs.
For smaller campuses, the core can be combined with the distribution to form a collapsed core. In this
configuration, the collapsed core must be fully meshed to provide proper connectivity. However, the
setup is difficult to scale. Additionally, network changes to one part of the core/distributed layer can
result in network disruption in other layers as well. As such, while convenient for small environments,
these caveats should be carefully considered.
Layer 2 Design
The two over-arching design goals for the IP Video Surveillance Layer 2 network are high availability
and determinism. The optimal Layer 2 design should provide a measure of redundancy and alternate
paths to network destinations, and should also establish predictable patterns for video traffic on the
network.
The following features are important in ensuring a suitable Layer 2 design is formed. Considerations for
designing the IP Video Surveillance network with these features in mind are discussed in the following
sections.
LAN Switching
The goal of the Layer 2 switching or forwarding logic in IOS Catalyst devices is to deliver Ethernet
frames to appropriate receivers based on the destination MAC address. Physical switches can either be
statically configured with MAC addresses or they can be learned dynamically by inspecting the source
MAC address field of incoming frames.
If the MAC address is known, it would be present in the Content-Addressable Memory (CAM) table,
along with the associated VLAN ID, egress switchport and timestamp of when the MAC address was last
seen. This information will then be used to forward the frame.
If the MAC address is unknown, the forwarding behavior will depend on the type of address:
- Unknown unicast: the frame is flooded out all interfaces, except the interface on which the
  frame was received
- Broadcast: the frame is flooded out in the same manner as unknown unicasts
- Multicast: the frame is flooded out in the same manner as unknown unicasts, except when
  optimizations such as IGMP are implemented
For the switch to forward on the outgoing interface, the port must be in the forwarding state in the STP
configuration. Spanning Tree Protocol enables switches to overcome the possibility of bridging loops
occurring along redundant switching paths.
Virtual LAN
A virtual LAN (VLAN) refers to host devices linked to a subset of switchports that communicate as a
logical network segment. VLANs are used to limit the size of a broadcast domain, and to assist in
allocation and management of subnetworks. As such, VLANs form a critical component of hierarchical
and modular network designs, and they enable isolation of different traffic aggregates.
Cisco recommends that the following traffic aggregates should be separated by VLANs on the network:
- Management traffic: generally consists of to-the-box traffic. Examples include Secure Shell (SSH),
  telnet, vSphere connectivity, Cisco Integrated Management Controller (CIMC), Cisco Integrated
  Management Controller Express (CIMCE) and device-generated data traffic such as L2/L3 protocols.
- Video traffic: consists of traffic from camera endpoints to media servers, and on to client endpoints
- Storage traffic: consists of Fibre Channel over Ethernet (FCoE) and iSCSI storage traffic
This traffic separation provides for simplicity in managing and monitoring endpoints, and in applying
differentiated service levels for these traffic classes.
When traffic is received on an ingress switchport, the frames are tagged with a VLAN ID. By default,
VLAN 1 is the tag that is applied to all traffic; however, each switchport can be associated with a
different VLAN as shown below:
Per-VLAN Spanning Tree Plus (PVST+) is an enhancement to STP (802.1d) that provides for a separate
spanning-tree instance for each VLAN in the network. Rapid PVST+ (RPVST+) further improves the
convergence time of STP, while providing optimizations to the STP instance.
! PortFast: access ports enter the forwarding state immediately by skipping the
! listening and learning STP states
! Do not configure on trunk ports (will likely cause STP loops).
!
interface range FastEthernet1/0/5
 switchport access vlan 19
 spanning-tree portfast
!
! BPDU Guard: if BPDUs are seen on a switch port, the port goes into error-disable
! state and must be manually recovered before traffic can pass through again
! Typically configured along with PortFast
!
interface range FastEthernet1/0/5
 spanning-tree bpduguard enable
!
! Root Guard: if superior BPDUs are seen on a switch port, the port goes into
! error-disable state to prevent the rogue switch from becoming the root.
! Automatically recovers the port when the BPDUs are no longer received on the
! interface
!
interface range FastEthernet1/0/5
 spanning-tree guard root
!
! UplinkFast: for access switches with redundant uplinks, optimized convergence and
! failover to alternate links is achieved for direct link failures
! Configured globally on a switch
!
spanning-tree uplinkfast
!
! BackboneFast: when a switch learns of an indirect link failure independently, instead
! of waiting for max_age timer to expire, it reduces convergence time by querying
! neighbors
! Must be configured globally on all switches in order to be effective
!
spanning-tree backbonefast
!
Cisco recommends that these spanning-tree optimizations should be implemented as a best practice,
where appropriate.
Trunking
In order to transport information from more than one VLAN across the switch fabric, trunks between
participating switches must be configured.
Packets belonging to each VLAN are tagged with identifying information in the frame header using
either 802.1q or Inter-Switch Link (ISL) encapsulation; dot1q is standards-based and the most prevalent
in networks today.
Also, set the native VLAN to something other than the default (VLAN 1) for security purposes in order
to mitigate VLAN-hopping attacks.
!
! Configure trunking on the connected ports on both switches
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22-24
!
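The PortFast/BPDU Guard and trunk recommendations above can be checked mechanically against a switch configuration. The following is an added example, not part of the original course material: the sample configuration is constructed, the finding texts are this example's own, and it assumes running-config style stanzas with only per-interface commands considered (a globally enabled `spanning-tree portfast bpduguard default` is not taken into account, and a port without `switchport mode trunk` is treated as an access port).

```python
import re

# Constructed sample (not from the original page). Fa1/0/5 and Gi1/0/24 follow the
# page's recommendations; Fa1/0/6 and Gi1/0/23 deliberately do not.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/5
 switchport mode access
 switchport access vlan 19
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
 switchport mode access
 switchport access vlan 19
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22-24
!
"""


def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its list of sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"^interface\s+(\S+)\s*$", raw)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))  # normalise whitespace
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces


def audit_interface(cmds):
    """Return the findings for one interface, in a fixed order."""
    findings = []
    is_trunk = "switchport mode trunk" in cmds
    portfast = "spanning-tree portfast" in cmds
    if is_trunk:
        # Native VLAN left at the default (absent or explicitly 1) enables VLAN hopping.
        native = [c.rsplit(" ", 1)[1] for c in cmds
                  if c.startswith("switchport trunk native vlan ")]
        if not native or native[-1] == "1":
            findings.append("trunk native VLAN is the default (1)")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append("trunk has no allowed-VLAN list")
        if portfast:
            findings.append("PortFast on a trunk port")
    elif portfast and "spanning-tree bpduguard enable" not in cmds:
        findings.append("PortFast without BPDU Guard")
    return findings


def audit_config(config):
    """Audit every interface stanza; interfaces without findings map to []."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```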
Etherchannels
EtherChannels allow multiple uplinks (up to eight Ethernet interfaces of the same type) to be combined
together and considered as a single link in the spanning-tree domain. All links are in the forwarding state
resulting in increased total bandwidth available. Without EtherChannels, only one link would be in the
forwarding state and all the others would be blocking in order to prevent STP loops.
EtherChannels also allow for load balancing between the configured link bundles based on the
EtherChannel hashing algorithm. Note that, while Cisco switches can, routers do not negotiate port
channels through LACP or PAgP, so the far end would need to be unconditionally on.
IP Addressing
The foundation of an efficient, scalable and manageable routing domain is the IP addressing scheme. A
properly designed IP addressing scheme allows the network to take advantage of route summarization.
Route summarization allows a Layer 3 device to only advertise summary routes to upstream devices,
thus reducing router workloads and resource consumption. This leads to faster convergence times,
reduces instability during high-traffic periods and promotes determinism.
Properly designed IP addressing schemes also make it easier to implement access control lists for
matching interesting traffic for security purposes or applying differentiated services.
The IP addressing scheme should also be scalable and account for future growth; this allows for new
switches, routers or endpoints to be added to the network without impacting the rest of the topology.
In this example, the IP address allocation scheme allows for up to 255 distribution groups each with up
to 255 possible local VLANs. Each local VLAN can have up to 254 hosts. More importantly, the
distribution switches can send summary routes up to the core and to each other over Layer 3 links which
enable efficiency and fast routing protocol convergence.
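The effect of a hierarchical scheme on summarization and on access control lists can be worked through in a few lines. This is an added example, not part of the original course material; it assumes the scheme is 10.<distribution group>.<local VLAN>.0/24 (the page's figure is not available), that video sits in VLAN 19 in every block, and the ad hoc subnets are constructed for contrast.

```python
import ipaddress


def vlan_subnet(group, vlan):
    """Assumed scheme (not confirmed by the page): 10.<group>.<VLAN>.0/24."""
    return ipaddress.ip_network(f"10.{group}.{vlan}.0/24")


def block_summary(group):
    """The single route a distribution block advertises to the core."""
    return ipaddress.ip_network(f"10.{group}.0.0/16")


def covering_summary(subnets):
    """Smallest single prefix that contains every subnet in the list."""
    nets = list(subnets)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit and retry
    return summary


def routes_without_summary(subnets):
    """Routes that remain when only exactly adjacent prefixes are merged."""
    return list(ipaddress.collapse_addresses(subnets))


def wildcard_match(address, base, wildcard):
    """IOS ACL semantics: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Constructed inputs: four local VLANs in distribution group 3, and an
# unplanned allocation of three subnets with no common structure.
HIERARCHICAL = [vlan_subnet(3, v) for v in (19, 22, 23, 24)]
AD_HOC = [ipaddress.ip_network(n)
          for n in ("10.3.19.0/24", "10.7.22.0/24", "172.16.5.0/24")]

if __name__ == "__main__":
    print("block route:", block_summary(3))
    print("tightest cover:", covering_summary(HIERARCHICAL))
    print("unsummarized:", routes_without_summary(HIERARCHICAL))
    print("ad hoc cover:", covering_summary(AD_HOC))
    # One ACL entry (10.0.19.0 0.255.0.255) matches the video VLAN in every block.
    print(wildcard_match("10.7.19.50", "10.0.19.0", "0.255.0.255"))
```

With the planned scheme every VLAN of a block falls inside one /16, while the only prefix covering the ad hoc subnets is the default route, so they cannot be summarized without over-advertising.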
IP Unicast Routing
Unicast routing could occur either at the access or distribution layer, with high-speed hardware-based
switching reserved for the Campus core layer. In order for all participating hosts and routers to learn
about destinations within the network, an interior gateway routing protocol must be configured. For most
enterprise networks, the routing protocol of choice is either EIGRP or OSPF.
Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP is a classless, distance-vector routing protocol that is simple, scalable and fast. Classless
means that subnet masks are included in route advertisements, and distance-vector means that it shares
all its routing information, but only with directly connected neighbors. The protocol is Cisco proprietary.
EIGRP provides multi-protocol support (IP, IPX, AppleTalk), sends some packets reliably
(acknowledgements required) using Reliable Transport Protocol (RTP), uses hellos to discover
neighbors and as a keepalive, and uses the Diffusing Update Algorithm (DUAL) to select best paths and
feasible failover routes. A combination of bandwidth and delay (by default, and optionally load,
reliability and MTU) is used as the metric.
EIGRP achieves fast convergence through the concept of successors and feasible successors. A
successor route has the lowest metric to the destination prefix and is installed in the routing table. A
feasible successor (FS) is a backup route for which the feasible distance (metric to reach a destination)
is higher than the metric that the neighbor reports; that is, it satisfies the feasibility condition. The FS
is stored in the topology table.
Should an input event occur (new route, failed route), local computation is triggered, the result of which
is that either the FS is promoted to be the successor or neighbors are queried for a valid route (i.e. the
route goes active). EIGRP also offers MD5 authentication to protect routing updates between neighbors,
as well as unequal-cost load balancing of traffic.
OSPF is a classless, link-state routing protocol that is fast and offers scalability to much larger networks.
Link-state routing protocols advertise information only about directly connected links, but they share
this information with all routers in their OSPF area. The protocol is an open standard developed by the
IETF.
OSPF employs the use of routing domains (areas) to subdivide the network in order to introduce a two-
level hierarchical framework that allows for scaling large and complex networks by containing the flow
of routing protocol traffic and thus reducing the impact on CPU and memory resources.
The two-level hierarchy consists of a backbone area (Area 0) and all other areas. If an OSPF design has
multiple areas, the Area Border Routers (ABRs) must connect to the backbone area in addition to its
own attached area. If not physically feasible, an OSPF virtual link can be created that traverses a non-
backbone area, to Area 0. Autonomous System Boundary Routers (ASBRs) inject external routes,
typically learned from an exterior protocol such as Border Gateway Protocol (BGP), into the OSPF
process. All OSPF-speaking routers in the same area have the exact same topological database.
For multi-access topologies, broadcast (e.g. LANs) and non-broadcast (e.g. Frame Relay), a Designated
Router (DR) and Backup Designated Router (BDR) are elected based on OSPF priority and/or router ID
in order to form adjacencies with all participating routers (DROther) on a segment. A DR/BDR
significantly lowers the number of neighbor relationships that need to be formed and as a result reduces
the volume of link-state advertisements (LSA) flooded in the domain. In selecting best routes to a
destination, OSPF uses a Shortest-Path First (SPF) calculation based on Dijkstra's algorithm. OSPF also
provides equal-cost load balancing as well as plain-text and MD5 authentication.
EIGRP is Cisco proprietary and hence only works on Cisco devices, whereas OSPF is an open standard that
will work on multi-vendor devices.
Link-state routing protocols require greater CPU and memory resources relative to distance-vector
protocols because they process routing information locally from all participating routers in the domain,
not just from connected neighbors.
OSPF adapts well to larger, more complex networks due to its hierarchical architecture, fast convergence
and varied network topology support; EIGRP is much simpler to deploy for relatively smaller networks
with fast performance.
EIGRP, as a distance-vector protocol, is more susceptible to routing loops and counting-to-infinity and
as such must implement avoidance measures such as split-horizon, route-poisoning, and hold-down
timers; OSPF is not subject to these routing issues.
IP Multicast Routing
Multicasting involves sending packets to a designated group address. In the IP Video Surveillance
environment, multicasting is used to transfer video traffic from a single source, the video endpoint, to
the Video Surveillance Manager server.
Multicasting is useful for reducing bandwidth consumption. Instead of sending multiple video streams to
individual receivers, the same stream can be sent to a strategically placed rendezvous point on the
network and all interested receivers can subscribe to the group to receive the stream. The current release
of VSM does not support multicasting to client endpoints.
For multicast traffic to be properly routed, the network must be multicast-enabled. A multicast-enabled
network is defined as a network where the following requirements are met:
Class D IP addresses in the 224.x.x.x to 239.x.x.x range are reserved for multicast. Note that multicast
addresses always begin with 1110 as the first four bits and are not subject to subnetting rules because
these addresses are used to represent multicast applications, not hosts. Therefore, 28 bits (out of 32 in an
IPv4 address) are available, for a total of 2^28 (268,435,456) possible multicast groups. However, there
are certain address ranges that have been reserved for specific use, for example 224.0.0.0/24 for
link-local addresses. Of note is the reserved Administratively Scoped range of 239.0.0.0/8, defined in
RFC 2365. This range is designed to be used in private multicast domains and can be bounded by filtering
for these addresses at the network edge as well as at other defined points that the multicast traffic should
not traverse. It is therefore required to select multicast IP addresses, for IPICS in particular, from this
address range.
To join a group, a host sends a membership report message to the router. The router then identifies the
host as a group member and allows it to join the session. Periodically, the router sends a query to
determine if there are any remaining receivers in the subnet; group members receiving the query respond
with a report sent to the group address. Note that only one membership report is sent in a group per
subnet, and it is sufficient to inform the router that there are still members attached. To leave a group, a
leave message is sent to the "All routers on subnet" group address (224.0.0.2).
IGMP snooping is a standards-based switching feature that allows for identification of hosts that request
multicast traffic and therefore provide the ability to limit forwarding of group traffic to specific ports.
This feature is enabled by default.
These forwarding paths form the multicast distribution trees, and are of two types:
Shortest Path Tree (SPT), or source-based tree: rooted at the source, with individual (S,G) pairs
recorded for each multicast source within the group.
Root Path Tree (RPT), or shared tree: rooted at a router designated as the Rendezvous Point
(RP), with only one (*,G) entry created for each group even if the RP has multiple upstream
sources.
Dense Mode (PIM-DM): source-based trees are built by sending traffic to every DM router in
the network; if no hosts register on DM routers via IGMP, a prune message is sent back to the
host (i.e. flood-and-prune method). Recommended where there is a large number of recipients,
who are located on every subnet (dense) and bandwidth is plentiful (e.g. on a LAN).
Sparse Mode (PIM-SM): shared trees are only built for, and traffic forwarded to, hosts that have
sent an explicit join message to the RP. Note that PIM-SM can initiate a switchover from RPT
to SPT, therefore potentially improving the packet forwarding efficiency with a shorter route to
the source. Recommended where there is a relatively small number of sources, with recipients
sparsely distributed on the network and bandwidth is constrained (e.g. over a WAN).
Boundary Design.
The main models for designing the boundary of the Access-Distribution block are discussed in the
following sections. Each method optimizes for different requirements and has its own caveats.
Layer 2 Distribution.
In this model, the Layer 2/Layer 3 boundary is placed at the distribution layer, as illustrated in the
figure below:
The distribution switches are interconnected via a Layer 2 trunk. This topology is considered suboptimal
due to the additional complexity and reliance on STP to maintain a loop-free topology. If a failure
occurs, convergence times are relatively slower.
In this topology it is also important to ensure that the HSRP primary node and STP root bridge are
defined on the same switch so that, as VLANs are load-balanced, the inter-distribution link is not used
consistently for transit traffic.
This topology is typically used when VLANs are spanned across access switches. Cisco recommends
that VLANs not be spanned across switches whenever possible, particularly when a first-hop
router protocol such as HSRP is deployed. This topology can lead to asymmetric routing, which can
cause unicast flooding whenever traffic is sent to a receiver; the flooding is due to the difference in the
aging timers of the Content Addressable Memory (CAM) table and the Address Resolution Protocol (ARP)
table.
Layer 3 Distribution
In this model, the Layer 2/Layer 3 boundary is also placed at the distribution layer, but the
inter-distribution link is routed. The following figure illustrates this topology:
VLANs do not span across switches, but as in the previous model, the STP root is aligned with the
HSRP primary. All links on the distributed switches are in the forwarding state with HSRP providing the
first-hop redundancy.
This topology is considered optimal and provides the highest availability. At the access layer, Layer 2
switches can be used which saves on cost. The inter-distribution link allows for route summarization
between the distribution switches.
Layer 3 Access
In this model, the Layer 2/Layer 3 boundary is established at the access switch level, as illustrated
below:
VLANs do not span the access switches. Since a routing protocol is required on the switches, first-hop
redundancy protocols like HSRP are not required. This design also supports equal-cost load balancing on
all Layer 3 switch links.
This design is considered optimal because it is relatively easy to implement and achieves the fastest,
sub-second convergence due to the routing protocol convergence algorithms. However, multilayer
switches will be required for all access switches, which can drive up cost and may be prohibited due to
the existing architecture.
VSS 1440 is a system virtualization technology that combines a pair of Catalyst 6500 switches, deployed
in the datacenter, into a single logical network segment, as shown in the comparative illustration below:
The benefits of VSS are that the need for first-hop redundancy protocols, like Virtual Router Redundancy
Protocol (VRRP) and Hot Standby Router Protocol (HSRP), is negated, since the chassis pair is pooled
and operates as a single network node. Only one IP address is required per VLAN.
Also, the need for Spanning-Tree Protocol (STP) is negated as port channels on uplinks connect to a
single device, forming a loop-free topology. Access switches can connect to and form a port channel
between two different distribution switches through the use of a multi-pathing technology, Multichassis
EtherChannel (MEC).
A caveat to note with VSS designs is the fact that they must be deployed in pairs; it is not possible to add
a third switch to a VSS to increase availability.
Lesson 2
Network Video
Overview
There are various considerations to be taken into account when transporting
video over an IP network. This section examines compression techniques as
well as factors that impact overall video stream quality.
Video Compression
Video endpoints consume a large amount of raw data from the scene in their field of view. This raw data
in its present form is unsuitable for transport over the network and for storage by the Media Server due
to its large footprint, and therefore must be intelligently compressed before transmission to the receiver.
Compression refers to the reduction of redundant and irrelevant signal data in a video stream to lower
the network bandwidth and storage requirements.
Compression Algorithms
When compressing raw data, video codecs strive to strike a balance between intelligently reducing the
size of output data, while still maintaining image quality. There are three main algorithms or techniques
that are widely used for compression of video streams:
Chroma subsampling
This technique involves the reduction of color detail (chroma) in a video frame, in favor of variations in
its brightness (luma) levels. This approach takes advantage of the fact that the human eye is
comparatively less perceptive of subtle changes to color richness, in contrast to changes in the amount of
light in the image.
Depending on the field of view, this technique has the potential to achieve relatively modest reductions
in the average frame size.
Spatial compression
This technique involves the reduction of redundant data within a video frame, also referred to as
intra-frame coding. This technique leverages the property that pixels in a video frame are closely related
to their neighbors.
Therefore, a reduction in the number of pixels within a frame that contain very similar data, has the
potential to result in an appreciable 20 to 70% reduction in average frame sizes, depending on the scene
in the field of view.
Temporal compression
This technique involves the reduction of redundant data between successive frames, also referred to as
inter-frame coding. This technique exploits the property that, in general, sequential frames in a group of
pictures (GOP) contain areas with redundant data quite similar to those in preceding frames.
With this algorithm, average frame sizes can potentially be drastically reduced by 50 to 80% in scenes
with little to no motion as only the portions of the scenes that have changed are transmitted in
subsequent frames. In scenes with medium to high complexity, the gains in compression are capped as
more data must be transmitted in subsequent frames to represent scene changes in the field of view.
Group of Pictures
A Group of Pictures (GOP) is a sequence of frames in an encoded video stream. There are three types of
video frames as illustrated in Figure.
Intra Frames
These frame types consist of a complete picture, representing the complete scene in a field of view. The
image is coded without reference to other frames in the GOP. They are also referred to as I-frames. Each
GOP structure starts with this frame type. The I-frame interval is typically not directly configurable; the
Media Server programmatically determines this value based on other stream options. I-frames are used
with both spatial and temporal compression algorithms.
Predictive Frames
These frames are also referred to as P-frames. These frame types represent only the data within a field
of view that has changed. They are coded with reference to the preceding I-frame or P-frame in the
GOP. P-frames are used with temporal compression.
The following codecs are commonly used in VSM for camera configuration:
Motion JPEG
Motion JPEG (MJPEG) consists of a series of individual JPEG images. These images are coded as
individual I-frames; therefore, every frame that is produced by the codec is a complete reference frame
that is representative of the field of view.
The main advantage with this encoded format is that it provides a measure of robustness in stream
delivery. Any occurrence of packet loss in the network flow does not adversely affect subsequent
frames, since each frame is a complete image. In other words, if a frame is lost, the next frame clears up
any residual effects from the previous image (e.g. a frozen image on screen), since it has no missing
information.
The main drawback with MJPEG is that it has higher bandwidth and storage requirements. Average
frame sizes are relatively large due to the fact that it uses spatial compression that realizes fairly modest
compression ratios within frames.
MPEG-4
Video data encoded in the MPEG-4 (strictly MPEG-4 Part 2) format is composed of both I-frames and
P-frames in its GOP structure. Since this format uses temporal compression, in general bandwidth and
storage utilization is much lower than MJPEG, although this is also dependent on the amount of motion
occurring in the scene.
H.264
This encoding format, also referred to as MPEG-4 Part 10 or AVC, is based on the MPEG-4 standard but
achieves much higher predictive compression ratios when compared to both MJPEG (up to 80%) and
MPEG-4 Part 2 (up to 50%). This format delivers high compression at high bit rates, while resulting in
higher quality streams. This codec uses temporal compression.
Note
The relative bandwidth and storage efficiencies are largely dependent on the scene complexity; high-complexity
scenes result in very modest to no resource efficiencies when compared to MJPEG encoded data under similar
conditions, because each frame (I-frames and P-frames) will be coded essentially as complete frames in order to
represent the scene changes in the field of view. However, where these conditions are not sustained over long
periods of time, H.264 turns out to be far superior as an encoding format.
The main drawback with H.264 is the higher hardware (GPU, CPU, memory) and software (DirectX and other
software components) resource requirements to perform the encoding and decoding operations. This is
especially pronounced at the client endpoint, as it will impact the total number of H.264 streams that can be
rendered at any point in time.
Stream Quality
The perception of the quality of a stream to end users is affected by various factors as outlined below:
Resolution
Stream resolution describes the total number of pixels in each horizontal and vertical (x/y) dimension.
The following table defines some of the most common resolutions in use today:
Type     Format     Resolution
Analog   QCIF       176 x 120
         CIF        352 x 240
                    704 x 480
         D1/480p    720 x 480
HDTV     720p       1280 x 720 (0.9 MP)
         1080p      1920 x 1080 (2.1 MP)
Digital  VGA        640 x 480
         SXGA       1280 x 1024 (1.3 MP)
                    1400 x 1050 (1.5 MP)
         UXGA       1600 x 1200 (1.9 MP)
                    1920 x 1200 (2.3 MP)
         QSXGA      2560 x 2048 (5.2 MP)
The stream resolution directly influences the data-carrying capacity of each frame: the higher the
resolution, the larger the amount of video data that can be encoded and transmitted resulting in a richer
and sharper image quality. For example, 1080p resolution has six times as many pixels per frame as
compared to D1 resolution.
Consequently, higher resolutions are typically paired with higher bitrate settings in a stream profile in
order to allow the codec to produce compressed data at a rate that maintains the same perceived quality
as at lower profiles. The corollary is that if comparatively low bitrate settings are used with high
resolutions, the image may appear to be of lower quality (e.g. grainy or blurry), since the codec cannot
produce enough data to be represented by all available pixels as required to maintain the same
quality.
Processing of streams at higher resolutions is resource intensive and thus imposes higher hardware
requirements particularly at the client since there is more pixel data to process per frame per unit time.
Therefore, in order to perform near real-time processing, higher-end GPU, CPU and memory is required.
Lower stream resolutions conversely have lower infrastructure resource requirements but also typically
result in relatively lower quality images. The choice of resolution will largely depend on the respective
use case.
Bit Rate
The stream bitrate describes the data transfer rate produced by a codec for transmission to receivers. A
stream profile can be defined with either of the modes below:
Variable Bit Rate (VBR) mode: the data transfer rate is automatically varied by the codec to
match a desired image quality. The image quality is defined by the quantization level. In a
complex scene, the amount of data required to fully represent the field of view is typically
higher than in less complex scenes where there is little to no motion activity present.
Constant Bit Rate (CBR) mode: the image quality is varied to match the target data transfer
rate. In this case the data transfer rate is fixed, so the encoder has to produce sufficient data to
match the mean target rate, typically with a small standard deviation. With CBR, on average the
same amount of data is always produced.
VBR is generally used in instances where image quality is fixed and is desired to be maintained at that
level regardless of the scene complexity. CBR is generally used in instances where determinism in the
bandwidth utilization of video streams on the network is desired.
Frame Rate
The frame rate refers to the number of individual encoded video frames transmitted per unit time.
As a primary function, the frame rate directly influences the visual perception of continuous motion in a
scene (i.e. the smoothness) as observed by the end user. High frame rates (generally above 25 fps)
produce the best perception of smooth video, while low frame rates (generally below 5 fps) cause the eye
to perceive the apparent discontinuity in the rendering of the image stream.
In addition, the frame rate of a video stream indirectly influences its network bandwidth utilization.
When VBR mode is selected, the bit rate is automatically adjusted to match a desired quality or
quantization level, which results in the respective variation in frame rate and average frame size as the
amount of encoded data increases or decreases based on the scene complexity.
In CBR mode, the frame rate does impact bandwidth but to a smaller extent than in VBR mode.
Increasing the frame rate may result in an increase in data transferred but does not exceed the target
bitrate. In the figure's example of an H.264 stream at 768 Kbps CBR, reducing the frame rate by 80%
from 30 fps to 5 fps only resulted in a 30% drop in bandwidth, all else remaining constant.
Quantization Factor
The quantization level defines the compression level used by a codec to convert raw video data into an
encoded format. Typically, the reference scale varies by manufacturer, e.g. 1-10, 0-100,
low/medium/high, etc. Lowering the quantization level on the respective reference scale increases the
compression level and lowers the image quality.
Lowering the image quality is appropriate in situations where bandwidth or storage resources are
limited, and the need for high quality images is not a top priority for users in the environment.
Since the quantization level lets one set the desired image quality level, it is only directly configurable
when VBR mode is used. When CBR mode is used, the quantization level is varied automatically by the
codec compression algorithm in order to match the target bit rate. Therefore, the direct programmability
of quantization and CBR mode are mutually exclusive.
Lesson 3
Overview
A media flow refers to the session that is established for media delivery
between a source host producing the video and a destination host receiving the
video, using an agreed-upon transport protocol and communicating between
two established ports.
This chapter examines these data flows, the protocol mechanics and the
interaction between the servers and endpoints on the network.
Data Flow
Once a stream profile, based on options such as resolution, bitrate, frame rate, quality, etc., has been
established, the media server can initiate the stream request for video endpoints that are in the Enabled
state. The media server logs into the video endpoint device and applies the configuration settings, and
once completed successfully, the requested video data begins streaming to the server.
All device management and streaming operations from particular camera endpoints are managed by
unique umsdevice processes on the server. The video stream from the endpoint is then made available to
internal processes that consume this data, such as the recording process or analytics, or can be
immediately served out live to client endpoints through the MediaOut subsystem.
Each client request for streaming of live or recorded video is managed by a MediaOut process on the
server.
When a client requests to view a particular stream, the server establishes the session to the client
endpoint and delivers the stream as it is available.
Step 1 The end user will first be required to successfully authenticate their log-in credentials with
the Operations Manager (OM) server, using the web or desktop client application.
Step 2 Following a successful log-in, the client application retrieves and displays the list of
configured cameras in the OM database that the user is authorized to access.
Step 3 When a particular stream is selected for viewing by the end user, the OM server identifies
the host Media Server (MS) that manages the requested endpoint device and redirects the
client to establish the media session directly with that MS.
Step 4 Once established, if the camera is in a streaming state or the recording is available, the live
or recorded media stream is served to the client application.
Note
The connection between the server and camera endpoint is always streaming, unless the stream is optimized through
the use of the economical streaming feature that only streams live from the video endpoint when requested by client
endpoints.
RTSP maintains state between clients and servers when media sessions are active in order to correlate
RTSP requests with a video stream. The simplified finite-state machine is illustrated in Figure:
The RTSP state machine uses the following main protocol directives to control the multimedia session:
OPTIONS
After establishing the TCP connection to the server on port 554, the client issues an OPTIONS command
to request the list of supported options. The server then responds with a list of all the options that it
supports, e.g. DESCRIBE, SETUP, TEARDOWN, etc.
DESCRIBE
The client issues a DESCRIBE command to notify the server of the URL of the media file that it is
requesting.
The figure illustrates the request made from the VSM server (acting as the RTSP client) to a Cisco 2611 IP
camera.
Stream Description
The parameters of the stream are defined in Session Description Protocol (SDP) format.
Stream Parameters
SETUP
The client issues a SETUP command to indicate to the server the transport mechanisms to be used for
the session.
In this example, for media delivery the VSM server will use UDP port 16102 for RTP and 16103 for
RTCP. The IP camera then responds, acknowledging the client's port assignment and indicating its own
(5002 and 5003, respectively) as well as a session ID.
IP Camera Response
PLAY
Once the client is ready to begin receiving video data, it issues a PLAY request to the server.
PLAY Request
PAUSE
If a client wants to momentarily stop the delivery of video traffic, the PAUSE request can be issued.
This directive has the effect of stopping the media stream without freeing server resources. Once the
PLAY command is re-issued, the stream resumes the data flow.
TEARDOWN
If a client wants to permanently stop receiving video traffic, the TEARDOWN request is issued.
TEARDOWN Request
RTP always selects even ports at the transport layer for both servers and clients. As described in the
previous section, during set up of the RTSP session the client first indicates its destination ports for
receiving video and then the server acknowledges and responds with the UDP ports that it will be using
to send the RTP data. Note that all RTP traffic is unidirectional from source to receiver only.
The RTP packet contains three important fields:
Timestamp: used for ordering of incoming video packets for correct timing during playback
Sequence number: used to uniquely identify each packet in a flow for packet loss detection
Source Synchronization: used to uniquely identify the source of a media stream
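The three fields listed above can be read straight out of the packet header and used to spot loss on a stream. The following is an added example, not code from the course or from VSM: it parses the fixed RTP header as laid out in RFC 3550 and counts gaps in the sequence numbers per source. The packets, the payload type 96, the SSRC value and the helper names are constructed for illustration.

```python
import struct
from dataclasses import dataclass


@dataclass
class RtpHeader:
    payload_type: int
    marker: bool
    sequence: int    # 16-bit, increments by one per packet
    timestamp: int   # 32-bit media clock, used for playback timing
    ssrc: int        # 32-bit synchronization source identifier
    header_len: int  # offset of the payload within the packet


def parse_rtp(packet: bytes) -> RtpHeader:
    """Parse the RTP header (RFC 3550 layout), skipping CSRC list and extension."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * (b0 & 0x0F)             # optional CSRC list
    if b0 & 0x10:                                  # optional header extension
        if len(packet) < header_len + 4:
            raise ValueError("truncated header extension")
        (words,) = struct.unpack("!H", packet[header_len + 2:header_len + 4])
        header_len += 4 + 4 * words
    if len(packet) < header_len:
        raise ValueError("truncated RTP header")
    return RtpHeader(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc, header_len)


class LossTracker:
    """Counts missing sequence numbers per SSRC, allowing for 16-bit wraparound."""

    def __init__(self):
        self._last = {}      # ssrc -> highest in-order sequence number seen
        self.lost = {}       # ssrc -> packets presumed lost
        self.reordered = {}  # ssrc -> duplicate or late packets

    def observe(self, hdr: RtpHeader) -> int:
        last = self._last.get(hdr.ssrc)
        if last is None:                       # first packet from this source
            self._last[hdr.ssrc] = hdr.sequence
            self.lost[hdr.ssrc] = self.reordered[hdr.ssrc] = 0
            return 0
        delta = (hdr.sequence - last) & 0xFFFF
        if delta == 0 or delta >= 0x8000:      # duplicate, or arrived late
            self.reordered[hdr.ssrc] += 1      # a late packet stays counted as lost
            return 0
        self.lost[hdr.ssrc] += delta - 1
        self._last[hdr.ssrc] = hdr.sequence
        return delta - 1


def build_rtp(seq, timestamp, ssrc, payload_type=96, payload=b"\x00" * 8):
    """Build a constructed RTP packet for the demonstration below."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc) + payload


def demo():
    """Feed a constructed stream: 65535 is lost at the wrap, 2 is lost, 3 is late."""
    ssrc, tracker = 0x1234ABCD, LossTracker()
    for i, seq in enumerate([65533, 65534, 0, 1, 4, 3]):
        tracker.observe(parse_rtp(build_rtp(seq, 3000 * i, ssrc)))
    return tracker.lost[ssrc], tracker.reordered[ssrc]


if __name__ == "__main__":
    print("lost, reordered =", demo())
```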
Flow Characterization
RTP media flows could either use UDP or TCP as the transport protocol of choice. This section
describes the considerations for both approaches.
Video Endpoint-to-Media Server Flow
Media delivery between video endpoints and the media server by RTP could either be accomplished
using UDP or TCP as the transport protocol.
It is important to note that the availability of either or both protocols for use when defining the stream
profile in the media server is entirely dependent on the capabilities of the camera driver built for a
particular device model. These capabilities are in turn influenced by the API provided by the device
manufacturer. Therefore, the sockets used for session establishment and media streaming are device
specific.
The following sections examine the protocol mechanics of both methods, as well as techniques for
determining sockets that are being used by the VSM server to connect to IP video and client endpoints.
The management plane is a logical path in the network communication architecture that handles all
device management traffic between the endpoints and the VSM server, and between VSM servers. In
addition, this plane coordinates the function of the other planes. Traffic is transferred and encrypted over
Secure HTTP. The OpenWire protocol is used by the ActiveMQ broker for real-time messaging between
VSM servers and between VSM servers and the SASD client. The STOMP protocol is a simpler, lightweight
alternative to OpenWire and is used between the VSOM server and the web client.
At the control plane, RTSP is used to provide signalling for the media streams. RTSP is implemented at
the segments between both endpoints. The source port at the sender is always TCP 554; the destination
port on the VSM server and at the client endpoint is negotiated during the TCP connection establishment
process.
At the data plane, the source and destination ports are both negotiated during the RTSP SETUP process.
The source ranges are defined and are configurable at the video endpoint web interface and at the media
server console, respectively. The media server UDP destination port range is statically defined to be in
the 16000 to 19999 range and is not configurable. Note that since RTP always transmits on even ports, at
any point in time an implied maximum of 2000 camera streams can be supported per media server.
However, this value is beyond the supported threshold at the time of this writing (250 Mbps stream IO).
Consult the current datasheets for up to date information on configuration maximums.
The implication of streaming RTP over UDP is that if the video traffic needs to traverse a firewall, all
ports in the range must be allowed for all video endpoints if the flow is in the outside-to-inside direction.
If the flow is inside-to-outside, a stateful firewall can be used to allow back returning control and
management traffic to the endpoint.
Client endpoints behind a firewall pose an even greater challenge since the UDP ports are assigned
dynamically, so it is difficult to determine which ports to open. In such a case, it would be recommended
to create a VPN tunnel to exchange traffic between the VSM server network and the client endpoint.
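The UDP ports a firewall has to pass for one camera are fixed by the RTSP SETUP exchange described earlier, so they can be read from it and checked against the rules stated above (even RTP port, media server range 16000 to 19999). The following is an added example, not part of the course or of VSM. The two messages are constructed: the ports are the ones quoted in the SETUP section, while the URL, CSeq and session ID are placeholders, and RTCP on the RTP port plus one is the usual convention.

```python
MEDIA_SERVER_UDP = range(16000, 20000)   # media server destination range stated above

# Constructed SETUP exchange between the VSM server (RTSP client) and a camera.
SETUP_REQUEST = (
    "SETUP rtsp://192.0.2.10/stream1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=16102-16103\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678;timeout=60\r\n"
    "Transport: RTP/AVP;unicast;client_port=16102-16103;server_port=5002-5003\r\n"
    "\r\n"
)


def parse_rtsp(message):
    """Split an RTSP message into its start line and a lower-cased header dict."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_transport(value):
    """Parse a Transport header; port pairs become (rtp_port, rtcp_port) tuples."""
    parts = [p.strip() for p in value.split(";")]
    out = {"protocol": parts[0]}
    for item in parts[1:]:
        key, sep, val = item.partition("=")
        if key in ("client_port", "server_port") and sep:
            lo, _, hi = val.partition("-")
            out[key] = (int(lo), int(hi) if hi else int(lo) + 1)
        else:
            out[key] = val if sep else True
    return out


def check_setup(request, response):
    """Return the session ID, the UDP flows to permit, and any rule violations."""
    _, req_h = parse_rtsp(request)
    status, rsp_h = parse_rtsp(response)
    result = {"session": None, "flows": [], "problems": []}
    if status.split()[1:2] != ["200"]:
        result["problems"].append("SETUP was not accepted: " + status)
        return result
    asked = parse_transport(req_h.get("transport", ""))
    granted = parse_transport(rsp_h.get("transport", ""))
    result["session"] = rsp_h.get("session", "").split(";")[0] or None
    client, server = granted.get("client_port"), granted.get("server_port")
    if client is None or server is None:
        result["problems"].append("response lacks client_port or server_port")
        return result
    if client != asked.get("client_port"):
        result["problems"].append("camera did not echo the requested client_port")
    for label, (rtp, rtcp) in (("client", client), ("server", server)):
        if rtp % 2:
            result["problems"].append(f"{label} RTP port {rtp} is not even")
        if rtcp != rtp + 1:
            result["problems"].append(f"{label} RTCP port {rtcp} is not RTP port + 1")
    if client[0] not in MEDIA_SERVER_UDP or client[1] not in MEDIA_SERVER_UDP:
        result["problems"].append(f"client ports {client} are outside 16000-19999")
    # (use, camera source port, media server destination port)
    result["flows"] = [("RTP", server[0], client[0]), ("RTCP", server[1], client[1])]
    return result


if __name__ == "__main__":
    print(check_setup(SETUP_REQUEST, SETUP_RESPONSE))
```

Run against a capture of real SETUP exchanges, the flows give the exact per-camera pinholes in use, which can be compared with what the firewall rule for the whole 16000 to 19999 range exposes.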
The management and control plane are identical when transporting data over UDP and TCP.
At the data plane, RTP is interleaved onto the existing RTSP connection, which means that the RTP
stream is encapsulated and now transmitted over the same TCP connection that is being used for RTSP.
As a result, only one port is utilized to transport all media flows. This property is useful in environments
where the media flow needs to traverse a firewall: only one deterministic port is required to be opened
for the RTP traffic to go through. The server also interleaves RTCP messages over the TCP connection.
Interleaving is enabled whenever a camera stream is configured for TCP. Cisco recommends that the
TCP option should only be used in the case where firewalls exist in the end-to-end path between servers
and endpoints; in all other instances, UDP should be used to allow for faster delivery of real-time video
traffic.
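As an added illustration (not part of the original course material), the following Python code demultiplexes such a TCP stream into RTSP messages and '$'-framed RTP/RTCP frames, which is what a firewall or capture analyst sees on the single port. The framing follows RFC 2326; the channel numbering (even = RTP, odd = RTCP) and the sample bytes are assumptions constructed for the example.

```python
import struct


def content_length(head):
    """Content-Length declared in an RTSP message head, or 0 when absent."""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length" and value.strip().isdigit():
            return int(value.strip())
    return 0


class InterleavedDemux:
    """Split an RTSP-over-TCP byte stream into RTSP text messages and
    '$'-framed binary frames: '$', 1-byte channel, 2-byte length, payload."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        """Add bytes read from the socket or capture; return complete units."""
        self.buf += data
        units = []
        while self.buf:
            if self.buf[0] == 0x24:                       # '$' opens a binary frame
                if len(self.buf) < 4:
                    break                                 # frame header incomplete
                channel, length = struct.unpack_from("!BH", self.buf, 1)
                if len(self.buf) < 4 + length:
                    break                                 # payload incomplete
                units.append(("binary", channel, bytes(self.buf[4:4 + length])))
                del self.buf[:4 + length]
            else:                                         # RTSP request or response
                end = self.buf.find(b"\r\n\r\n")
                if end < 0:
                    break                                 # message head incomplete
                head = bytes(self.buf[:end]).decode("ascii", "replace")
                total = end + 4 + content_length(head)
                if len(self.buf) < total:
                    break                                 # message body incomplete
                units.append(("rtsp", None, head.split("\r\n", 1)[0]))
                del self.buf[:total]
        return units


def summarize(chunks):
    """Count RTSP, RTP and RTCP units and list the RTP sequence numbers seen."""
    demux = InterleavedDemux()
    counts = {"rtsp": 0, "rtp": 0, "rtcp": 0}
    rtp_seqs = []
    for chunk in chunks:
        for kind, channel, payload in demux.feed(chunk):
            if kind == "rtsp":
                counts["rtsp"] += 1
            elif channel % 2 == 0:                        # assumed: even channel = RTP
                counts["rtp"] += 1
                if len(payload) >= 12:                    # fixed RTP header present
                    rtp_seqs.append(struct.unpack_from("!H", payload, 2)[0])
            else:                                         # assumed: odd channel = RTCP
                counts["rtcp"] += 1
    return counts, rtp_seqs


def frame(channel, payload):
    """Wrap a payload in the 4-byte interleaved header."""
    return b"$" + struct.pack("!BH", channel, len(payload)) + payload


def rtp(seq):
    """Constructed RTP packet: version 2, payload type 96, 20 payload bytes."""
    return struct.pack("!BBHII", 0x80, 96, seq, seq * 3600, 0x1234ABCD) + b"\x00" * 20


# Constructed sample: one RTSP reply, then RTP and RTCP frames on the same connection.
RTCP_SR = struct.pack("!BBH", 0x80, 200, 6) + b"\x00" * 24
SAMPLE_STREAM = (b"RTSP/1.0 200 OK\r\nCSeq: 4\r\nSession: 12345678\r\n\r\n"
                 + frame(0, rtp(100)) + frame(1, RTCP_SR) + frame(0, rtp(101)))
# Split at arbitrary offsets, the way TCP segmentation would deliver it.
SAMPLE_CHUNKS = [SAMPLE_STREAM[:30], SAMPLE_STREAM[30:75], SAMPLE_STREAM[75:]]

if __name__ == "__main__":
    print(summarize(SAMPLE_CHUNKS))
```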
The following packet capture illustrates the session establishment and video streaming over TCP.
The figure above (Figure) shows the connection establishment to the IP camera, this time over HTTP
(TCP/80). The RTSP (TCP/554) connection is established and the RTP video stream is interleaved over
the same RTSP connection; that is, over TCP 554.
Note that in some instances, some camera models may establish the management and data plane over
HTTP as opposed to over RTSP. In effect, the video stream is transmitted over TCP/80. In particular,
this behavior is true for Cisco 29xx series cameras, as illustrated in the output below of a Cisco 2911
PTZ camera with IP 10.101.0.10:
[Figure: protocol mechanics in session establishment between the client and the server]
All outbound streaming from the media server is handled by the MediaOut subsystem. To examine
which ports have been opened for a particular streaming request from the client to the server, the
following commands can be executed:
Network Services Considerations
Overview
In designing the IP Video Surveillance network, there are various
essential IP services that are integral in supporting the solution.
Network Time Protocol
NTP is an internet standard protocol that is used to synchronize time on network machines to a defined
authoritative reference clock. Clock sources are organized in a hierarchical system of levels, where each
level is referred to as a stratum. The stratum number determines how many NTP hops the machine is
away from the authoritative time source.
Time synchronization is very important in an IP Video Surveillance environment because activities such
as recording, grooming, event correlation and troubleshooting are dependent on having correct time
across all participating servers and endpoints.
Among nodes on the network, time synchronization is also important in validating that predetermined
Service Level Agreements (SLAs) for the solution are being met. Without correct time synchronization,
network latency and jitter cannot be accurately determined.
Cisco recommends that all client endpoints, video endpoints, network nodes, media servers and
operations manager servers be configured to synchronize to a common NTP master server.
The NTP master could be configured on a Layer 3 IOS device on the network that is used for
management, or on an external time server that is reachable by all devices in the subnetwork.
Layer 3 IOS devices can be configured to act as an NTP master as follows:
NTP authentication can also be configured but one would need to ensure that all devices that will
synchronize to this time server can support authentication, otherwise the synchronization will fail.
It is also important to take into account that if the current system time on a device that is not
synchronized differs significantly from the time server, NTP synchronization will not succeed. As a
precaution, it is advisable to manually set the system time on the client device, and then enable NTP
synchronization.
Dynamic Host Control Protocol
DHCP is an internet protocol that provides a framework for the automatic assignment of reusable IP
addresses, as well as passing other network configuration attributes, to a client on a network. For the IP
Video Surveillance solution, these additional attributes include:
DHCP is important in the IP Video Surveillance environment because it cuts down deployment times for
IP video endpoints. Instead of having to manually configure each camera with required IP parameters,
they are automatically discovered and assigned.
The Medianet architecture, implemented in IP video endpoints through the embedded Media Services
Interface (MSI), allows for discovery of preconfigured media servers on the network for subsequent
auto-registration to VSM. The list of media servers is supplied to the IP video client through the DHCP
option 125.
As previously discussed, Cisco recommends the use of local VLANs as opposed to spanning VLANs
across the network domain. For ease of management, most organizations typically configure one DHCP
server to service multiple subnets. Since initial DHCP messages are broadcast on the subnet, and Layer
3 devices do not forward broadcasts as they form the boundary of the broadcast domain, DHCP relay
agents will need to be configured in order to forward the messages to the DHCP server on a different
subnet.
The following illustration shows the sequence of events when a DHCP client connects to the network:
1. The video endpoint sends a DHCPDISCOVER message as a broadcast to all subnets (source IP
0.0.0.0, destination IP 255.255.255.255) on UDP/67 (BootP server) to try to reach a DHCP server
on the network.
2. The Layer 3 device that acts as the DHCP relay agent (in this case a distribution node)
intercepts the broadcast message and generates a new unicast DHCP message, inserting the IP
address of the interface on which the relay agent is configured in the gateway address (giaddr)
field of the DHCP packet, and then forwards the request to the designated DHCP server on the
network.
3. Upon receiving the request, the DHCP server takes note of the giaddr field and examines the
configured DHCP pools to determine which subnet to allocate IP addresses from. The server
then responds with a DHCPOFFER as a UDP/67 packet that contains the configuration
parameters, or options. These options include:
4. The DHCP relay agent receives the offer and forwards it to the DHCP client as a unicast
message on UDP/68. The DHCPOFFER is not a guarantee that the specified address will be
allocated, but the server will typically reserve the assignment until the client responds.
5. Upon receiving the DHCPOFFER, the IP video endpoint sends a formal request for the offered
address in a DHCPREQUEST message. This is a broadcast request to notify any other DHCP
servers that received the initial DHCPDISCOVER message and may have responded so that
they can reclaim their assigned offers.
6. Finally, upon receiving the formal request, the DHCP server allocates the IP address and sends a
DHCPACK message back to the client.
The following is sample output of the DHCP packet and event exchange between an IP camera and IOS
DHCP server:
- SNMP manager: the network management system (NMS) that monitors and controls the
  activities of the network host using GET/SET operations and by use of notifications received
  from the managed device
- SNMP agent: the software component on the managed device that maintains and reports device
  information to the NMS
- Management Information Base (MIB): the virtual information storage area for network
  management information consisting of collections of managed objects and related objects
  (modules)
The SNMP agent can generate unsolicited notifications to alert the NMS of device status and activities.
There are two types of notifications:
- Informs: alert messages sent reliably, that is, requiring an acknowledgement of receipt from
  the NMS
- Traps: alert messages sent to the NMS that do not expect any acknowledgement. Less reliable
  than informs, but they do not consume as many device resources.
We recommend configuring VSM server and IP camera endpoints to send traps to an NMS on the
network to provide higher visibility into device and network conditions for fault, administrative and
performance management. The VSM server only provides support for sending SNMPv2c traps. Most
Cisco IP cameras support both SNMPv2c and SNMPv3.
Network devices along the network path should also be configured for SNMP since they form an integral
part of the IP Video Surveillance solution. If the health of any of the network nodes along the path is
negatively affected, the quality of experience could be degraded.
!
! Traps will be sent to the NMS at 10.100.21.110
! with the set community strings
!
snmp-server host 10.100.21.110 traps version 2c public
snmp-server community public RO
snmp-server community cisco RW
snmp-server ifindex persist
snmp-server enable traps
!
Note that Cisco IP cameras by default use a read-only community string of public, while Cisco VSM
servers use a read-only community string of broadware-snmp in VSM 6.x and 7.0 versions. This in
effect means that MIB variables cannot be changed using GET/SET operations.
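A configuration like the one above can be checked mechanically before deployment. The following added example (not part of the original course material) scans IOS-style SNMP statements for the community strings this page names as defaults or uses in its sample, for communities without an access list, and for SNMPv1/v2c notification hosts; the finding codes, the "private" entry and the restricted variant are constructed for the example.

```python
# Strings this page names as defaults (cameras: public; VSM 6.x/7.0: broadware-snmp)
# or uses in its sample (cisco). "private" is added as another common default.
WELL_KNOWN = {"public", "private", "cisco", "broadware-snmp"}

MESSAGES = {
    "DEFAULT_COMMUNITY": "well-known community string",
    "RW_NO_ACL": "read-write community not restricted by an access list",
    "RO_NO_ACL": "read-only community not restricted by an access list",
    "CLEARTEXT_TRAPS": "SNMPv1/v2c notifications carry the community string in cleartext",
}


def parse_community(tokens):
    """snmp-server community <string> [view <name>] [ro|rw] [<acl>]"""
    name, mode, acl = tokens[2], "ro", None
    rest = tokens[3:]
    i = 0
    while i < len(rest):
        word = rest[i].lower()
        if word == "view":
            i += 2                        # skip the keyword and the view name
            continue
        if word in ("ro", "rw"):
            mode = word
        else:
            acl = rest[i]                 # trailing token names the access list
        i += 1
    return name, mode, acl


def parse_host(tokens):
    """snmp-server host <addr> [traps|informs] [version <v> [level]] <community>"""
    rest = tokens[3:]
    version = "1"                         # IOS default when no version is given
    i = 0
    if i < len(rest) and rest[i].lower() in ("traps", "informs"):
        i += 1
    if i + 1 < len(rest) and rest[i].lower() == "version":
        version = rest[i + 1].lower()
        i += 2
    if version == "3":
        return version, None              # SNMPv3 uses a user name, not a community
    return version, rest[i] if i < len(rest) else None


def audit_snmp(config_text):
    """Return a list of (line_number, finding_code) for the SNMP statements."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[:2] == ["snmp-server", "community"]:
            name, mode, acl = parse_community(tokens)
            if name.lower() in WELL_KNOWN:
                findings.append((lineno, "DEFAULT_COMMUNITY"))
            if acl is None:
                findings.append((lineno, "RW_NO_ACL" if mode == "rw" else "RO_NO_ACL"))
        elif len(tokens) >= 4 and tokens[:2] == ["snmp-server", "host"]:
            version, community = parse_host(tokens)
            if version in ("1", "2c"):
                findings.append((lineno, "CLEARTEXT_TRAPS"))
                if community and community.lower() in WELL_KNOWN:
                    findings.append((lineno, "DEFAULT_COMMUNITY"))
    return findings


# The SNMP statements from the sample configuration on this page.
PAGE_CONFIG = """\
snmp-server host 10.100.21.110 traps version 2c public
snmp-server community public RO
snmp-server community cisco RW
snmp-server ifindex persist
snmp-server enable traps
"""

# Constructed variant: site-specific read-only string bound to an access list.
RESTRICTED_CONFIG = """\
access-list 99 permit host 10.100.21.110
snmp-server community EXAMPLE-RO-STRING RO 99
snmp-server host 10.100.21.110 traps version 2c EXAMPLE-RO-STRING
"""

if __name__ == "__main__":
    for label, text in (("page sample", PAGE_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        for lineno, code in audit_snmp(text):
            print(f"{label}: line {lineno}: {code}: {MESSAGES[code]}")
```

The CLEARTEXT_TRAPS finding that remains on the restricted variant reflects the page's statement that the VSM server only supports sending SNMPv2c traps.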
Lesson 5
Network Performance Considerations
Overview
Service Level Agreement (SLA) refers to the minimum performance guarantees
that need to be met in order to ensure that the performance and quality of the IP
Video Surveillance solution is assured. The following sections describe the
main SLA considerations that need to be taken into account when designing the
solution.
Bandwidth
Bandwidth refers to the raw capacity available on a particular transport medium, and is dependent on its
physical characteristics and the technology used to detect and transmit signals.
The amount of available bandwidth on a network segment directly impacts the quality and performance
of the IP Video Surveillance solution and as such should be carefully considered. High-bandwidth,
low-delay networks typically do not encounter much performance degradation over time.
Low-bandwidth, low-delay networks on the other hand typically experience packet loss due to
congestion. High-bandwidth, high-delay networks (so-called Long Fat Networks), such as satellite links,
would typically experience significant performance degradation due to the latency.
It is important to note, however, that raw interface bandwidth is not synonymous with the actual data
transfer capacity that is realized on the network. In other words, video traffic will not be transferred
end-to-end at the stated raw capacity; rather, the actual transfer capacity is measured as a function of the time
it takes for traffic to traverse the network end-to-end. This metric is known as throughput.
Throughput signifies the amount of data that could be transported along a network path over a given
time period. The time period refers to the network latency.
When TCP is selected as the transport protocol of choice for a media flow, the size of the sender and
receiver windows are a limiting factor to network performance. TCP windows reflect the amount of
buffer space available at the sender and receiver to process incoming packets.
During TCP connection establishment, the receiver notifies the sender of the size of its receive window,
also known as the advertised window (awnd). After connection establishment, the sender transmits data
conservatively, setting its sender window, also known as the congestion window (cwnd), initially to twice its
Maximum Segment Size (MSS), which is 536 bytes by default. As the data is received and acknowledged
back to the sender, the cwnd grows, first exponentially in slow-start mode then linearly in congestion
avoidance mode, until either packet loss is encountered or the awnd threshold is reached.
If packet loss is encountered, then the transmission rate is throttled back to slow-start mode where the
cwnd is set to 1 MSS. Packet loss can be detected on the network either by reception of duplicate ACK
packets from the receiver, or expiration of the retransmission timeout (RTO).
If the awnd threshold is reached, it signifies that the receiver cannot accept any new packets because its
buffers are full. The receiver sends a window update indicating a window size of zero. The sender at this
point stops transmitting, but continuously probes for any new window updates.
At any point in time there can only be a finite amount of data in flight, whose value does not exceed the
receive window size (in bytes). This value is known as the bandwidth-delay product (BDP) and is
defined as:
Bandwidth-delay Product
$$\text{BDP (bytes)} = \frac{\text{Bandwidth (bits/sec)}}{8} \times \text{RTT (sec)}$$
The design and optimization goal is to ensure that the BDP is as close to the size of the receive window
in order to maximize the data transfer rate, that is, throughput. Throughput can be calculated as follows:
Throughput
$$\text{Throughput (bits/sec)} = \frac{\text{Receive window size (bits)}}{\text{RTT (sec)}}$$
The receive window size is 64KB by default. Since the RTT is guided by laws of physics and cannot be
changed, the throughput is almost always lower than the link bandwidth. The maximum bandwidth
available along the network path that video traffic traverses is equal to the bandwidth of the smallest
link.
The window size can be increased in order to approach the raw bandwidth; however, the following
caveats should be taken into account:
- Unless Selective Acknowledgements (SACK) is implemented in the client TCP/IP stack, if any
  packet loss occurs, the entire window will need to be retransmitted. The SACK option causes
  the client to only retransmit the missing packets, but it is typically not enabled by default.
- To contain the entire window of unacknowledged data in memory, more buffer space will be
  required on network routers.
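The bandwidth-delay product and throughput relations above, carried through for a whole path, as an added example that is not part of the original course material. It computes the ceiling one TCP connection reaches with a given receive window, the bottleneck link, and the window needed to fill the path; the link speeds are constructed sample values, and 65535 bytes is the largest window the 16-bit TCP header field can advertise without the window scale option.

```python
import math

DEFAULT_WINDOW_BYTES = 64 * 1024     # receive window default stated on this page
MAX_UNSCALED_WINDOW = 65535          # limit of the 16-bit TCP window field


def bdp_bytes(bandwidth_bps, rtt_ms):
    """Bandwidth-delay product: bytes in flight needed to keep the path full."""
    return bandwidth_bps * rtt_ms / 8000


def window_limited_bps(window_bytes, rtt_ms):
    """Ceiling for one TCP connection: one receive window per round trip."""
    return window_bytes * 8 * 1000 / rtt_ms


def assess_path(link_bandwidths_bps, rtt_ms, window_bytes=DEFAULT_WINDOW_BYTES):
    """Combine the smallest link on the path with the window-imposed ceiling."""
    bottleneck = min(link_bandwidths_bps)
    window_cap = window_limited_bps(window_bytes, rtt_ms)
    needed = math.ceil(bdp_bytes(bottleneck, rtt_ms))
    return {
        "bottleneck_bps": bottleneck,
        "throughput_bps": min(bottleneck, window_cap),
        "limited_by": "window" if window_cap < bottleneck else "link",
        "window_to_fill_path_bytes": needed,
        "needs_window_scaling": needed > MAX_UNSCALED_WINDOW,
    }


def max_rtt_ms(stream_bps, window_bytes=DEFAULT_WINDOW_BYTES):
    """Largest RTT at which one TCP connection still sustains stream_bps."""
    return window_bytes * 8 * 1000 / stream_bps


# Constructed path: 1 Gbps access, 100 Mbps WAN hop, 1 Gbps data center link.
SAMPLE_PATH_BPS = [1_000_000_000, 100_000_000, 1_000_000_000]

if __name__ == "__main__":
    for rtt in (2, 50):              # 50 ms is the TCP RTT ceiling this page recommends
        print(rtt, "ms:", assess_path(SAMPLE_PATH_BPS, rtt))
    print("4 Mbps stream tolerates up to", max_rtt_ms(4_000_000), "ms RTT")
```

At a 50 ms RTT the default window caps a single TCP stream at roughly 10.5 Mbps even though the smallest link on the sample path is 100 Mbps.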
Video surveillance traffic encoded with variants of the MPEG standard (H.264 and MPEG4) is bursty in
nature and as such this characteristic needs to be accounted for in network provisioning.
Packet Loss
Packet loss refers to the dropping of packets between a defined network ingress point and a defined
network egress point. Loss is detected by the reception of non-contiguous sequence numbers at the
receiver. Both TCP and RTP packets have a sequence number field in their respective packet headers for
this purpose.
- Lower-layer errors: bit errors, which might occur due to noise or attenuation in the
  transmission medium
When RTP data is transported over UDP, the sender is not notified of the packet loss because the
connection is one-way, sender to receiver, and there is no concept of state. TCP, on the other hand,
notifies the sender through use of duplicate acknowledgements. The duplicate ACKs contain the
sequence number of the last contiguous packet received. If the lost packet did not make it to the receiver,
the sender discovers the packet loss when the retransmission timeout expires before the expected ACK is
received.
Therefore, TCP is more reliable than UDP as a transport protocol; however, UDP is more efficient
because of lower protocol overhead. For high packet loss and high latency networks, TCP should not be
used as the transport protocol as it will only exacerbate a bad situation, further inhibiting real-time
delivery of data. Whenever congestion is detected, TCP slows the transmission rate to adapt to the
change and mitigate packet loss; however, when loss does occur, then the throughput is significantly
impacted as slow-start mode is invoked.
Note that since a single Ethernet frame (1500 bytes) can carry more than one IP video packet as payload,
the loss of a frame can have significant effects on the quality of the decoded stream, typically manifested
as pixelated video streams and gaps in recordings.
In order to effectively measure packet loss, the IP Video Surveillance network needs to be preconfigured
to monitor and report on the status of all media flows from video endpoints to media servers, and media
servers to client endpoints. This method can be characterized as the passive approach, in that
performance measurements are taken without disturbing the data operation, and are achieved through the
deployment of Cisco performance monitor.
Performance monitoring allows network administrators to detect video degradation due to packet loss,
before it significantly impacts the performance of VSM. Whenever a predefined threshold is crossed, a
user can be immediately notified either through a syslog message or SNMP traps, allowing for quick
fault isolation and resolution.
Mediatrace can also be used to measure packet loss along a network path, and on an on-demand basis.
When degradation in the stream quality is visually observed, or reported by the performance monitor, the
end-to-end path and the specific flow can be examined to determine which node along the network is
causing the loss. This is done by calculating metrics from values in the TCP, UDP and RTP headers at
each node. All nodes need to be configured as mediatrace responders.
More details on performance monitoring and mediatrace are discussed in the chapter on network
management.
Alternatively, packet loss along a network path can be measured on-demand through the use of synthetic
video traffic generated by IP SLA Video Operations probes. This is the active approach, since the IP
SLA VO probes emulate video endpoints by generating and sending realistic video traffic to receivers,
along the same network path that normal video traffic would take. As a result, the synthetic traffic is
exposed to the same path characteristics that real traffic would experience and therefore the packet loss
metrics collected are representative of the state of the network path.
Typically, this tool is used for conducting pre-deployment assessments but can also be used to generate
synthetic traffic from simulated endpoints. This is the advantage this tool has over mediatrace: the
flow does not need to already exist in order to determine path characteristics; the path characteristics
are determined using synthetic traffic, which generates results that are statistically very close to the real
observed values.
Lastly, one other method of detecting packet loss is by manually collecting packet captures of a network
stream and analyzing sequence numbers of RTP and TCP packets to determine gaps in continuity. Data
will need to be carefully captured using the Switch Port Analyzer (SPAN) feature of IOS Catalyst switches
and loaded into a packet analysis tool, such as Wireshark. This approach is much more tedious but
provides a wealth of information for deep packet inspection using raw captured data.
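The sequence-number analysis described above can be scripted once the capture is exported. The following added example (not part of the original course material) parses RTP headers, counts loss across the 16-bit sequence wrap, and computes the RFC 3550 interarrival jitter for comparison with the 2 ms mean jitter threshold this page recommends; the capture is constructed inline, and 90 kHz is the standard RTP clock rate for video.

```python
import struct

VIDEO_CLOCK_HZ = 90000      # RTP clock rate used by video payload formats
JITTER_LIMIT_MS = 2.0       # mean jitter threshold recommended on this page


class StreamStats:
    """Loss and jitter counters for one RTP stream (one SSRC)."""

    def __init__(self):
        self.base = None        # first sequence number seen
        self.max_ext = None     # highest sequence number, extended beyond 16 bits
        self.received = 0
        self.duplicates = 0
        self.reordered = 0
        self.gaps = []          # (first missing sequence number, packets missing)
        self.transit = None     # arrival time minus RTP timestamp, in clock ticks
        self.jitter = 0.0       # RFC 3550 interarrival jitter, in clock ticks

    def update(self, seq, rtp_ts, arrival_ticks):
        if self.base is None:
            self.base = self.max_ext = seq
        else:
            delta = (seq - self.max_ext) & 0xFFFF     # forward distance modulo 2^16
            if delta == 0:
                self.duplicates += 1                  # same packet seen again
                return
            if delta >= 0x8000:
                self.reordered += 1                   # older packet arriving late
            else:
                if delta > 1:
                    self.gaps.append(((self.max_ext + 1) & 0xFFFF, delta - 1))
                self.max_ext += delta                 # also carries across the wrap
        self.received += 1
        transit = arrival_ticks - rtp_ts
        if self.transit is not None:
            self.jitter += (abs(transit - self.transit) - self.jitter) / 16
        self.transit = transit


def analyze(capture, clock_hz=VIDEO_CLOCK_HZ):
    """capture: iterable of (arrival_ms, udp_payload). Returns a report per SSRC."""
    streams = {}
    for arrival_ms, data in capture:
        if len(data) < 12 or data[0] >> 6 != 2:
            continue                                  # not an RTP version 2 packet
        seq, rtp_ts, ssrc = struct.unpack_from("!HII", data, 2)
        stats = streams.setdefault(ssrc, StreamStats())
        stats.update(seq, rtp_ts, arrival_ms * clock_hz / 1000)
    report = {}
    for ssrc, s in streams.items():
        expected = s.max_ext - s.base + 1
        lost = expected - s.received
        jitter_ms = s.jitter * 1000 / clock_hz
        report[ssrc] = {
            "received": s.received, "expected": expected, "lost": lost,
            "loss_pct": 100.0 * lost / expected,
            "gaps": s.gaps, "reordered": s.reordered, "duplicates": s.duplicates,
            "jitter_ms": jitter_ms,
            "jitter_within_limit": jitter_ms <= JITTER_LIMIT_MS,
        }
    return report


def sample_packet(seq, rtp_ts):
    """Constructed RTP packet: version 2, payload type 96, fixed SSRC."""
    return struct.pack("!BBHII", 0x80, 96, seq, rtp_ts, 0x1234ABCD) + b"\x00" * 32


# Constructed capture: 25 fps pacing (3600 ticks = 40 ms), sequence wrap at 65535,
# sequence number 2 never arrives, and the last packet is 8 ms late.
SAMPLE_CAPTURE = [
    (0, sample_packet(65533, 0)),
    (40, sample_packet(65534, 3600)),
    (80, sample_packet(65535, 7200)),
    (120, sample_packet(0, 10800)),
    (160, sample_packet(1, 14400)),
    (240, sample_packet(3, 21600)),
    (288, sample_packet(4, 25200)),
]

if __name__ == "__main__":
    for ssrc, stats in analyze(SAMPLE_CAPTURE).items():
        print(hex(ssrc), stats)
```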
Cisco recommends that in order to provide an acceptable quality of experience, the following mean
thresholds should not be exceeded:
Latency
One-way network delay, or latency, is characterized by the time difference between when an IP packet is
received at a defined network ingress point and when it is transmitted at a defined egress point.
There are four main factors that contribute to network delay:
- Propagation: refers to the time it takes for a packet to transit along the end-to-end network
  path, from source to sink. The propagation speed depends on the medium that the electric
  current travels on; data in fiber channel media travels at the speed of light while data in
  unshielded copper travels at about 60% the speed of light.
- Switching: refers to the time it takes to forward packets from an ingress interface to the
  respective egress interface of a network device. In general, these lookup operations take a very
  short amount of time especially since modern routing protocols converge quickly and switching
  is implemented in hardware.
- Queuing: refers to the time a packet spends in the output interface queue of a switch or router
  waiting to be de-queued. If the FIFO queue in the tx-ring begins to get full, software queuing
  tools such as CBWFQ are required to manage packets and provide differentiated service.
  Congestion on these queues can exacerbate network delay.
- Serialization: refers to the time it takes to send all bits of a frame to the physical medium for
  transmission. Any bit errors that occur could impact the time it takes to place data on the wire.
It is also important to distinguish image latency from command latency. Whereas image latency
defines the time difference for a scene change in a video stream, command latency measures the time it
takes a PTZ camera to respond to commands issued from the VSM server. However, command latency is
affected by image latency, since PTZ control movements can only be perceived on a scene change on
screen.
Cisco recommends that the one-way network latency, both image and command, should not exceed
150ms when UDP is the transport protocol in order to provide an acceptable quality of experience to
viewing clients. For TCP, the round-trip time (RTT) should not exceed 50ms.
Jitter
Jitter refers to the variation in one-way network delay between two consecutive packets, caused by
factors such as fluctuations in queuing, scheduling delays at network elements or configuration errors.
An appropriately sized de-jitter buffer can accommodate the maximum value of the network jitter so that
it does not play-out beyond the worst-case end-to-end network delay. The VSM media server serves this
purpose as both a proxy and a de-jitter buffer; however, excessive jitter can overwhelm the ability of the
media server to compensate for the delay variation, thus impacting the VSM server application.
Cisco recommends that the mean jitter threshold should not exceed 2ms, in order to ensure an acceptable
quality of experience.
Lesson 6
Quality of Service Considerations
Overview
Quality of Service (QoS) refers to the ability of the network to provide special
or preferential service to a set of users or applications or both to the detriment
of other users or applications or both. Proper design of QoS in an IP Video
Surveillance environment is crucial as video transport places unique demands
on the network infrastructure to ensure that it is usable, reliable and available
to media servers and end-users.
The following sections describe the various considerations to take into account
when designing to provision QoS on the network.
QoS Processing
QoS processing of packets follows a specific set of steps, in an orderly fashion. The QoS tools available
depend on the direction of the traffic flow.
On ingress on an interface:
- Classification: the packet is inspected to determine the QoS label to apply based on the
  matching criteria defined, for example ACL, NBAR.
- Policing: the traffic rate is compared with the configured policer to determine whether the
  packets conform or exceed the defined profile
- Marking: the packets are marked with a defined descriptor, based on whether policing is
  configured and whether the packet is deemed conformant or non-conformant
- Queuing and scheduling: based on the QoS label, the packet is placed into one of the ingress
  queues, and the queue is serviced based on the configured weights
On egress on an interface:
- Queuing and scheduling: this is the only set of QoS tools and actions available on egress
  interfaces.
- Differentiated Services Code Point (DSCP): the high-order 6 bits of the Differentiated
  Services (DS) field that replaced the ToS byte
- Class of Service (802.1p): the 3 high-order bits of the Tag Control field when 802.1q trunking
  is used, and the 3 low-order bits of the User field when ISL is in use.
IP Precedence
DSCP
CoS
QoS group ID
FR DE bit
MPLS EXP
To facilitate end-to-end QoS for any given packet, the IETF defined the IntServ and DiffServ models.
The IntServ model relies on Resource Reservation Protocol (RSVP) to signal and reserve the desired
QoS per network flow. A flow is defined as an individual, unidirectional data stream between two
applications, uniquely identified by the five-tuple: source IP, source port, destination IP, destination
port, transport protocol. However, per-flow QoS is difficult to achieve in an end-to-end network without
requiring introduction of significant complexity, in addition to scalability issues.
DiffServ, on the other hand, provides for grouping of network flows into aggregates (traffic classes),
then applying appropriate QoS for each aggregate. With this approach, the need for signaling is negated;
complexity is reduced and thus provides for a highly-scalable, end-to-end QoS solution.
As noted above, the DS field can be used for both traffic classification and marking. Each DSCP value
(codepoint) is expected to cause nodes (network devices) along an IP packet's path to apply a specific
QoS treatment and forwarding behavior, i.e. Per-Hop Behavior (PHB), to the traffic. Packets traveling in
the same direction, with the same DSCP values assigned, are referred to as a Behavior Aggregate (BA).
Nodes that are DS-compliant must conform and implement the specifications of the PHB.
- Default PHB: defines the codepoint 000000 and provides Best Effort service from a
  DS-compliant node
- Class Selector (CS) PHB: defines codepoints in the form xyz000 corresponding to the classes
  CS0 (000000 or 0) to CS7 (111000 or 57); higher classes provide increasingly better service
  treatment. Also provides backward compatibility with IP Precedence.
- Assured Forwarding (AF) PHB: provides four traffic queues with bandwidth reservations.
  Codepoints are defined in the form xyzab0 where xyz is 001/010/011/100, and ab is either
  1 or 0 and corresponds to the drop probability
- Expedited Forwarding (EF) PHB: provides for low-loss, low-latency, and guaranteed, but
  policed, bandwidth service treatment of traffic. Recommended DSCP value is 101110 or 46.
We recommend marking IP video packets with DSCP values, not CoS, for two main reasons:
- DSCP values are persistent end-to-end. Since CoS markings reside in the Layer 2 headers, they
  are only preserved in the LAN; when a layer-3 device is encountered, the LAN header is
  discarded and so this marking is lost.
- DSCP offers more granular and scalable marking with up to 64 classes of traffic; CoS only
  allows for 8 traffic classes.
Cisco recommends marking all traffic from IP video endpoints with DSCP 40 (which corresponds to
CS5) since a disproportionate amount of the traffic composition (video, voice and signaling), is video
traffic. However, users can also elect to differentiate these three traffic types through the use of
Network-Based Application Recognition (NBAR) protocol discovery.
When using NBAR, we recommend marking interactive voice bearer traffic (VoIP) with DSCP 46
(which corresponds to EF) and any signaling traffic (e.g. RTSP, SIP, and H.323) should be marked with
DSCP 24 (which corresponds to CS3). Note that if any video streams are using RTSP interleaving, then
RTSP streams should be marked with CS5.
The access-list for identifying video traffic could be configured more restrictively, such as matching the
camera subnet, or security could be enforced by applying the service policy to the ingress interface along
with a smart-port macro that uses device identification mechanisms, such as CDP to identify camera
endpoints.
For Catalyst 2960, 2970, 3560 and 3750 devices, switching is handled in hardware and since QoS tools
are software based, the command show policy-map interface gig0/0 does not show any hits on matched
packets. To gauge whether QoS marking is working correctly, the command show mls qos interface g0/0
statistics should be issued on the egress interface to the upstream device.
- Software queues: associated with physical interfaces and created by software queuing tools
  (e.g. CBWFQ) that implement various algorithms for scheduling and de-queuing packets
- Hardware queue: exists on the hardware NIC and implements strict First-In-First-Out (FIFO)
  scheduling and also provides configurable queue lengths. Also referred to as transmit queue (Tx
  queue) or transmit ring (Tx ring).
Cisco IOS provides congestion management and avoidance tools for both routers and switches as
discussed below.
Routers
There are three main queuing disciplines available on IOS routers:
- Class-based Weighted Fair Queuing (CBWFQ): defines traffic classes to be assigned to each
  queue with minimum bandwidth guarantees provided to prevent starvation. Up to 64 classes,
  and therefore 64 queues, can be defined in addition to the default class-default queue that has
  no bandwidth reservation; it uses any remaining bandwidth. By default, 75% of the total
  interface bandwidth can be reserved by the various queues; it is not recommended to change
  this value.
- Low-latency Queuing (LLQ): similar to CBWFQ but provides low-delay guarantees as well to
  certain traffic types (e.g. VoIP) through the use of a strict priority queue. That is, it provides a
  minimum bandwidth but does not exceed that if there is congestion (policing): priority traffic
  will be dropped. LLQs can also have multiple priority queues, policed at different rates for
  different traffic types.
So after routing decisions have been made on a router and there is no congestion on the egress interface
to the next-hop, the packet is placed directly on the hardware queue and immediately exits the interface.
However, if there is congestion, the packet is classified into a software queue based on its
marked traffic descriptor (e.g. DSCP), using either CBWFQ or LLQ. Packets are then scheduled and
de-queued to the hardware queue based on bandwidth resource assigned or priority, and based on the
congestion level of the hardware queue.
If the software queue fills up, packets are tail-dropped indiscriminately. This phenomenon can have
adverse effects on network traffic, particularly for TCP-based flows.
One of the ways that TCP provides reliability is through acknowledging data sent by a host or device.
However, data segments and acknowledgements can get lost, for instance due to being tail-dropped when
there is congestion. Congestion can be detected either by time-outs occurring or reception of duplicate
ACKs. A time-out occurs when the TCP retransmission timer expires (RTO) before an expected ACK is
received, and TCP sends duplicate ACKs when expected packets are lost or received out-of-order.
When a segment is not acknowledged, TCP resends based on a binary exponential back-off algorithm,
i.e., the interval between retransmissions increases exponentially to a limit. Also, the current window
size (the smaller of the congestion and advertised window) is cut in half. If an ACK is later received,
slow start is engaged: the congestion window is initially set to one segment, then doubles each time an
ACK for sent data is received. Multiple flows getting tail-dropped and going into slow-start
simultaneously could lead to wave-like congestion recurrence, the TCP global synchronization
phenomenon. If no ACK is received, it gives up and sends a segment with the reset (RST) bit set
that abruptly closes the session. Also, as TCP traffic gets throttled back, other non-TCP traffic types, e.g.
UDP and ICMP, fill up the queues leading to TCP starvation.
These behaviors affect IP video streams sent from the VSM media server to viewing clients as the stream
is based on TCP. To mitigate these effects, as the software queues begin to fill up, packets can be
dropped based on Weighted Random Early Detection (WRED).
WRED is a technique designed to monitor queue depth and discard a percentage of packets in the
software queue to reduce the offered load and thus alleviate congestion and prevent tail drop. WRED is
governed by three parameters:
- Minimum threshold: when the queue length is below this integer value, no packets are
  dropped. Minimum value is 0.
- Maximum threshold: when the queue length is above this integer value, all new packets are
  dropped (full-drop). Maximum output queue length is 40 packets.
- Mark Probability Denominator (MPD): an integer value between the minimum and maximum
  threshold values that indicates the probability of a packet being randomly dropped. The
  relationship is characterized as being 1 of MPD (1/MPD), for example an MPD of 10 means 1
  of every 10 packets is randomly dropped from the queue.
The packet drop probability is based on the minimum threshold, maximum threshold, and mark
probability denominator. When the average queue depth is above the minimum threshold, RED starts
dropping packets.
The rate of packet drops increases linearly as the average queue size increases until the average queue
size reaches the maximum threshold. The mark probability denominator is the fraction of packets
dropped when the average queue depth is at the maximum threshold.
WRED allows for packets to be characterized into a profile based on either IP Precedence or DSCP
markings. In this way, high-latency traffic and highly-aggressive (high-volume) traffic can be
differentiated.
It is not recommended to apply WRED to IP Video Surveillance or VoIP traffic, as this could lead to
packet loss, delay or jitter, which lowers the quality of experience for end users. It is, however,
recommended to apply WRED to lower traffic aggregates in order to lower the chances of queues filling
up and therefore of tail drops.
If WRED must be applied at all, the IP Video Surveillance traffic aggregate should have a very high
MPD (35+) so that it is in fact the last traffic type to be considered for random drops. Such a
scenario should only occur as a temporary measure while the network architecture of the segment in
question is evaluated for opportunities for better design.
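The drop-probability ramp and the effect of a high MPD, as an added example that is not part of the course material. The thresholds (20 and 36 packets), the queue-depth trace and the averaging weight are constructed; only MPD 10 and MPD 35 come from the text above.

```python
"""WRED drop probability for two traffic profiles (added illustration)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    name: str
    min_threshold: int  # packets: below this average depth nothing is dropped
    max_threshold: int  # packets: above this average depth everything is dropped
    mpd: int            # mark probability denominator

    def __post_init__(self):
        if not 0 <= self.min_threshold < self.max_threshold or self.mpd < 1:
            raise ValueError("need 0 <= min < max and MPD >= 1")

    def drop_probability(self, avg_depth: float) -> float:
        """Linear ramp from 0 at the minimum threshold to 1/MPD at the maximum."""
        if avg_depth < self.min_threshold:
            return 0.0
        if avg_depth > self.max_threshold:
            return 1.0  # full-drop region
        ramp = (avg_depth - self.min_threshold) / (
            self.max_threshold - self.min_threshold)
        return ramp / self.mpd


def simulate(profile, depths, weight_exp=2, seed=1):
    """Feed instantaneous queue depths through WRED and count dropped packets.

    The average depth is an exponentially weighted moving average. The small
    weight exponent is an assumption so that a short trace reacts quickly.
    One random draw is made per packet, so two profiles run with the same seed
    see the same draws and differ only in their drop probability.
    """
    rng = random.Random(seed)
    avg, drops = 0.0, 0
    for depth in depths:
        avg += (depth - avg) / 2 ** weight_exp
        if rng.random() < profile.drop_probability(avg):
            drops += 1
    return drops


# Constructed profiles: identical thresholds, only the MPD differs.
BULK = WredProfile("bulk", min_threshold=20, max_threshold=36, mpd=10)
IPVS = WredProfile("ipvs", min_threshold=20, max_threshold=36, mpd=35)

# Constructed trace: idle queue, sustained congestion, then a near-full queue.
TRACE = [5] * 50 + [30] * 200 + [40] * 50

if __name__ == "__main__":
    for profile in (BULK, IPVS):
        print(f"{profile.name}: p(avg=28)={profile.drop_probability(28):.4f} "
              f"p(avg=36)={profile.drop_probability(36):.4f} "
              f"drops={simulate(profile, TRACE)} of {len(TRACE)}")
```

Once the average depth passes the maximum threshold both profiles lose every packet, which is why a high MPD only protects video during moderate congestion.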
Cisco recommends that IP Video Surveillance traffic should be placed in the Low Latency Queue (LLQ)
to allow the delay-sensitive video traffic to be de-queued before other traffic types. Queuing for IP
Video Surveillance traffic could be implemented as shown below:
!
! Match all IPVS traffic and place in LLQ with 30% of interface bandwidth
! All other traffic is placed in the Weighted Fair Queue
!
class-map match-all CMAP-IPVS
match dscp cs5
!
policy-map PMAP-IPVS
class CMAP-IPVS
priority percent 30
class class-default
fair-queue
!
interface gig0/0
service-policy out PMAP-IPVS
!
LAN Switches
Multilayer IOS LAN switches (e.g. Catalyst 3560) implement both ingress and egress queuing based on
either CoS or DSCP markings.
Shared Round Robin mode: bandwidth is shared between the queues according to the weights
configured; however, any queue can take up unused capacity in the other queue in order to
service packets if its own assigned bandwidth is depleted. This mode allows for maximum use
of available interface bandwidth and increases queue efficiency. This is the default mode, and
the only mode available to ingress queues.
Shaped Round Robin mode: fixed bandwidth is assigned to each queue and packets are sent at
an even rate (rate-limiting). This mode is useful in preventing some forms of denial-of-service
attacks that attempt to overwhelm an interface with traffic, denying other legitimate services
access. It also allows for configuring subrate packet speeds to prevent exceeding a configured
percentage of an interface's bandwidth. This mode is only available for egress queues.
Ingress interfaces allow for up to 2 queues to be configured and only shared-mode dequeuing is possible.
One of the queues can be configured as a priority queue (by default this is queue 2) and will
subsequently be assigned traffic aggregates marked with CoS 5 and 10% of the interface bandwidth.
Egress interfaces allow for up to 4 queues and either shared or shaped mode to be configured. One of the
four queues can also be configured as the priority queue (this must be queue 1).
Cisco recommends the use of Shared Round Robin mode in order to allow the IP Video Surveillance
solution to make full use of all available interface bandwidth on the egress queue.
Traffic Shaping and Policing
Shaping is a type of traffic conditioning that addresses two problems:
Packets being dropped by a service provider because they exceed a predetermined bit rate, that
is, the Committed Information Rate (CIR) of the virtual circuit
Packets being marked-down or dropped due to a mismatch of ingress and egress interface
speeds or egress and far-side line rates. For example, 1Gbps ingress traffic exiting via 256Kbps
circuits.
Shapers will buffer traffic that is in excess of a prearranged policy (SLA) and transmit evenly at the
desired rate.
Policing also monitors the rate of traffic flow and takes action against non-conforming traffic, either
marking down the packet's QoS descriptor and then transmitting it (so that the packet can be dropped
more easily later) or, more aggressively, discarding it right away.
For both these traffic conditioning mechanisms, traffic rates are measured based on the token bucket
model. For a packet to be transmitted out an interface, a token needs to exist. At each time interval (Tc),
a certain number of tokens can be sent (Bc, the committed burst size) according to policy or contract
with the service provider. On occasion, when there are periods of little or no activity, more traffic than
typical (that is, higher than the Bc) can be sent: the excess burst (Be).
In cases of networks with constrained bandwidth, policing of IP Video Surveillance traffic can cause
increased packet loss observed on the network. Traffic shaping can also lead to increased latency in the
delivery of video packets from the endpoints to the server.
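The token bucket model above, as an added example that is not part of the course material: the same 20 packets are run through a policer and a shaper, once as a single burst and once paced at the contract rate. The contract values (4 Mbps CIR, Bc of 100,000 bits, Be of 50,000 bits) and both packet traces are constructed, and the shaper is assumed to buffer without using Be.

```python
"""Token bucket policing and shaping with Bc, Be and Tc (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    cir_bps: int   # committed information rate, bits per second
    bc_bits: int   # committed burst: tokens credited every Tc
    be_bits: int   # excess burst: unused credit that may be banked

    @property
    def tc_us(self) -> int:
        """Tc = Bc / CIR, in microseconds."""
        return self.bc_bits * 1_000_000 // self.cir_bps


def police(contract, packets):
    """Classify each (arrival_us, size_bits) packet; nothing is buffered.

    Every elapsed Tc credits Bc tokens to the committed bucket. Credit that
    does not fit spills into the excess bucket, capped at Be.
    """
    committed, excess = contract.bc_bits, contract.be_bits  # buckets start full
    last_refill, verdicts = 0, []
    for arrival_us, size_bits in packets:
        intervals = (arrival_us - last_refill) // contract.tc_us
        if intervals > 0:
            last_refill += intervals * contract.tc_us
            committed += intervals * contract.bc_bits
            overflow = max(0, committed - contract.bc_bits)
            committed = min(committed, contract.bc_bits)
            excess = min(contract.be_bits, excess + overflow)
        if size_bits <= committed:
            committed -= size_bits
            verdicts.append("conform")   # transmitted unchanged
        elif size_bits <= excess:
            excess -= size_bits
            verdicts.append("exceed")    # typically marked down
        else:
            verdicts.append("violate")   # typically dropped
    return verdicts


def shape(contract, packets):
    """Return the queuing delay (microseconds) a shaper adds to each packet.

    Excess traffic is held back and released at Bc bits per Tc, in FIFO order.
    """
    tc = contract.tc_us
    interval_start, tokens, ready, delays = 0, contract.bc_bits, 0, []
    for arrival_us, size_bits in packets:
        if size_bits > contract.bc_bits:
            raise ValueError("packet larger than Bc can never be sent")
        depart = max(arrival_us, ready)          # cannot overtake the queue
        if depart >= interval_start + tc:        # a new Tc has begun
            interval_start += (depart - interval_start) // tc * tc
            tokens = contract.bc_bits
        while tokens < size_bits:                # wait for the next Tc
            interval_start += tc
            tokens = contract.bc_bits
            depart = interval_start
        tokens -= size_bits
        ready = depart
        delays.append(depart - arrival_us)
    return delays


# Constructed contract and traces: 20 packets of 1250 bytes (10,000 bits).
CONTRACT = Contract(cir_bps=4_000_000, bc_bits=100_000, be_bits=50_000)
BURST = [(0, 10_000)] * 20                            # all arrive at once
PACED = [(i * 2_500, 10_000) for i in range(20)]      # one every 2.5 ms

if __name__ == "__main__":
    for name, trace in (("burst", BURST), ("paced", PACED)):
        verdicts = police(CONTRACT, trace)
        print(name, {v: verdicts.count(v) for v in ("conform", "exceed", "violate")},
              "max shaping delay (us):", max(shape(CONTRACT, trace)))
```

Both traces carry the same number of bits; only the burst loses packets under policing or gains latency under shaping.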
In general, Cisco recommends as much as possible IP Video Surveillance and VoIP traffic be confined to
the LAN and that in the event this traffic needs to traverse the WAN, adequate bandwidth is available to
lessen the need to implement traffic conditioning, due to the adverse effects that these measures can have
on the user experience.
Lesson 7
Network Management Considerations
Overview
In order to have an effective IP Video Surveillance solution that meets expectations,
the video endpoints, server applications and client endpoints need to be managed
on a common network framework, to allow for device and platform health
monitoring, fault isolation and resolution.
The device sensor infrastructure uses the following mechanisms for endpoint discovery:
When an endpoint is attached to an IOS switch, an event trigger is generated based on the discovery
mechanism. The device classifier then responds and gleans metadata from the device to establish a
profile for the endpoint based on the type, model and class of the device.
For endpoint devices to be identified, they need to provide native support for these protocols. All Cisco
IP cameras, with the exception of the 2900 series, provide native support for CDP.
Macros require global activation on the IOS device before use. By default, ASP is globally disabled, but
is enabled on each interface. Since this feature may not be required for all switchports on the device, and
to avoid unintended consequences, it is recommended to first disable macro processing on all interfaces,
then manually enable only on the required interfaces, as shown below:
!
! First disable macro processing per interface, then enable globally
! Next, enable only on the interfaces where necessary
!
interface range g0/1 - 24
no macro auto processing
!
macro auto global processing
!
interface range g0/1 - 10
macro auto processing
!
By default, a built-in shell function is defined in access switches for Cisco IP video endpoints, named
CISCO_IPVSC_AUTO_SMARTPORT. This macro automatically configures the following features:
Auto QoS: automatically configures QoS on the switchport by establishing the DSCP trust
boundary, creates an egress priority queue, and modifies the SRR bandwidth and queue set. This
configuration option assumes that the appropriate QoS marking is performed upstream and is
suitable for classification purposes.
Port security: enables port security on the interface, allowing only one secure MAC address on
the switchport. Defaults to setting error-disable state if a security violation occurs, in addition to
sending SNMP traps and syslog messages to recipients, as configured on the network device.
Spanning-tree optimizations: applies PortFast and BPDU guard STP optimizations to allow for
endpoints to quickly transition to the forwarding state and to guard against the transmission of
bridge protocol data units which should not be received on an access port, respectively.
The only user configurable option is the access VLAN the switchport is a member of and is set when the
macro is applied with the command:
!
C3560(config)# macro auto device ip-camera ACCESS-VLAN=100
!
The default ASP for Cisco video endpoints, CISCO_IPVSC_AUTO_SMARTPORT, applies the
following configuration settings:
!
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
switchport block unicast
switchport port-security
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device ip-camera
mls qos trust dscp
macro description CISCO_IPVSC_EVENT
auto qos video ip-camera
spanning-tree portfast
spanning-tree bpduguard enable
!
Some of the QoS changes applied by the built-in ASP affect the switch global configuration, and as such
may lead to unintended consequences. In addition, some of the features, for example port security, may
not be required in all environments. To meet specific requirements, custom ASPs can be created.
The following ASP is executed whenever a CISCO_IPVSC_EVENT is triggered due to CDP after a
LINKUP event is detected:
!
macro auto execute CISCO_IPVSC_EVENT {
if [[ $LINKUP -eq YES ]]; then
conf t
interface $INTERFACE
macro description Custom IPC ASP
switchport access vlan 42
switchport mode access
switchport block unicast
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input PMAP-IPVS-IN
exit
end
fi
if [[ $LINKUP -eq NO ]]; then
conf t
interface $INTERFACE
no macro description
no switchport access vlan 42
no switchport block unicast
no spanning-tree portfast
no spanning-tree bpduguard enable
no service-policy input PMAP-IPVS-IN
if [[ $AUTH_ENABLED -eq NO ]]; then
no switchport mode access
fi
exit
end
fi
}
!
The switchport is placed in access VLAN 42, port mode is set to access, unicast storms are blocked,
PortFast and BPDU guard STP optimizations are enabled and a policy map that is used for device
classification and DSCP marking is applied.
Whenever the video endpoint is detached from the switch, the macro removes the configuration. It is
important to be aware that ASPs replace existing interface configuration, therefore careful consideration
should be taken when enabling the macros.
Once the interface configuration is applied, the device can now begin data transmission over the network
segment to obtain an IP address.
A single DHCP server can be used to serve multiple endpoints across layer-3 boundaries. Once these
attributes have been learned by the endpoint, transmission of video traffic over the network can now
begin.
The MSI embedded within video endpoints facilitates the discovery of the IP address of the VSM media
server by inspecting the DHCP server response carried in Option 150, as described in the DHCP section
of this document.
Once the camera has this information, the MSI enables camera-based discovery, which allows for
contacting a media server, or a list of media servers if multiple are discovered and the first on the
list does not respond.
Network Validation
When planning and designing the IP Video Surveillance network, it is important to consider the effect
that IP video will have on existing infrastructure. IP Video Surveillance traffic is similar to voice traffic
in the sense that it has high SLA requirements; unlike voice though, video traffic is bandwidth intensive.
Cisco recommends that a network readiness assessment is carried out to ascertain the capacity of the
network to transport video prior to any new IP Video Surveillance deployment or expansion of the
existing environment.
Establishing a traffic baseline should be the first step in the planning process. The IP Service Level
Agreement Video Operations (IPSLA-VO) probe can be used for generating synthetic media flows that
when injected into the network can be used to realistically stress the network and gather information
about the path between the two endpoints.
Round-trip time
One-way latency
Synthetic traffic can be generated on a number of platforms, most commonly on the ISR G2 and the
Catalyst 3000 series switches. For more information on supported platforms view the datasheet at
http://www.cisco.com/en/US/prod/collateral/routers/ps10536/data_sheet_c78-612429.html.
On the Catalyst 3000 platform, traffic can be generated either using a standard profile or a custom
profile. The standard, pre-packaged profile for IP Video Surveillance traffic generates a video stream at
a maximum bitrate of 2.2Mbps. Custom profiles for use with IP SLA VO can only be generated using a
client application that extracts header and payload information from packet capture files. More
information can be found at
http://www.cisco.com/web/solutions/medianet/docs/User_Guide_IPSLAVO_Profile_Generator_Tool.pdf.
Also note that the Catalyst 3000 platform can only generate up to a maximum of 20Mbps of traffic in all
sessions from the sender.
The preferred and more scalable method of video traffic generation is by using the ISR G2. Video
surveillance traffic can only be generated using custom profiles; however, these custom profiles can be
created on-demand using the IOS CLI. The ISR G2 generates traffic in hardware using DSP resources on
the high-density Packet Voice DSP Module 3 (PVDM3).
The capacity for traffic generation by the DSP is based on the number of total credits available and the
stream bitrate, and is measured by the number of channels available. Each DSP has a fixed number of
credits based on the number of cores available.
For example, if a custom video profile specifies a 4Mbps bitrate when using a PVDM3 module, then the
IP SLA sender can create a maximum of 60 sessions. Note that this operation does have a variable CPU
cost which can impact the total number of sessions that can be created by the ISR based on the aggregate
utilization by other processes. If the CPU is experiencing high utilization due to other running processes,
performance may be impacted.
When measuring network performance of particular flows using IP SLA VO, it is important to replicate
as much of the network characteristics of a normal media flow as possible, to ensure the validity of the
results gathered. This includes ensuring that
Synthetic traffic flows in the same direction as the normal traffic would, as policy maps could be
applied in either the input or output direction on upstream switches
QoS markings are identical to provide the same differentiated services to the synthetic flows
Synthetic media profiles match normal media profiles generated by the video endpoints. Note
that IP SLA VO can only emulate media flows encoded in H.264; MJPEG is not supported.
SAMPLE
Consider the following sample network:
Sample Network
In this example, we are interested in measuring the performance metrics (packet loss, latency and jitter)
of the flows between:
R1 and R2 are ISR G2 routers while the rest are Catalyst 3000 switches. R1 and R2 will need to be
configured as IP SLA senders and the switches as responders. Both routers are equipped with PVDM3
modules for on-demand traffic generation.
The sender and responder both need to be synchronized to the same NTP clock so that the time stamps
can be accurate. This can be verified by issuing the command:
!
R4-C2911#sh ntp status
Clock is synchronized, stratum 9, reference is 10.250.1.1
nominal frequency is 250.0000 Hz, actual frequency is 249.9998 Hz, precision is 2**21
reference time is D4625434.17554952 (13:37:56.091 PST Thu Nov 29 2012)
clock offset is 26.8172 msec, root delay is 1.00 msec
root dispersion is 43.03 msec, peer dispersion is 3.05 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000811 s/s
system poll interval is 64, last update was 115 sec ago.
!
!
! Configure switches as responders
!
ip sla responder
!
!
! On the routers, reserve 90% of DSP resources for video traffic
!
voice-card 0
voice-service dsp-reservation 10
!
!
! Create custom profile for video traffic
!
ip sla profile video IPVS-H264-1080P-30F-4M
endpoint custom
codec h.264 profile baseline
resolution 1080P
frame rate 30
bitrate maximum 4000
bitrate window-size 167
frame intra size maximum 100
frame intra refresh interval 1
rtp size average 1300
rtp buffer output shaped
content news-broadcast
no shutdown
!
! Define SLA probes initiated from R1 to SW3
!
ip sla 1
video 10.100.30.3 8888 source-ip 10.100.21.100 source-port 9999 profile IPVS-H264-1080P-30F-4M
reserve dsp
dscp cs5
duration 60
frequency 80
history hours-of-statistics-kept 24
!
!
! Schedule the SLA operation to start immediately and run for an hour
!
ip sla schedule 1 start-time now life 3600
!
The statistics can be viewed on-demand as they are being gathered by the router. The following figure
illustrates the SLA metrics collected using the Medianet visualizer by LiveAction:
SLA Metrics by LiveAction
Additional flow metrics can be gathered by executing a performance monitor mediatrace poll against the
synthetic media flow. The configuration and considerations are described in the Reactive Monitoring
section below.
The following is sample output collected from a mediatrace responder along the end-to-end path of the
traffic flow showing the additional data points that can be gathered to supplement the information
provided by IP SLA VO:
!
Hop Number: 1 (Mediatrace, host=SW9-C3560G, ttl=255)
Metrics Collection Status: Success
Reachability Address: 10.102.0.24
Ingress Interface: Gi0/3
Egress Interface: Gi0/48
Metrics Collected:
Flow Sampling Start Timestamp: 13:54:54
Loss of measurement confidence: FALSE
Media Stop Event Occurred: FALSE
IP Packet Drop Count (pkts): 0
IP Byte Count (KB): 7867.899
IP Packet Count (pkts): 7819
IP Byte Rate (Bps): 262263
Routing Forwarding Status: Unknown
IP DSCP: 40
IP TTL: 254
Flow Counter: 0
Flow Direction: Input
IP Protocol: 17
Media Byte Rate Average (Bps): 257050
Media Byte Count (KB): 7711.519
Media Packet Count (pkts): 7819
RTP Interarrival Jitter Average (usec): 2382
RTP Packets Lost (pkts): 0
RTP Packets Expected (pkts): 7814
RTP Packet Lost Event Count: 0
RTP Loss Percent (%): 0.00
Traceroute data:
Address List: NA
Round Trip Time List (msec): NA
!
Proactive Monitoring
Proactive monitoring of network health is implemented using Cisco Performance Monitor. Performance
monitor is a feature of the Medianet architecture that measures the hop-by-hop performance of Real-Time
Protocol (RTP), Transmission Control Protocol (TCP) and IP Constant Bit Rate (CBR) traffic.
The granular performance data gathered at each hop enhances the speed of fault isolation and resolution.
Analysis is also carried out per-flow and both SNMP and Syslog alerts can be generated based on
thresholds.
Performance monitor maintains historical records of statistics gathered and these can be sent to a
network management system using NetFlow v9 or SNMP.
SAMPLE
Sample Network
Performance monitor is typically deployed at strategic points in the network where traffic converges and
is useful for fault isolation, for example at the network edge router. In this example, performance
monitor is deployed on SW2 since all media flows traverse this device.
!
! Classify all traffic based on the DSCP value. This assumes that marking was implemented
! at the access edge
!
class-map match-all CMAP-IPVS
match dscp cs5
!
!
! Create a flow export destination. This is where flow records will be sent e.g. syslog server
! In this example the syslog server is listening at the default port UDP/514.
!
flow exporter FLOW-EXPORT
destination 10.100.21.112
transport udp 514
!
!
! Create a custom flow record. This specifies what fields are of interest to gather
! statistics on
!
flow record type performance-monitor FLOW-REC
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport rtp ssrc
collect routing forwarding-status
collect ipv4 dscp
collect ipv4 ttl
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect counter packets dropped
collect timestamp interval
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect monitor event
collect transport round-trip-time
!
!
! Define a flow monitor. This ties together the flow record and flow export
! and is used to define policy
! The default-rtp flow record can also be used; it only omits the RTT field from the
! statistics.
!
flow monitor type performance-monitor FLOW-MON
record FLOW-REC
exporter FLOW-EXPORT
!
!
! Apply the flexible netflow policy to the interesting traffic
!
policy-map type performance-mon PMAP-IPVS
class CMAP-IPVS
flow monitor FLOW-MON
monitor metric rtp
min-sequential 2
max-dropout 2
max-reorder 4
monitor metric ip-cbr
rate layer3 packet 1
react 1 transport-packets-lost-rate
threshold value ge 1.00
alarm severity critical
action syslog
!
!
! Apply the policy map to an interface. The service policy can be applied in both
! directions.
!
interface gig0/0
service-policy type performance-monitor input PMAP-IPVS
service-policy type performance-monitor output PMAP-IPVS
!
The status of the performance data can be validated using the command:
!
R6-C2851# show performance monitor status
*counter flow : 10
counter bytes : 5227454
counter bytes rate (Bps) : 17424
*counter bytes rate per flow (Bps) : 17424
*counter bytes rate per flow min (Bps) : 16009
*counter bytes rate per flow max (Bps) : 19126
counter packets : 4206
*counter packets rate per flow : 14
counter packets dropped : 0
routing forwarding-status reason : Unknown
interface input : Gi0/0
interface output : Gi0/1
monitor event : false
ipv4 dscp : 40
ipv4 ttl : 62
application media bytes counter : 5143334
application media packets counter : 4206
application media bytes rate (Bps): 17144
*application media bytes rate per flow (Bps) : 17144
*application media bytes rate per flow min (Bps) : 15751
*application media bytes rate per flow max (Bps) : 18821
application media packets rate (pps): 14
application media event : Normal
*transport rtp flow count : 10
transport rtp jitter mean (usec) : 2766
transport rtp jitter minimum (usec): 2
transport rtp jitter maximum (usec) : 50098
*transport rtp payload type : 96
transport event packet-loss counter : 141
*transport event packet-loss counter min : 6
*transport event packet-loss counter max : 21
transport packets expected counter : 4347
transport packets lost counter : 141
*transport packets lost counter minimum : 6
*transport packets lost counter maximum : 21
transport packets lost rate ( % ) : 3.77
*transport packets lost rate min ( % ) : 1.35
*transport packets lost rate max ( % ) : 4.45
*transport tcp flow count : 0
*transport round-trip-time sum (msec) : NA
*transport round-trip-time samples : NA
transport round-trip-time (msec) : NA
*transport round-trip-time min (msec) : NA
*transport round-trip-time max (msec) : NA
!
Each media flow has a Source Synchronization ID (SSRC) which is used to uniquely identify each flow
from a particular source. In this example we see that jitter is at a mean of 2.7ms and packet loss is
occurring at a 3.77% rate.
Since the packet loss rate exceeds the 1% threshold set, a Threshold Crossing Alarm (TCA) is triggered
and sent to the syslog server as shown below:
Reactive Monitoring
Reactive monitoring of IP Video Surveillance networks is implemented using mediatrace. Mediatrace is
a technology feature of the Medianet architecture that dynamically enables monitoring capabilities on
network devices along a flow's end-to-end path, collecting statistics on a hop-by-hop basis. Mediatrace
can collect metrics on TCP profiles, RTP profiles, interface profiles, CPU profiles, memory profiles and
application health. The statistics gathered assist in fault isolation and troubleshooting.
Each participating network node to be monitored must be configured as a mediatrace responder. Each
participating network node that will be used to initiate mediatrace polls or sessions must be configured
as an initiator. In addition, all switches in Layer-2 mode need to have Resource Reservation Protocol
(RSVP) snooping enabled for hop discovery.
This configuration is shown below:
!
! Configure mediatrace initiators
!
Mediatrace initiator source-interface gig0/1
!
! Configure mediatrace responders
!
Mediatrace responder
!
! Configure RSVP snooping
!
ip rsvp snooping
!
There are two main frameworks for launching mediatrace:
Mediatrace Poll
A mediatrace poll is an on-demand collection of system and network data from network nodes on a
specific path. The mediatrace runs on a hop-by-hop basis and reports on Layer 3 network devices along
the end-to-end path.
Devices with compatible IOS images and configured in Layer 2 mode support mediatrace with RSVP
snooping option enabled. The TTL field in the received mediatrace results remains unchanged because
the Time To Live (TTL) field is not decremented when an IP packet traverses the Layer 2 node.
Hops Poll
This one-time poll trace is useful for identifying what access edge node a video endpoint is attached to
as well as the network path that a media flow takes from end to end, for instance taking a
mediatrace of a VSM server from the access switch where a video endpoint or client endpoint is located.
Consider the following sample topology:
Sample Topology
A reverse mediatrace is run from the initiator, SW9, to the VSM server attached to SW13. The output is
as shown below:
!
SW9-C3560G#mediatrace poll path dest 10.100.21.20 hops
Started the data fetch operation.
Waiting for data from hops.
This may take several seconds to complete...
Data received for hop 1
Data received for hop 2
Data received for hop 3
Data received for hop 4
Data received for hop 5
Data fetch complete.
Results:
Data Collection Summary:
Request Timestamp: 20:20:56.822 PST Wed Nov 28 2012
Request Status: Completed
Number of hops responded (includes success/error/no-record): 5
Number of hops with valid data report: 5
Number of hops with error report: 0
Number of hops with no data record: 0
Detailed Report of collected data:
Number of Mediatrace hops in the path: 5
A source interface can optionally be specified. Notice that the TTL did not change at R8; this is
because the switch is configured to operate in Layer-2 mode, not as a routing device. The switch still
shows up in the mediatrace results anyway since the IOS image installed supports mediatrace.
Currently, the 6500 series with Supervisor 720 engine IOS images do not support mediatrace, therefore
do not show up in the results. The TTL, however, does get decremented as IP packets traverse both 6500
appliances since they are operating as Layer-3 nodes.
System Poll
The system poll is used to fetch data on a system profile, including interface statistics. The following
output shows results from a system poll:
!
SW9-C3560G#mediatrace poll path sou 10.102.0.24 dest 10.100.21.20 system
Started the data fetch operation.
Waiting for data from hops.
This may take several seconds to complete...
Data received for hop 1
Data received for hop 2
Data received for hop 3
Data received for hop 4
Data received for hop 5
Data fetch complete.
Results:
Data Collection Summary:
Request Timestamp: 20:27:56.072 PST Wed Nov 28 2012
Request Status: Completed
Number of hops responded (includes success/error/no-record): 5
Number of hops with valid data report: 5
Number of hops with error report: 0
Number of hops with no data record: 0
Detailed Report of collected data:
Number of Mediatrace hops in the path: 5
The five-tuple used in the path-specifier has to be exactly the same as the existing media flow. The
parameters can be retrieved either from the syslog notification or SNMP trap received, or on-demand
from the monitoring device.
Below is an example of how to gather the required parameters on-demand from a monitoring device:
!
! Identify the existing media flows using the SSRC as the unique search field
!
R9-C3845#show performance monitor status | include SSRC
Match: ipv4 src addr = 10.101.0.10, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 6840, trns dst port = 18814, SSRC = 1835561719
Match: ipv4 src addr = 10.101.0.2, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18950, SSRC = 1321437565
Match: ipv4 src addr = 10.101.0.4, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18776, SSRC = 1327287406
!
The mediatrace will now need to be run from the initiator closest to the source (ideally the access switch
the endpoint is connected to), to the responder closest to the destination (ideally the access switch the
server is connected to).
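Because the five-tuple must match the live flow exactly, it is safer to extract it from the monitor output than to retype it. The following added example (not part of the course material) parses the "Match:" records shown above, including their line wrapping, and renders a flow-specifier stanza. The stanza keywords are copied from the session example on this page, and the function names and the specifier name are hypothetical.

```python
"""Turn 'show performance monitor status | include SSRC' into a five-tuple."""
import ipaddress
import re
from dataclasses import dataclass

# Output copied from this page (router R9-C3845); long lines wrap as shown there.
SAMPLE_OUTPUT = """\
Match: ipv4 src addr = 10.101.0.10, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 6840, trns dst port = 18814, SSRC = 1835561719
Match: ipv4 src addr = 10.101.0.2, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18950, SSRC = 1321437565
Match: ipv4 src addr = 10.101.0.4, ipv4 dst addr = 10.100.21.20, ipv4 prot = udp, trns
src port = 1024, trns dst port = 18776, SSRC = 1327287406
"""


@dataclass(frozen=True)
class MediaFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    ssrc: int


def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_flows(text):
    """Return one MediaFlow per 'Match:' record; raise ValueError on bad input."""
    flows = []
    for record in text.split("Match:")[1:]:
        record = " ".join(record.split())          # undo terminal line wrapping
        fields = {}
        for part in record.split(","):
            key, sep, value = part.partition("=")
            tokens = value.split()
            if sep and tokens:
                fields[key.strip()] = tokens[0]    # ignore a trailing prompt
        try:
            protocol = fields["ipv4 prot"].lower()
            if protocol not in ("tcp", "udp"):
                raise ValueError(f"unexpected protocol: {protocol}")
            flows.append(MediaFlow(
                src_ip=str(ipaddress.IPv4Address(fields["ipv4 src addr"])),
                src_port=_port(fields["trns src port"]),
                dst_ip=str(ipaddress.IPv4Address(fields["ipv4 dst addr"])),
                dst_port=_port(fields["trns dst port"]),
                protocol=protocol,
                ssrc=int(fields["SSRC"]),
            ))
        except (KeyError, ValueError) as exc:
            raise ValueError(f"unparseable Match record: {record!r}") from exc
    return flows


def flow_by_ssrc(flows, ssrc):
    """The SSRC identifies one flow from a source; return it or raise KeyError."""
    for flow in flows:
        if flow.ssrc == ssrc:
            return flow
    raise KeyError(ssrc)


def render_flow_specifier(name, flow):
    """Render the stanza in the layout used by the session example on this page."""
    # Reject anything that could smuggle extra commands into pasted configuration.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", name):
        raise ValueError("specifier name must be 1-32 letters, digits, '-' or '_'")
    return "\n".join([
        f"mediatrace flow-specifier {name}",
        f"source-ip {flow.src_ip} source-port {flow.src_port}",
        f"destination-ip {flow.dst_ip}",
        f"dest-port {flow.dst_port}",
        f"ip-protocol {flow.protocol}",
    ])


if __name__ == "__main__":
    camera = flow_by_ssrc(parse_flows(SAMPLE_OUTPUT), 1321437565)
    print(render_flow_specifier("IPVS-FLOWSPEC-CAM", camera))
```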
The following example shows statistics collected when a perf-mon poll is run between an IP camera and
a VSM server:
A performance monitor poll can also be executed against a synthetic media flow. In the previous section
that discussed network validation, synthetic but realistic media flows were generated using IP SLA VO.
Once the probes have been initiated, the mediatrace poll can be set up as described in this section.
Mediatrace Session
A mediatrace session is a recurring monitoring session that can be scheduled to start at a particular time
and run for a particular duration. Specific metrics to be collected can be defined and hops along the
network path are automatically discovered.
A session would be configured in order to allow a network administrator to gather statistics on a regular
basis on the state of the IP Video Surveillance network health. The endpoints need to be predefined
meaning that each mediatrace session will correspond to a single source and single receiver. The
mediatrace session is typically defined on an initiator that is closest to the monitored source.
Configuring a mediatrace session is useful as a time-saving measure, to quickly gather monitoring
statistics from commonly used endpoints. For example, running a mediatrace session from an access
switch onto which a set of video endpoints are attached to the VSM server, or from the access switch
onto which the VSM server is attached to a client endpoint. Later, when in the process of
troubleshooting, instead of entering the entire session monitoring details (flow and path information), the
mediatrace session number can be quickly invoked.
The following example shows how to configure a mediatrace session between a VSM server (10.0.100.5)
and a client endpoint (10.30.0.1):
!
! Create the path-specifier. This defines the parameters used by RSVP to discover hops
!
mediatrace path-specifier IPVS-PATHSPEC-VSM-PC disc-proto rsvp destination ip 10.30.0.1
source ip 10.0.100.5
!
!
! Create the flow-specifier. This defines the media flow five-tuple
!
mediatrace flow-specifier IPVS-FLOWSPEC-VSM-PC
source-ip 10.0.100.5 source-port 1024
destination-ip 10.30.0.1
dest-port 26602
ip-protocol udp
!
!
! Create session profile. This defines attributes for the performance monitoring profile.
!
mediatrace profile perf-monitor IPVS-PROF-VSM-PC
metric-list rtp
clock-rate 96 35000
admin-params
sampling-interval 60
!
! Create the session parameters.
!
mediatrace session-params IPVS-PARAMS-VSM-PC
response-timeout 20
history data-sets-kept 10
frequency on-demand
!
!
! Define and schedule the mediatrace session
!
Mediatrace 1
path-specifier IPVS-PATHSPEC-VSM-PC
session-param IPVS-PARAMS-VSM-PC
profile perf-mon IPVS-PROF-VSM-PC flow-specifier IPVS-FLOWSPEC-VSM-PC
!
mediatrace schedule 1 start-time now
!
Module 2
VMS
Overview
The Cisco VSM Operations Manager is a browser-based configuration and
administration tool used to manage the devices, video streams, archives, and
policies in a Cisco Video Surveillance deployment.
Lesson 1
VMS
Overview
The Cisco Video Surveillance Manager (Cisco VSM) is an advanced security
solution for enterprise organizations at a centralized location, or who have
offices and sites at diverse geographical locations.
VSM Components
Cisco VSM is a comprehensive video surveillance system that enables your network and security teams
to collaborate effectively in a highly scalable environment combining both video and network
techniques to optimize the experience. Cisco Video Surveillance Manager comprises several
components that combine to create a flexible, highly scalable system for the enterprise.
Cisco Video Surveillance Operations Manager allows a user to quickly and effectively configure and
manage video throughout the enterprise. It provides a highly secure web portal to configure, manage,
display, and control video in an IP network, and allows you to easily manage a large number of
security assets and users, including media servers, cameras, encoders, and event sources.
Understanding Cisco VSM Servers and Server Services
A Cisco VSM deployment includes one or more Cisco VSM servers that provide video processing,
storage, analytics, configuration interface, monitoring, and other features.
Server appliance
Cisco VSM is pre-installed on physical Cisco Connected Safety and Security UCS Platform
Series servers CPS-UCS-1RU-K9 and CPS-UCS-2RU-K9 (when ordered with the Cisco VSM
software installed).
An .OVA template file is installed on a supported Cisco UCS blade to create a new virtual
machine (VM) instance of the server.
The server functionality is the same in either format, although some performance differences and
considerations apply. You can also combine physical and VMs in a deployment.
Virtual machines are often used in a centralized deployment where multiple servers are
installed in a central NOC. Although VM deployment requires some additional configuration
during the initial setup, and additional maintenance of the VM platform, you can more easily
manage multiple servers or add additional VMs as the needs of your deployment change.
Physical servers are frequently deployed at the edge, where only one or two servers are
required to support the cameras in a location or LAN. Physical servers are pre-installed with
the Cisco Video Surveillance Manager software.
Understanding Server Services
Each server can run one or more services that provide features and functions for the Cisco Video
Surveillance system. For example, the Operations Manager provides the configuration interface and
management features for the entire deployment, while the Media Server service manages cameras and
encoders and plays and records video.
At a minimum, every Cisco VSM must include a Cisco VSM Operations Manager server and a Cisco
Media Server. These services can be co-located on a single physical or virtual server, or installed on
stand-alone servers.
Operations Manager
The browser-based Cisco VSM Operations Manager administration and configuration tool. The
Operations Manager can be added as a stand-alone server, or co-located with other services (such as a
Media Server and/or Maps Server).
Media Server
The Media Server service provides video streaming, recording and storage for the cameras and
encoders associated with that server. Media Servers can also be configured for high availability, and
provide Redundant, Failover, and Long Term Storage. Media Servers can be added as a stand-alone
server, or co-located with the Operations Manager, or co-located with the Operations Manager and the
Maps service.
Map Server
Allows Image Layers to be added to location maps using the Operations Manager.
Image layers are viewed by operators using the Cisco Video Surveillance Safety and Security Desktop
application. Cameras, locations and alerts are displayed on dynamic maps, and map images that
represent the real-world location of devices and events.
This service is supported as a stand-alone server on a server running the RHEL 6.4 64 bit OS, or
co-located on an Operations Manager server. In co-located deployments, use the Operations Manager to
activate the service.
Metadata Server
Allows metadata to be added to recorded video, which enables features such as Video Motion Search
in the Cisco SASD desktop application.
Metadata can also be accessed by 3rd party integrators for advanced analytics analysis. Use the
Operations Manager to activate the service.
Note
This service is supported as a stand-alone server only, on a server running the RHEL 6.4 64 bit
OS.
VSF
Enables the Federator service used to monitor video and system health for the cameras and resources of
multiple Operations Managers. The Federator service can only be enabled on a stand-alone server in
this release. Other server services cannot be enabled on the same server as the Federator service. The
Federator interface is accessed using a web browser or the Cisco SASD Federator.
Activated using the Management Console only. Cannot be activated using the Operations Manager.
Note
This service is supported as a stand-alone server only, on a server running the RHEL 6.4 64 bit
OS.
Understanding Co-Located and Stand-Alone Servers
Stand-alone servers are servers that run only a single server service. A stand-alone server can be a
physical or virtual machine.
Co-located servers are physical or virtual servers enabled with multiple server services, such as the
Operations Manager and a single Media Server.
Some system configurations require stand-alone servers. For example, the Cisco Video Surveillance
Federator and Metadata services can only be run as stand-alone servers. In addition, Operations
Manager HA requires that both servers in the redundant pair be stand-alone servers. Additional server
services cannot be enabled.
Required
Operations Manager
Stand-alone server or co-located with one Media Server and/or one Maps server.
Each deployment requires one Operations Manager to manage the system.
Operations Manager HA configuration requires two stand-alone Operations Manager servers.
A co-located Operations Manager does not support the same number of Media Servers as a
stand-alone
Media Server(s)
Each deployment requires at least one Media Server to enable video streaming and recording.
One Media Server can be co-located with the Operations Manager service.
All additional Media Servers can be stand-alone servers or co-located servers with the Maps Server
service.
Co-located Media Server can only be a primary Media Server (co-located Media Servers do
not support other HA roles such as Standby or Redundant).
Failover or Redundant Media Servers cannot be associated with a co-located primary Media
Server.
Only a long term storage (LTS) server can be associated with a co-located primary Media
Server.
Co-located Media Servers do not support the same number of cameras as a stand-alone server.
Optional
Metadata Server
Federator
Stand-alone server only. Select the VSF service using the Management Console Initial Setup
Wizard.
Other server services cannot be enabled on the same server as the Federator service.
Video Viewing Options
Live and recorded Cisco Video Surveillance video can be viewed using a Cisco-provided application.
Mobile device
Cisco VSM Mobile Viewer
Allows access to surveillance cameras using a phone or tablet to remotely monitor live streams and
recorded video streams.
Deployment Scenarios
Overview
The fundamental factor when designing a Cisco VSM deployment is determining
where the Cisco Video Surveillance Manager (Cisco VSM) servers will be located.
This determination is based on the bandwidth requirements of your surveillance
video, and the performance of your network.
VMS Architecture
A Cisco Video Surveillance Manager deployment starts with the location of your video cameras and the
servers that support them. Specifically, you must determine where the Cisco VSM Operations Manager
server and Cisco Media Servers will be located.
This lesson describes the basic server deployment scenarios, including the following:
The cameras for a centralized deployment can be installed in multiple networks (NATs), and securely
communicate with the central servers over a WAN or public Internet. Users who monitor the video can
also be at different locations and networks.
This scenario is typically used by school districts or businesses where cameras are at various locations
but the server infrastructure is in a central administrative location.
Centralized Management and Distributed Architecture.
Video surveillance cameras continuously stream video to their associated Media Servers, even if video
is not being recorded or monitored. This provides on-demand video access to users, and for recordings
if an event occurs.
This on-demand video requires sufficient bandwidth between the network where the cameras are
installed and their associated Media Servers that manage and record that video. If network bandwidth is
limited, slow, or expensive, performance, quality, or cost issues can occur.
To address these issues, a distributed deployment can be used. In this deployment architecture, the
management servers (such as the Operations Manager, Long Term Storage, and Dynamic Proxy
servers) are still located in a central NOC, but the Media Servers are installed in the networks where
cameras and encoders are located. Since video is streamed from the cameras to the Media Servers, this
distributed deployment greatly reduces the amount of video traffic sent between networks since video
is only sent from the Media Server to users (or a Long Term Storage server) when requested.
In the example, the Operations Manager is centrally-located in a NOC, along with optional LTS storage
servers and a Dynamic Proxy server. The Media Servers are installed in the same locations as the
cameras and encoders they support.
For example, a city-wide deployment may include a Cisco VSM system for each independent agency,
such as the county court, schools, police, post office and fire department. Each of these deployments
includes an Operations Manager server that is used to configure the cameras, users, and features for
that agency or department.
To allow central employees or security personnel to monitor the video from all Cisco VSM
deployments, a Cisco VSM Federator server is installed in a central location. The Federator provides
video monitoring without giving them direct access to the administrative and configuration features.
Hybrid Deployment Scenarios
Each of the deployment scenarios described in this document can be combined with other server and
storage options, such as on-camera recording (Connected Edge Storage), Dynamic Proxy, high
availability, long term storage, Maps server, Metadata servers, and other features. Use of these options
depends on your organization's needs and the network resources available from the various
locations in your deployment.
Lesson 3
Server performance
The number of cameras, amount of video data, and storage supported by each Cisco Media Server.
Performance numbers vary depending on the server model and configuration, and factors such as if the
device is a physical or virtual machine.
Server storage.
The amount of storage supported by, and installed in each server. This is the amount of video and other
data that can be stored before automatic pruning occurs.
Deployments with greater recording needs or longer video archive retention times will require greater
amounts of storage space.
You can also install external storage arrays to increase the available storage.
When selecting a server for Media Servers with the intention of increasing the server's internal
storage later, it is recommended to select a server with the maximum number of hard drives (e.g. 12)
so that an equal number of hard drives can be added later.
Adding internal storage will require configuring an additional RAID-5/RAID-6 array with the new hard
drives to create a new RAID volume (LUN); adding an equal number of drives will allow for a roughly
equal size storage volume for recording additional cameras, and maximize the additional storage
capacity. Adding a new RAID-5/RAID-6 array with only a few hard drives (e.g. 2-4) is a less efficient
use of the additional capacity.
For example, a CPS-UCS-2RU-K9 server with a (12) drive capacity could be deployed with (6) 4TB
hard drives, and later add an additional (6) 4TB hard drives, for an approximately 16TB capacity
initially, and later add approximately 16TB more.
Network conditions.
The network policies, performance, and bandwidth required to support your deployment.
For example:
Cameras in locations where bandwidth is limited or expensive can use a distributed server
deployment, on-camera recording, or a Dynamic Proxy server.
Determine Bandwidth and Storage Estimates for Media
Servers and Cameras
The network in a Cisco VSM deployment must be able to continuously stream video from the cameras
to the Cisco Media Servers, and from the Media Servers to the monitoring workstations in your
deployment. The bandwidth requirements for each Media Server include all of the video streams
configured for its cameras, and the bandwidth of the video streams from the Media Servers to other
applications and to monitoring workstations. Depending on the location of the cameras, Media Servers
and monitoring workstations, different segments of the networks will also have different bandwidth
requirements.
For example, if cameras are installed in different network segments (NATs) than the Media Servers,
then the network must have sufficient bandwidth between those segments for the video streams from all
cameras. The bandwidth requirement is the aggregate data rate for all cameras assigned to a server.
You must include all camera streams from each camera, and the different bit rates for each stream. For
example, if a camera has dual video streams, you must include both streams in your bandwidth
requirement calculations.
Camera bandwidth
Calculate per-camera bandwidth estimates based on the expected video stream, media type, resolution,
and frame/bit rate.
Calculate bandwidth requirement estimates for each Media Server based on expected number of video
streams to the Media Server.
Storage requirements
Calculate storage requirement estimates per Media Server based on expected number of archives in the
Media Server, their expected duration, and video stream information. Include 7-minute loop archives in
motion detection event setups.
Recommended
Consider disk space requirements for clips stored on the server. Even if the clip duration is short (for
example, 15 seconds), it occupies 5 to 10 minutes worth of disk space.
Consider disk space requirements for archive backups.
Consider future expansion plans and disk space requirements for new feeds and archives.
Based on the bandwidth and storage estimates, determine if the Cisco Media Server hardware can
handle the expected configuration. Consider future expansion plans, if any.
Using the Guided System Selling Tool
Use the Cisco Commerce Workspace Guided System Selling tool to determine the resources required
by your deployment, the prices for those components, and to order the devices and resources.
The resources include the total number of cameras, the total camera bit rate (Mbps), the number of
required physical or virtual servers, licenses, network switches, and other resources required in your
deployment.
Procedure:
Step 4 Complete the on-screen forms to determine the cameras, servers, licenses, network
switches, and other resources required in your deployment.
Methods to Reduce Video Bandwidth Usage
If bandwidth is limited between the video cameras and supporting Media Server, use one or more of the
following methods to reduce the bandwidth created by the video streams, or reduce the traffic sent
between network segments.
To reduce the video framerate, use one or more of the following methods:
Economical Streaming
By default, video cameras continuously stream video over the network to the Media Server. This allows
users to instantly access live video, and recordings to begin immediately when an event occurs.
Economical Streaming is a camera feature that delivers video only when requested by a user, or when an
event occurs.
When selected:
When Economical Streaming is enabled, motion event alerts and other Advanced Event
processing is disabled since video is only sent when requested by a user.
Connected Edge Storage
Video cameras can use this feature to save video on the camera's storage device (such as an SD card).
This can be used with Economical Streaming (above) to eliminate the need for a local Media Server, and
send video over the network only when requested.
For example, if a camera with on-device storage is installed in a remote sub-station, video can
be streamed continuously to the camera's SD card. That video is not sent across the network to
the Media Server unless requested by a user.
If the camera is mobile, such as a camera installed on a bus, video can be saved to the camera's
storage when the bus is in service, and transferred to the Media Server when the bus (and
camera) are back in network range.
Using Dynamic Proxy to Monitor Video From Low-
Bandwidth Sites
Dynamic Proxy.
When cameras and their associated Media Servers are located in a Site with limited outgoing connectivity
(such as an offshore oil platform), the Dynamic Proxy (DP) feature can be used to reduce the amount of
video data going out from that remote Site.
The Dynamic Proxy (DP) feature provides this service by retrieving video from the remote Media
Servers and delivering it to the end users. The DP minimizes the amount of bandwidth used to deliver
video data from the remote Site while allowing multiple users to access that video data.
Dynamic Proxy
For example, an offshore oil platform has a set of IP cameras and Media Servers. Any requests coming
from users within that Site can be serviced by those on-Site Media Servers. Since the internal network is
robust, the video is delivered at high resolution.
However, since this offshore oil platform has limited bandwidth to send data to on-shore monitoring
Sites, requests from off-Site users would quickly consume the available outgoing bandwidth.
When the Dynamic Proxy feature is enabled, however, requests for video from off-Site (onshore) clients
can be intercepted and serviced by the Dynamic Proxy. This Dynamic Proxy can collect a single video
stream from the off-shore Site and deliver it to multiple users onshore.
For example:
The Dynamic Proxy establishes secure communication with the source Media Server, retrieves
the video, and displays it to the off-Site user(s) who requested it.
The Dynamic Proxy service scales down the audio/video quality to accommodate a small network
pipe between the Media Server and the Dynamic Proxy server.
The Dynamic Proxy service is only available for live video streams.
The Dynamic Proxy servers do not support Failover. If a Dynamic Proxy server goes down or is
unavailable, the user must re-request the video stream. The video will be served by a different
Dynamic Proxy server, if configured.
PTZ commands can be used by users inside and outside a Site since PTZ commands use a small
amount of bandwidth and are sent directly to the Media Server.
The maximum latency between a Media Server and Dynamic Proxy Server is 4 seconds. This is
long enough to allow the use of a satellite link between a central site and remote location.
The Dynamic Proxy server supports only live video. Access to recorded video goes directly to
the Media Server where the recorded video is stored. This doesn't benefit from bandwidth
savings through the proxy server.
Camera Controls like PTZ are not supported through the Dynamic Proxy server. These
commands go directly to the Media Server that is hosting the camera that is the intended target
of the command.
Proximity based DP Server selection is not supported. This means if a user logs in from the
Milpitas Site and is accessing a camera in San Jose and if there are Dynamic Proxy servers in
North Carolina and one in San Jose, the Operations Manager will randomly pick one of the DP
Servers.
Setting Description
MJPEG Max Framerate To Skip
(Optional) Stream thinning to be carried out for MJPEG streams. Must be set based on
bandwidth availability.
All MJPEG frames are IFrames. Depending on the frame rate of the original stream, skip
values are supported when the cumulative frame rate is greater than or equal to 0.1 fps.
Therefore, the maximum value is 10 times the MJPEG stream's framerate.
The supported values are from 1 - 300.
For example, if the original frame rate of the MJPEG stream is o_fr, then the MJPEG Max
Framerate To Skip can be any value, x, where o_fr/x >= 0.1 fps.
For example, for 10fps, it is 100, for 30 fps, it is 300, for 0.1fps, it is 10, etc.
Note
This setting is enabled only if the Dynamic Proxy service is enabled.
Max I Frames To Skip
(Optional) The number of IFrames to skip for a video feed.
The minimum and maximum skip rates vary depending on the video stream format:
MPEG4/H.264 Streams
The minimum and maximum values are 1 - 9 (true only for cameras sending 1 IFrame per
second).
For MPEG4 and H264, setting a skip value results in a stream with only IFrames. Most cameras send 1
IFrame per second. If the stream (regardless of frame rate) is sending 1 IFrame per second,
the maximum skip is 9.
Note
This setting is enabled only if the Dynamic Proxy service is enabled.
Lesson 4
Securing VMS
Overview
This lesson provides the best practices and recommendations to ensure the
security of Cisco Video Surveillance (Cisco VSM) components, including the
Cisco VSM Operations Manager, Cisco Media Servers, Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application, video
devices, and client PCs.
A video surveillance system typically captures valuable, confidential, and sensitive information. This
information also is often required for command and control, and for critical decisions. It is important
that you secure your video surveillance deployment to protect your information, thwart bad actors and
disruptive actions, and prevent accidental or intentional destruction of data. By following the
guidelines in this document, you can help to protect your video surveillance system against physical
threats and unauthorized access or configuration changes. You can also establish audit trails to assist
with resolution if issues do occur.
To control physical access to video surveillance components, consider the following guidelines:
If possible, place components in areas where you can control who can access the areas. For
example, consider placing servers in locked cages or rooms.
To establish a secure network topology, deploy Cisco VSM software, clients, servers, and video
devices in the same secure network, which is a network that is physically or logically separated from
general access networks.
If necessary, you can allow clients from outside the network access to Cisco VSM servers. However, it
is a best practice to use standard network methodologies to limit or control such access to the
maximum extent possible.
In addition, it is a best practice to isolate video devices from general users and viewers on a network.
To do so, follow these guidelines:
Create one or more separate VLANs for video devices. Make sure that each VLAN limits
access to monitoring and administrative users only.
On network switches, configure access lists to allow Cisco Media Servers to access these
VLANs.
Changing Default Passwords
Before you begin to operate a VSM system, change all default passwords. Use passwords that are not
easy to guess, and control who has access to the passwords. A strong password prevents someone who
knows a default password from accessing your system.
Procedure
Enter the number of minutes before a user is automatically logged out due to inactivity.
After this period, users must reenter their username and password to log back in.
Setting Description
Password Expiry Months
The number of months before a user password automatically expires. At the end of this
period, users are required to enter a new password.
Minimum Password Length
The minimum number of characters for a valid password. Passwords with fewer
characters than the entered value are rejected.
Maximum Password Length
The maximum number of characters for a valid password. Passwords with more
characters than the entered value are rejected.
Identical Password/Username Allowed
If selected, user passwords can be the same as their username.
If de-selected, user passwords must be different than their username.
3 Password Groups Required
If selected, user passwords must include characters from at least three different
types of characters, including:
lower case letters
upper case letters
symbols
numbers
If de-selected, user passwords can include only one type of character
(for example, all lower case letters).
Repeat Characters
If selected, user passwords can repeat the same 3 characters.
If de-selected, user passwords cannot repeat the same 3 characters.
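The password settings in the table above can be mirrored in a pre-deployment check, shown here as an added example that is not Cisco VSM code. The field names, default values, violation codes, the reading of "repeat the same 3 characters" as three identical characters in a row, the case-insensitive username comparison, and the month-end clamping are all assumptions of this sketch.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical field names; each maps to one row of the settings table.
    # Default values are constructed for this example.
    expiry_months: int = 6
    min_length: int = 8
    max_length: int = 64
    allow_same_as_username: bool = False   # Identical Password/Username Allowed
    require_three_groups: bool = True      # 3 Password Groups Required
    allow_repeat_chars: bool = False       # Repeat Characters


def character_groups(password):
    """Return which of the four character types appear in the password."""
    groups = set()
    for ch in password:
        if ch.islower():
            groups.add("lower")
        elif ch.isupper():
            groups.add("upper")
        elif ch.isdigit():
            groups.add("number")
        else:
            groups.add("symbol")  # everything else, including spaces
    return groups


def has_triple_repeat(password):
    # Assumption: one character appearing three times in a row, e.g. "aaa".
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def validate(policy, username, password):
    """Return a list of violation codes; an empty list means accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("too_short")
    if len(password) > policy.max_length:
        violations.append("too_long")
    # Assumption: the comparison ignores case, so "ALICE" matches user "alice".
    if (not policy.allow_same_as_username
            and password.casefold() == username.casefold()):
        violations.append("same_as_username")
    if policy.require_three_groups and len(character_groups(password)) < 3:
        violations.append("fewer_than_three_groups")
    if not policy.allow_repeat_chars and has_triple_repeat(password):
        violations.append("repeated_characters")
    return violations


def expiry_date(changed, months):
    """Date on which a password set on `changed` expires.

    Assumption: when the target month is shorter, the day is clamped to
    its last day (30 November + 3 months gives 28 February).
    """
    month_index = changed.month - 1 + months
    year = changed.year + month_index // 12
    month = month_index % 12 + 1
    day = min(changed.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample accounts and candidate passwords.
    samples = [("alice", "ALICE"), ("bob", "aaaBBB111"),
               ("carol", "Str0ng!Passw0rd")]
    for user, candidate in samples:
        print(user, validate(policy, user, candidate) or "accepted")
    print("expires:", expiry_date(date(2024, 11, 30), policy.expiry_months))
```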
The self-signed or custom certificate is also used for back-end communication between Cisco Video
Surveillance components, such as between the Operations Manager, Media Server and/or Management
Console.
Configuring User Roles and Access
As a best practice, create users that have access to the locations, cameras, and video that they require.
Cisco VSM users can monitor video or configure the system based on the following:
The user group(s) to which the user is assigned: user groups are associated with a user Role,
which defines the access permissions for the group.
Users can be assigned to multiple user groups, and gain the combined access permissions for
all groups.
Tip
User accounts provide access to both the browser-based Operations Manager and the Cisco Safety and Security
desktop application.
Make sure that the current Microsoft Windows update is installed. These updates typically
provide increased security features.
Overview
Video can be recorded using a variety of automatic methods, or manually
triggered by a user.
Video can be recorded continuously, when an event occurs, or be manually triggered by a user.
Recording Type
Continuous recording, scheduled recordings, and/or motion event
recordings
The recordings can occur continuously in a loop (for example, the past 30 minutes), or according to a
schedule (such as Monday-Friday, 8 a.m. to 11 a.m.).
In either case, recording can occur for the entire time, or only when triggered by a motion event.
User-initiated recording
Describes how to enable the On Demand Recording option when a user right-clicks a camera's live
image.
Cisco VSM supports configuration for default motion detection settings to allow quick setup of camera
motion detection. The motion detection inclusion window is set to the full frame and sensitivity is set
to a default value. These settings may or may not be optimal for detecting video in all situations
depending on many factors such as lighting, the camera placement and if there is extraneous motion in
the scene. For example, if there is an area in the frame where there is always motion, the camera may
continuously detect motion and motion recording will continuously record video. Prior to Cisco VSM
7.6, recording would stop by default after 2 hours of continuous motion activity. In Cisco VSM 7.6,
that behavior has been changed and motion based recording will continue as long as there is motion
activity. This may negatively affect video retention for all cameras on the same Media Server, if this
motion recording behavior is not expected.
When configuring motion recording, make sure that the camera is detecting motion as
expected. Use the Operations Manager's motion detection configuration page to observe the
camera's motion activity, and ensure the field of view is correct. Make sure that motion is
being detected as expected and adjust the inclusion and exclusion windows and settings as
needed.
When configuring motion detection for a camera using Operations Manager, always click the
Save Motion Config button to save changes before closing the browser or leaving the motion
configuration page. If you do not save the motion settings, the motion detection recording will
not operate as intended.
Deployment Scenarios
Connected Edge Storage is typically used when the camera is off network, or to save network
bandwidth. Refer to the following use cases for more information:
Off-Network Cameras
This deployment scenario is useful when it is not critical to continuously monitor or record video.
Off-Network Cameras
Cameras that support on-device video storage can save recordings on the camera, and copy them to the
Cisco VSM system at a later time. This feature is typically used when the camera is out of network
range while recording.
For example, a bus equipped with an IP (network) camera can save video recordings to the camera
even when the bus is transporting passengers. When the bus returns to the depot, and is again in
network range, the recordings can be copied to the Media Server that supports the camera. The copy
action can be performed automatically when the bus camera rejoins the network, or an operator can
manually trigger the copy action using the Operations Manager interface.
Connected Edge Storage: Camera Recording on Device and Copy to a Media Server
Copy Options
Video that is saved to the camera's SD card must be copied to the Cisco Media Server so it can be
viewed and analyzed using the Cisco Video Surveillance Safety and Security Desktop (Cisco SASD)
application.
The video can be copied manually based on a start and end time, or automatically copied when an
event occurs. Video can also be merged based on the camera template recording schedule.
Automatic merge
Automatically copies a continuous recording to the Media Server based on the camera template's
recording schedule.
After configuration, no user interaction is required. The recordings are copied to the Media Server
when camera network communication is established (or re-established).
When the action for an event is Record for some time, video for each event is automatically saved to
the camera storage (such as an SD card) and to the Media Server.
Important Performance Considerations with Connected Edge Storage
Note
Cisco VSM Release 7.5 and higher can support up to 100 cameras configured with Auto-Merge recordings on a single Media
Server depending on the model of server and video data rate.
See the Auto-Merge Calculator tool for guidance on using Auto-Merge recordings with more than 10 cameras on a single
Media Server (to download the tool, go to the Cisco Video Surveillance Manager download page, select Video Surveillance
Manager Stand-alone Tools, and download the Auto-Merge Calculator tool).
For cameras with camera storage configured with Manual Copy, there is no limit to the number of cameras on a single Media
Server imposed by camera storage. The normal limits of 250 cameras and limits on recording bandwidth depending on video
configurations of the cameras and server type still apply.
Example
For example, when a camera configured with Auto-Merge recordings reconnects to the Media Server
after a network outage, live video recording will resume and the camera will begin copying locally-
stored video to the Media Server (to fill the recording gaps on the Media Server). Video is also copied
from the camera at a rate that is at least 25% faster than real-time so that all of the video from an
outage is copied from the camera before it is overwritten. This means that after an outage, the total
bandwidth from the camera to the Media Server is more than 2X the video data rate until all of the
video from the outage has been copied from the camera. Since the Media Server has a limit on total
recording bandwidth, the use of Auto-Merge recordings will reduce the total number of cameras that
can be supported on a Media Server. If all of the cameras on the Media Server are configured with
Auto-Merge recordings, the number of supported cameras will drop by more than half.
Example Video and SD Card Configurations
The following tables show examples of video configurations and SD card sizes for 1RU and 2RU
servers, and the maximum outage that can be supported by the Auto-Merge Recordings feature. If
the outage exceeds the maximum, recorded video in the camera from the outage period will be lost.
Additional Limitations
MJPEG streams are not supported with the Connected Edge Storage feature.
The maximum supported video bit rate for camera storage is 6Mbps.
For Auto-Merge recordings, only video recorded in the last 24 hours can be auto-merged.
When camera storage is used, the camera reserves 1GB of space on the SD card for buffering
and it is not available for video recording. For example, only 15 GB is available on a 16GB SD
card.
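The Auto-Merge behaviour and limits described above can be turned into a planning estimate, shown here as an added example that is not a Cisco tool and does not replace the Auto-Merge Calculator. It uses the page's figures (copy at least 25% faster than real time, 6 Mbps maximum, 1 GB reserved, 24-hour window, 100 and 250 camera limits); the function names, decimal GB units, and the server recording bandwidth passed in are assumptions.

```python
import math
from dataclasses import dataclass

# Limits stated on this page for Connected Edge Storage and Auto-Merge.
COPY_SPEEDUP = 1.25             # stored video is copied at >= 1.25x real time
MAX_BITRATE_MBPS = 6.0          # maximum video bit rate for camera storage
SD_RESERVED_GB = 1.0            # SD card space reserved for buffering
AUTO_MERGE_WINDOW_HOURS = 24.0  # only the last 24 hours can be auto-merged
MAX_CAMERAS = 250               # normal per-server camera limit
MAX_AUTO_MERGE_CAMERAS = 100    # per-server limit with Auto-Merge


def max_outage_hours(sd_card_gb, bitrate_mbps):
    """Upper bound on the outage a camera can bridge before video is lost."""
    if not 0 < bitrate_mbps <= MAX_BITRATE_MBPS:
        raise ValueError("bit rate must be above 0 and at most 6 Mbps")
    usable_gb = max(sd_card_gb - SD_RESERVED_GB, 0.0)
    # Assumption: decimal units, so 1 GB holds 8000 megabits.
    hours = usable_gb * 8000 / bitrate_mbps / 3600
    return min(hours, AUTO_MERGE_WINDOW_HOURS)


@dataclass(frozen=True)
class OutagePlan:
    recoverable_hours: float  # outage video that can still be merged
    lost_hours: float         # outage video overwritten or outside the window
    catch_up_hours: float     # longest copy time, at the minimum 1.25x rate
    peak_mbps: float          # minimum camera-to-server rate during catch-up


def plan_outage(outage_hours, sd_card_gb, bitrate_mbps):
    limit = max_outage_hours(sd_card_gb, bitrate_mbps)
    recoverable = min(outage_hours, limit)
    return OutagePlan(
        recoverable_hours=recoverable,
        lost_hours=outage_hours - recoverable,
        catch_up_hours=recoverable / COPY_SPEEDUP,
        # Live stream (1x) plus the copy stream (1.25x) run together.
        peak_mbps=bitrate_mbps * (1 + COPY_SPEEDUP),
    )


def cameras_supported(server_record_mbps, bitrate_mbps, auto_merge):
    """Cameras one Media Server can record, sized for the catch-up peak.

    server_record_mbps is an assumed input: the page gives no figure for a
    server's total recording bandwidth.
    """
    if auto_merge:
        per_camera = bitrate_mbps * (1 + COPY_SPEEDUP)
        cap = MAX_AUTO_MERGE_CAMERAS
    else:
        per_camera = bitrate_mbps
        cap = MAX_CAMERAS
    return min(math.floor(server_record_mbps / per_camera), cap)


if __name__ == "__main__":
    # Constructed scenario: 16 GB card, 4 Mbps stream, 12-hour outage.
    print(plan_outage(12, 16, 4.0))
    # Constructed server figure of 400 Mbps total recording bandwidth.
    print(cameras_supported(400, 2.0, auto_merge=False),
          cameras_supported(400, 2.0, auto_merge=True))
```

With the constructed 400 Mbps figure, the supported count falls from 200 cameras to 88, which matches the "more than half" reduction described above.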
Lesson 6
Overview
The Cisco Video Surveillance Manager (Cisco VSM) deployments typically
include servers, cameras, encoders, and users located in different networks.
Network configuration for each of these devices must be correct or system
errors will occur.
Network NAT Support
A typical Cisco VSM deployment includes servers, cameras, encoders, and users located in different
networks, which requires video traffic and other data to be sent across network NAT boundaries.
Although this is supported in Release 7.6 and higher, some configurations, such as Operations Manager HA
server pairs, require devices to be in the same network NAT.
For example, Cisco Media Server streams all audio and video data to monitoring clients (PC
workstations) from RTSP port 554. Cameras stream data to Media Servers using UDP ports 16000:19999.
Nic Port 1 configured for DHCP (the IP address and other settings are received from a DHCP
server, if available).
These settings are applied in new servers, or servers that have been restored using the USB recovery
drive. Use either of these addresses to access the Cisco VSM Management Console and complete the
Setup Wizard. At least one of these interfaces must be reachable from the network where the workstation is
installed.
Server Reachability.
Dual-homed/NAT Configurations
Dual-homed/NAT server configurations are not supported on any server running the Operations
Manager service (including co-located servers). The Operations Manager server hostname can
resolve to only one (correct) address. All users must be able to access that IP address.
Dual-homed/NAT server configuration is supported only for stand-alone Maps, Metadata, and
Media Servers.
Server Reachability
Stand-alone Maps, Metadata, or Media Servers must be added to Operations Manager using an IP
address or hostname that can be accessed by all users.
For example, add the server using a hostname to ensure user requests resolve to the correct IP address if
there is a NAT between users and the server.
Note
The hostname is usually resolved via DNS, but can also be resolved by configuring the user's computer to resolve
each server hostname.
Operations Manager-only system: Only one interface can be enabled (static or DHCP). The other interface must
be disabled.
Verify that the Operations Manager server hostname resolves to only one
(correct) address. Dual-homed/NAT server configurations are not supported
on any server running the Operations Manager service.
Stand-alone Maps, Metadata, or Media Servers: At least one Ethernet port must be enabled. The following
combinations are supported:
Notes:
Dual-homed/NAT server configuration is supported only for stand-alone Media
Servers.
A hostname must be configured on all servers. The hostname does not have to be
accessible through DNS, but all servers must have a hostname configured (a
hostname is required for some services such as ActiveMQ).
Notes
At least one static interface must be configured.
A server's network settings can be modified using either the Cisco VSM Management Console or
the browser-based Operations Manager tool.
Changing network settings can cause the server to restart system services. Restarting services
can take up to 90 minutes or more depending on number of devices managed by the Operations
Manager and Media Server. Installed products will be offline during this time.
Using Dynamic Host Configuration Protocol (DHCP)
A DHCP server can be used to automatically assign network settings for a server, camera, or encoder.
Server DHCP
A DHCP server can be used to automatically assign the IP address, default gateway and the DNS server
for a server Ethernet port. If DHCP is enabled, then the other network fields are disabled and the
required settings must be provided by the DHCP server.
To manually assign the IP address, default gateway, or DNS server, de-select DHCP by selecting the
Static IP option.
Note
If the Media Server interface used in the Operations Manager configuration is set to DHCP, the connection can be lost when the
Media Server reboots and receives a different IP address. To restore communication, update the Operations Manager
configuration with the new Media Server IP address. To avoid this situation, we recommend using a DNS hostname for the
DHCP interface, or using a static IP address.
Configuring an interface as DHCP may cause connectivity issues if no DHCP server is present in the network. For example, if an
interface is configured for DHCP, and a DHCP server is not available in the network, then the network settings (such as the IP
address and default gateway) will fail to populate and network communication cannot occur.
Camera DHCP
DHCP also offers a convenient way to assign IP addresses to many cameras at once.
When using DHCP, it is important to configure the DHCP server properly. DHCP servers support
assigning addresses to devices in these ways:
Dynamic assignment: An IP address is assigned temporarily for the duration of a lease time. At
the end of this time, the address expires and a new address is assigned.
Automatic assignment: A camera is assigned a permanent IP address that is based on its MAC
address.
Static assignment: A system administrator must assign IP addresses based on MAC addresses
of devices and enter the IP addresses into the DHCP server.
With dynamic assignment, an IP address can change when the lease expires. In general, this event causes
a short loss in video while the IP address changes and streaming resumes. However, in some cases, such
as if the IP address changes during certain administrative operations or during a failover, VSM is not
informed of the address change and loses connectivity with the camera until the camera is reset. To
avoid this situation, Cisco recommends that the DHCP server be configured with automatic assignment.
If dynamic assignment must be used, Cisco recommends that a long lease time be configured.
Note
DHCP is required for using Medianet camera discovery in Cisco VSM 7.x.
Note
Settings such as name, template, location, media-server associations are configurations in the Operations Manager
and are not merged or overwritten by discovered settings.
Allowing Duplicate Camera IP Addresses
By default, servers, encoders, or cameras with duplicate IP addresses are not allowed and will result in
an error.
If your network configuration requires that devices be added with duplicate IP addresses, you can enable
the Allow Duplicate IP Address system setting. This setting allows multiple cameras with the same
access IP address to be added to the Operations Manager configuration. For example, cameras with the
same IP address can be added to different Media Servers in different locations.
Note
Medianet cameras must be configured for DHCP. Cameras that do not support Medianet can only be
added using a static IP address.
The following scenarios can also occur for cameras configured with hostnames, if the DNS entry does not
update with the correct hostname to IP address mapping.
Cisco Cameras
The new IP address is automatically updated in Operations Manager for Cisco cameras configured with
DHCP. To clear the error message, choose Repair Configuration from the Device Settings menu.
Non-Cisco Cameras
You must manually enter the correct IP address in the camera configuration for non-Cisco cameras
configured with DHCP.
Step 1 Open the camera configuration page in Operations Manager.
Step 2 Select the Status tab and verify the following:
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up window.
Verify that a Hardware ID Mismatch issue occurred.
Step 3 Select the General tab.
Step 4 Under Access Information, enter the correct IP address for the device.
This is the setting used by Operations Manager to communicate with the device.
The IP address stored in Operations Manager must be the same as the device configuration.
Step 5 Verify that the camera status changes to Enabled: OK (green).
Scenario 2: Cameras Configured with Static IP Addresses
If cameras are configured with a static IP address, and that address is changed in the camera's device
user interface, the device is placed in Enabled: Critical state with a hardware ID mismatch issue. This is
because the IP address no longer matches the hardware address configured in the Operations Manager.
This occurs for each camera where the IP address was changed.
If another camera has the same IP address, an ID collision issue occurs.
If the camera's IP address is unique, but no longer matches the entry in the Operations Manager,
you must correct the entry on the camera configuration page.
Procedure
Step 1 Open the camera configuration page in Operations Manager.
Step 2 Select the Status tab and verify the following:
The device overall status is Enabled: Critical.
Click the link next to the Hardware category to open a pop-up window.
Verify that a Hardware ID Mismatch issue occurred.
Step 3 Select the General tab.
Step 4 Under Access Information, enter the correct IP address for the device.
This is the setting used by Operations Manager to communicate with the device.
The IP address stored in Operations Manager must be the same as the device
configuration.
Step 5 Verify that the camera status changes to Enabled: OK (green).
Adding cameras from different networks (NATs).
This section describes how to add cameras that are installed in a different network (NAT) than the Cisco
VSM Operations Manager.
Review the following topics to understand the two different IP addresses assigned to cameras, and how
the Cisco VSM Operations Manager determines if a duplicate entry exists when adding the new device.
Note
If all cameras and servers are in the same network, then the Private (NIC) IP address and Access (NAT) IP address
are the same.
The network router uses network address translation (NAT) to route data from the private NIC address
of a device (camera) to and from external networks. For example, in the figure, a request from the Cisco
VSM Operations Manager is sent to the camera's access (NAT) IP address. The network router forwards
that data to the camera's private (NIC) IP address.
To ensure data is sent to the correct device, the Operations Manager normally requires that each
camera's access (NAT) IP address be unique (by default). If a camera is added or discovered, and a
device entry with the same access (NAT) IP address already exists, the camera may be merged with an
existing record, or an error can occur.
This document describes the following scenarios to avoid camera IP address conflicts:
Understanding Camera IP Address Conflicts
A camera IP address conflict occurs if the device is assigned an IP address that is already configured on
another camera that was (previously) added to Cisco VSM.
If a camera is added or discovered with a duplicate access (NAT) IP address, the following rules apply:
In this scenario:
The camera is added using the Access (NAT) IP address. The Access (NAT) IP address appears in the
camera page of the Operations Manager UI.
Only the Access (NAT) IP address is checked for duplicates. The Private (NIC) address is ignored during the
duplicate check.
The Access (NAT) IP address is static and unique, so a collision ID will not occur.
The Private (NIC) address is taken from the IP header and added to the config.
Note
This scenario is supported when manually adding a camera, or for automatic discovery of Medianet-enabled
cameras.
User-initiated discovery of cameras (non-Medianet devices) is not supported since the Operations
Manager cannot determine that the cameras are behind a NAT (since DHCP is not used).
Scenario 3:
In this scenario:
The Access (NAT) IP address is added or discovered.
Only the Access (NAT) IP address is checked for duplicates. If a duplicate exists, a collision ID can occur.
Select the Allow Duplicate IP Addresses system setting to allow duplicates. Duplicate camera
entries will be ignored and the camera will be added.
The Private (NIC) address is taken from the IP header and added to the camera config.
Lesson 7
Understanding NTP
Configuration.
Overview
The server time synchronizes server operations, defines recording timestamps
and backup schedules. To ensure correct playback and system operation, we
strongly recommend using Network Time Protocol (NTP) for all servers and
devices.
Recommended (and Default) NTP Configuration
In the default and recommended NTP configuration, the Operations Manager is configured with an NTP
server, and all other servers, cameras and encoders use the Operations Manager as their NTP server. This
ensures that all devices, recordings, timestamps, alerts, and other resources are synchronized.
In the figure, the cameras use their Media Servers as the NTP server, and the Media Servers use the
Operations Manager as the NTP server. Since these are the default settings, no user configuration is
required except to (optionally) enter a custom NTP server address for the Operations Manager server.
If an NTP server is not configured on the device, you must update the camera settings to either enter an
NTP server address or select Use Media Server as NTP.
This setting is displayed only for camera models that support NTP.
You must belong to a user group with Cameras permission.
Note
Auto-configuration applies a set of basic configurations to cameras that are discovered on the network.
Auto-configuration is disabled for all camera models by default.
Lesson 8
Overview
Two Operations Manager servers can be configured as a redundant pair for
high availability (HA). Since the Operations Manager is responsible for
configuring and coordinating the entire Cisco Video Surveillance deployment,
this helps ensure uninterrupted system access for users and administrators.
Operations Manager (VSOM) HA
In Figure, users enter the virtual hostname/IP address to connect to the Cisco VSM Operations Manager.
Server 1 acts as the Master server, receiving and managing all user and system requests. All data and
configuration changes are automatically synchronized with the Peer server (server 2) to ensure it is ready
to take over if a failover occurs.
The Peer polls the Master server regularly to verify connectivity. If the Peer does not receive a response,
the Master is assumed to be down or offline and the Peer assumes the Master role. The Peer server
immediately takes control of the system, and the virtual hostname/IP address is redirected to the new
Master server.
User Interfaces
The following user interfaces (UIs) access Cisco VSM video using the shared virtual IP address:
Operations Manager (browser-based UI): enter the virtual hostname/IP address in an Internet
Explorer browser window.
Cisco SASD (desktop application): enter the virtual hostname/IP address at the login prompt.
Custom applications: monitoring applications that use the Cisco VSM APIs access the
Operations Manager using the virtual hostname/IP address.
Media Server Redundancy and Failover
Cisco Video Surveillance Media Servers can be configured in a high availability (HA) arrangement that
allows a primary server to be paired with additional Failover, Redundant, or Long Term Storage Media
Server. These HA servers provide the primary server with hot standby, redundant stream storage and
playback, and long term recording storage to help ensure that functionality and recordings are not lost if
the primary server goes offline.
Failover status is indicated in the server Status page (Figure). The possible Failover Status values are:
In Failover
Not In Failover
Could Not Failover (this occurs if a different Primary server already failed over to the same
Failover server.)
For example, Figure displays a Primary Media Server with a critical configuration error that causes a
failover.
The Failover Server status is OK (green), indicating that the server is up and ready to assume
control.
The Failover Status is Failed Over, indicating that a failover occurred.
The Failover server Status page also displays Failed Over.
When a user attempts to access live or recorded video from a camera that is associated with the Primary
server, the request will time out and be forwarded to the Failover server, which completes the request
and sends the requested video.
Because the Failover server maintains the same configuration as the Primary server (in real time), users
will not encounter a change in network behavior other than a slight delay while communication is
established with the Failover server.
Once the Primary server comes back online, it will automatically resume control from the Failover
server. The Failover server will revert to hot standby status.
Note
Polling between the servers is coordinated based on the system time in each server. Use an NTP time
source to ensure server synchronization.
Requirements
Before adding HA Media Servers, verify that the following requirements are met.
You must belong to a User Group with permissions for Servers & Encoders.
At least two Media Servers must be enabled:
Note
Although there are no hard limits to the number of cameras that a Primary server or associated HA server can
support, the Cisco Video Surveillance Manager Release 7 Server Performance Guidelines provide the recommended
maximum number of cameras that can be assigned to a server. We highly recommend that your deployment not
exceed these numbers for any server in your deployment.
Note
Determining the server loads, ratios and priority is part of the system design and should be planned
according to the equipment and needs in your deployment.
Use the following guidelines when determining Failover server deployment:
A Failover server can only stand in for one Primary server at a time (if a Failover server is
already acting as the primary for a Media Server that is down, the Failover cannot assume
control for a second Primary Media Server).
We recommend a maximum of 5 Primary servers be associated with a single Failover server.
Associating more than 5 Primary servers with a Failover server is not recommended.
A few minutes of recording may be lost between the loss of the Primary server and the Failover
assuming control.
A co-located Media Server can only be a primary Media Server (co-located Media Servers do
not support other HA roles such as Standby or Redundant).
When the Primary Media Server is down and the Failover has taken over the role of the primary
server, and a DHCP based Medianet discovered camera has a change of IP address, the Cisco
VSM Operations Manager will not reconfigure the camera to the new IP address until the
Primary Media Server comes back up. This is because Cisco VSM Operations Manager does not
allow any configuration changes on the cameras when the primary server is down.
Configuration changes cannot be made to the Media Server or associated devices (such as
cameras) while the server is in Failover mode. This is because Failover mode is meant as a
temporary server to enable continued operations, not as a permanent replacement server.
Lesson 9
Overview
Although cameras can be added individually, you can also deploy multiple
cameras using one of the following methods.
Importing Cameras from a List
Multiple cameras or encoders can be imported using a comma separated value (CSV) file that includes
configuration details for each device. This same method can be used to update existing camera
configurations.
This figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled
state if all required configurations are included or in Pre-Provisioned state if configurations are missing
or if the devices are not yet available on the network. If an error occurs, correct the CSV file and try
again.
Best Practices
Cameras, encoders and servers can be pre-provisioned in Release 7.2 and higher.
Pre-provisioned devices are devices waiting to be added to Cisco VSM. You can make
additional configuration changes, but the device cannot stream or record video until the
configuration and network issues are resolved. Choose Enable from the Device Settings menu to
enable the device video functions.
If the CSV file details are accurate and complete, the devices are added to Cisco VSM and video
from the cameras is available for viewing and recording.
If any required fields are left blank, or if any devices in the file are not available on the network,
then the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned
option is deselected. Complete the configuration to change the status to Enabled.
If any fields are inconsistent with the Cisco VSM configuration, the import action fails and an
error file is created that specifies the problem(s). For example, if the CSV file specifies a Media
Server or location that does not exist in your Cisco VSM configuration, an error occurs. Correct
the CSV file and try again.
You cannot mix device types in the import file. For example, the file can include servers,
encoders, IP cameras, or analog cameras only.
To update existing cameras, use the Camera Report to create a spreadsheet with camera details.
Then modify the sheet for your cameras.
Discovering Cameras on the Network
Cameras can be discovered when they are added to the network, and automatically added to the Cisco
VSM configuration. The camera configuration can include a camera template and additional camera
settings.
Supported Cameras
To view the camera models that support discovery, open the Auto Configuration Settings page and click
on a camera manufacturer.
Camera Discovery and AutoConfig Flow Chart
Tip
You can also move a discovered camera to the Blacklist to prevent it from being added to Cisco VSM or from being
discovered in future discovery actions.
Medianet Requirements
For cameras to be automatically discovered on the network using Medianet, the following requirements
must be met:
The network (IP) camera must support Cisco Medianet
o Medianet cameras must be configured for DHCP (cameras that do not support Medianet
can only be added using a static IP address).
o See the Release Notes for Cisco Video Surveillance Manager, for a summary of
supported Cisco cameras and required firmware.
o See also the camera product information at http://www.cisco.com/go/physicalsecurity
(click View All Products, and select the camera model under Video Surveillance IP
Cameras). Examples of Medianet cameras include the Cisco models 4300, 4300E,
4500, 4500E and 26xx.
The camera must be able to discover an available Media Server using one of the following
methods:
o The camera's Preferred Media Server List is enabled using the camera UI. This list is
also configured with up to four Media Server IP addresses.
o A Cisco IOS DHCP server must be installed and configured with Option 125 to return a
list of Media Server IP addresses.
If both of these options are enabled, the manually-entered Preferred Media Server List is used
by the camera. If the list is disabled or empty, DHCP is used.
If neither of these options is enabled, auto-discovery will fail.
Medianet Overview
To enable Medianet discovery, you must install a Medianet-enabled IP camera on the network, as shown
in Figure. A Cisco IOS DHCP server must also be installed and configured with Option 125 to provide a
list of up to 16 Media Server IP addresses.
Medianet Camera Discovery Summary
Process | Event | Description
Step 1 | Media Server is discovered | The camera discovers a valid Media Server IP address using one of the following methods: the camera's Preferred Media Server List (the camera UI is populated with up to 4 Media Server IP addresses), or DHCP (a DHCP request returns the camera IP address and a list of up to 16 Media Server IP addresses). In each method, the list of Media Server IP addresses is polled in order until the request is accepted. If both of these options are enabled, the manually-entered Preferred Media Server List is used by the camera. If neither of these options is enabled, auto-discovery will fail.
Step 2 | Camera added to VSM | The camera is added to the Cisco VSM config. Auto-configuration settings are applied, if enabled for that camera model, and the camera is placed in Enabled state. If Auto-Config is disabled for the camera model, the camera is added to the Pending Approval list.
Step 3 | Camera config is applied | After the camera is added to Cisco VSM, use the Operations Manager to complete the device configuration. If the Auto-Config settings were applied (and the camera is placed in Enabled state), revise the camera settings if necessary. If the camera was added to the Pending Approval list, complete the required config and approve the camera.
Detailed Process
Note
When the camera is added to the network, it contacts the DHCP server, which returns the camera network settings
(including IP address). Medianet cameras are factory-configured for DHCP by default. If the camera IP address is
set to static, then the DHCP address is ignored (released).
Step 1 The IP camera attempts to connect to a Cisco VSM Media Server using one of the following
methods:
The camera UI is configured with up to four Media Server IP addresses (in the
Preferred Media Server List).
A DHCP server configured with Option 125 provides a list of MS IP addresses.
The IP camera attempts to connect to the Cisco Media Servers (in order of the IP addresses).
If a Media Server does not reply, then the camera attempts to connect to the next server in
the list.
Note
The camera first tries to connect to any Media Server addresses that were manually entered on the
camera. If there are no manual entries, or if none of the manually-entered Media Servers accepts the
connection request, then the camera attempts to connect to the Media Server addresses sent by the
DHCP server. If neither of these options is enabled, auto-discovery will fail.
Step 2 When the camera connects to a Media Server, the camera is also added to the Operations
Manager configuration.
If Auto-Configuration is enabled for the camera model, the configuration settings
(including a static IP address) are applied and the camera is placed in Enabled state.
The configuration includes a camera template, Location, and permanent Media Server
assignment
If the Auto-Configuration is disabled (default), then the camera is placed in the
Cameras Pending
Note
When the camera configuration is applied, the IP address provided by the DHCP server is retained.
You can change the IP address using the camera configuration page, if necessary.
Step 3 Once the camera is added to the Operations Manager, you can apply additional configurations,
or approve the camera (if it was added to the Cameras Pending Approval list).
Note
Only Cisco IOS DHCP servers are supported for Option 125 to support Medianet camera discovery.
Procedure
Step 1 Convert the Media Server IP address to a HEX value.
The Media Server IP address is the server that the Medianet camera will register with.
The HEX value is used in the DHCP server Option 125 configuration.
a. Search for an online tool that can be used to convert the Media Server IP
address to HEX.
For example, search for IP to HEX Converter tools.
b. Convert the camera's IP address to HEX:
For example, convert the Media Server IP address 10.194.31.1 to the HEX value
0AC21F01.
Step 2 Add additional HEX values to the Media Server HEX value, as required by your DHCP server.
Note
Each DHCP server may require additional HEX strings to be added before and after the Media Server
HEX value. This entire HEX string is entered in the DHCP Option 125 configuration. Be sure to use
the correct HEX format, as defined in your DHCP server documentation.
For example, a Cisco IOS DHCP server requires that the following HEX values be added
before and after the Media Server HEX value:
a. Prefix the following value to the Media Server HEX:
0000.0009.0b14.0901.
b. Append the following value to the Media Server HEX:
.0050.0001
The complete HEX string used in the DHCP server Option 125 configuration (for Cisco IOS
devices) is:
0000.0009.0b14.0901. 0AC21F01.0050.0001
Step 3 Configure the Cisco IOS DHCP server to advertise Option 125 to the endpoints.
For example:
ip dhcp pool MYADDRESSPOOL
network 10.194.31.0 255.255.255.0
option 125 hex 0000.0009.0b14.0901. 0AC21F01.0050.0001
default-router 10.194.31.254
Note
0AC21F01 is the HEX value of the converted Media Server IP address. The entire required
HEX value is 0000.0009.0b14.0901. 0AC21F01.0050.0001.
Other DHCP servers may require a different format for the HEX value such as prefixing x to
the values or prefixing a \
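The conversion and string assembly in Steps 1 to 3 can be done locally instead of with an online converter, and an existing pool can be checked the same way. The Python below is an added example, not part of the Cisco documentation; the function names, the approved-server list and the second pool (LAB, 192.0.2.50) are constructed, and the length check relies on the RFC 3925 option layout rather than on anything stated on this page.

```python
import ipaddress
import re

# Values taken from the Cisco IOS example on this page.
IOS_PREFIX = "0000.0009.0b14.0901."
IOS_SUFFIX = ".0050.0001"


def ip_to_hex(ip):
    """Return the 8-digit upper-case HEX form of a dotted IPv4 address."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()


def build_option125(media_server_ip):
    """Assemble the single-server Option 125 string in the page's IOS format."""
    return IOS_PREFIX + ip_to_hex(media_server_ip) + IOS_SUFFIX


def _digits(hex_string):
    """Strip dot, colon and whitespace separators and validate the hex digits."""
    cleaned = re.sub(r"[.:\s]", "", hex_string)
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned) or len(cleaned) % 2:
        raise ValueError("not a whole number of hex bytes")
    return cleaned.lower()


def length_fields_consistent(hex_string):
    """Check the two length bytes against the RFC 3925 layout (assumption):
    4-byte enterprise number, 1-byte data length, then a sub-option made of
    a 1-byte code, a 1-byte length and its data."""
    raw = bytes.fromhex(_digits(hex_string))
    return len(raw) >= 7 and raw[4] == len(raw) - 5 and raw[6] == len(raw) - 7


def media_server_from_option125(hex_string):
    """Recover the Media Server IP from a string built as in Steps 1 and 2."""
    digits = _digits(hex_string)
    prefix, suffix = _digits(IOS_PREFIX), _digits(IOS_SUFFIX)
    if not (digits.startswith(prefix) and digits.endswith(suffix)):
        raise ValueError("prefix or suffix differs from the page's IOS values")
    body = digits[len(prefix):len(digits) - len(suffix)]
    if len(body) != 8:
        raise ValueError("expected exactly one 4-byte Media Server address")
    return str(ipaddress.IPv4Address(bytes.fromhex(body)))


def audit_option125(config_text, approved_servers):
    """Report (line number, status, detail) for each 'option 125 hex' line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*option 125 hex\s+(.+)$", line)
        if not match:
            continue
        try:
            server = media_server_from_option125(match.group(1))
        except ValueError as exc:
            findings.append((number, "malformed", str(exc)))
            continue
        status = "ok" if server in approved_servers else "unapproved"
        findings.append((number, status, server))
    return findings


# First pool is the page's example, copied as printed; second pool is constructed.
SAMPLE_CONFIG = """\
ip dhcp pool MYADDRESSPOOL
 network 10.194.31.0 255.255.255.0
 option 125 hex 0000.0009.0b14.0901. 0AC21F01.0050.0001
 default-router 10.194.31.254
ip dhcp pool LAB
 network 192.0.2.0 255.255.255.0
 option 125 hex 0000.0009.0b14.0901.C0000232.0050.0001
"""

if __name__ == "__main__":
    print(build_option125("10.194.31.1"))
    for finding in audit_option125(SAMPLE_CONFIG, {"10.194.31.1"}):
        print(finding)
```

A pool flagged as unapproved would send newly connected Medianet cameras to a Media Server outside the reviewed list, so the audit is worth running whenever DHCP pools change.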
Overview
User access to Cisco VSM video is controlled by the user account access
permissions, and the locations to which cameras and other resources are
assigned.
For example, a user account is assigned to one or more user groups. Those
user groups provide access to the cameras and resources for a location (and
its sub-locations), such as campus A, or Building 1. In addition, each user
group is associated with a user Role that defines access permissions for
viewing video and managing the system.
Cameras and other resources are also assigned to a location. Users can only
access the video, devices, and resources for the locations they belong to.
Understanding User Access Permissions
Add user accounts to Cisco Video Surveillance Operations Manager to provide access to both the
browser-based Operations Manager and the Cisco Video Surveillance Safety and Security Desktop
(Cisco SASD) application.
The user group(s) to which the user is assigned: user groups are associated with a user Role,
which defines the access permissions for the group.
The location assigned to the user group(s): users can only access the devices and video for
that location (and its sub-locations).
Users can be assigned to multiple user groups, and gain the combined access permissions for
all groups.
For example, the figure summarizes the user Roles, groups and user accounts that must be configured
for user access.
Roles define the access permissions for different types of users. For example, create an operator
Role that allows users to view live and recorded video, and an administrator Role that allows users
to configure cameras and add new users.
When the Roles are assigned to a user group, any user added to that group will inherit the Role
permissions. Users also gain access to different types of resources based on the user group location.
For example, create an Operator Role that allows users to view video, but does not allow
configuration of cameras or other system resources. When you add that Role to a user group, any
user added to the group will inherit the Role permissions. In addition, users can access the devices
at the group location (including sub-locations), and the templates, schedules and other resources for
any location in the same location tree.
Understanding the Impact of a User's Location
The access permissions for a user are determined by the user group(s) to which they belong, and
the location(s) of those groups. For example, a user assigned to a user group at the root location
will have access to all cameras and video. A user assigned to a user group at a sub-location, such as
a campus, will have access only to the cameras and video at that sub-location.
In the following example, an admin might have access to the root location, enabling him to access
all cameras and resources in the system. A guard might only have access to a specific region,
allowing him to view video only for that sub-location and its children.
1. Root location. User groups at the root location have access to all sub-locations.
Note
A super-admin is any user who has access to all access permissions at the root location.
2. Sub-location. A user's access permissions apply only to this sub-location and its children.
1. Before you begin, create the location hierarchy as described in Using Locations to Limit
User Access.
2. Create the Roles that define access permissions for operators, administrators, and other
user types.
3. Create the user groups and assign a Role to each group.
4. Create the user accounts and assign each account to at least one user group. Users assigned
to multiple user groups inherit the permissions and locations for all groups.
5. (Optional) Require a second user (such as a manager) to enter their credentials when a user
logs in.
6. (Optional) Provide access to users on an LDAP server.
Sample Roles in a Cisco Video Surveillance Deployment
User Group | Role Permissions | Location | User name
Guard | View Live Video, View Recordings, Listen to Audio, Export Recordings, Perform PTZ | Building 1 | John Smith
Area Admin | View Live Video, View Recordings, Export Recordings, Perform PTZ, Manage Cameras, Manage Servers and Encoders | Campus 1 | Debbie Sanchez
Note:
A super-admin is anybody that has all permissions at the root location.
Note
A local-admin user account is not included by default. You must add a
user and add them to a user group associated with the
local_admin_role, if necessary.
LDAP Users: Members of an external Lightweight Directory Access Protocol (LDAP)
Active Directory user database can be granted access to Cisco VSM.
Understanding Permissions
A user's access permissions are defined by the user group that the user belongs to and the Role
associated with that user group. The user group also determines the location that a user has access to.
The user's access permissions are for that location only.
User Roles define the permissions that are assigned to a user group. Click the Roles tab to view or
modify the permissions that can be assigned to a Role. Permissions are divided into two categories:
Manage and Operate. Select or de-select the check boxes to add or remove permissions.
Default Roles
The default Roles are read-only and cannot be revised or deleted.
For example:
operator_role: Includes most Operator permissions.
super_admin_role: Includes all operate and manage permissions (a super-admin user is any
user that has access to all permissions and is assigned to the root-level location).
local_admin_role: Includes a combination of operate and manage permissions.
Tip
Select a Role to view the permissions assigned to that Role.
Permissions
Selecting a permission may automatically result in the selection of other dependent permissions if the
permissions overlap. For example, if you select the Manage Cameras permission, the View Live Video
and Perform PTZ permissions are automatically selected. The automatically selected dependent
permission(s) cannot be deselected unless the parent permission is deselected first.
Manage Permissions
Manage Permission | Description
Users & Roles | Create, update, or delete user accounts, groups and Roles.
Cameras | Create, delete, or update Cisco VSM cameras. Note: Only super-admins can perform camera auto-provisioning. See Understanding the Super Admin, page 16-9.
Servers & Encoders | Create, update, or delete Cisco VSM servers and analog camera encoders.
Video Walls | Create, update, or delete Video Walls.
Templates | Create, update, or delete camera templates.
Schedules | Create, update, or delete schedules.
Locations & Maps | Create, update, or delete Cisco VSM locations and associated map images.
Views | Create, update, or delete pre-set video views used to monitor multiple video cameras.
System Settings | Update Cisco VSM system settings.
Images | Allows the user to upload firmware images, define the recommended firmware version, and upgrade devices.
Some permissions are mutually exclusive. For example, you can select either View Live Video or View
Secondary Stream Only but not both at the same time. If you select View Secondary Stream, the
mutually exclusive permission will be automatically deselected.
Note
If selected, View Secondary Stream Only will be automatically deselected.
Operation Permissions | Description
View Recordings | View recorded video from Cisco VSM cameras.
Listen To Audio | Play live or recorded audio from cameras that support audio.
Export Recordings | Export a video clip to a file.
Perform PTZ | Use the pan, tilt and zoom controls on cameras that support PTZ.
Push Video to Wall | Enables the Publish to Wall feature in the Cisco Safety and Security Desktop (SASD) application. This feature allows users to change the view shown by all other instances of a selected video wall. The new view is displayed until the dwell time is exceeded. Note: If selected, View Secondary Stream Only will be automatically deselected.
Alerts | Allows all operators to view the alerts for cameras they can access. Users can acknowledge, clear, or comment on an alert (ack/clear/add_user_comment).
View Analytics Metadata | View the already generated metadata and perform video motion searches (using the Cisco SASD desktop application). Users with only View permissions cannot generate the metadata using Cisco SASD.
Post Analytics Metadata | Generate the Metadata using Cisco SASD. Users with only Post permission cannot perform searches.
Control Privacy Mask | Allows operators to enable or disable the Privacy Mask on compatible cameras. All live video from the camera is blocked and cannot be viewed by any operator or monitor, or recorded by the Cisco Video Surveillance system.
Download Software | Allows users to download the available software installation packages, such as the Review Player EX, Advanced Video Player, and MSI Installation Package.
Copy From Edge Storage | Allows users to copy recording from a camera to the Media Server.
View Secondary Stream Only | Members of user groups with this permission can only view the secondary stream of cameras. If the secondary stream is not available, no video feed is shown. Note: If selected, View Live Video and Push Video to Wall will be automatically deselected.
Note
A super-admin is any user that has access to all permissions at the root location.
Super-Admin Functions
Function | Description
Operations Manager HA | Create, update, replace, or delete the high availability (HA) configuration for Operations Manager.
Active Users | Get a list of the active user sessions. The super admin can also log out any active user(s).
Change user passwords | Change the password for another user.
Prune History | Prune (delete) old alerts and events.
Notification policies | Create, update and delete email notification policies.
Reports | Create, download, and delete reports.
Custom Event Type Registration | Create, download, and delete custom event types.
Language Settings | Update the language settings.
Auto Provisioning Settings | Update the auto provisioning settings for supported camera models.
LDAP user configuration | Create, download, and delete the LDAP server configuration.
Understanding Dual Login
Dual Login requires that a second user (such as a manager) enter their credentials to approve a user's
access. When the user logs in, a second prompt appears for the manager's credentials. This optional
feature can be used when explicit approval is required whenever a user logs in.
To enable Dual Login, select the Approval Required checkbox in a User Group, and then select an
Approval Usergroup. All users assigned to the User Group can only gain access if a member of the
Approval Usergroup also enters their password.
Users select the LDAP domain when logging in to the Operations Manager or Cisco SASD UI.
Considerations
Operations Manager uses the LDAP server to authenticate and authorize the user's username
and password.
LDAP users should be members of user groups in the LDAP configuration since the Operations
Manager determines user access privileges based on those LDAP groups. Search filters in the
Operations Manager LDAP configuration are used to map the user group(s).
The number of search filters determines the time it takes for users to log in. A large number of
search filters will cause longer wait times for LDAP users logging in. The maximum number of
filters is 500.
Use the Operations Manager Active Users page to view the user groups assigned to LDAP
users.
Users must be in an LDAP organizational unit (OU) that is at least 1 level above the root of the
LDAP tree.
LDAP Best Practices
LDAP users can be added or removed from the source database without affecting Cisco VSM. When the
LDAP user logs in to Cisco Video Surveillance, their credentials are authenticated with the LDAP
server, and access is granted or denied based on the LDAP response.
Use LDAP filters to limit the users who can access Cisco VSM.
To delete an LDAP server, you must un-associate the LDAP server from all Cisco VSM user groups.
For example, a filter for the dept_eng users can be associated with an admin user group while
everyone else in company_eng will be made an operator.
For example, to match any user who is a member of the vsomadmin user group, the user
group search filter is:
The variable %USERID% matches the user ID entered by the user at the login screen with an
Active Directory record with the same user ID (sAMAccountName), and that Active
Directory record must also be a member of the user group
(CN=vsomadmin,OU=Groups,DC=company,DC=com).
To match an individual Active Directory user ID johndoe, the user group search filter is:
(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))
This example matches the user ID entered by the user at the login screen with an Active
Directory record with the same user ID (sAMAccountName), and the Active Directory record
must have the sAMAccountName johndoe.
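The following added example (not Cisco code) shows how a search-filter template with %USERID% expands for a given login and which user groups it maps to when evaluated against directory records. The user group names, the department filter and the directory records are constructed for illustration; the RFC 4515 escaping of the login name is this example's own precaution, since the page does not describe how Operations Manager treats special characters.

```python
import re

# RFC 4515 escapes for characters that have special meaning inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
MAX_FILTERS = 500  # maximum number of search filters stated on the page

# Constructed mapping of VSM user groups (hypothetical names) to search filters.
FILTERS = {
    "vsm_admins": "(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))",       # filter from the page
    "vsm_eng_operators": "(&(sAMAccountName=%USERID%)(department=dept_eng))",   # constructed
}

# Constructed directory records standing in for Active Directory entries.
DIRECTORY = [
    {"sAMAccountName": "johndoe", "department": "dept_eng"},
    {"sAMAccountName": "asmith", "department": "dept_ops"},
]


def escape_filter_value(value):
    """Escape a login name so it can only ever be a literal filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user_id):
    """Substitute %USERID% in a search-filter template with the escaped login name."""
    return template.replace("%USERID%", escape_filter_value(user_id))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(text):
    """Parse '(&(attr=value)(attr=value)...)' into [(attr, value), ...].

    Only this AND-of-equalities shape (the shape of the page's filters) is
    supported; wildcards and nested filters are rejected rather than guessed at.
    """
    outer = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", text)
    if outer is None:
        raise ValueError("unsupported filter: " + text)
    pairs = re.findall(r"\(([^()=]+)=([^()]*)\)", outer.group(1))
    for _, value in pairs:
        if "*" in value:
            raise ValueError("wildcard matching is not modelled: " + text)
    return [(attr, _unescape(value)) for attr, value in pairs]


def record_matches(record, conditions):
    """True when the record satisfies every (attr, value) equality, ignoring case."""
    for attr, wanted in conditions:
        values = record.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if not any(v.lower() == wanted.lower() for v in values):
            return False
    return True


def groups_for_login(user_id, filters, directory):
    """Return the user groups whose expanded filter matches a directory record."""
    if len(filters) > MAX_FILTERS:
        raise ValueError("more than %d search filters configured" % MAX_FILTERS)
    matched = []
    for group, template in filters.items():
        conditions = parse_and_filter(expand_filter(template, user_id))
        if any(record_matches(r, conditions) for r in directory):
            matched.append(group)
    return sorted(matched)


if __name__ == "__main__":
    for login in ("johndoe", "asmith", "*"):
        print(login, "->", groups_for_login(login, FILTERS, DIRECTORY))
```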
Lesson 11
Overview
User access to Cisco VSM video is controlled by the user account access
permissions, and the locations to which cameras and other resources are
assigned.
For example, a user account is assigned to one or more user groups. Those
user groups provide access to the cameras and resources for a location (and
its sub-locations), such as campus A, or Building 1. In addition, each user
group is associated with a user Role that defines access permissions for
viewing video and managing the system.
Cameras and other resources are also assigned to a location. Users can only
access the video, devices, and resources for the locations they belong to.
Although cameras can be added individually, you can also deploy multiple
cameras using one of the following methods.
Understanding Permission-Based and Partition-Based
Locations define the physical location of devices, such as cameras, and the logical location of attributes,
such as camera templates. This allows system administrators to restrict user access to only the devices
and resources required by the different users in a deployment. For example, in a simple deployment,
users are assigned to the root level and gain access to all devices and resources. In larger deployments,
however, users can belong to user groups that are assigned to locations at lower levels. This restricts the
user's access to the devices at that location (and sub-locations). The users also have access to system
resources (such as templates and schedules) that are assigned to other locations.
Resources
Locations assigned to Cisco VSM resources define the following:
The logical location of Cisco VSM attributes, such as camera templates, schedules, Video Walls
and preset Views.
Resources such as devices, user groups and Views are permission-based, meaning that they can
only be accessed by users at that same location or lower (sub-location).
Partition-based resources (such as templates and schedules) can be accessed by users within the
same location hierarchy (locations higher or lower in the same location tree).
Global resources can be accessed by all users who have the required access permissions.
Super-admin resources (such as system settings and audit logs) can only be accessed by
super-admin users.
Partition-Based | User roles, Schedules, Camera templates | User groups can access partition-based resources that are in the same location hierarchy (either higher or lower, but not in a different branch).
For example, in Figure, root (System) level users have access to the devices and resources in all
sub-locations, such as California, Texas, and the associated campus and building sub-locations. A user's
ability to view or configure devices and resources is based on the role assigned to their user group.
Tip
User access can still be restricted based on the assigned user group. For example, an operator user group can
provide access to only view video, but not configure system resources.
Permission-Based Resources: Limiting User Access to Devices
Users can access devices assigned to the same location, or lower. For example, if a user is assigned to a
user group at the San Jose Campus location, the user gains access to any cameras assigned to the San
Jose Campus location, and all sub-locations (such as SJ Building 1).
Note
Users cannot access cameras assigned to higher locations (such as California), or sub-locations in a different
hierarchical tree (such as the Milpitas Campus or Texas).
A user's location includes all of the user groups to which the user is assigned. For example, if a user is
assigned to a user group for the San Jose Campus, and is also assigned to another user group for the
Dallas Campus, the user gains access to the devices at both locations.
Devices, user groups and Views are permission-based resources. All permission-based resources adhere
to these same rules.
Tip
Servers should be assigned to a high-level location to provide support to services, devices and user groups at
lower-level locations. In the example in the Figure, assign the servers to either the Root (System) location, or the
California and Texas locations.
Camera Views are also assigned to a location. Users can only access the Views assigned to their location and lower.
Partition-Based Resources: User Access to Templates, Schedules and Other Resources
Partition-based resources include camera templates, schedules, and user roles. If the user belongs to a
user group with access to these resources, then the user can access any partition-based resource in the
same location hierarchy (locations that are higher or lower, but not in a different branch).
For example, a user assigned to a San Jose Campus user group can access the templates or schedules at
any higher level location (up to the U.S. root location). The user cannot, however, access templates or
schedules for the Milpitas Campus or any of the Texas locations.
Tip
The user must be assigned to a user group that provides access to the resource.
Partition-based resources (templates, roles and schedules) can be viewed and used by all
users at all sub-locations.
Users can only modify the templates, roles, and schedules that are assigned to their location
(or lower).
For example, in Figure a user assigned to Milpitas Buildings can view partition-based
resources assigned to the U.S. location, but only super-admin users can modify the
resources.
Tip
We recommend also assigning servers to a high-level location to provide support to devices and user
groups at lower-level locations.
Tip
Deployments with a small number of users can also assign user groups and permission-based
resources to the U.S. (root) location.
Large Deployment
Larger deployments support multiple campuses or geographically distant sites. Users at different regions
or campuses require a distinct set of schedules, roles and templates. For example, the deployment in
Figure includes sites in both the U.S. and India. Partition-based resources (templates, roles and
schedules) assigned to the India location can only be viewed by users in the India sub-locations (not by
U.S. users). Resources assigned to the U.S. location can only be viewed by U.S. users.
This configuration also allows India or U.S. users to modify the partition-based resources for their
region without impacting other regions.
Partition-based resources (templates, roles and schedules) can be viewed and used by all
users within that location hierarchy (for example, from the San Jose Campus up to the
System users).
Users can only modify the templates, roles, and schedules that are assigned to their location
(or lower).
For example, a user assigned to California can view partition-based resources assigned to
the U.S. location, but not resources in the India locations.
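The location rules described in this lesson can be checked with a short access-review script. This is an added example, not Cisco code: the location tree is constructed from the location names used in the lesson, the function names are hypothetical, and only the location rules are modelled (the Role permissions a user group also needs are not).

```python
# Constructed location tree using the location names from the lesson's examples.
# Each location maps to its parent; the root (System) has none.
PARENT = {
    "System": None,
    "U.S.": "System",
    "India": "System",
    "California": "U.S.",
    "Texas": "U.S.",
    "San Jose Campus": "California",
    "Milpitas Campus": "California",
    "SJ Building 1": "San Jose Campus",
    "Dallas Campus": "Texas",
}


def ancestors(location):
    """Return the location followed by every location above it, up to the root."""
    if location not in PARENT:
        raise KeyError("unknown location: " + location)
    chain = []
    while location is not None:
        chain.append(location)
        location = PARENT[location]
    return chain


def same_or_lower(location, base):
    """True when `location` is `base` itself or one of its sub-locations."""
    return base in ancestors(location)


def can_access_device(group_locations, device_location):
    """Permission-based rule: devices at a user group's location or lower."""
    return any(same_or_lower(device_location, g) for g in group_locations)


def can_view_partition_resource(group_locations, resource_location):
    """Partition-based rule: higher or lower in the same branch of the tree."""
    return any(
        same_or_lower(resource_location, g) or same_or_lower(g, resource_location)
        for g in group_locations
    )


def can_modify_partition_resource(group_locations, resource_location):
    """Templates, roles and schedules can be modified only at the group's location or lower."""
    return any(same_or_lower(resource_location, g) for g in group_locations)


def access_review(group_locations):
    """Map every location to the rights that a user's group locations give there."""
    review = {}
    for loc in PARENT:
        rights = []
        if can_access_device(group_locations, loc):
            rights.append("devices")
        if can_view_partition_resource(group_locations, loc):
            rights.append("view-partition")
        if can_modify_partition_resource(group_locations, loc):
            rights.append("modify-partition")
        review[loc] = rights
    return review


if __name__ == "__main__":
    # A user who belongs to user groups at two campuses in different branches.
    for loc, rights in access_review(["San Jose Campus", "Dallas Campus"]).items():
        print(f"{loc:16} {', '.join(rights) or '-'}")
```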
Overview
Events and alerts reflect changes to system and device health, or security
events that occur in the system. These events and alerts can be viewed in a
monitoring application (such as Cisco SASD), generate notifications, or trigger
Understanding Events and Alerts
Events represent incidents that occur in the system and devices. Alerts aggregate (group) those events
together for notification purposes. For example, if a camera goes offline and comes back online
repeatedly, the individual events for that issue are grouped under a single alert, which results in a single
notification. This prevents operators from being flooded with notifications for every event that occurs
for the same issue.
Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again and
the streaming status normal event occurs, the alert severity is changed to INFO.
The Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) application can
be used to view alerts, related events, and related video. You can also change the alert
state, add comments, close the alert, and perform other management options.
Custom applications can be written to gather information, change the alert status, add
comments, or trigger actions when an event or alert occurs.
Note
Custom applications can also subscribe to ActiveMQ topics to receive notifications about device and system
changes. For example, the Alerts topic notifies subscribers when any alert occurs in the system. The custom
application can use the ActiveMQ message contents to optionally trigger additional notification or actions.
Health Events are generated when a device health change occurs, such as reachability, fan
speed, file system usage, or other device-related issues. Critical health events generate alerts by
default.
Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions. Security
events do not generate alerts by default.
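The grouping of events into alerts described above can be modelled in a few lines. This is an added example, not Cisco code: the class and event names, the sample events and the WARNING severity are constructed, and grouping by device and issue is an assumption made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample events: (device, kind, issue, severity).
EVENTS = [
    ("cam-lobby", "health", "streaming", "CRITICAL"),
    ("cam-lobby", "health", "streaming", "INFO"),
    ("cam-lobby", "health", "streaming", "CRITICAL"),
    ("cam-lobby", "health", "streaming", "INFO"),
    ("cam-dock", "security", "motion_start", "INFO"),
    ("cam-dock", "health", "fan_speed", "WARNING"),
]


@dataclass
class Alert:
    device: str
    issue: str
    severity: str
    events: list = field(default_factory=list)


class AlertAggregator:
    """Groups events for the same device and issue (assumed key) under one alert."""

    def __init__(self, alerting_security_events=()):
        # Security event types configured to generate alerts (none by default).
        self.alerting_security_events = set(alerting_security_events)
        self.alerts = {}         # (device, issue) -> Alert
        self.notifications = []  # one entry per alert, not per event

    def _opens_alert(self, kind, issue, severity):
        if kind == "health":
            # Critical health events generate alerts by default.
            return severity == "CRITICAL"
        # Security events generate alerts only when configured to.
        return issue in self.alerting_security_events

    def ingest(self, device, kind, issue, severity):
        key = (device, issue)
        alert = self.alerts.get(key)
        if alert is None:
            if not self._opens_alert(kind, issue, severity):
                return None
            alert = self.alerts[key] = Alert(device, issue, severity)
            self.notifications.append(f"{severity} {issue} on {device}")
        alert.events.append((kind, severity))
        # The alert severity reflects the most recently generated event.
        alert.severity = severity
        return alert


def replay(events, alerting_security_events=()):
    """Feed a sequence of events through a fresh aggregator and return it."""
    aggregator = AlertAggregator(alerting_security_events)
    for device, kind, issue, severity in events:
        aggregator.ingest(device, kind, issue, severity)
    return aggregator


if __name__ == "__main__":
    result = replay(EVENTS)
    for alert in result.alerts.values():
        print(alert.device, alert.issue, alert.severity, len(alert.events), "events")
    print(len(result.notifications), "notification(s)")
```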
Triggering Actions
Action | Description
Critical health notifications | Use the Health Notifications feature to send notifications when a critical device error occurs. Critical errors are health events that impact the device operation or render a component unusable. For example, a Media Server that cannot be contacted on the network, or a camera that does not stream or record video.
Motion event notifications | Click Alert Notifications in the camera template to enable or disable the alerts that are generated when a motion event stops or starts.
Trigger actions when a security event occurs | Use the Advanced Events feature (in the camera template) to trigger a variety of actions when a security event occurs. For example, you can send alerts only on motion start, on motion stop, stop or start video recording, record video for a specified length of time, invoke a URL, move a camera position to a specified PTZ preset, or display video on a Video Wall.
Module 3
Configurations VMS
Overview
The Cisco VSM is a browser-based configuration and administration tool used
to manage the devices, video streams, archives, and policies in a Cisco Video
Surveillance deployment.
Lesson 1
Overview
The Cisco VSM Operations Manager is a browser-based configuration and
administration tool used to manage the devices, video streams, archives, and
policies in a Cisco Video Surveillance deployment.
Main Elements of the User Interface
All windows include a basic set of links and features, as described in Figure.
1. Feature tabs:
Monitor Video: View live and recorded video from up to four panes.
Cameras: Add, configure and modify video surveillance cameras, templates and encoders.
Users: Manage user accounts and access permissions, including access for LDAP users.
Note
Only the features and functions that the user has access permissions for are displayed.
2. Additional feature
The buttons and options vary depending on the screen. For example, Thumbnail Search, Clip
Search or Health Dashboard
3. Find
Search for devices and attributes
4. Location Hierarchy
Allows you to organize devices, resources, and access permissions according to the locations in
your deployment
5. Panel selection
Devices, users, or other attributes available for the selected location
8. Jobs
A user triggered Cisco VSM system task that is completed in the background. Click the icon to
view information about the job. The job icons are displayed only when a job is in progress
9. Connection
Define if the Operations Manager is receiving real time status updates (from the ActiveMQ
service).
11. Help
Opens the online help system that contains this document.
12. Logout
Click to log out of the Cisco VSM Operations Manager.
13. Site
Displays the site where you are logged in. Click the site name to change the site.
14. Username
Displays the username for the currently logged in user.
Basic Configuration.
Complete the following steps to create a basic configuration. A basic configuration allows you to verify
that basic system components and devices are online, configured, and working properly.
Step 8 View video from the camera to verify that the system is working properly
Step 9 Back up the Operations Manager configuration and other data, or create an automatic backup
schedule
Step 10 Troubleshoot problems or verify the system and device status
Log on.
Log in to the Cisco Video Surveillance Operations Manager
Procedure
Step 1 Launch the 32-bit or 64-bit version of Internet Explorer on your Windows computer.
Step 2 Enter the Operations Manager URL or IP address. Enter the virtual IP address or hostname
provided by your system administrator if redundant (HA) Operations Manager servers are
deployed.
Step 3 Enter your username and password.
The default credentials for a new or factory restored server are admin/admin.
The username and initial password for all other users is defined when the user account
is created
All users are prompted to reset the password at first login.
Step 4 Select a domain:
Choose the default localhost if your account was created using the Operations
Manager.
Select an alternative domain if instructed by your system administrator.
Step 5 Enter a new password, if prompted. You must enter a new password the first time you log in,
or when your password periodically expires.
Step 6 Select a Site, if prompted
Selecting a Site on First Login
Users with Site access are prompted for a Site on first login only, but not on subsequent
logins
Users with no Site access are not prompted for a Site.
Users can also change their Site after log in, if configured.
Step 7 If prompted, ask your manager or other administrator to enter their Approver Login.
Step 8 If prompted, complete the on-screen instructions to install or upgrade the Cisco Multi-Pane
client software on your computer.
This application is an Active X client that enables video playback and other features.
Video will not play unless the Cisco Multi-Pane client software is correctly installed.
If using the 64-bit version of Internet Explorer, you will be prompted to install the
64-bit version of the Cisco Multi-Pane client, if necessary.
You must have administrative privileges on the PC workstation to install the software.
You will also be prompted to install the required Microsoft .Net 4.0 component, if
necessary. If your workstation does not have Internet access, the .Net 4.0 installer can
be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=17718.
Note
You must log in with a standard Windows user account. Logging in with a Guest account can prevent video
streaming and result in an error being displayed in the video pane: Cannot create RTSP connection to server. Check
network connection and server health status.
Understanding Dual Login
Dual Login requires that a second user (such as a manager) enter their credentials to approve a user's
access. When the user logs in, a second prompt appears for the manager's credentials. This optional
feature can be used when explicit approval is required whenever a user logs in.
To enable Dual Login, select the Approval Required checkbox in a User Group, and then select an
Approval Usergroup. All users assigned to the User Group can only gain access if a member of the
Approval Usergroup also enters their password.
Procedure
Step 6 Assign users to the User Group, and to the Approver Usergroup.
Step 7 When the user logs in, a window appears requiring a second user to enter their username and
password
Note
If the approval is not successfully submitted within the time-out period displayed, the login is denied.
Default User Accounts and Passwords
The Operations Manager includes two default users: the super-admin account and an operator account.
You are prompted to change the default passwords the first time you log in.
Note
Users from external systems (LDAP servers) cannot change their password using the Cisco VSM Operations
Manager. If you forgot your password, contact your system administrator and ask them to create a new password
(you will be prompted to change it when you log in).
Changing Another User's Password
Only super-admins can change another user's password.
Procedure
Notes
This method can also be used by the super-admin to change their own password. All other users can change their
own password by clicking on their username in the top right corner of the browser.
If the system is configured with Sites, and you are a member of a User Group that is assigned to a Site
location, you will be prompted to select a Site the first time you log in.
Users with Site access are prompted for a Site on first login only, but not on subsequent logins.
Users with no Site access are not prompted for a Site.
Users who have access to multiple sites, but do not have the option to change sites, will default
to Not in any site when logging in.
If the Site is configured for Dynamic Proxy, users inside the Site are served by the Media Server
in that Site (when accessing cameras inside the Site). Users outside the Site will receive video
from a Dynamic Proxy server when accessing any camera inside the Site.
Users who do not select a Site, are not assigned a Site, or select Not in Any Site will receive
video from a Dynamic Proxy server for cameras in any Site where Dynamic Proxy is enabled.
Changing Your Site While Logged In
Users can also change their Site while logged in to the system. Click the current Site name in the top
right corner and select a new Site.
Note
Users are allowed to change their Site after logging in only if the Allow Site Change option is selected in their user
configuration.
Install the system licenses
A license must be purchased and installed for each Media Server and non-Cisco camera added to your
deployment.
Consideration
You can add 1 Media Server and 10 non-Cisco cameras without a license for initial setup
purposes only. This feature is removed when you add any permanent license.
A permanent license is required for each Media Server and non-Cisco camera installed in your
deployment.
A license for 10,000 Cisco cameras is included by default (you do not need to purchase and
install any additional licenses for Cisco cameras).
Licenses are installed in the Operations Manager only (not on the individual servers).
o Licenses can only be installed on a single instance of Operations Manager.
o The same license file cannot be installed more than once on the same Operations
Manager.
o Do not rename the license file before installing it on the Operations Manager. Use the
original file name only.
License files can include licenses for a single device type, or for multiple device types, such as
non-Cisco cameras and Media Servers.
Licenses are cumulative: each additional license is added to the capacity of existing licenses.
For example, if you initially installed a license for 100 non-Cisco cameras, you can purchase an
additional license for 200 cameras to support a total of 300 non-Cisco cameras.
The maximum number of devices in a system is 200 Media Servers, 10,000 cameras (including
Cisco and non-Cisco devices), and 100 dynamic proxy servers.
Installed licenses are included in the Operations Manager backup and restore archives. We
recommend backing up Operations Manager data after installing new licenses (or anytime major
changes are performed). If the license file is installed after the backup is performed, the license
file is not backed up and not available to be restored.
Note
Multiple camera and Media Server licenses can be included in a single license file. For example, a single license
file might include support for 25 additional cameras and two additional Media Servers.
Procedure
a. Locate the Product Authorization Key (PAK) created with the purchase.
b. In a Web browser, open the Cisco Product License Registration Web page.
http://www.cisco.com/go/license/.
c. Follow the onscreen instructions to complete the form and enter the Product Authorization Key
(PAK). When you are done, a license file with the extension .lic is sent to your email address.
d. Transfer the file to the drive of the PC used for the configuration.
Tip
The additional capacity is available immediately. You do not need to restart the server or take additional steps.
Entries shown in red are invalid or expired.
Software Licensing
1. The License Summary displays the total number of Cisco cameras, non-Cisco cameras, and
servers that can be managed by the current Operations Manager. The total number of device
licenses used and available is also shown.
Note:
Up to 200 servers and 10,000 cameras can be managed by the system. Although you can install
more than the supported number of licenses, they will not be recognized.
2. The license for Cisco cameras (included).
3. Licenses for additional servers and non-Cisco cameras.
Note
Entries shown in red are invalid or expired.
4. Information about the selected license file, such as the upload date and the number of devices
enabled by the license.
Deleting Licenses
Deleting a license will reduce the number of cameras and Media Server supported in your Cisco Video
Surveillance deployment.
You cannot delete a license if the number of licensed devices will be less than the number added to the
Operations Manager. View the number of licenses Used to verify that the license can be removed.
To remove a license:
Step 1 Select System Settings > Software Licensing.
Step 2 Highlight a license entry and click Delete.
Step 3 Click Yes to confirm.
Revising the System Settings
The default settings are sufficient for a basic setup, but you should review and revise the settings to meet
the needs of your deployment. System settings can only be modified by super-admin users.
Choose System Settings > Settings to define basic parameters for the Operations Manager and
Federator.
Beginning with release 7.2, retention of alerts, events and audit log entries is now managed
automatically by the Operations Manager, which can store up to 1 million alerts, 1 million events, and 1
million audit log entries.
The General settings define user sessions, backup storage rules, and other settings. Choose System
Settings > Settings, and then click the General tab.
Setting | Description
User Timeout | (Required) The number of minutes before a user is automatically logged out due to inactivity. After this period, users must re-enter their username and password to log back in. Note: The maximum value is 10080 minutes (168 hours / 7 days). The default is 30 minutes.
On Demand Recording Duration | (Required, Operations Manager only) Enter the number of seconds that video will be recorded for user-generated recording requests. The minimum value is 300 seconds (5 minutes).
Autocorrect Synchronization Errors | (Operations Manager only) Device synchronization ensures that the device configuration on the Media Server, camera or encoder is identical to the Operations Manager settings. Synchronization is automatically performed when certain events occur, such as when a Media Server goes offline and comes back online.
Preserve MS IP on camera delete | Cameras can be configured with a Preferred Media Server List for use in camera discovery. You can choose to delete or retain this setting if the camera is deleted from Cisco VSM:
Privacy Mask Timer | (Required, Operations Manager only) The number of minutes before the camera Privacy Mask expires (this setting applies to all cameras that support the Privacy Mask feature). When enabled, the Privacy Mask causes a camera to block all live video from that camera. When the timer expires, the operator is reminded to disable the Privacy Mask (which restores the live video stream). The default is 15 minutes. Enter a value between 1 and 120 minutes.
Auto Create Map Markers | Automatically creates a camera marker on the location map when a camera is manually added, updated, or imported from a CSV file. The icon is added based on the camera's Install Location.
Auto Upgrade Video Walls | Automatically upgrade video walls when a new version is available.
Password Settings
The password settings define the rules for user passwords.
Choose System Settings > Settings, and then click the Password tab.
Password Settings
Setting Description
Password Expiry Months The number of months before a user password automatically expires. At the
end of this period, users are required to enter a new password.
Minimum Password Length Enter a value between 1 and 40 to define the minimum number of characters
for a valid password. Passwords with fewer characters than the entered value
are rejected.
If de-selected, user passwords can include only one type of character (for
example, all lower case letters).
Repeat Characters If selected, user passwords can repeat the same 3 characters.
Language Settings
Setting Description
System Language Select a supported language for the user interface text.
d = day
M = Month
y = year
Time Format Select the time format displayed in system messages, alerts, and other generated
information.
For example, hh:mm:ss tt means that the time will be displayed as hours, minutes, and
seconds, and include the AM/PM notation.
hh = hour
mm = minute
ss = second
tt = A.M. or P.M.
First day of week Select the day that should be considered the first day of the week.
For example, Monday.
Language Pack
Add language packages to display the Cisco Video Surveillance interface in additional languages. You
must upgrade the language packs on all servers in your deployment.
Procedure
Find
For example, open Cameras and then enter a name of a camera. The results are displayed below the Find
field, and are dynamically updated to display even partial matches. The example in Figure shows the
results of a partial search: entering Lo returns the camera Lobby Door.
Find Results
Lesson 2
Tip
This distinction is used when viewing video alarms. If an alarm occurs at Building 1, the Cisco Safety and Security
desktop application will display the alarm (for Building 1) even if the camera's installed location is Building 2
(since the camera is pointed at Building 1).
To automatically add camera map icons to the location maps based on the camera's Installed Location,
select the Auto Create Map Markers setting.
Creating and Editing the Location Hierarchy
To create or modify the locations in your deployment, do the following:
Procedure
Step 1 Log on to the Operations Manager.
You must belong to a User Group with permissions for Locations & Maps.
Note
In a new system, only the System location appears.
Locations Menu
Add menu:
Choose Add Location (Shift-J) to add a location at the same level.
Choose Add Sub-Location (Shift-U) to add a sub-location to the existing location.
Enter the name and description.
Press Enter or click Save.
Update menu:
Choose Detent Location (Shift-<) to move the location one level higher in the hierarchy.
Choose Indent Location (Shift->) to move the location one level lower as a sub-location.
Choose Rename (Enter) to edit the location name. Press Enter or click Save.
Tip
Use the keyboard shortcuts (shown in parentheses) to quickly add or edit location entries.
You can also drag and drop location names within the location hierarchy.
Click Delete to remove an entry. You can only delete a location that does not have any resources assigned to the
location, or any of its sub-locations. If the delete operation fails, remove or reassign any associated resources and
try again.
Note
The Longitude and Latitude of the visible map are automatically entered in the location settings (Figure). The
second field displays the Zoom factor.
Overview
Figure summarizes the process to import locations from a CSV file. All required fields must be included,
and all fields must have the correct syntax. If an error occurs, correct the CSV file and try again.
Usage Notes
The Root location cannot be updated using the import location feature.
Location names cannot be updated using a CSV import. New location names are added as new
locations.
The Location CSV file must maintain the parent/child hierarchy order: the parent
location must come before the child location.
You cannot move a location using the CSV import.
Creating the CSV File
Create a file in plain text CSV format that can be opened and saved using Excel or OpenOffice Calc.
Blank rows or rows beginning with // are ignored.
Procedure
Step 1 Download a sample import file:
Step 2 Open the CSV file in a program such as Excel or OpenOffice Calc.
Step 3 Modify the file to include the location settings described in Table.
Note
The Root location cannot be updated using the import location feature.
Description Optional For example: This location includes all cameras and servers in the San
Francisco campus location.
Latitude, Longitude, Zoom Optional Defines the physical location of the entry on a map. All three must be entered if a
map location is used.
For example, if Latitude is entered, you must also include the Longitude and
Zoom. If Zoom is entered, you must also include the Latitude and Longitude.
Step 4 Save the revised file in CSV format.
For example, in Excel, create the file and then choose Save As > Other formats. Select CSV
(Comma delimited) for the Save as type.
If the CSV file details are accurate and complete, the locations are added to Cisco VSM.
Cameras, Media Servers and other attributes can then be assigned to the locations.
If any required fields are left blank, or if any entry is invalid, the import action fails and an error
file is created that specifies the problems. Correct the CSV file and try again.
Procedure
Step 1 Log in to the Cisco VSM Operations Manager.
Step 2 Create the camera CSV file containing details for each location.
Step 7 View the location hierarchy to determine if additional changes are required.
New events show the new location, but are added to the existing (and open) alert at the old
location.
When the alert is closed by an operator, any new events create a new alert at the new location
(the location reference in the alert is now consistent with the device location in the event).
Deleting a Location
Locations can be deleted only if no resources (such as cameras) are associated with the location or any
of its sub-locations.
Procedure
To delete a location or sub-location:
Step 1 Remove all devices and resources from the location and sub-locations.
You can reassign the devices and resources to a different location, or delete the items.
Step 5 If the delete operation fails and an error message appears, remove or reassign any resources
that are associated with the location or sub-location and try again.
Lesson 3
User groups are also associated with a specific location, allowing you to limit access to the Cisco VSM
resources in a specific location (such as a campus, building, or floor).
If a user belongs to more than one user group, the user inherits the combined rights and permissions of
all the groups.
Procedure
To create a user group, do the following:
Step 1 Select Users, and then select the User Groups tab.
The currently configured user groups are listed in the left column.
For example, assign Operators a priority of 50, and Administrators a priority of 60.
Assign security personnel priority 70, and building managers priority 80.
The default is 100 (highest priority).
Note
If two users belong to user groups with the same priority, then the first user to access the PTZ controls
gains priority and can continue to use the controls.
You can also define the idle time that a lower priority user must wait to use the PTZ controls after a
higher priority user stops using the controls.
Live QoS (Required) Defines the priority of the user group to receive live video if network traffic is
heavy. The video quality is not affected, but user groups with a low QoS setting may have
dropped packets so user groups with a higher QoS setting can continue to receive
uninterrupted video.
Low: If network traffic is heavy, video packets may be dropped for users assigned to
this group.
Medium: The user group has secondary priority to receive video packets over the
network. If network traffic is heavy, video packets may be dropped for users assigned
to this group.
High: The user group has the highest priority to receive video packets over the
network.
Archive QoS
(Required) Defines the priority of the user group to receive recorded (archive) video if
network traffic is heavy. The video quality is not affected, but user groups with a low QoS
setting may have dropped packets so user groups with a higher QoS setting can continue to
receive uninterrupted video.
Low: If network traffic is heavy, video packets may be dropped for users assigned to
this group.
Medium: The user group has secondary priority to receive video packets over the
network. If network traffic is heavy, video packets may be dropped for users assigned
to this group.
High: The user group has the highest priority to receive video packets over the
network.
User Group Settings (continued)
Allow Site Change
(Optional) Select Allow Change Site to allow users to change their Site after logging into
the Operations Manager. This option is disabled (deselected) by default when adding a
new user group.
Deselect to disable Site changes. Users must log out and log back in to change
Sites.
Users can only change Sites if they are assigned to User Groups with access to
multiple Sites.
If a user selects the Not in Any Site option, then video from cameras in Sites
that have the Dynamic Proxy option enabled will be streamed from the Dynamic
Proxy server.
Note
Users who have access to multiple sites, but do not have the option to change sites, will default to
Not in any site when logging in.
If a Site's Dynamic Proxy option is disabled (deselected), video from cameras at the Site will be
delivered to all users by the Site's Media Servers (and not by a Dynamic Proxy server).
Tip
Sites are used to define if you are inside or outside a location served by a Dynamic Proxy server.
Defaults
Allow Site Change is disabled by default when adding a User Group.
Allow Site Change is enabled by default for all User Groups when upgrading to release 7.5
(or higher) from a previous release.
Tags (Optional) Enter keywords used by the Find function.
Description (Optional) Enter a description of the rights granted by the Role.
Approval Required (Optional) If selected, a second user is required to approve the user login. When the user
logs in, a window appears requiring a second user to enter their username and password.
Approval Usergroup (Required if Approval Required is selected). Select a User Group that can approve logins
for members of the Approval Required usergroup.
Allow Multiple Logins (Optional) Allows users with the same credentials to log in from multiple workstations.
This setting is enabled by default.
Note
Users who configure unattended video walls (using the Cisco SASD Wall Configurator) must
belong to a user group that allows multiple logins. This is because each unattended video wall
requires a unique Cisco VSM login session for the video wall to be displayed.
Tip
Press Shift-click or Ctrl-click to select multiple users.
Creating Users
Tip
A second user (such as a manager) can also be required to approve when a user logs in.
Procedure
Tips
Only super-admins can use this field to change another user's password.
All other users can change their own password by clicking on their
username in the top right corner of the browser.
Super-admins can use this field to change their own password.
Upgrade Requirements
New fields were added in Cisco VSM release 7.0.1 to simplify the LDAP server configuration. After
upgrading from release 7.0.0, the administrator must reconfigure the LDAP server settings including the
following:
Review all LDAP server configurations in the Operations Manager and update missing
information after the upgrade.
Verify and reconfigure the binding requirements.
Reconfigure the LDAP filters and User Group associations for each server.
Note
These settings are not imported automatically upon upgrade. Operations Manager will not prompt the
administrator or display messages that indicate the new fields that need to be updated. Carefully review
the LDAP configuration descriptions and instructions to implement the required changes.
You must be logged in to the localhost domain to apply these changes (Figure).
The following table describes the purpose and requirements for each setting
Note
The LDAP server settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.
The Principal entry includes the %USERID% variable, which represents the userID configured on the
LDAP server. The %USERID% and password are entered when the user logs into Cisco VSM, and are sent
to the LDAP server for authentication.
If the Principal path (Bind DN) contains the userid, enter the Principal in the following pattern:
CN=%USERID%,OU=Company Users,DC=mycompany,DC=com
If the Principal path (Bind DN) contains the user's full name instead of the userid (for example, CN
represents the full name instead of the userid), especially for AD servers, then enter the Principal
in the following pattern: %USERID%@domain.com.
The following illustration shows an LDAP configuration that uses the userID as the CN.
Anonymous Binding
Select this option if the LDAP server allows anonymous access and you prefer to connect and search the
LDAP server anonymously in order to authenticate the users logging in to Cisco VSM.
Anonymous Binding requires only the base DN, and does not require the %USERID% variable. For
example:
ou=employees,ou=people,o=mycompany.com
Note
The following error is returned if the LDAP server does not support Anonymous Binding:
Operation failed: User <user id> is not found in LDAP or given distinguished name does not
support anonymous access.
User Search Base (Required, except for Anonymous Binding)
The Search Base indicates the lowest level of LDAP hierarchy where users will be found. User
information includes attributes such as first name, last name, email address, etc.
Anonymous Binding
This field is optional for Anonymous Binding.
cn
uid
userid
sAMAccountName (Active Directory only: this value is used only with Active Directory servers). The
following illustration shows an LDAP configuration that uses the sAMAccountName field for the
userID.
The name of the LDAP server attribute that holds the user's first name.
For example: givenName or displayName.
Lastname Attribute (Optional) The name of the LDAP server attribute that holds the user's surname.
For example: sn (if defined on the LDAP server).
Email Attribute (Optional) The name of the LDAP server attribute that holds the user's email address.
For example: mail (if defined on the LDAP server).
Tags (Optional) Words that assist in a Find.
Description (Optional) Description of the LDAP server. For example: the server purpose, location,
or user base.
LDAP Search Filter Settings
Filters restrict authentication to a subset of users (the filter represents a user group that is defined on the
LDAP server). Each filter can be associated with a different user group, which grants LDAP users in that
filter the access permissions of the Cisco VSM user group. This allows you to grant different
permissions to different sets of users.
For example, a filter for the dept_eng users can be associated with an admin user group while
everyone else in company_eng is made an operator.
The maximum number of filters is 500.
Note
The LDAP filter settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you
must revise the configuration to conform to the new fields and requirements.
User Group Filter Enter the LDAP syntax that limits access to members of a specific group on the
LDAP server.
For example, to match any user who is a member of the vsomadmin user group, the user
group search filter is:
(&(sAMAccountName=%USERID%)(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))
The variable %USERID% matches the user ID entered by the user at the login screen with
an Active Directory record with the same user ID (sAMAccountName), and that Active
Directory record must also be a member of the user group
CN=vsomadmin,OU=Groups,DC=company,DC=com.
To match an individual Active Directory user ID johndoe, the user group search
filter is:
(&(sAMAccountName=%USERID%)(sAMAccountName=johndoe))
This example matches the user ID entered by the user at the login screen with an Active
Directory record with the same user ID (sAMAccountName), and the Active Directory
record must have the sAMAccountName johndoe.
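The %USERID% substitution described for the Principal and the User Group Filter, as an added example (not Cisco VSM code): it shows how a login name is escaped for a DN (RFC 4514) and for a search filter (RFC 4515) so that characters such as * or ( stay literal. The function names are hypothetical, and the templates are the ones shown above.

```python
import re

PLACEHOLDER = "%USERID%"

# Templates copied from the examples on this page.
PRINCIPAL_DN = "CN=%USERID%,OU=Company Users,DC=mycompany,DC=com"
PRINCIPAL_UPN = "%USERID%@domain.com"
GROUP_FILTER = ("(&(sAMAccountName=%USERID%)"
                "(memberOf=CN=vsomadmin,OU=Groups,DC=company,DC=com))")


def escape_filter_value(value):
    """RFC 4515: hex-escape characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape characters that have meaning inside an RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parens_balanced(text):
    """True if unescaped parentheses open and close in matching pairs."""
    depth, i = 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # skip an RFC 4515 \XX escape
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def expand_filter(template, userid):
    """Substitute the login name into a User Group Filter template."""
    if not userid:
        raise ValueError("empty user ID")
    if PLACEHOLDER not in template or not parens_balanced(template):
        raise ValueError("filter template is malformed")
    return template.replace(PLACEHOLDER, escape_filter_value(userid))


def expand_principal(template, userid):
    """Substitute the login name into a Principal (Bind DN or user@domain)."""
    if not userid:
        raise ValueError("empty user ID")
    if "=" in template:         # DN pattern such as CN=%USERID%,OU=...
        return template.replace(PLACEHOLDER, escape_dn_value(userid))
    # user@domain pattern: the name must not carry its own domain part
    if re.search(r"[@\s\x00]", userid):
        raise ValueError("user ID not valid for a user@domain principal")
    return template.replace(PLACEHOLDER, userid)


if __name__ == "__main__":
    # Constructed login names, including ones with filter/DN metacharacters.
    for name in ("johndoe", "john*", "doe, john"):
        print(expand_filter(GROUP_FILTER, name))
        print(expand_principal(PRINCIPAL_DN, name))
```

With the escaping applied, a login name of john* is compared as the literal string john* instead of acting as a wildcard against sAMAccountName.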
LDAP Configuration Procedure
Complete the following procedure to bind an LDAP server to Cisco VSM, and associate the LDAP user
with a Cisco VSM user group.
Note
To configure LDAP servers, you must log in with super-admin privileges, using the localhost Domain.
Procedure
Step 1 Log on to the Cisco VSM using the following:
An account that belongs to a User Group with super-admin access permissions (for
example, admin)
Select the localhost Domain.
Note
The LDAP server settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.
a. Click Add
b. Enter the settings
c. Click Test to verify the filter. You must enter a valid username and password for the LDAP
server and filter. If the test fails, correct your entries and try again.
Note
The LDAP filter settings were changed for Release 7.0.1. If you are upgrading from Release 7.0.0, you must revise
the configuration to conform to the new fields and requirements.
d. (Optional) Repeat Step 5 to add additional filters. Each filter allows those LDAP users to access
Cisco VSM (based on the user group assignments).
Step 6 (Required) Click Create or Save to save the LDAP server settings.
Step 7 (Required) Add the LDAP server/filters to a Cisco VSM user group.
The user group(s) define the Cisco VSM access permissions for the LDAP users (defined by the filter).
The LDAP server/filters can be added to multiple user groups. The users gain the combined access
permissions of all associated user groups.
d. Select the LDAP Server name that includes the appropriate filter and click OK.
Tip
The filter defines a sub-set of LDAP users that will gain the user group access permissions.
e. Click Save.
Step 8 (Optional) Click the LDAP Server tab to verify that the user group appears in the LDAP
server configuration.
Step 9 (Optional) Log out and log back in using the credentials for an LDAP user (Figure).
Select an LDAP Login Domain
b. In the Cisco VSM Login page, enter the Active Directory username and password.
c. From the Domain menu, select the LDAP server name and filter combination.
To discontinue an active user session, select an entry and click Kill Session. Users who are logged out in
this way can continue watching the video they are currently viewing, but they must log in again if
they attempt to access new video streams or open a new video pane.
Setting Description
Username The username of the account used to access the system.
First Name The first name in the user account
Last Name The last name in the user account
User Group(s)
The user groups the user is assigned to.
User groups define the user role and location for member users, which defines
the cameras and resources they can access.
Super-admin Indicates if the user account is assigned the super-admin role.
Logged-In Time The date and time when the user logged in.
Last Access Time The date and time the user last performed any action on the system.
From IP The IP address of the device or computer used to access the system.
Note
You cannot kill (end) your own user session.
Tip
To view a history of user activity, go to Operations > Audit Logs
Lesson 4
Configuring Servers
Overview
A server is a physical or virtual machine (VM) that runs the Cisco Video
Surveillance system software. Each server can run one or more server services.
For example, the Operations Manager is a server service that provides the user
interface used to configure and manage a Cisco Video Surveillance
deployment.
Additional services can be enabled when the server is added to the Operations
Manager configuration. For example, a server can be added as a Media Server,
Maps Server or Metadata Server that supports those features and functions for
the entire deployment.
Understanding Server Services
Each server can run one or more services that provide features and functions for the Cisco Video
Surveillance system. For example, the Operations Manager provides the configuration interface and
management features for the entire deployment, the Media Server service manages cameras and encoders
and plays and records video, and the Maps service supports image layers used in location maps. In
addition, a Federator service allows users to view the resources from multiple Operations Manager
deployments.
Note
The Operations Manager server (VsomServer) is added by default and cannot be deleted. All servers are
assigned the Primary HA role by default.
Tip
Select an existing entry to revise an existing server configuration
Overview
To manually add a single server, open the server configuration page and click. If the server is not
available on the network, it can be added in pre-provisioned state (Figure).
Adding a Server
Pre-Provisioning Servers
Pre-provisioning allows you to add a server before it is installed or available on the network. The
server is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned server can
be modified, but cannot stream or record video.
If a server is pre-provisioned, the Media server service is activated by default. This allows
pre-provisioned cameras and encoders to be added to the pre-provisioned server.
After the server is installed and available on the network, you can enable it by choosing
Device Settings > Enable from the server configuration page. The server configuration must
be complete, and Cisco VSM must be able to verify network communication or the enable
action will fail.
Tip
Use Bulk Actions to enable multiple servers.
Prerequisites
The server(s) must be installed on a physical machine, or as a virtual machine (VM).
Complete the server initial configuration (including network settings) using the Setup Wizard available
in the browser-based Cisco VSM Management Console.
Note
The Operations Manager server (VsomServer) is added by default and cannot be deleted. All servers
are assigned the Primary HA role by default.
Step 1 Install the server and complete the Initial Setup Wizard using the browser-based Management
Console.
You must belong to a User Group with permissions for Servers & Encoders.
Each Media Server requires a license in order to be added to the Operations Manager
configuration.
Tip
To edit a server, click an existing entry to highlight it.
If you are adding a server that was previously configured in Cisco VSM, you will be prompted to import or discard
any camera configurations or recordings that exist on the server.
Server Settings
Setting Description
Hostname/IP The hostname or IP address used by the Operations Manager to access the server.
Username (Read-only) The default username for all servers is localadmin.
Tip
The server password is initially defined using the Cisco Video Surveillance Management Console
interface.
Name A meaningful name for the server. For example, Primary Server or Campus A Server.
Service Type The service that runs on the server.
The location determines the cameras and users that can access the server.
Cameras/encoders and their associated Media Servers must belong to the same Site (you cannot
associate a camera in Site A to a Media Server in Site B).
Click Add.
Step 8 Assign cameras and encoders to the Media Server service on the server, if necessary. Cameras
and encoders can be assigned to the Media Server even if the server is pre-provisioned.
Overview
The figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled
state if all required configurations are included, or in Pre-Provisioned state if configurations are missing
or if the devices are not yet available on the network. If an error occurs, correct the CSV file and try
again.
Usage Notes
Create a file in plain text CSV format that can be opened and saved using Excel or OpenOffice Calc.
Blank rows or rows beginning with // are ignored.
The CSV file can be created in plain text using a program such as Excel or OpenOffice Calc. For
example, in Excel, create the file and then choose Save As > Other formats. Select CSV (Comma
delimited) for the Save as type.
The fields (columns) must follow a specific format, which is shown in the downloadable sample.
Comment // (Optional): Blank rows or lines/cells starting with "//" are treated as
comments and ignored.
Name (Required): Enter the server name.
For example: Primary Server
Host name or IP address (Required): The network address for the physical or virtual machine.
Install Location Path (Required): Enter the location where the server is physically installed, or
the physical location of the cameras and encoders supported by
the camera.
For example: USA.CA.SJ.28.Lobby
Tip
To view the location path, go to System Settings > Locations and
highlight the location name.
localadmin password (Required): The password configured on the server to provide network
access from the Operations Manager.
Server Role (Required): The high-availability role of the server. The options are:
primary_server
redundant_server
failover_server
long_term_storage_server
Tags (Optional): Keywords used by the Find field.
Procedure
Step 1 Create the CSV file containing details for each server.
Step 2 Select System Settings > Servers.
Step 3 Choose Add and Import servers from file.
Step 4 Complete each Import Step as described below:
a. Import Step 1 - Retain Device(s)
(Cameras only) Select the Retain box if existing device(s) found on the server during import
should be retained. If selected:
Enabled cameras and encoders associated with the server are added to the Operations
Manager.
Soft deleted cameras are added to the Operations Manager in the soft-deleted state, which
allows recordings to be accessed.
Disabled cameras are not added to the Operations Manager configuration.
Select Pre-Provision to pre-provision the devices:
Cameras and encoders associated with the server are added in the pre-provisioned state.
Pre-provisioned devices must be enabled once the configuration is complete.
b. Import Step 2 - Download Sample
(Optional) Click Download Sample to download a sample CSV import file. Use this sample to
create the import file as described in the Creating the CSV File section. Click
Next.
c. Import Step 3 - File Upload.
Click to select the CSV file from a local or network disk. Click Upload.
d. Import Step 4 - Processing:
Wait for the import process to complete.
e. Import Step 5 - Results Success:
If a success message appears, continue to Step 5.
If an error message appears, continue to Step 4.
f. If an error message appears, complete the following troubleshooting steps:
Click Download Annotated CSV, save the error file and open it in Excel or OpenOffice
Calc.
Correct the annotated errors and save the revised file in the CSV format.
Correct the CSV file in the //Error rows
Click Start Over to re-import the fixed file.
Return to Step 3 and re-import the corrected CSV file.
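A pre-import check for the server CSV file described above, as an added example (not part of Cisco VSM): it applies the required fields, the four Server Role values and the // comment rule before the file is uploaded. The column order is an assumption taken from the order of the field table on this page (the downloadable sample defines the real layout), and the duplicate-host check is an extra sanity check, not a documented rule.

```python
import csv
import io
import ipaddress
import re

# Assumed column order: follows the field table on this page.
COLUMNS = ["name", "host", "install_location_path",
           "localadmin_password", "server_role", "tags"]
REQUIRED = COLUMNS[:5]          # Tags is the only optional field
ROLES = {"primary_server", "redundant_server",
         "failover_server", "long_term_storage_server"}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def valid_host(value):
    """Accept an IPv4/IPv6 literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", value):   # looks like IPv4 but is not valid
        return False
    return len(value) <= 253 and bool(HOSTNAME_RE.match(value))


def check_server_csv(text):
    """Return (line, field, problem) tuples; password values are never echoed."""
    errors = []
    seen = {"name": {}, "host": {}}
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        cells = [c.strip() for c in row]
        # Blank rows and rows beginning with // are ignored by the import.
        if not any(cells) or cells[0].startswith("//"):
            continue
        if len(cells) > len(COLUMNS):
            errors.append((line, "row", "too many columns"))
            continue
        rec = dict(zip(COLUMNS, cells + [""] * (len(COLUMNS) - len(cells))))
        for field in REQUIRED:
            if not rec[field]:
                errors.append((line, field, "required field is empty"))
        if rec["host"] and not valid_host(rec["host"]):
            errors.append((line, "host", "not a valid host name or IP address"))
        if rec["server_role"] and rec["server_role"] not in ROLES:
            errors.append((line, "server_role", "not a supported role"))
        path = rec["install_location_path"]
        if path and "" in [p.strip() for p in path.split(".")]:
            errors.append((line, "install_location_path", "empty path segment"))
        for field in ("name", "host"):   # extra check, not a documented rule
            key = rec[field].lower()
            if not key:
                continue
            if key in seen[field]:
                errors.append((line, field,
                               f"duplicates line {seen[field][key]}"))
            else:
                seen[field][key] = line
    return errors


# Constructed sample file (addresses, names and passwords are made up).
SAMPLE = """\
// name,host,install location path,localadmin password,server role,tags
Primary Server,10.10.20.5,USA.CA.SJ.28.Lobby,Example-Pw-1,primary_server,hq
Failover A,vsm-fo1.example.com,USA.CA.SJ.28.Lobby,Example-Pw-2,failover_server,

Redundant A,10.10.20.5,USA.CA.SJ.28,Example-Pw-3,redundant,
Storage A,10.10.20.300,USA..SJ,,long_term_storage_server,lts
"""

if __name__ == "__main__":
    for line, field, problem in check_server_csv(SAMPLE):
        print(f"line {line}: {field}: {problem}")
```

Because the file carries the localadmin password of every server in clear text, store it with restricted permissions and remove it once the import succeeds.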
Deleting a Server
To remove a server you must remove all devices and other associations with the server, or the job will
fail.
Usage Notes
You can only delete a server that is not associated with cameras or encoders.
The Operations Manager server (VsomServer) cannot be deleted.
When a camera is moved to a Media Server on a different server, recordings are begun again.
Any existing recordings remain on the old Media Server. If the old Media Server is deleted, any
associated recordings are removed.
If the server is unreachable, and no HA servers are configured, the user is given an option to
force-delete the server, which also deletes all camera configurations and recordings. All
associated cameras must be re-added to Cisco VSM, and all recordings are lost.
Procedure
Step 1 Log on to the Operations Manager.
You must belong to a User Group with permissions for Servers & Encoders.
Step 2 Verify that all cameras and encoders associated with the Media Server are switched to a
different Media Server.
The camera's existing recordings will remain on the old server.
Step 3 Click System Settings > Servers.
Step 4 Select the server name.
Step 5 Click Delete.
Step 6 Click OK to confirm.
Step 7 Wait for the Job to complete.
Viewing Server Status
To view the status of a server, click the Status tab in the server configuration page (Figure).
Device Status
Server Device Status
Device States
State Description
Enabled: OK The device is operating normally and has no errors.
Enabled: Warning A minor event occurred that did not significantly impact device operations.
Enabled: Critical An event occurred that impacts the device operation or configuration.
Pre-provisioned The device is added to the configuration but not available on the network.
The device is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
device can be modified, but cannot stream or record video until the configuration is complete
and you choose Device Settings > Enable.
Usage Notes
Click the Status History tab to view detailed information regarding the events or alerts that impact the
Device Status. For example, if a Synchronization mismatch occurs, and the Configuration status changes
from OK to a synchronization alert, click the Status History tab to view details for the errors that caused
the mismatch.
Click Reset Status to clear status issues that do not automatically clear when the issue is
resolved.
See the following options to repair configuration issues or reset the device state:
Repairing the Configuration or Restarting the Server
Click the Reset Status button on the server Status page to clear device status and configuration issues.
Clears status issues that do not automatically clear when the issue is resolved. For example, an
issue that causes a coredump might still display a critical error in the Operations Manager even
if the issue is resolved.
Performs a Repair Configuration that synchronizes the server configuration with the Operations
Manager (mismatched configurations on the Media Server are replaced with the Operations
Manager settings).
Note
Any unresolved configuration issues will reappear after the reset.
Only the server state is reset, not the device alerts or events. You must still acknowledge or
clear any alert using the Cisco Video Surveillance Safety and Security Desktop.
To access the Reset Status button, you must be a Super-Admin or belong to a user group
assigned to the super_admin_role (a super-admin is anybody that has all permissions at the root
location)
From the General tab, select the Device Setting menu and select one of the actions described in Server
Operations
Operation Description
Replace Configurations Overwrite all configuration settings on the server with the settings in the Operations Manager.
Repair Configurations Push only the configuration changes required to correct a mismatched field. Changes are pushed from the Operations Manager to the Media Server.
Note
The restart period can last 1 minute or longer. During this time, the Cisco VSM system will
be offline and inaccessible.
Operations Manager Advanced Settings
SMTP Management Settings
The SMTP Server is used to send email notifications. Enter the server settings on the Operations
Manager server to enable this feature.
Note
SMTP settings are the only available Operations Manager advanced settings in this release.
Usage Notes
The SMTP settings are required if the Operations Manager application is enabled on the server.
SMTP settings can only be set for the Operations Manager server (VsomServer).
SMTP settings in the Cisco VSM Management Console Management are also shown in the
IP cameras (also called network cameras) connect directly to the network and are added to
Cisco VSM by entering the camera's IP address and other settings.
Analog cameras are connected to an encoder. The encoder provides network connectivity and
digitizes the analog video.
Step
Step 1 Log on to the Operations Manager.
Step 2 Configure recording schedules
Step 3 (Optional) Add camera templates.
Step 4 (Optional) Add camera encoders to support analog cameras.
Step 5 Add one or more cameras.
Step 6 Edit additional camera settings.
Step 7 (Optional) Create a custom configuration for a single camera.
Step 8 Configure the Image Settings, such as PTZ, motion detection, and brightness and contrast.
Step 9 Configure the high availability options.
Step 10 Create actions that are triggered by camera events.
Viewing Cameras
To display cameras already configured on the system, click Cameras and then choose the Cameras tab.
You can view the cameras for a location, Media Server, or template by clicking one of the icons
described below
Click a camera name to view and edit the settings for that camera. Click a template name to edit the
settings applied to all cameras associated with the template.
Cameras Tab
Tab Description
Cameras By Location Displays the cameras assigned to each location.
For example, click the Cameras By Location tab and then select a location
name. The cameras assigned to that location are listed by name. Click a camera
name to display and edit the camera settings.
Cameras by Media Server Displays the cameras assigned to each Media Server.
Tip
The number next to the template name indicates the number of cameras assigned to the
template.
Note
The camera configuration pages may not display properly if the Internet Explorer (IE)
compatibility view box is checked. Deselect this option, if necessary.
Viewing a List of Supported Cameras
To view the camera models supported in the Cisco Video Surveillance release you are using, open the
model list when adding a camera.
Procedure
Step 1 Click Cameras and then choose the Cameras tab
Step 4 Expand the Manufacturer names to view the list of supported models.
Supported Cameras
Manually Adding Cameras
Cameras can be added to Cisco VSM individually, or in groups. You can add cameras that are already
installed, or pre-provision cameras that are not yet available on the network. Network cameras can also
be discovered on the network and automatically configured or held offline until approved by an
administrator. In addition, if you add a Media Server that was previously installed in another VSM 6.x or
7.x deployment, you will be prompted to add or discard any cameras configured on that server.
If the device is not available on the network, it can be added in pre-provisioned state.
Manually Adding a Camera or Encoder
Note
All required fields must be complete to add a camera manually. You cannot submit a partial configuration.
Pre-Provisioning Cameras
Pre-provisioning cameras allows you to add the cameras before they are installed or available on the
network. The camera is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
camera can be modified, but the camera cannot stream or record video.
After the camera is installed and available on the network, you can enable the camera by choosing
Enable from the Device Settings menu. The camera configuration must be complete, and Cisco VSM
must be able to verify network communication or the enable action will fail.
Usage Notes
To add the camera, you must choose a pre-defined configuration template and camera location.
Only users with access permissions to that same location can view video from the camera.
To make configuration changes, users must have Camera management permissions.
The camera must be assigned to a Media Server, Location, and camera template.
Tip
Although you must choose a camera template when adding the camera, you can edit the camera configuration after
the initial configuration to create a custom configuration.
To automatically add camera map icons to the location maps (based on the camera's Installed
Location), select the Auto Create Map Markers setting. You can also specify an alternative
location when importing cameras from a CSV file.
The camera must be accessible on the network if the device is added in Enabled state.
If the camera is not available on the network, you can add the camera in pre-provisioned state.
The camera will be disabled until you choose Enable from the Device Settings menu (all
required fields must be complete).
If the camera is still not reachable on the network it will be in Enabled: Critical state until the
network issue is resolved.
Setting Description
IP Address Enter the hostname or IP address entered in the camera configuration. See the camera
documentation for instructions.
Note
All edge devices (such as cameras and encoders) must be added to a server using a local (non-NAT)
address.
Username Enter the username for accessing the camera on the network.
Password Enter the password for accessing the camera on the network.
Name Enter a descriptive name that can help you identify the camera. The name can include any
combination of characters and spaces.
Install Location Click to select the location where the camera is physically installed.
The Installed and Pointed locations define where the camera is physically installed vs. the
scene that the camera is recording. For example, a camera installed on building 2 might be
pointed at the lobby door of building 1. If an alert event occurs at the Building 1 lobby, it
can be flagged and viewed using the Cisco Safety and Security Desktop application even
though the camera is physically installed on building 2. The camera and the associated
Media Server must be in the same Site
Tip
To automatically add camera map icons to the location map based on the Installed Location, select
the Auto Create Map Markers
Media Server Select the Media Server responsible for storing and playing video from the camera.
The camera and the associated Media Server must be in the same
Model Select the camera model.
Setting Description
Template Select a camera template from the pop-up window.
You must choose an existing template when the camera is added to Cisco VSM.
After the camera is created, you can create a custom configuration or select a
different template.
Templates define attributes such as video quality and schedules. Only templates
that support the camera are displayed.
Camera Settings Apply a set of camera settings for features such as the motion detection window and
sensitivity, tamper settings, and NTP server and timezone used by the device.
Existing Settings: apply a pre-defined set of configurations.
New Setting: define a new set of configurations. Enter a name to save the
Camera Settings, so they can be applied to other cameras.
Multicast
Note
The multicast fields are enabled only if a template is chosen that uses Custom settings to enable UDP_Multicast
on Stream A and/or Stream B.
Primary Address (Optional) Enter the multicast IP address where the camera's primary video stream (Stream
A) should be sent.
This field is enabled only if the camera's template Stream A is configured for multicast.
Addresses must be in the proper address range.
Note
Public addresses must be individually assigned by IANA (Internet Assigned Numbers
Authority)
Primary Port Enter the port value used by Cisco Video Surveillance to listen to the camera's primary
video stream.
Secondary Address (Optional) Enter the multicast IP address where the camera's secondary video stream
(Stream B) should be sent.
This field is enabled only if the camera's template Stream B is configured for multicast.
Addresses must be in the proper address range.
Note
Public addresses must be individually assigned by IANA (Internet Assigned Numbers Authority)
Secondary Port Enter the port value used by Cisco Video Surveillance to listen to the camera's secondary
video stream.
Analog Camera Rules and Settings
Analog cameras are attached to an encoder that provides network connectivity.
See the encoder documentation for instructions to properly attach the serial cables to the
cameras and determine the serial port and serial address for each camera.
A single analog camera is attached to the encoder directly. Multiple cameras can be attached in a
daisy chain configuration. A serial port and serial address is assigned to each camera. See the
encoder documentation for more information.
The following table describes the settings available for analog cameras, which includes settings for the
encoder that provides network connectivity.
Setting Description
Encoder Select the encoder that supports the analog camera.
Video Port The physical encoder video port where the camera video cable is attached.
Tip
Only the unused ports are displayed.
Audio Port (Optional) The physical encoder audio port where the camera audio cable is attached.
Tip
Only the unused ports are displayed.
Name Enter a descriptive name that can help you identify the camera. The name can include any
combination of characters and spaces.
Installed Location Select the location where the camera is physically installed.
Note
The Installed and Pointed locations define where the camera is physically installed vs. the scene that
the camera is recording. For example, a camera installed on building 2 might be pointed at the lobby
door of building 1. If an alert event occurs at the Building 1 lobby, it can be flagged and viewed using
the Cisco Safety and Security Desktop application even though the camera is physically installed on
building 2.
Model Select the camera model.
Template Select a camera template from the pop-up window.
The template is based on the encoder model, not the camera model.
You must choose an existing template when the camera is added to Cisco VSM.
After the camera is created, you can create a custom configuration or select a
different template.
Templates define attributes such as video quality and schedules. Only templates that
support the camera are displayed.
Procedure
To manually add a camera to the Cisco VSM configuration, complete the following procedure.
Step 2 (Required) Add additional camera licenses for non-Cisco cameras, if necessary.
Step 3 (Optional) Create a camera template that defines the camera configuration, if necessary.
You can also use an existing template, such as the default system templates for low,
medium and high quality video.
You must assign a template to the camera when adding it to Cisco VSM.
After adding the camera, you can modify the template or create a custom configuration
for the camera.
Step 4 Click Cameras.
IP Camera: networked IP camera
Analog Camera: analog cameras are attached to an encoder to provide network
connectivity and digitize the analog video.
Tip
To use the auto-discovery option.
Step 11 (Optional) When the camera configuration page appears, update the additional General
Information settings, if necessary
Setting Description
Pointed Location Click to select the location where the camera is pointed. This is the video that
will be displayed and recorded by the camera.
Description Enter a description of the camera, if necessary.
Step 13 (Optional) If the camera was pre-provisioned, complete the configuration and select Enable
from the Device Settings menu.
Note
The Enable option is only enabled if the camera configuration is complete and the device is available on the
network.
Overview
Figure summarizes the process to import devices from a CSV file. Devices can be added in Enabled state
if all required configurations are included, or in Pre-Provisioned state if configurations are missing or if
the devices are not yet available on the network. If an error occurs, correct the CSV file and try again.
Usage Notes
Cameras, encoders and servers can be pre-provisioned in Release 7.2 and higher.
Pre-provisioned devices are devices waiting to be added to Cisco VSM. You can make
additional configuration changes, but the device cannot stream or record video until the
configuration and network issues are resolved. Choose Enable from the Device Settings menu
to enable the device video functions.
If the CSV file details are accurate and complete, the devices are added to Cisco VSM and video
from the cameras is available for viewing and recording.
If any required fields are left blank, or if any devices in the file are not available on the network,
then the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned
option is deselected. Complete the configuration to change the status to Enabled.
If any fields are inconsistent with the Cisco VSM configuration, the import action fails and an
error file is created that specifies the problem(s). For example, if the CSV file specifies a Media
Server or location that does not exist in your Cisco VSM configuration, an error occurs. Correct
the CSV file and try again.
You cannot mix device types in the import file. For example, the file can include servers,
encoders, IP cameras, or analog cameras only.
If cameras are updated using the CSV import, and the template is changed to one with different
stream resolutions, then all motion detection windows are deleted and you must re-configure the
motion windows for those cameras. To do this:
o Import the CSV file again to specify the motion detection windows (without changing
the camera template).
o Apply the motion windows to cameras
Tip
To download a sample import file, launch the import wizard. Click the Download Sample button in the second step
of the wizard to obtain a sample file. The import file is different for each device type: IP cameras, analog cameras,
and encoders.
Table describes the CSV file fields for both IP and analog cameras (the fields vary for each camera
type).
The CSV file can be created in a program such as Excel or OpenOffice Calc and saved as a CSV file.
For example, in Excel, create the file and then choose Save As > Other formats. Select CSV (Comma
delimited) for the Save as type.
Import File Field Descriptions
Content: Comment //
Required/Optional: IP / Analog Cameras; Optional
Description: Blank rows or lines/cells starting with "//" are treated as comments and ignored.

Content: Name
Required/Optional: IP / Analog Cameras; Required
Description: Enter the camera name. For example: LOBBY INT ENTRY

Content: Model
Required/Optional: IP / Analog Cameras; Required
Description: The camera model. For example: cisco_2500

Content: IP address, MAC address, Serial no
Required/Optional: IP cameras; Required
Description: At least one value is required (IP address, MAC or serial number).
New cameras: The IP address, serial number, and MAC address must be unique for new cameras.
Existing cameras: If all three entries are provided for an existing camera, the settings must match the device's existing settings.

Content: Server Name
Required/Optional: IP cameras
Description: Enter the Media Server name.

Content: Point-To Location Path
Required/Optional: IP / Analog Cameras; Optional if the camera is pre-provisioned; required if not.
Description: Enter the location where the camera is capturing video. For example, a camera installed on building 2 can be pointed at building 1, so the camera's video is from the pointed-at location, building 1. For example: CA/North Campus/bldg 1

Content: Template Name
Required/Optional: IP / Analog Cameras; Optional if the camera is pre-provisioned; required if not.
Description: The configuration template that defines the camera video quality, recording and motion parameters, and other settings.
The template must be valid and already present in the system.
If the template is changed to one with different stream resolutions, then all motion detection windows are deleted and you must re-configure the motion windows for those cameras. Use one of the following options:
o Import the CSV file again to specify the motion detection windows (without changing the camera template).
o Apply the motion windows to cameras

Content: Username
Required/Optional: IP Cameras; Optional if the camera is pre-provisioned; required if not.
Description: The username configured on the camera to provide network access. See the camera documentation for instructions to define the camera credentials.

Content: Password
Required/Optional: IP Cameras; Optional if the camera is pre-provisioned; required if not.
Description: The password configured on the camera to provide network access. See the camera documentation for instructions to define the camera credentials.

Content: Tags
Required/Optional: Optional
Description: Keywords used in the camera search field.

Content: Camera Settings name
Required/Optional: IP Cameras; Optional
Description: The name of a pre-defined set of camera settings. Enter the name of an existing setting only (new settings cannot be created when importing cameras).
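The field rules in the table above can be checked before a file is uploaded, so that rows which would be rejected or silently pre-provisioned are found first. The following Python script is an added example, not part of the Cisco documentation or the import wizard. The column names, the header row, the "complete" state label and the sample rows are assumptions made for the example (the real layout comes from the wizard's Download Sample file), every row is treated as a new camera, and network reachability is not tested.

```python
import csv
import io

# Column names are assumptions for this example; take the real layout from
# the import wizard's Download Sample file.
IDENTIFIERS = ("ip_address", "mac_address", "serial_no")
ALWAYS_REQUIRED = ("name", "model")
# Optional only while the camera is pre-provisioned (per the field table).
NEEDED_TO_ENABLE = ("point_to_location", "template", "username", "password")

# Constructed sample input, not a Cisco-supplied file.
SAMPLE = """\
// constructed sample for the pre-flight check
name,model,ip_address,mac_address,serial_no,server_name,point_to_location,template,username,password
LOBBY INT ENTRY,cisco_2500,192.0.2.10,,,MS-1,CA/North Campus/bldg 1,Medium,admin,example-pass
DOCK WEST,cisco_2500,192.0.2.11,,,MS-1,,,,
DOCK EAST,cisco_2500,192.0.2.10,,,MS-1,CA/North Campus/bldg 1,Medium,admin,example-pass
,cisco_2500,,,,MS-9,,,,
"""


def read_rows(text):
    """Yield (line_number, row_dict), skipping blank rows and // comments."""
    header = None
    for lineno, cells in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in cells]
        if not any(cells) or cells[0].startswith("//"):
            continue  # blank row or whole-line comment
        # A single cell that starts with // is a comment: treat it as empty.
        cells = ["" if c.startswith("//") else c for c in cells]
        if header is None:
            header = [c.lower() for c in cells]
            continue
        cells += [""] * (len(header) - len(cells))  # pad short rows
        yield lineno, dict(zip(header, cells))


def preflight(text, servers, locations, templates):
    """Classify each row as 'complete', 'pre-provisioned' or 'error'.

    servers, locations and templates are the names that already exist in the
    deployment, supplied by the operator.
    """
    seen = {}    # (field, value) -> first line that used the identifier
    report = []
    for lineno, row in read_rows(text):
        errors = [f"{f} is blank" for f in ALWAYS_REQUIRED if not row.get(f)]
        ids = [(f, row[f].lower()) for f in IDENTIFIERS if row.get(f)]
        if not ids:
            errors.append("need an IP address, MAC address or serial number")
        for key in ids:
            if key in seen:
                errors.append(f"{key[0]} duplicates line {seen[key]}")
            else:
                seen[key] = lineno
        # Values that do not exist in the deployment make the import fail.
        for field, known in (("server_name", servers),
                             ("point_to_location", locations),
                             ("template", templates)):
            if row.get(field) and row[field] not in known:
                errors.append(f"{field} not found in the configuration")
        missing = [f for f in NEEDED_TO_ENABLE if not row.get(f)]
        if errors:
            state = "error"
        elif missing:
            state = "pre-provisioned"   # added, but cannot stream or record
        else:
            state = "complete"          # can be enabled if reachable
        # Findings name fields only; credential values are never echoed.
        report.append({"line": lineno, "name": row.get("name", ""),
                       "state": state, "problems": errors or missing})
    return report


if __name__ == "__main__":
    result = preflight(SAMPLE, {"MS-1"}, {"CA/North Campus/bldg 1"}, {"Medium"})
    for entry in result:
        print(entry["line"], entry["state"], entry["problems"])
```

Because the import file carries camera usernames and passwords in plain text, keep it and any copies under the same access controls as the cameras themselves.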
Procedure
Step 1 (Optional) Enable Auto-configuration for the camera model(s).
Note
If any required fields are left blank, or if any cameras in the file are not available on the network, then
the devices are added to Cisco VSM in pre-provisioned state, even if the pre-provisioned option is
deselected. Complete the configuration to change the status to Enabled
Procedure
To use fisheye cameras, you must first install the camera and add it to Cisco VSM. Then define the 360
Camera settings.
Note
You must mount fisheye cameras perfectly flat, on either a vertical or horizontal surface. For example, do not
install the camera on a cathedral ceiling.
Step 3 Define the camera Orientation and Dewarp settings (360 Camera Settings), using one of the
following methods:
o The camera's General Settings
o Pre-set Camera Settings
Step 4 Create the video Views that include the fisheye cameras.
Camera Settings
Procedure
Note
Only the settings supported by the camera model are displayed.
You must belong to a user group with Cameras permission. Use one of the following methods to access
the Camera Settings.
Step 3 To save the setting for use by other cameras, select Save setting for future use and enter a
name for the setting.
Action Description
360 Camera Settings Defines the display settings for panoramic cameras that display a 360-degree field of view.
Orientation
The physical camera mounting: Ceiling, Wall, or Table
Note
Cameras must be mounted perfectly flat, on either a vertical or horizontal surface.
Dewarp Mode
A fisheye camera image is round and distorted, which is the result of capturing an ultra-
wide field of view. Use Dewarp modes to flatten or dewarp the image.
Dewarp mode varies by orientation. For example, Double Panoramic View is available
in Ceiling and Table orientations, but not for Wall orientations. PTZ operation is not
available in either panoramic Dewarp mode. Digital PTZ is available in individual
regions.
Use the different Dewarp modes to set the view to a grid layout of different regions of
the fisheye image:
Configure full motion window: Draws the motion detection window to fill the entire
camera view. This setting is not applied if the camera is already configured with motion
detection windows.
Automatic: the camera uses the assigned Media Server as the network time
protocol (NTP) server.
User-configured: the camera uses a custom NTP server.
This setting applies only for camera models that support NTP.
Timezone Information Use Media Server's Timezone: Use the same timezone as the Media Server assigned
to the camera.
If your network configuration requires devices with duplicate IP addresses, however, you can enable the
Allow Duplicate IP system setting to allow multiple cameras with the same network address to be added
to the Operations Manager configuration. This may be necessary when the same set of private IP
addresses are used at multiple sites.
Enabling the Auto Configuration Defaults for a Camera Model
Enable the auto-configuration default settings to automatically apply a set of basic configurations to
cameras that are discovered on the network.
Auto-configuration is disabled for all camera models by default. You must enable the defaults for each
camera model.
Usage Notes
If auto-configuration is not enabled for a camera model (or if the auto-configuration fails) then
the camera is placed in the Cameras Pending Approval list.
If the auto-configuration fails, cameras can also be placed in Enabled: Critical state. For example,
if the entered password does not match the password configured on the device.
Medianet-enabled devices also include an Uninitialized option. Select this to log in to the
camera using the default device credentials. Enter a password to automatically replace the
device password with the new setting (the username is read-only).
Uninitialized Option
Procedure
To enable auto-configuration for cameras that are discovered on the network or imported from a CSV
file, complete the following procedure.
Note
The change will not be implemented if the current username and password have been changed from the
factory default.
Username Enter the username used to access the camera over the network.
Password Enter the password used to access the camera over the network.
See the camera documentation for instructions to set the credentials, or ask your system
administrator for the information.
Template Select the camera template that will provide the camera configuration.
Media Server (Optional) Select the Media Server that will manage the camera (the camera will be assigned to
this Media Server).
Camera Settings Apply a set of camera settings for features such as the motion detection window and sensitivity,
tamper settings, and NTP server and timezone used by the device.
Select New Setting to define a new set of configurations. Enter a name to save the Camera
Settings, so they can be applied to other cameras.
Step 8 (Optional) Repeat this procedure to enable auto-configuration defaults for additional camera
models.
Cameras Pending Approval List
Discovered cameras that are not auto-configured are held in the Cameras Pending Approval list so they
can be reviewed and updated before being added to Cisco VSM. The cameras in this list are not available
for streaming or recording video.
These cameras can also be added to the blacklist which deletes them from the Cisco VSM configuration
and prevents them from being found in future discovery operations.
Cameras Pending Approval
Tip
Camera models that have the auto-configuration defaults enabled are added to Cisco VSM. If auto-configuration
fails or is not enabled, the camera is added to Cameras Pending Approval. If the camera is in Enabled: Warning or
Critical state, go to the device Status page to get information, fix the problem and choose Repair Configuration from
the Device Settings menu.
Procedure
To move cameras from the Cameras Pending Approval list to either Cisco VSM or to the blacklist,
complete the following procedure.
You must have Manage Cameras permissions to approve or blacklist cameras.
Tip
Click the camera to highlight it, or use Ctrl-Click or Shift-Click to select multiple cameras.
Step 6 (Optional) Enter additional camera configurations:
Click the buttons at the bottom of the list to edit the required fields. You can also
double-click a field to edit the setting.
Scroll the list to the right, if necessary, to display the editable fields.
Editable fields are displayed in bold.
Setting Description
IP Address The IP address assigned to the camera.
Name (Optional) Double-click the entry to change the camera name. The default entry
is auto-generated.
Media Server (Required) select the Media Server to manage the camera.
Install Location (Required) select the location where the camera is physically installed.
Pointed Location (Required) select the location where the camera is pointed. This is the scene
shown in the camera's video.
Template (Required) select the configuration template for the camera.
Credential (Required) enter the username and password used to access the camera over the
network. See the camera documentation for instructions to set the credentials,
or ask your system administrator for the information.
Step 7 Click Add to save the configuration and add the camera(s) to Cisco VSM.
Note
Click Blacklist to blacklist the camera.
Blacklisting Cameras
Blacklisted cameras are deleted from the Cisco VSM configuration and are ignored in discovery
operations. Cameras can be kept in the Blacklist indefinitely.
Blacklisting a Camera
Cameras can be added to the blacklist using the following methods:
Tip
Click the camera to highlight it, or use Ctrl-Click or Shift-Click to select multiple cameras.
Caution
Full Delete permanently deletes all recordings associated with the camera.
Viewing Cameras in the Blacklist
Procedure
Step 1 Click Cameras.
Step 3 (Optional) Use the filter settings to narrow the displayed devices.
Remove the device from the blacklist, as described in the following procedure.
Manually add the camera. This removes the camera from the blacklist and adds it to Cisco VSM.
Procedure
Step 1 Click Cameras.
Step 3 (Optional) Use the filter settings to narrow the displayed devices.
Step 4 Highlight one or more entries and click Remove From Blacklist.
The following settings are accessed in the Camera configuration page. You can also update camera
configurations by importing a CSV file that defines the settings.
Usage Notes
Not all settings are available for all cameras. For example, Image settings are available only if
the camera supports features such as motion detection, PTZ controls, and image adjustments.
Device configuration changes can fail if a camera firmware upgrade is in progress. Make sure that
a camera firmware is not being upgraded (or wait until it is complete) and try again.
Most camera settings are applied by the template assigned to the camera. To create a
configuration for a single camera, create a custom configuration for the camera.
The camera configuration pages may not display properly if the Internet Explorer (IE)
compatibility view box is checked. Deselect this option, if necessary.
Procedure
Step 1 Log on to the Operations Manager.
Step 3 Click the tabs in the top left column to view cameras and templates.
Tab Description
Cameras By Location Displays the cameras assigned to each location.
For example, click the Cameras By Location tab and then select a
location name. The cameras assigned to that location are listed by
name. Click a camera name to edit the camera settings.
Cameras by Media Server Displays the cameras assigned to each Media Server.
Tip The number next to the template name indicates the number of
cameras assigned to the template.
Camera General Settings
Tip
The Streaming, Recording and Event settings (Table) are read-only when viewing a camera configuration. To edit the
settings, edit the template associated with the camera, or create a custom configuration for the camera (click Set
Template and choose Custom).
Only supported templates are displayed (based on the user's location and camera model).
The remaining Streaming, Recording and Event settings are defined by the template and
are read-only.
If the camera template resolution settings are changed, all motion detection windows are
deleted and you must re-configure them. This occurs if the camera template is revised, or
if you select a different template for the camera
Although you can enter custom settings for both video streams, the IP or analog camera must also
support the settings for both streams (analog camera support is dependent on the camera's
encoder). If the camera or encoder model does not support the settings, or does not support two
streams, the configuration will fail. See the camera or encoder documentation for more
information regarding the stream settings supported by the device.
Tip
The remaining Streaming, Recording and Event settings can be changed for a specific camera only if the
Custom option is selected.
Video Format (Templates only) Select one of the following:
NTSC: the analog television standard primarily used in North America and some countries in
South America and Asia.
PAL: the analog television standard primarily used in Europe, Africa and some countries
in South America and Asia.
Note
The available quality settings depend on the camera model. For example, if a camera only supports NTSC
format, only NTSC can be selected. If a camera supports both PAL and NTSC, both formats will be available.
Streaming, Recording and Event Settings (continued)
Setting Description
Recording Schedule (Templates only) Select one of the following:
Basic Recording: 24x7 - Records 24 hours a day, every day, based on the continuous
and event recording properties, or
Select a previously-defined schedule.
Recording schedules allow you to define recording properties for different times of the day, days
of the week, or for special events. For example, a school might require different video surveillance
actions during School hours, After school hours, School off hours, and Closed hours. Additional
exceptions to the regular schedule might be required for special events, such as a Homecoming
event or the Christmas holiday. A recording entry appears for each time slot included in the
schedule.
Video Quality (Templates only) Slide the selector to Lo, Me or Hi to select pre-defined video quality settings for
stream A (primary) and stream B (if supported). Higher quality video requires more network
bandwidth, processing resources, and storage space than lower video quality.
Click Custom to choose specific settings (such as the video codec, transport, bitrate mode,
resolution, framerate, bitrate, and quality)
Caution
Switching a camera's codec may take 30 seconds or more to complete, resulting in a temporary
loss of the live video stream. Recorded video is not affected, but you cannot create recorded clips
that include more than one codec.
Streaming, Recording and Event Settings (continued)
Recording Options (Templates only) Click the recording option for each recurring schedule.
Note
If Basic Recording: 24x7 was selected, only one row appears. If a schedule was selected, a row appears for
each schedule.
In Retain event recordings, enter the amount of time a motion event should be
retained (saved) on the system. Changes to this setting apply to new
recordings only (the retention time cannot be changed for existing
recordings). Recordings are deleted when the expired time is reached, or if the
Storage% is reached (the oldest files are deleted first, regardless of their
expiry time).
In Padding, enter the number of seconds of recording that will be included
before and after the event occurs.
Motion recording is available only if the camera supports motion detection
for instructions to define the areas of the image that trigger motion events.
Select Continuous Recording to record video in a loop.
For example, video will be recorded continuously for one day before being
overridden. This allows you to view video from the past 24 hours.
In Retain continuous recordings, enter the number of days that recorded video
should be recorded in a loop, or if a recording schedule is selected, the
amount of time recorded video should be retained on the system. Changes to
this setting apply to new recordings only (the retention time cannot be
changed for existing recordings).
Note
This setting will be ignored if the Default Grooming Only setting is enabled on the Media Server that
supports the camera. This can prevent new recordings from beginning if all server disk space is used.
Setting Description
Verify Recording Space (Templates only)
Enable
Select Enable to verify that enough storage space is available on the Media Server to complete
the entire recording. The amount of required storage space is determined by the Storage
Estimation(%) setting for the Media Server. If the required amount of storage space is not
available for the entire recording, then the recording will not start.
For example, if a camera is configured to record a continuous H264 stream at 15 Mbps for 30
days, the Media Server would first verify that there is enough free disk space for the full
recording length (30 days). If not, then recording will not start. In this example, 15 Mbps of
video uses approximately 2 megabytes of storage space per second, so 30 days of recording
would require roughly 5 terabytes of disk storage.
Note
The verification takes into account the storage demands required by other cameras assigned to the Media
Server.
Enabling the Default Grooming Only setting for the Media Server assigned to the camera can cause all
disk space to be used and prevent new recordings from beginning.
Disable
Disabling this setting will allow recording to be started even when storage is full. But it can
cause the system to become oversubscribed, and critical alerts to occur as system performance
is impacted.
If this setting is disabled and there is insufficient disk space for new recordings, the disk will become
oversubscribed and default grooming will occur when storage is full.
Frequent default disk grooming can cause the server to be slow, as the load average of the
server will be high, and critical alerts can occur for the Media Server:
Disk space usage for recordings has been over-subscribed.
A recording failure event may also occur due to queue overflow, which can cause
frame drops.
Note
Recordings are retained according to the Retain event recordings setting.
Retain event recordings (Templates only) The amount of time a motion event should be retained (saved) on the system.
For example, enter 10 to keep motion event recordings for 10 days after the event video is
captured.
Note
This setting also applies to On Demand Recording recordings.
File Deletion
Recordings are deleted when the expired time is reached, or if the Storage% is reached (the oldest
files are deleted first, regardless of their expiry time). Video archive files are deleted until the free
disk space is less than the Storage (%).
Note
This setting will be ignored if the Default Grooming Only setting is enabled on the Media Server that
supports the camera. This can prevent new recordings from beginning if all server disk space is used.
Alert Notifications (Templates only)
Click Alert Notifications to enable or disable the alerts that are generated when a
motion stop or start event occurs.
Tip
Use Advanced Events to generate alerts only when a motion stop or motion start event occurs.
Advanced Events (Templates only) Use Advanced Events to trigger actions when an event occurs.
States of Being: Events that trigger an ongoing action as long as that event occurs (for
example, while a contact remains open).
Advanced Storage (Templates only) Defines storage options for recorded video, such as the use of Redundant,
Failover, or Long Term Storage servers. Also defines advanced streaming and recording
options.
Record Audio (Templates only)
Note
The audio setting is disabled if audio is not supported by the camera.
Off (Default): Audio is disabled for both live and recorded video playback.
Live and Recorded: Audio is enabled for live streaming and recorded video
playback.
Defines the number of seconds of additional recording that will be included before and after a
motion event.
Pre: Enter the number of seconds before a motion event occurs that video should be
retained.
Post: Enter the number of seconds after a motion event occurs that video should be
retained.
Using Custom Video Quality Settings
Custom video quality settings allow you to define the codec, transport method, bit rate, frame rate, and
other settings that are supported by the camera model, as described in
Usage Notes
Custom video quality settings can only be applied to model-specific camera templates.
The available quality settings depend on the camera model. For example, if a camera only
supports the H.264 codec, only H.264 can be selected.
Although you can enter custom settings for both video streams, the IP or analog camera must
also support the settings for both streams (analog camera support is dependent on the camera's
encoder). If the camera or encoder model does not support the settings, or does not support two
streams, the configuration will fail. See the camera or encoder documentation for more
information regarding the stream settings supported by the device.
To configure multicast transmission.
Caution Switching a camera's codec may take 30 seconds or more to complete, resulting in a temporary loss of the
live video stream. Recorded video is not affected, but you cannot create recorded clips that include more
than one codec.
Transport Select an option to stream video using either TCP or UDP.
Note
We recommend UDP for most networks where packet loss and high latency are not an issue.
Bit rate mode Select CBR (Constant Bit Rate) or VBR (Variable Bit Rate).
CBR delivers video at the selected bit rate (or at that average over time), depending on the video
device.
VBR adjusts the video quality and/or frame rate as the scene changes. Depending on the video
device, the selected bit rate may or may not be the stream's maximum.
The bit rate is reduced when there is little movement or change.
The bit rate is increased when there is more change.
Frame rate Select a frame rate (only frame rates supported by the device are displayed).
Bit rate Select the bit rate at which the video device will stream the selected frame rate.
Note
The frame rate must be specified first. Only frame rate and bit rate combinations supported by the device are
displayed.
Quality (VBR Bit rate mode only) Select the priority of the video quality against the desired frame rate.
A high Quality setting may cause the video device to reduce the frame rate during periods of
high motion or change (in order to maintain a higher quality image).
A low Quality setting may cause the video device to greatly reduce the image quality to
maintain a higher frame rate during the periods of high motion or change in the video.
Procedure
Step 1 Create or edit a model-specific camera template.
Image Settings
Image settings allow you to define where motion is detected in a camera image, the pan, tilt, and
zoom settings for a camera, and the image properties such as contrast and brightness.
Motion Settings
Pan Tilt and Zoom (PTZ) Settings
Photographic Controls
Click the Image tab to access the Photographic Controls that define properties such as
contrast and brightness.
Note
Only the settings supported by the camera model are shown.
Analog cameras support video controls only if the camera is configured for serial pass through
(a serial cable must be connected from the camera to the encoder, and a serial port must be
configured on the analog camera).
Photographic Controls
Setting Description
White Balance Adjusts the camera to compensate for the type of light (daylight, fluorescent,
incandescent, etc.,) or lighting conditions in the scene so it will look normal to
the human eye.
Sharpness Adjusts edge contrast (the contrast along edges in a photographic image).
Increase sharpness to increase the contrast only along or near the image edges
without affecting the smooth areas of the image.
Contrast Adjusts the separation between the darkest and brightest areas of the image.
Increase contrast to make shadows darker and highlights brighter. Decrease
contrast to lighten shadows and darken highlights.
Saturation Adjusts the intensity and vibrancy of each color channel.
Hue Adjusting hue will shift the entire color palette along a spectrum. This results in
all colors being changed toward a different dominant color. Useful for adjusting
the image to make it look more natural in unusual lighting conditions.
Deleting Cameras
When deleting a camera, you can delete the camera and all recordings, or keep the recordings on the
system.
Step 1 (Optional) Retain the Media Server IP address that is stored on the camera's Preferred Media
Server list.
By default, the IP address of the Media Server assigned to the camera will be deleted from the
camera's Preferred Media Server list. If the camera is re-added to Cisco VSM, the Media
Server must be re-configured on the camera.
You can change this behavior to keep the configuration, so the camera will be re-assigned to the
same Media Server if the device is re-added and discovered on the network.
Camera Status
Select the camera or encoder Status tab Figure to display information about camera device health, service
jobs, and security events.
Procedure
Step 1 Select Cameras.
Device Status.
Status History.
Service Jobs (Cameras)
Camera Events.
Device Status
Displays a snapshot of the current device health status, and the device attribute that is experiencing the
error. The camera's device health impacts the camera's ability to communicate with a Media Server,
stream video over the network, or record video.
For example, in Figure, the camera is in the Enabled: Critical state, meaning that it cannot display or
record video. This state is due to a Critical configuration error.
Tip
Click Refresh Status to reload the current device status.
Camera States
When a camera is added to Cisco VSM, it is placed in either Enabled or Pre-provisioned state.
Enabled means that the user intends the camera to be functional. There are three possible sub-
levels: OK, Warning, and Critical.
Pre-provisioned means that the device is added to the configuration but not available on the
network.
Camera Status
State Description
Enabled: Warning A minor event occurred that did not significantly impact device operations.
Disabled The device is disabled and unavailable for use. The configuration can be modified, and any
existing recordings can be viewed, but the camera cannot stream or record new video.
Enabled: Critical
IP Camera: The IP camera is enabled but is in a state unable to perform its full capacity.
Analog Camera: The analog camera is enabled but is in a state unable to perform its full capacity.
Tip
An IP camera and an analog camera that are in Enabled: Critical state after they are enabled from a Pre-
provisioned state usually indicate a mismatched configuration. This is often caused by a missing motion
detection configuration on the camera when the camera template requires one.
Pre-provisioned The device is added to the configuration but not available on the network.
The device is waiting to be added to Cisco VSM and is not available for use. A pre-provisioned
camera can be modified, but the camera cannot stream or record video until the configuration is
complete and you choose Enable from the Device Settings menu.
IP Camera: A Pre-provisioned IP camera may or may not have been connected to the
network. Settings can be changed, but the only device action allowed is Device Settings
> Enable. The device can be deleted.
Encoder: A Pre-provisioned encoder may or may not have been connected to the
network. Settings can be changed, but the only device action allowed is Device Settings
> Enable. The device can be deleted.
Note
You can enable an IP camera or encoder that is in Pre-provisioned state only after the device is connected
to the network and the associated Media Server is enabled. The Operations Manager does not automatically
enable them. An attempt to enable an IP camera or an encoder before connecting them to the network only
changes its state from Pre-provisioned to Enabled: Critical.
Analog Camera: An analog camera in this state is associated to an encoder that is either
in a state of Pre-provisioned or Enabled. Settings can be changed, but the only device
action allowed is Device Settings > Enable. The device can be deleted.
Analog cameras that are added to a Pre-provisioned encoder are also Pre-
provisioned.
You can enable an analog camera that is in Pre-provisioned state only after its
associated encoder is enabled. The Operations Manager does not automatically
enable it.
Soft Deleted (Keep Recordings) The device configuration is removed from the Operations Manager but the recordings associated
with that device are still available for viewing (until removed due to grooming policies).
To view the recordings, select the camera name in the Monitor Video page.
Display Options
Step 1 Select Display and choose a time range. By default, events from the past 24 hours are shown.
Select Special Range to specify a specific start and end time.
Step 2 Click Affecting Current Status to display only the alerts causing the current problem.
Step 3 Double-click an entry to display the alert details. Alerts can include multiple events for the
same issue.
Step 4 Double-click an event to display the event details. Alerts can include multiple events for the
same issue.
For example, in Figure, if the camera is assigned to a template where a camera app is enabled but the app is
not installed on the camera, an error will occur. To resolve the issue, install the appropriate camera app on
the camera. Once saved, the device status should be OK (click Refresh Status if necessary).
Camera Storage
Generate Metadata
Camera Apps: The camera apps that were installed, uninstalled, activated or deactivated.
Click an entry to view additional details about the job. The details also include the status and results of
the job.
To cancel a service job that is in progress (Created, or Running state), select the job and click Cancel
Job. Not all job types can be canceled. For example, you can cancel metadata and Camera Storage
service jobs that are still in progress.
Tip
To view the service jobs for all cameras and encoders managed by a Media Server, select the Service Jobs tab in the
Media Server configuration page. Not all Service Jobs are supported from the Media Server page (such as camera
apps).
Camera Events
Camera events display a camera's security events. For example, you can view all motion start events over
the past 12 hours.
Recovered Events
Cisco VSM can also recover motion, Camera Apps and Contact Closure camera events that occur when the
camera is disconnected from the Cisco Media Server. This feature is supported on Cisco 3xxx, 6xxx, 7xxx,
36xx, 66xx, 69xx, and 28xx cameras.
If the camera template is configured to send alerts, then recovered events are displayed in Cisco SASD
(Alerts workspace) in italics.
Note
Recovered events do not trigger any other actions, such as those configured in the Advanced Events
feature.
Procedure
Step 1 Select Cameras and select the camera.
Step 3 Select the following filters to display specific events during a span of time.
Step 4 The page automatically refreshes to display events from your selection.
Repairing Camera Configuration Errors
If a camera configuration error occurs, use the Status History to locate and correct the problem. Other
issues are the result of mismatched configuration between the device, the Media Server and/or the
Operations Manager. If this occurs, use the configuration repair options.
For example, be sure to successfully save or revert your changes while still in the motion configuration
window. Clicking out of the window before changes are successfully saved or discarded can cause a
configuration mismatch to occur on the camera Status page (the error will not include any additional
details). If this occurs, perform a Repair Configuration on the camera,
Replace Configurations: Pushes the entire device configuration from the Operations Manager
to the Media Server. The Media Server data is replaced.
Create PTZ presets that allow operators to quickly jump to a preset position.
Create PTZ tours that automatically cycle a camera between the PTZ preset positions.
Create Advanced Events that automatically move the camera to a PTZ preset position when an
event occurs.
Define a Return To Home preset that automatically returns the camera to a selected Home
position when idle for a specified number of seconds.
Define user groups that have priority for accessing PTZ controls.
PTZ Requirements
Cameras that support PTZ controls automatically display an Image tab in the camera configuration that
includes PTZ controls (choose the camera and click the Image > Pan/Tilt/Zoom).
You can also use the Advanced Events to automatically trigger PTZ presets when an event occurs.
Procedure
Task
Step 1 Install the PTZ camera and enable PTZ functionality, if necessary.
Step 2 Add the camera to the Cisco VSM configuration.
Step 3 (Optional) Connect a PTZ joystick to a USB port on your PC and calibrate the device for Windows.
Step 4 Verify that you are using a compatible browser (such as Internet Explorer) with the ActiveX player
installed.
Step 5 Open the camera PTZ configuration page to verify the camera PTZ controls are available:
a. Select Cameras and select a camera name.
b. Click the Image tab and verify that the Pan/Tilt/Zoom tab is selected
Step 6 (Optional) Configure the camera PTZ presets.
Presets are used to quickly adjust a camera view to a pre-defined PTZ setting.
Step 7 (Optional) Configure the camera PTZ tours.
PTZ tours are used to cycle the camera view between PTZ presets.
Step 8 (Optional) Define if the camera should return to a selected Home position when idle for a specified
number of seconds.
Note
If a PTZ tour is enabled, then the Return to Home setting is ignored.
Step 9 (Optional) Enter the camera PTZ idle time that defines the following:
PTZ Tour: the number of seconds after a manual PTZ movement or event action before the
PTZ tour can resume.
Return to Home: the number of seconds after a manual PTZ movement or event action before
the camera returns to the Return to Home preset position.
User PTZ control (priority lockout or camera controls lockout): the number of seconds that a
lower priority user has to wait before being able to move the camera after a higher priority
user stops using the PTZ controls.
Note
PTZ tours and Return to Home have the lowest priority, allowing users and Advanced Events to assume PTZ
control when necessary.
Step 10 (Optional) Define the user groups that have priority over other users for controlling PTZ cameras.
Note
By default, all user groups have the highest priority (100).
Step 11 (Optional) Configure the Return to Home preset position and timer.
Defining the User Group PTZ Priority
A conflict can occur if multiple users attempt to use the PTZ controls for the same camera. For example, if
a security incident occurs, a security officer may need to assume control over lower-priority users. To
resolve this, each user group is assigned a PTZ priority number from 1 to 100. Users in a group with a
higher number are given PTZ priority over users that belong to a group with a lower number. If the PTZ
controls are in use by a lower-priority user, the higher-priority user can assume control immediately.
When a higher priority user assumes control of a PTZ camera, lower priority users are denied access to
the PTZ controls. The lockout continues until the higher-priority user stops accessing the PTZ controls,
plus the number of idle seconds defined in the PTZ idle setting.
Usage Notes
By default, all user groups have the highest priority (100).
Users that belong to multiple user groups gain the highest priority from any assigned
group.
If a higher-priority user is using the PTZ controls, the PTZ controls remain locked and you
cannot control the PTZ movements until released by the higher priority user (and the idle time has
expired).
If users belong to user groups with the same priority, they will be able to access the PTZ controls
at the same time. This can result in conflicting movements.
Advanced Events that trigger a PTZ preset position are assigned a priority of 50. This setting
cannot be changed.
Event-triggered PTZ presets will take control from any user group members that have a
priority lower than 50 (user groups with a higher priority can take control or will
maintain control).
The camera remains at the PTZ preset unless a PTZ tour is enabled or a user accesses the
PTZ controls.
PTZ tours and Return to Home are assigned the lowest priority by default. This allows users to
assume control of any camera that is configured with a rotating PTZ tour. Event-triggered PTZ
movements also override PTZ tours.
When all users stop accessing the PTZ controls and idle time expires, the camera PTZ Tour or
Return to Home position will resume, if configured (the PTZ tour continues). The lockout idle
time is reset each time the higher-priority user accesses the PTZ controls.
If the When manual PTZ idle for field is not defined, then cameras use the number of seconds in
their associated Media Server's Camera Control Lockout field.
Example
The following example is based on this scenario:
A PTZ tour is configured
user1 is in a user group with PTZ priority 60
user2 is in a user group with PTZ priority 100
The PTZ idle time (lockout) is 30 seconds
An Advanced Event is configured to move to the PTZ preset when a motion event occurs
A PTZ tour is enabled and rotating the camera between PTZ presets. User1 can access the PTZ controls
and interrupt the tour. However, if higher-priority user2 also accesses the camera PTZ controls, then
user2 will take control and user1's PTZ commands will be ignored. This is because user2 is in a user
group with priority 100 while user1 is in a user group with priority 60 (PTZ tours have the lowest
priority).
When the higher-priority user2 stops moving the camera, user1 must still wait the number of seconds
defined in the camera When Manual PTZ idle for setting before they can move the camera again. If user2
uses the PTZ controls within that idle time, then the timer is reset and user1 must continue to wait.
Advanced Event PTZ movement is the same as a user with priority 50 moving the camera. If lower
priority users (0-49) are moving the camera, those lower priority users will lose control of the camera
and the event will move the camera. If higher priority users (51-100) are using the camera then the
event PTZ movement will not happen.
If the event PTZ successfully moved the camera, then the camera's idle time lockout is set preventing
lower priority users from moving the camera until it expires.
When all users stop accessing the PTZ controls, the PTZ tour continues (after the idle time expires).
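The arbitration rules from the Usage Notes and the Example above, modeled as an added Python example (not Cisco VSM code). The PtzArbiter class, its method names, the tour priority of 0, the treatment of an event meeting a user of exactly priority 50, user3, and the timeline are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EVENT_PRIORITY = 50  # stated on the page: Advanced Event presets are fixed at 50
TOUR_PRIORITY = 0    # assumption: the page only says tours have the lowest priority


def effective_priority(group_priorities):
    """A user in several groups gets the highest priority of any assigned group."""
    return max(group_priorities)


@dataclass
class PtzArbiter:
    """Hypothetical model of one camera's PTZ lockout (names are not Cisco's)."""
    idle_seconds: int                     # the "When manual PTZ idle for" value
    holder_priority: int = TOUR_PRIORITY  # priority of whoever moved the camera last
    lock_expires: float = 0.0             # time at which the idle lockout ends
    audit: list = field(default_factory=list)

    def request(self, actor, priority, now):
        """Return True if `actor` may move the camera at time `now` (seconds)."""
        locked = now < self.lock_expires
        if locked and priority < self.holder_priority:
            # Lower priority than the current holder, and the idle time has not expired.
            self.audit.append((now, actor, priority, "denied"))
            return False
        # Equal priority is granted (the page: same-priority users can conflict).
        # Assumption: the same rule applies when an event meets a priority-50 user.
        self.holder_priority = priority
        self.lock_expires = now + self.idle_seconds  # every granted access resets the timer
        self.audit.append((now, actor, priority, "granted"))
        return True

    def motion_event(self, now):
        """An Advanced Event preset move behaves like a priority-50 user."""
        return self.request("advanced-event", EVENT_PRIORITY, now)

    def tour_running(self, now):
        """The PTZ tour resumes only once the idle lockout has expired."""
        return now >= self.lock_expires


def replay_page_scenario():
    """Constructed timeline: user1=60, user2=100, idle time 30 s, tour enabled."""
    cam = PtzArbiter(idle_seconds=30)
    user1 = effective_priority([60])
    user2 = effective_priority([100])
    user3 = effective_priority([10, 40])  # constructed low-priority user, resolves to 40
    steps = []
    steps.append(("t=0   tour running", cam.tour_running(0)))
    steps.append(("t=0   user1 interrupts tour", cam.request("user1", user1, 0)))
    steps.append(("t=5   tour running", cam.tour_running(5)))
    steps.append(("t=10  user2 takes control", cam.request("user2", user2, 10)))
    steps.append(("t=15  user1 retries", cam.request("user1", user1, 15)))
    steps.append(("t=35  user2 moves again", cam.request("user2", user2, 35)))
    steps.append(("t=50  user1 retries", cam.request("user1", user1, 50)))
    steps.append(("t=55  motion event", cam.motion_event(55)))
    steps.append(("t=65  user1 after idle time", cam.request("user1", user1, 65)))
    steps.append(("t=70  motion event vs user1", cam.motion_event(70)))
    steps.append(("t=100 user3 after idle time", cam.request("user3", user3, 100)))
    steps.append(("t=110 motion event vs user3", cam.motion_event(110)))
    steps.append(("t=120 user3 retries", cam.request("user3", user3, 120)))
    steps.append(("t=139 tour running", cam.tour_running(139)))
    steps.append(("t=140 tour running", cam.tour_running(140)))
    return steps


if __name__ == "__main__":
    for label, outcome in replay_page_scenario():
        print(f"{label:32} {outcome}")
```

The audit list on the arbiter records every granted and denied request, which is the record to review when operators report losing control of a camera.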
Step 2 (Optional) Enter the camera idle time to define the number of seconds a lower-priority user must
wait after a higher-priority user stops using the PTZ controls.
Configuring PTZ Presets
PTZ presets allow operators to quickly jump to a preset position.
To access the PTZ preset, go to the Monitor page, display the camera video, right-click the
image and choose Presets from the Pan, Tilt, and Zoom menu. Choose a preset to move the
camera to the defined position.
To trigger presets with a USB joystick, press the joystick button that corresponds to the PTZ
preset number. For example, joystick button 1 triggers PTZ preset 1, joystick button 2 triggers
PTZ preset 2, etc.
You can also create PTZ tours that automatically cycle a camera between the PTZ preset
positions, or Advanced Events that automatically move the camera to a PTZ preset position
when an event occurs.
PTZ presets cannot be deleted if they are being used in a PTZ tour.
If a camera is replaced, you must re-define the PTZ presets since the coordinates will not match
the new device.
To configure PTZ presets, use the PTZ controls to adjust the live video stream, enter a preset name, and
click Set.
Step 5 (Optional) Click Test to move the camera position between different preset positions.
Usage Notes
Any camera that supports PTZ presets also supports PTZ tours. At least two PTZ presets must be
available to create a PTZ Tour.
You can enable a single PTZ tour for each camera.
PTZ tours have the lowest priority for PTZ camera movements. For example, operators can
manually take PTZ control of the camera, or an Advanced Event can move the camera to a PTZ
preset. Both users and events have priority PTZ access to the camera.
Operators can interrupt the tour by manually changing the PTZ position. The camera will stay at
the user-selected position for the number of seconds configured in the Advanced Setting When
manual PTZ idle for, and then resume the tour with the next preset.
To stop the PTZ tour, deselect Enable PTZ Tour. The camera will return to the first PTZ preset
in the tour list.
If a PTZ tour is enabled, then the Return to Home setting is ignored.
If the PTZ tour is disabled, the camera will stay at the current position, or go to the Return to
Home setting, if configured.
Procedure
Note
At least two presets must be included in the Selected column.
d. Use the up-down arrows to move the presets up or down in the list to define the order of
the preset rotation.
e. Click Save.
Step 3 (Optional) Select Enable PTZ Tour to turn on the PTZ tour for the camera.
The camera will display the PTZ tour whenever live video is displayed. To stop the PTZ tour,
you must deselect Enable PTZ Tour.
Step 4 (Optional) Define the camera PTZ idle time: the number of
seconds after a manual PTZ movement or event action before the PTZ tour can resume.
Configuring Advanced Settings
The PTZ advanced settings define the following:
The number of seconds before a PTZ tour resumes (after a manual or event override).
The number of seconds a lower priority PTZ user must wait after a higher-priority user
stops using the camera PTZ controls.
The number of seconds before the camera returns to a PTZ preset home position.
The Return to Home PTZ preset position. This returns a camera to a default PTZ location when
the manual PTZ controls are not used for the idle length of time.
Procedure
Step 1 Go to the camera's PTZ configuration page.
a. Click Cameras.
b. Click a location or Media Server and select a camera.
c. Click the Image tab and then click Pan/Tilt/Zoom.
Step 3 Use the following settings to define if the camera should return to a selected Home position
when idle for a specified number of seconds.
Note
By default, the idle time is defined by the Media Server's Camera Control Lockout setting.
Use the When manual PTZ idle for field to override the server setting for the current camera.
Usage Notes
If a PTZ tour is enabled, then the Return to Home setting is ignored.
Configure at least one PTZ preset.
Return to Home Select the PTZ preset used as the Home position.
If the Return To Home feature is enabled for one or more cameras, you can optionally display a
warning on the monitoring workstation before the camera returns to the home PTZ position. This warning
also allows users to cancel the operation and keep the camera at the current position, if necessary.
This option is configured on each client workstation by editing the following setting using the
computer's Registry Editor. The message appears 60 seconds before the camera returns to the home
position. This value can also be (optionally) modified.
Note
If a PTZ tour is enabled, then the Return to Home setting is ignored and uses the PTZ tour presets.
The PTZ Return to home warning message may not be displayed on workstations running
Windows 8 with the IE 10 browser or Windows 8.1 with the IE11 browser. In IE 11, run IE as an
administrator and uncheck the "Enable Protected Mode" option, then restart IE.
Tip
The following process edits the Cisco Multi-Pane Video Surveillance Client that is installed on the workstation when
you first access the Cisco VSM Operations Manager or the Cisco Video Surveillance Safety and Security Desktop
application (Cisco SASD). This Multi-Pane client is the ActiveX utility installed on each client machine to enable
video viewing and controls.
Note
You must edit the setting for both the 32-bit client and the 64-bit client (if installed). The 64-bit client is used for 64-
bit IE browsers and the Cisco SASD application.
Procedure
To configure a Return to Home countdown on the monitoring workstation.
Step 2 Select regedit from the results to open the Registry Editor utility.
Step 3 Enable the 32-bit multi-pane client (which is used for the browser).
a. Select HKEY_CURRENT_USER > Software > Cisco Systems, Inc. > Cisco Multi-Pane
Video Surveillance Client 32 bit.
b. Add an EnablePTZRTHWarning entry.
c. Enter 1 in the Value Data field.
1=the warning is on
0=the warning is off
d. Click OK.
a. Select HKEY_CURRENT_USER > Software > Cisco Systems, Inc. > Cisco Multi-Pane
Video Surveillance Client 64 bit.
b. Add an EnablePTZRTHWarning entry.
c. Enter 1 in the Value Data field.
d. Click OK.
Step 5 (Optional) Change the number of seconds the message will appear before the camera returns to the
home position. The default value is 60 (seconds).
a. Add a PTZ_RTHCountdownSecond entry (Figure 9-26).
b. Enter a decimal value in the Value Data field. This number is the number of seconds.
c. Click OK.
Step 7 Restart the monitoring windows by closing and re-launching any Operations Manager windows
or the Cisco SASD application.
Step 8 Test the monitoring workstation to verify that the warning message appears.
a. When 60 seconds remain in the countdown, a message appears: Camera returning to home
position in <X> seconds [Click here to cancel].
b. If the user clicks Cancel, the camera stays in the current position and the return to home
timer is reset.
Configuring Motion Detection
Cameras that support motion detection can trigger actions or record video when motion occurs in the
camera's field of view. For example, a camera pointed at the rear door of a building can record a motion
event if a person walks into the video frame. A motion event can also trigger alert notifications, a
camera's PTZ controls, or a URL action on a third party system.
Motion detection is supported for analog cameras only if the encoder supports motion detection.
Motion detection is supported only for the primary (Stream A) video.
Motion can be detected for a camera's entire field of view, or for specified areas. If the camera
or encoder supports exclusion areas, you can also exclude areas where motion should be
ignored.
Motion detection must be configured for each camera (motion detection is not defined by camera
templates). Use Bulk Actions to locate cameras without motion detection and add motion
detection for the camera's entire field of view.
Alerts can be configured for motion events, contact closures, analytic events, or soft triggers.
Always configure these features carefully to avoid overwhelming operator(s) with an excessive
number of alerts. If an excessive number of alerts are generated, the system may ignore new
alerts while deleting old entries.
Be sure to successfully save or revert your changes while still in the motion configuration
window.
Clicking out of the window before changes are successfully saved or discarded can cause a
configuration mismatch to occur on the camera Status page (the error will not include any
additional details).
If a camera configuration is changed to a template that has different resolution settings, all
motion detection windows are deleted and you must re-configure them. Use the following
instructions to apply motion windows to cameras, or import the motion window settings for
multiple cameras.
These values are set by default based on the recommended settings for
the camera model. For example:
Cisco 26xx: Threshold = 10, Sensitivity = 80
Cisco 29xx: Threshold = 10, Sensitivity = 80
Cisco 45xx: Threshold = 10, Sensitivity = 80
Cisco 60xx: Threshold = 1, Sensitivity = 85
(The maximum value is 100. The minimum value is 0.)
Motion Detection Settings (continued)
Setting/Field: Description
Save Motion Configs: Saves the changes to the camera's motion detection settings.
Restore Motion Configs: Restores the settings to the previous saved values.
Step 3 Verify that you are using a compatible browser (such as Internet Explorer) with the ActiveX
player installed.
Step 4 (Optional) Complete the Enabling Motion Detection on All Existing Cameras (Bulk Actions) procedure.
a. Click Cameras.
b. Select the camera's location, Media Server or template.
c. Select the camera from the list in the lower left column.
Step 8 Add green Include Areas (windows) where motion should be detected in the image.
a. Drag the green Include Area box onto the video image.
d. Repeat these steps to create additional Include Areas in the video frame.
Step 9 Define the motion detection settings for each Include Area.
Note
All areas outside of the include boxes are ignored by default. Add exclude areas within include
boxes to also ignore motion within the included areas.
a. Drag the red Exclude Area box onto the video image (Figure).
b. (Optional) Enter a name in the Window Name field.
c. Move and resize the motion window.
Tip
Click Restore Motion Configs to return the settings to the previously saved value.
Note
Be sure to successfully save or revert your changes while still in the motion configuration window. Clicking out of
the window before changes are successfully saved or discarded can cause a configuration mismatch to occur on the
camera Status page (the error will not include any additional details).
Step 13 (Optional) Configure actions that are triggered when a motion event occurs.
Enabling Motion Detection on All Existing Cameras (Bulk Actions)
Use the Bulk Actions feature to discover all cameras where motion detection is unconfigured, and add a
default motion window that includes the entire field of view.
This process selects the entire camera view to be included in the motion window. Use the camera
configuration page to make further refinements or define excluded areas.
Bulk Actions
Procedure
Step 1 Click Cameras to open the camera configuration page.
Step 6 Select Bulk Actions > Camera Settings, and select the Default Motion Window option.
Step 7 (Optional) Use the camera configuration page to refine the motion detection areas and
sensitivity for each camera.
Replacing a Camera
Replacing a camera allows you to exchange the physical camera hardware while retaining the
configurations, associations and historical data of the original device. The replacement camera also uses
the original camera name and device unique ID (used in API calls).
After the camera is replaced, only the hardware-specific details are changed, including the device MAC
address, IP address, and camera make and model.
Replacement Options
In Release 7.5 and later, you can replace a camera with an existing camera (a camera that was previously
added to Cisco VSM), or with a new camera. If replacing the camera with an existing camera, the camera
must have been previously added to the Operations Manager.
Usage Notes
Both network and analog cameras can be replaced (network cameras require the username and
password configured on the device).
Any network (IP) camera can be replaced by any other network (IP) camera, even if the devices
are a different make and model (be sure to select the appropriate template for the new camera
model). Network (IP) cameras cannot be replaced by an analog camera or encoder (or vice
versa).
If you attempt to replace a camera while a device id-collision exists, the replacement will fail and you
must first clear the collision.
For example:
You attempt to replace CameraB with CameraA, but the devices are in id-collision.
You attempt to replace CameraA with a newly added CameraB, but a CameraC that is already in the
system is colliding with CameraB.
In these situations, the Operations Manager will not proceed with the replacement, stating that
the camera is already in collision, and you must first clear the collision using one of the following
methods:
Soft-delete or delete one or more of the cameras (such as the camera already in the system).
The camera may be in the Pending camera list or elsewhere.
Replace one camera with the other (merge the devices to eliminate the collision).
Note
An IP collision occurs when two devices are configured with the same IP address.
Replace Camera
Step 3 Select Existing Camera if the device was previously added to the Operations Manager.
Replace With
Tip
When the page returns, the new camera will appear with the same name as the old camera, and will include all
configurations, recordings, and event histories. Associations with locations, maps, and Views are also the same.
Step 4 Select New Camera if the device is not in the Operations Manager configuration.
IP address
Username
Password
Model
Template
Camera Settings
b. Click Replace.
c. Wait for the job to complete.
Tip
When the page returns, the new camera will appear with the same name as the old camera,
and will include all configurations, recordings, and event histories. Associations with
locations, maps, and Views are also the same.
Step 5 Re-configure the contact closure, PTZ preset and motion detection settings, if necessary.
Bulk Actions: Revising Multiple Cameras
Bulk Actions allows you to change the configuration or take actions for multiple cameras. For example,
you can enable, disable, or delete the devices. You can also change the template, repair the
configurations, change the location or change the password used to access the device.
To begin, filter the devices by attributes such as name, tags, model, Media Server, location, status, or
issue. You can then apply changes to the resulting devices.
Requirements
Users must belong to a User Group with permissions to manage Cameras.
Only super-admin users can apply the Change Password option using Bulk Actions.
Non-super-admins must use the device configuration page to change one device at a time.
Procedure
Step 1 Select Cameras > Cameras.
Step 2 Click Bulk Actions (under the device list) to open the Bulk Actions window.
Filter: Description
Search by Name: Enter the full or partial device name.
For example, enter Door or Do to include all device names that include Door.
Search by Tag: Enter the full or partial tag string and press Enter.
Make/Model: Select the device model(s).
Tip
Always use the Operations Manager to configure cameras. Changes made directly to the camera
are unknown to Cisco VSM and can result in incorrect behavior.
Category: Select the issue categories that apply to the device. For example, hardware issues or
configuration issues.
Step 5 (Optional) Click the icon to view and edit the device status and configuration settings.
Step 6 Select the devices that will be affected by the action.
Choose the Select All check box to select ALL cameras matched by the filters, including the
devices not shown in the grid.
Use CTRL-CLICK and SHIFT-CLICK to select multiple items.
Note
Only super-admin users can apply the Change Password option using Bulk Actions.
Camera Settings: Apply a set of camera settings for features such as the motion detection
window and sensitivity, tamper settings, and NTP server and timezone used by
the device.
Step 8 Follow the onscreen instructions to enter or select additional input, if necessary.
For example, Reapply Template requires that you select the template.
Viewing Video
Overview
The following topics describe how to view live and recorded video using a
supported Cisco Video Surveillance application, such as the Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application or the
Cisco VSM Operations Manager.
Understanding the Video Viewing Options
Live and recorded Cisco Video Surveillance video can be viewed using a Cisco-provided application, as
summarized in Table, or a third-party application that supports ActiveX controls.
Procedure
Step 2 If prompted, complete the on-screen instructions to install or upgrade the Cisco Multi-Pane
client software on your computer.
This application is an ActiveX client that enables video playback and other features.
Video will not play unless the Cisco Multi-Pane client software is correctly installed.
Step 4 (Optional) Select View Menu to select a video grid of multiple cameras.
Select a blank layout.
Select Views: select a pre-defined View.
Step 5 Expand the location tree and drag a camera from the list onto a viewing pane.
Enter a partial or complete camera name in the Find field to display matching cameras.
You can also select a video pane by clicking in it, and then double-click the camera
name.
Video Layouts
Related information
Creating Video Views.
Select View: Display pre-defined views. Choose Select View to select a pre-defined multi-pane view.
Views can (optionally) be configured to rotate video from multiple cameras in the video panes,
providing a virtual tour of a building or area.
Related information
Creating Video Views
Setting the Default View
Set Default View: Define the view that is automatically loaded. The Default View is defined by each
user and is automatically loaded when they click Monitor Video.
Note
The Default View is saved as a cookie in the browser and is unique
to each user/PC. The Default View is not displayed if using a
different workstation.
Related information
Setting the Default View.
Tip
To change the video in a View pane, drag and drop a camera name onto the pane.
To create Views, go to System Settings > Views.
Views can be accessed using either the browser-based Operations Manager or the Cisco Video
Surveillance Safety and Security Desktop (Cisco SASD) application. The Operations Manager can display
a maximum of 4 video panes using the 32-bit version of Internet Explorer, and up to 16 panes when using
the 64-bit version. Cisco SASD can display up to 16 panes.
Double-click a video pane to fill the screen with that video. A preview of the other video panes is shown
in a smaller grid at the bottom of the screen. Double-click the video pane again to return the grid to
normal size.
Overview
To view live and recorded video, log on to the monitoring application and drag and drop camera names
onto the available viewing panes (you can also select a pane and double-click the camera name). Use
Views to view multiple panes in a single window.
For example, shows a multi-pane view using the Cisco Video Surveillance Safety and Security Desktop
(Cisco SASD) application.
Multi-Pane View using the Cisco Video Surveillance Safety and Security Desktop Application
Each viewing pane includes various controls that allow you to do the following:
Note
The available controls depend on the camera model and system configuration. For example, pan-tilt-zoom (PTZ)
controls are available only on cameras that support PTZ. Recording options are available only if the camera is
configured to record video. Synchronized playback is available for recorded video (not live video).
2 Indicates the quality of the primary live video stream. If the live video quality is poor, an alternative secondary or
iFrame video stream can be automatically applied.
3 Indicates live or recorded video (recorded video displays a time stamp such as ).
6 The green icon indicates live video. Click the icon to switch to the recorded view.
Note
The other playback controls are used with archived video only.
8 Click the triangle to pin the control bar to the screen, or auto-hide the bar when the cursor is moved.
Note
The control bar and audio icon will not display if your workstation monitor is set to a 16-bit color setting. Change your monitor
color setting to 32-bit.
9 Video image.
10 Camera menu.
Right-click the image to open the menu and select an option. Options not supported by the camera are disabled
(shown in gray).
11 Control icons.
Audio. The audio icon appears if the camera supports audio. Click to enable or mute live audio
volume. This control does not affect recorded video.
PTZ. Click to enable or disable the Pan, Tilt and Zoom (PTZ) controls.
Continuous recordings that include video from a set amount of time, such as the past 60
minutes.
Motion event recordings that are triggered whenever a motion event occurs. Video is recorded
when the motion occurs, and for a configured number of seconds before and after the event. Use
a video viewing application (such as the Cisco Video Surveillance Safety and Security Desktop)
to view motion event video.
Viewing Recorded Video
Note
This icon is for informational purposes only when displayed with recorded video (the Smooth Video options do not apply).
3 Pop-up menu options.
4 Timestamp for the currently displayed video image. For example: .
Note
Changes to when live video is displayed.
The entire range bar represents the entire span of available recorded video. Slide the range bar selectors to
shorten the range (see below).
The lower (green) seek bar represents the selected range (see below).
6 Range Bar selectors: Drag the range bar selectors to narrow the timespan of video you want to review.
For example, drag the selectors to create a 10 minute range. You can then drag that range left or right to the
appropriate place in the recorded span.
In the following example, the entire range of recorded video is selected (the range bar selectors are to the far right
and left). To display the timestamps, click a selector.
Click and drag the range bar selectors to choose a shorter period of time. In the following example, the range bar
selectors are used to select approximately 10 minutes of video. Drag the selected range left or right to locate the
desired range of recorded video.
Tip
The green seek bar represents the selected span. If the span in the top range bar is 10 minutes, then the green seek bar
represents 10 minutes of video. Slide the seek bar selector to choose the playback time (see below).
Double-click a range bar selector to play back the video from the beginning of that range.
7 Seek Bar: Represents the video range, and is used to select a playback time.
For example, if the range is 10 minutes, then the seek bar represents 10 minutes of video.
Tip
Right-click the seek bar and select Seek to... to select a specific date and time.
Note
Gaps in the recorded video are shown in gray. Recording gaps occur if recording was manually started or stopped, if recording
was stopped by a schedule, or if video was unavailable due to network connectivity issues, device malfunctions, or other events.
8 Seek Bar selector: Drag the selector to play video from the selected time (as indicated by the timestamp).
Note
When you move the scroll bar for a video pane that is synchronized, that pane becomes the new synchronization master pane. The
other synchronized panes play video according to the master pane.
9 Bookmarks: Create bookmarks to save a video clip or a repeating segment.
To create a bookmark, Ctrl-Click-drag the seek bar. The bookmark span is shown in orange.
10 Bookmarks menu: Right-click the seek bar to display the bookmark menu. You can save the bookmarked video as a
clip in one of the supported formats, remove all bookmarks, or create a repeating segment.
11 Indicates live or recorded video. Click the icon to switch between live and recorded video.
Tip
The first time you select a camera's recorded video, the playback begins slightly behind the live (current) time.
When you toggle between live and recorded, recorded video returns to the previously selected timestamp.
Step Reverse button: (Archived video only) Pauses the playback and steps back one frame at a time.
Play Reverse button: (Archived video only) Plays the video archive in reverse at normal speed.
Pause button: Pause the video playback.
Play Forward button: Play the video forward at normal speed.
Step Forward button: (Archived video only) Pauses the playback and steps forward one frame at a time.
Right-click the Play Reverse or Play Forward button to play the video slower or faster.
For example, select 0.50X to play the video at half speed (forward or reverse). Select 4.00X to play at 4 times the
normal rate (forward or reverse).
13 Click the triangle to pin the control bar to the screen, or auto-hide it when the cursor is moved.
Note
The control bar and audio icon will not display if your workstation monitor is set to a 16-bit color setting. Change your monitor
color setting to 32-bit.
14 Camera feature icons. For example:
or Audio is supported by the camera and enabled or disabled in the viewing pane.
The synchronization icon appears in video panes that play synchronized video.
Note
The PTZ icons are enabled only for live video.
The control bar and audio icon will not display if your workstation monitor is set to a 16-bit color setting. Change your monitor
color setting to 32-bit.
Usage Notes
Multi-pane video clips can also be saved to your desktop and played using the Cisco Video
Surveillance Review Player.
If a camera is soft-deleted, you can still access the camera's recorded video but cannot display live
video. Recordings are retained on the system until removed according to the recording retention settings.
Click the icon to toggle between live and recorded video. The icon appears when recorded
video is displayed.
The first time you select a camera's recorded video, the playback begins slightly behind the live
(current) time. When you toggle between live and recorded, recorded video returns to the previously
selected timestamp.
To maximize the video screens, move the new workspace to a separate monitor and double-click a
pane to fill the entire browser window. To fill the entire monitor screen, right-click the image and select
Full screen mode.
To control the playback in multiple video panes, press Shift-Click to select multiple concurrent
panes, or Ctrl-Click to select individual panes. The borders of all selected panes turn to orange. Controls
and actions performed in one pane also affect the other selected panes. To deselect panes, select a single
pane, or use Shift-Click or Ctrl-Click to deselect the panes.
When the Privacy Mask is enabled on a compatible camera, all live video from that camera is blocked
and cannot be viewed by any operator or monitor, or recorded by the Cisco Video Surveillance system.
This feature is typically used with the Virtual Sitter feature for health care providers, allowing
operators to temporarily block video from a Cisco Video Surveillance camera when the patient requires
privacy. Figure shows the icons used to enable or disable the Privacy Mask.
Note
You must belong to a User Group with Control Privacy Mask access permissions to use this feature.
Privacy Mask Controls
Note
The function of the privacy mask icons was reversed in Cisco VSM release 7.5. Click the privacy icons
to turn the video on or off:
Note
The Privacy Mask is not disabled automatically; an operator must disable the
Privacy Mask by clicking the icon to allow live video to be transmitted,
viewed and (optionally) recorded.
For example, when you click the icon, the video frame for that camera is blank.
The same blank (blue) screen is recorded (if recording is configured).
Privacy Mask Enabled
When the Privacy Mask Timer expires, the video frame flashes to remind the operator that the mask is
still on. To display video, click to turn the Privacy Mask off and display and record video normally.
Note
If the camera reboots due to a power cycle or other reason, the camera will power up with the Privacy Mask in the
state it was before the reboot. For example, if the mask was enabled and there was 5 minutes remaining on the
timer, the camera will remember the state after the reboot.
Step 1 Log in as an admin or other user who has Users & Groups access permissions.
Step 2 Create a Role that includes Control Privacy Mask access permissions.
Step 3 Create a user group and assign the new role to the group.
For more information about Cisco Virtual Patient Observation, see the following:
Use the Backup & Restore tab in the server configuration page to back up a single server.
You can schedule automatic backups, or perform an immediate one-time backup. Each backup creates:
A separate backup file for each server service running on that server (such as the Media Server
and Operations Manager).
To restore a backup, you must restore the files for each server service, and restore the CDAF backup file.
Note
We recommend backing up all servers on a regular basis to ensure configuration and event data is not lost if a
hardware failure occurs. Backups are also used to restore configurations and historical data when upgrading or
moving to a new system. Backup files can be saved to the server (local) or to a valid FTP/SFTP server.
Configuration Plus Historical Data: (Default) Includes the configuration for the server
service, data plus events, health notifications, logs, and other information regarding the status,
use and health of the system.
Note
Recordings are backed up using a Long Term Storage server.
Usage Notes
Each backup includes a separate backup file for each active service on the server, plus a file for
the CDAF service.
CDAF runs on all servers and provides the Cisco VSM Management Console user interface and
features. CDAF backups include the server database, system information, console jobs and other
data. The CDAF service must be restored along with the other server services or information
may be missing and system errors can occur.
The maximum number of allowed backups is:
o Map server service: 1 manual and 1 automatic backup.
o All other server services: 5 manual and 3 automatic backups.
When the maximum number of backups is reached, an existing backup file must be deleted to
make room for the new backup file. Automatic backups will automatically delete the oldest
backup file. To perform a manual backup, you must manually delete an existing backup file.
Use Bulk Operations to set the schedule for multiple servers.
The Media Server configuration data is backed up automatically to the local server every day by
default (and cannot be disabled). Automatic backups must be configured for the other server
services.
Each Cisco VSM server can be configured with a single FTP or SFTP server. The same FTP or
SFTP server can be used by multiple Cisco VSM servers using the Bulk Operations feature.
Manual backups can be triggered for a single server, or for multiple servers (using Bulk
Operations). Bulk action is supported for Media Servers only. The Bulk Action feature does not
support Map or Metadata servers.
Server restore can be performed for a single server only. Bulk server restores are not supported.
Failed backup(s) are only visible for a single server (on the Server Management page). There is
no bulk filtering or display of failed backups in the Bulk Operations page.
Prior to Cisco VSM release 7.5, automatic backups to local storage could include configuration
and historical data. In release 7.5 and later, however, automatic backups to the local disk
support configuration data only. When upgrading from release 7.2 or earlier to release 7.5 or
later, any automatic backups will be changed to the configuration only option.
Backup Settings
Automatic Backups
Server Backup Settings
Field: Description
Enable: Select the check box to enable or disable the automatic backup schedule.
Destination: Select where the backup file will be stored.
Note
This field is disabled for daily backups. Select the time from the At field.
At: Enter the time of day the backups will occur.
Remote Storage
Note
These settings define the remote server used to store backup files if the Remote option is enabled. Click Test to
verify the settings are correct and the remote server can be accessed.
Enable: Select the check box to enable or disable the remote network storage option. If enabled,
backups will be saved to the remote destination.
Protocol: Select the type of remote server: FTP or SFTP.
Address: Enter the server network address.
Username: Enter the username used to access the server.
Password: Enter the server password.
Path: Enter the directory path where the backup file will be stored.
Backup File Format
Backup files are saved using the following formats:
Service: The service acronym that defines the data stored in the file. For example:
VSOM=Operations Manager, VSMC=Management Console, VSF=Federator, etc.
HostName: the host name of the server running the Cisco VSM Operations Manager service.
yyyyMMdd_HHmmss: the date and time when the backup file was created.
For example, if the PSBU-ENG14 server configuration and historical data was backed up on August 17,
the resulting filename would be: VSOM_psbu-eng14_backup_20130817_174250.tar.gz
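The following is an added example, not Cisco code: it parses backup filenames and flags any host whose newest restore set lacks the Console (CDAF) backup that must be restored along with the other services. The filename pattern is inferred from the single example filename above, the Console prefixes `CDAF` and `VSMC` are an assumption, and every sample name except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the one filename shown on this page:
#   VSOM_psbu-eng14_backup_20130817_174250.tar.gz
BACKUP_NAME = re.compile(
    r"^(?P<service>[A-Za-z]+)_(?P<host>[A-Za-z0-9.-]+)_backup_"
    r"(?P<stamp>\d{8}_\d{6})\.tar\.gz$"
)

# Assumption: the Console (CDAF) backup file carries one of these prefixes.
CONSOLE_SERVICES = {"CDAF", "VSMC"}

# Constructed directory listing (only the first name comes from the page).
SAMPLE = [
    "VSOM_psbu-eng14_backup_20130817_174250.tar.gz",
    "VSMS_psbu-eng14_backup_20130817_174255.tar.gz",
    "CDAF_psbu-eng14_backup_20130817_174301.tar.gz",
    "VSOM_psbu-eng14_backup_20130810_020000.tar.gz",   # older VSOM backup
    "VSMS_cam-ms02_backup_20130817_020000.tar.gz",     # host without a Console backup
    "VSOM_psbu-eng14_backup_20131345_999999.tar.gz",   # impossible date and time
    "notes.txt",                                       # not a backup file
]


def parse_backup_name(name):
    """Return (service, host, created) or None if the name does not match."""
    m = BACKUP_NAME.match(name)
    if m is None:
        return None
    try:
        created = datetime.strptime(m["stamp"], "%Y%m%d_%H%M%S")
    except ValueError:  # right number of digits, but not a real date/time
        return None
    return m["service"].upper(), m["host"].lower(), created


def restore_sets(names):
    """Group backups per host, keeping the newest file for each service.

    Returns ({host: {service: (created, filename)}}, [rejected names]).
    """
    newest = defaultdict(dict)
    rejected = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            rejected.append(name)
            continue
        service, host, created = parsed
        current = newest[host].get(service)
        if current is None or created > current[0]:
            newest[host][service] = (created, name)
    return dict(newest), rejected


def hosts_missing_console(sets):
    """Hosts that have service backups but no Console (CDAF) backup."""
    return sorted(
        host for host, services in sets.items()
        if not CONSOLE_SERVICES & set(services)
    )


if __name__ == "__main__":
    sets, rejected = restore_sets(SAMPLE)
    for host, services in sorted(sets.items()):
        for service, (created, name) in sorted(services.items()):
            print(f"{host:12} {service:5} {created.isoformat()} {name}")
    print("missing Console backup:", hosts_missing_console(sets))
    print("rejected names:", rejected)
```
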
Automatic: The amount of storage used for automatic backups. The number of backups available
on the system is shown in parenthesis ().
Manual and Transferred: The amount of storage used for manual backups. The number of backups
available on the system is shown in parenthesis ().
Failed Backups
Tip
Click an entry to view additional details about the failure reason.
Procedure
Note
When the maximum number of backups is reached, an existing backup file must be deleted to make room for the new
backup file.
Step 5 From the pop-up, select the destination and backup type.
A separate file is created for each server service, plus an additional file for the CDAF service.
If saved To Local, the backup files are saved on the server (in the Restore From Backup tab).
Failed backups are displayed in the Failed Manual Backups field.
Backup Now
Note
The Media Server configuration data is backed up automatically to the local server every day by default (and
cannot be disabled). Automatic backups must be configured for the other server services.
When the maximum number of backups is reached, an existing backup file must be deleted to make room for
the new backup file. Automatic backups will automatically delete the oldest backup file.
Only the Configuration option is supported when the automatic backups are stored on the Local server.
If a scheduled backup fails, a health notification is sent.
Procedure
Step 1 Select System Settings > Servers.
A separate file is created for each server service, plus an additional file for the CDAF service.
If saved To Local, the backup files are saved on the server (in the Restore From Backup tab).
Automatic Backups
Note
The CDAF service provides the server's Management Console functionality, including the server database, system
information, console jobs and other data. If the CDAF service is not restored at the same time as the other services,
information may be missing and system errors can occur.
For example, if the server is running Operations Manager (VSOM) and Media Server (VSMS) services, a
separate backup file is created for each service plus the CDAF (Console) service. You must restore each
service backup file, one service at a time.
Caution
Restoring a backup deletes any existing configurations, settings and historical data.
Procedure
To restore the server configuration from a backup file, do the following.
Step 4 (Optional) Select Restore System Config to exclude the server configuration from the restore
operation.
The server configuration is the non-Cisco VSM portion of the backup data that includes OS-related
settings, such as the server network configuration. Excluding the system configuration can be used to
replicate a server configuration on additional servers: create a backup from the original server and restore
it to a new server while selecting the Restore System Config option.
Step 5 (Optional) If the backup file does not appear in the list, you can copy a backup file stored on a
PC or remote server.
Note
You must first enter the Remote Storage settings in the Manage Backup tab before you can transfer a file from a
remote server.
c. Click Save.
d. Repeat these steps to upload the backup file for each service, plus the CDAF (Console) service.
Step 6 Select the backup file for the service you want to restore.
The Service Type displays the server service. For example: VSOM (Operations Manager),
VSMS (Media Server), CDAF (Console), Geoserver, or Metadata.
Step 11 Repeat these steps to restore the configurations and data for each additional service on the server.
Step 12 Repeat these steps to restore the backup for the CDAF (Console) service.
Restore Backups
Procedure
Step 4 (Optional) To first save the file to a PC disk or remote server, click Transfer and then To
Remote or To PC.
To Remote: the file will be transferred to the location specified in the Remote Storage section
of the Configure tab.
Overview
Events represent incidents that occur in the system and devices. Alerts aggregate (group) those events
together for notification purposes. For example, if a camera goes offline and comes back online repeatedly,
the individual events for that issue are grouped under a single alert, which results in a single notification. This
prevents operators from being flooded with notifications for every event that occurs for the same issue.
Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again and the
streaming status normal event occurs, the alert severity is changed to INFO.
2. The Cisco VSM Operations Manager aggregates the events into alerts:
3. The browser-based Operations Manager can be used to view events, send notifications, or
(optionally) perform actions that are triggered by security events (such as motion detection).
4. Additional monitoring applications can also be used to view events and alerts:
The Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) application can be
used to view alerts, related events, and related video. You can also change the alert state, add
comments, close the alert, and perform other management options.
Custom applications can be written to gather information, change the alert status, add comments, or
trigger actions when an event or alert occurs.
Note
Custom applications can also subscribe to ActiveMQ topics to receive notifications about device and system
changes. For example, the Alerts topic notifies subscribers when any alert occurs in the system. The custom
application can use the ActiveMQ message contents to optionally trigger additional notification or actions.
Event Types
Cisco VSM generates two types of events: device health events and security events:
Health Events are generated when a device health change occurs, such as reachability, fan speed, file
system usage, or other device-related issues. Critical health events generate alerts by default.
Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions. Security
events do not generate alerts by default.
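The following is an added example, not Cisco code or the Cisco VSM data model: a small simulation of the rules described above (events for the same issue collapse into one alert and one notification, alert severity follows the most recent event, critical health events open alerts by default and security events only where configured). The event fields, device names and the per-device-and-issue grouping key are assumptions; the last helper lists alerts whose current severity hides earlier Critical events.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    device: str
    issue: str      # e.g. "reachability", "motion" (constructed labels)
    kind: str       # "health" or "security"
    severity: str   # "CRITICAL", "WARNING" or "INFO"


@dataclass
class Alert:
    device: str
    issue: str
    severity: str
    events: list = field(default_factory=list)


class Aggregator:
    def __init__(self, security_alerts_enabled=()):
        # Security events open alerts only for the (device, issue) pairs listed here.
        self.security_alerts_enabled = set(security_alerts_enabled)
        self.alerts = {}          # (device, issue) -> Alert
        self.notifications = []   # one entry per alert opened

    def _opens_alert(self, ev):
        if ev.kind == "health":
            return ev.severity == "CRITICAL"   # default for health events
        return (ev.device, ev.issue) in self.security_alerts_enabled

    def ingest(self, ev):
        key = (ev.device, ev.issue)
        alert = self.alerts.get(key)
        if alert is None:
            if not self._opens_alert(ev):
                return None
            alert = Alert(ev.device, ev.issue, ev.severity)
            self.alerts[key] = alert
            self.notifications.append(key)     # single notification per alert
        alert.events.append(ev)
        alert.severity = ev.severity           # severity of the latest event wins
        return alert


def replay(events, security_alerts_enabled=()):
    agg = Aggregator(security_alerts_enabled)
    for ev in events:
        agg.ingest(ev)
    return agg


def masked_criticals(alerts):
    """Alerts that are not Critical now but contain Critical events in their history."""
    found = []
    for (device, issue), alert in alerts.items():
        count = sum(1 for e in alert.events if e.severity == "CRITICAL")
        if count and alert.severity != "CRITICAL":
            found.append((device, issue, count))
    return found


# Constructed event stream: a camera that goes offline and comes back twice.
SAMPLE_EVENTS = [
    Event("dock-cam", "reachability", "health", "CRITICAL"),
    Event("dock-cam", "reachability", "health", "INFO"),
    Event("dock-cam", "reachability", "health", "CRITICAL"),
    Event("dock-cam", "reachability", "health", "INFO"),
    Event("dock-cam", "motion", "security", "INFO"),    # no alert configured
    Event("lobby-cam", "motion", "security", "INFO"),   # alert configured
    Event("ms-01", "fan speed", "health", "WARNING"),   # non-critical health event
]

if __name__ == "__main__":
    agg = replay(SAMPLE_EVENTS, {("lobby-cam", "motion")})
    for key, alert in agg.alerts.items():
        print(key, alert.severity, len(alert.events), "events")
    print("notifications sent:", len(agg.notifications))
    print("masked criticals:", masked_criticals(agg.alerts))
```
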
Triggering Actions
Action: Description
Critical health notifications: Use the Health Notifications feature to send notifications when a critical
device error occurs. Critical errors are health events that impact the device
operation or render a component unusable. For example, a Media Server that
cannot be contacted on the network, or a camera that does not stream or record
video.
Motion event notifications: Click Alert Notifications in the camera template to enable or disable
the alerts that are generated when a motion event stops or starts.
Trigger actions when a security event occurs: Use the Advanced Events feature (in the camera template) to trigger a
variety of actions when a security event occurs. For example, you can send
alerts only on motion start, on motion stop, stop or start video recording,
record video for a specified length of time, invoke a URL, move a camera
position to a specified PTZ preset, or display video on a Video Wall.
Monitoring Device Health Using the Operations Manager
The Health Dashboard displays a summary of all device errors in your deployment, allowing you to
quickly view the health of all cameras, encoders and Media Servers. You can also click a link for any
affected device to open the device status and configuration pages.
Monitoring Features
Monitoring Feature: Health Dashboard: Device Health Faults on an Operations Manager
Location: Operations > Health Dashboard
Description: Open the Health Dashboard to view a summary of Warning or Critical errors for all
configured devices. Click on an entry to open the device status and configuration page and further
identify the issue.
Monitoring Feature: Device Status: Identifying Issues for a Specific Device
Location: Cameras > Status; System Settings > Server > Status; System Settings > Encoder > Status
Description: Click the Status tab in the device configuration page to view the specific type of
error for a device. The status categories show where the error occurred.
Click the Status History to view the alert messages for the device.
Click the Affecting Current Status radio button to view only the alerts that are causing the
Monitoring Feature: Sending Alert Emails (Notification Policies)
Location: Operations > Health Notifications
Description: Send emails to specified recipients when a critical device error occurs.
Monitoring Feature: Reports
Location: Operations > Reports
Description: Generate and download information about the Cisco Video Surveillance user activity,
device configuration, and other information.
Monitoring Feature: Synchronizing Device Configurations
Location: Device configuration page. Click the Repair or Replace Config button.
Description: If a configuration mismatch error occurs, you can click the device Repair button to
replace the configuration settings on the device with the settings in Operations Manager.
Monitoring Feature: Viewing the Server Management Console Status and Logs
Location: Operations > Management Console
Description: Displays logs, hardware status, and system trend information for the Cisco Video
Surveillance server. The Management Console is a separate browser-based interface that requires a
separate localadmin password.
Monitoring Feature: Understanding Jobs and Job Status
Location: System Settings > Jobs
Description: Displays a summary of current and completed jobs triggered by user actions.
Monitoring Feature: Viewing Audit Logs
Location: Operations > Audit Logs
Description: Displays successful configuration changes. You can sort or filter the results by user,
device, and other categories.
Health Dashboard: Device Health Faults on an Operations Manager
Use the Health Dashboard to view a summary of the critical or warning faults that are occurring on
servers, encoders and cameras.
For example, select from the Monitor Video page to open the Health Dashboard
window. Choose a location that displays a Health icon. Click the number next to a category (such as
Configuration) or Issue type (such as Motion Unconfigured) to display additional details about the
issue(s) and device. Click the icon to open the device status and configuration page.
Tip
To view the health issues for multiple Operations Managers,
Health Dashboard
By Category: Displays the number of health issues for the location grouped into categories such as
Configuration, Reachability, Hardware and Software. Click the number next to the device type (such as
Servers) to display the issues for all categories.
By Issue: Displays the number of health issues for each type of issue. For example, server issues can
include hardware problems such as temperature or fan speed. Camera issues can include items such as
Motion Unconfigured.
Note
The number represents the total number of issues for all devices at that location, based on the selected category or issue.
2 The Health icon is displayed if a location or any of its sub-locations includes an issue.
Click a location to view the device issues for the location and its sub-locations. If a sub-location has a device with a
health issue, the Health icon is also displayed for the parent location(s).
3 The device type (such as Servers, Encoders, or Cameras) where the issues occurred.
Click a number to display a list of critical or warning faults for the category, issue type, or device
type. For example, click the number 23 next to Hardware to display a list of the hardware issues for all
servers (multiple issues can occur for a single device).
4 Last Update: Refresh the Health Dashboard page to view updated results. The dashboard does not automatically
refresh.
5 The specific health issues that occurred for the selected category or issue type.
All issues are listed. Multiple issues can be displayed for the same device.
Click the icon to open the device status and configuration page.
Tip
Device errors are cleared automatically by the system or manually cleared by an operator using
the Cisco SASD or another monitoring application. Refresh the page to view the latest
information. Some alerts cannot be automatically reset. For example, a server I/O write error
event.
If the system or server is performing poorly, use the diagnostic tools available in the server
Management Console to view performance, hardware and system information.
Understanding Warning and Critical Faults
Warning and Critical Faults
Error Type: Warning
Description: Warnings are based on activity that occurs without incapacitating a component, for example,
interruptions in operation due to packet losses in the network. These activities do not change the
overall state of the component, and are not associated with up and down health events.
Error Type: Critical
Description: Critical errors are health events that impact the device operation or render a component
unusable. For example, a server or camera that cannot be contacted on the network, or a
configuration error.
Components in the critical state remain out of operation (down) until another event restores
them to normal operation (up). Critical errors also affect other components that depend upon
the component that is in the error state. For example, a camera in the critical error state cannot
provide live video feeds or record video archives.
Procedure
Complete the following procedure to access the Health Dashboard and view device health issues:
Step 2 Choose a location to view a summary of the health issues at that location, including its
sub-locations.
Step 4 Click a number to display the specific issues for the device type, category or issue type.
The number represents the total number of issues for all devices at the selected location and its
sub-locations (the number is the consolidated sum of issues in that location and its
sub-locations).
Step 5 (Optional) Click the icon to open the device status and configuration pages.
Step 6 Continue to the Device Status: Identifying Issues for a Specific Device.
Step 7 Take corrective action to restore the device to normal operation, if necessary.
Overall Status
Status: Enabled: OK
Color: Green
Description: The device is operating normally.
Status: Enabled: Warning
Color: Yellow
Description: A minor event occurred that did not significantly impact device operations.
Status: Disabled
Color: Yellow
Description: The device is disabled and unavailable for use. The configuration can be
modified, and any existing recordings can be viewed, but the camera
cannot stream or record new video.
Status: Enabled: Critical
Color: Red
Description: An event occurred that impacts the device operation or renders a
component unusable.
Status: Pre-Provisioned
Color: Brown
Description: The camera is waiting to be added to the network and is not available for
use. A pre-provisioned camera can be modified, but the camera cannot
stream or record video until you choose Enable from the Device
Settings menu.
Status: Soft Deleted (Keep Recordings)
Color: Grey
Description: The device configuration is removed from the Operations Manager but
the recordings associated with that device are still available for viewing
(until removed due to grooming policies).
To view the recordings, select the camera name in the Monitor Video
page. Soft-deleted cameras are still included in the camera license count.
Status: Hard Deleted (Delete Recordings)
Color: None
Description: The device and all associated recordings are permanently deleted from
Cisco VSM.
Note
You can also choose to place the camera in the Blacklist.
Note
Device states can change due to changes in the device configuration, or by manually changing the status in
the device configuration page.
Device Status
Understanding Device Status
From the device configuration page, click the Status tab to locate the category where the error occurred
(such as configuration or hardware), and the alert messages that provide additional details regarding the
cause of the error.
For example, if a critical configuration error occurs, the Configuration entry displays a Critical message
in red. If a configuration mismatch occurs (where the device configuration is different than the Operations
Manager configuration), click the icon to view additional details in a pop-up window.
To resolve the issue, revise the device configuration, or select Device Settings > Repair Configurations
or Replace Configurations to replace the device configuration with the Operations Manager version.
Table describes the status categories. The categories are different for each type of device. For example, Media
Servers include a Software category to indicate the health of server processes. An encoder does not include
streaming or recording categories.
Device Status Categories
Device Status
Associated Servers
Note
The status of Failover, Redundant and LTS servers does not affect the overall status of a device.
Server (Cameras and Encoders only): Indicates that the device can communicate with a Media Server.
Failover Server (HA server configurations only): Indicates the state of the Failover Media Server, when HA is enabled.
Failover Status (HA server configurations only): Indicates if the HA servers are in failover mode.
Redundant Streams Server (HA server configurations only): Indicates if a Redundant server is available for streaming live video.
Long Term Storage Server (HA server configurations only): Indicates if a server is available to store recorded video beyond a
specified date for archiving purposes.
Viewing the Status Error Details and History
If a device error is displayed in the Status page, do one of the following:
A Configuration error indicates that a configuration mismatch occurred (the configuration on the
device is different than the Operations Manager settings). Click the icon to view additional
details.
Click the Status History tab to view the specific events that determine device status.
Tip
Click Affecting Current Status to view only the items that are currently affecting the summaries in the Device
Status tab.
Camera Events
Lesson 9
Tip
All applications in the suite are installed using the Operations Manager browser-based interface
Video workspace
Wall workspace
Alert workspace
Maps workspace
Forensic Analysis Tools
Cisco SASD Advanced Video Player: An advanced monitoring application that includes the following
monitoring workspaces:
Video workspace
Wall workspace
Cisco SASD Wall Launcher: Launches a monitoring application for unattended workstations.
Unattended mode allows video monitoring windows to display
Video Walls without access to the Cisco SASD configuration
interface. The unattended screens can remain open even if the
keyboard and mouse are disconnected, and can (optionally)
re-appear when the workstation is rebooted.
Cisco SASD Wall Configurator: A utility for adding and modifying the video Walls that can be selected and
displayed in the monitoring workstations.
Cisco SASD Federator: A monitoring application that allows Federator users to monitor
video from multiple Operations Managers.
Main Features of the Cisco SASD Application
The Cisco Video Surveillance Safety and Security Desktop application (Cisco SASD) is the main
application in the Cisco SASD suite, allowing you to monitor live and recorded video surveillance using a
variety of tools. For example:
View a list of available cameras based on the camera location or camera name.
View the cameras and related video on a map.
View system alerts and the camera that generated the alert.
View multiple cameras in a grid.
Create multiple viewing windows and drag them onto additional monitors connected to the PC
workstation.
Create Video Walls to display the same pre-defined set of viewing panes on multiple
workstations.
Use Unattended Mode to automatically open the Video Walls on workstations that do not have a
mouse or keyboard.
Use the Forensic Analysis tools to locate recorded video, search for motion events, and locate
video clips.
1 The Cisco Video Surveillance system (and optional Site) to which you are logged in.
2 Select a menu to log out, launch forensic analysis tools, or open help documents.
File
Logout: Log out of the application and disconnect from the Operations
Manager. Unattended screens will still be displayed on the workstation, if
configured.
Forensic Analysis
Thumbnail Search: Use Thumbnail Search to quickly locate specific scenes or events
in recorded video without fast-forwarding or rewinding. Thumbnail Search displays a
range of video as thumbnail images, allowing you to identify a portion of the recording
to review.
Clip Management: Use Clip Management to view, download and delete MP4 clips
that are stored on the server.
Motion Analysis: Use Motion Analysis to view a summary of motion events for
recorded video.
Help: View additional information and documentation.
3 The video monitoring workspaces:
Video: Use the location tree to select a camera or search for a camera by name. Select a View to
view multiple cameras in a grid.
Wall: Display video from multiple cameras in a simple grid that maximizes the viewing
area. Drag the window to a separate monitor, if necessary.
Alert: View and modify system alerts, including the alert video (if the alert is associated with
the video).
Map: Display maps of the Cisco VSM locations, including the camera and alerts at those
locations. Single-click a camera icon to display a draggable icon, or double-click the icon to
view video in a pop-up window.
Duplicate: Click to create a duplicate workspace window that can be dragged to a
separate monitor.
4 Click the triangle to display or hide the side panel.
5 Search: Enter the full or partial name of a camera to display matching camera names.
6 Side Panel: Side panels include the controls and search options for the workspace (side
panels vary for each workspace).
For example, select a location to display the cameras for that location (cameras from
sub-locations are not displayed). Then drag a camera onto a viewing pane.
7 Playback Controls
8 Viewing Pane and control icons
9 Multi-Pane Grid
Layouts: Create a blank matrix from the available layouts and drag cameras onto
each viewing pane.
Select View: Select a pre-defined matrix of cameras. The cameras can be
configured to automatically rotate.
10 Notifications: Notifies you of errors, such as task or software exceptions.
11 Performance Meter: Displays the workstation's CPU performance based on available
memory and bandwidth.
Green indicates that the workstation is meeting the demands of the Cisco SASD
activities.
Yellow is a performance warning.
Red indicates that the workstation performance is poor and processing delays may
occur.
Tip
Hover your mouse over the meter to view network and memory usage details.
Requirements
Cisco Video Surveillance Safety and Security Desktop (Cisco SASD) requires the following.
At least one Cisco VSM server must be installed on the network with the following services
enabled:
o Cisco Media Server
o Cisco VSM Operations Manager
Additional services are required to enable features such as the location maps and Video Motion
Search.
At least one camera physically installed and configured on Cisco VSM Operations Manager
The IP address or hostname of the Cisco Video Surveillance system (same as the Operations
Manager).
A valid Cisco Video Surveillance username and password.
Workstation Requirements:
o A PC or laptop running Windows 7 64-bit operating system.
o The Microsoft .NET Framework 4.0 (full setup) must be installed on the client PC.
o A standard Windows 7 user account.
Note
Logging in with a Guest account can prevent video streaming and result in an error being displayed
in the video pane: Cannot create RTSP connection to server. Check network connection and
server health status.
Cisco Multi-Pane Video Surveillance client software, an Active X client that enables video
playback and other features.
Note
You will be prompted to install this utility when installing or updating the Cisco SASD application.
Complete the on-screen instructions, if prompted. You must have administrative privileges on
the PC workstation to install the software.
Installing the Application Suite
Procedure
Step 1 Verify that the system and workstation requirements are met.
Step 2 Install the Microsoft .NET Framework 4.0, if necessary.
Step 3 Log in to the Cisco VSM browser-based Operations Manager.
a. Launch the 32-bit or 64-bit version of Internet Explorer 8 on your Windows 7 computer.
b. Enter the URL for the Cisco VSM Operations Manager.
c. Enter your username and password.
d. From the Domain menu, choose the default localhost if your account was created using the
Operations Manager. Select a different Domain only if you are a user from an external database
(Active Directory LDAP domain) and are instructed to do so by your system administrator.
e. Enter a new password if prompted.
Note
You must enter a new username the first time you log in, or when your password periodically expires.
Step 5 Click Safety and Security Desktop (under the Software heading).
Step 7 Complete the on-screen instructions to install or upgrade the Cisco Multi-Pane Video Surveillance
client software on your computer. This application is an Active X client that enables video playback and
other features. Video will not play unless the Cisco Multi-Pane client software is correctly installed. You
must have administrative privileges on the PC workstation to install the software.
Tip
To access the application on your workstation, double-click the Safety And Security Desktop icons on your desktop,
or go to Start > All Programs > Cisco Safety And Security Desktop.
You can save the installer file and use it to install the application on multiple workstations, if
necessary. Users must have a valid Cisco VSM username and password to access the system.
An error appears if the Microsoft .NET Framework 4.0 is not installed. Go to
http://www.microsoft.com/en-us/download/confirmation.aspx?id=17851 to download the
installer, then repeat this procedure.
Logging In
Log in to the Cisco SASD application using the username and password supplied by your administrator.
Note
The first time you log in, you must use the browser-based Cisco VSM Operations Manager to change your password
(you will be prompted to set a new password on first login).
Users are configured using the Operations Manager.
You must log in with a standard Windows 7 user account. Logging in with a Guest account can prevent video
streaming and result in an error being displayed in the video pane: Cannot create RTSP connection to server. Check
network connection and server health status.
Procedure
Step 1 (First log in only) Log in to the browser-based Operations Manager and change your initial
password.
a. Launch the Internet Explorer web browser on your PC and enter the IP address or hostname of the
Operations Manager server.
b. Enter your username and password (provided by your system administrator).
c. Complete the form to enter a new password.
d. Log out of the Operations Manager.
Users with Site access are prompted to select a Site. Users with no Site access are not prompted
for a Site.
To change your Site, you must log out and log back in.
Step 5 If prompted, ask your manager or other administrator to enter their Approver Login.
Approver Login
If the system is configured with Sites, and you are a member of a User Group that is assigned to a Site
location, you will be prompted to select a Site when you log in (Figure).
Users with Site access are prompted for a Site. Users with no Site access are not prompted for a
Site.
Users who do not select a Site, are not assigned a Site, or select Not in Any Site will receive
video from a Dynamic Proxy server for cameras in any Site where Dynamic Proxy is enabled.
To change your Site, or log in to Not in Any Site, log out of Cisco SASD and log back in.
Understanding Login Approval
Dual Login requires that a second user (such as a manager) approve a user's access by entering their
credentials. When the user logs in, a second prompt appears for the manager's credentials (Figure). This
optional feature appears every time the user logs in.
Login Approval
Procedure
Step 1 Launch the Internet Explorer (IE) web browser.
Step 2 Enter the same IP address/hostname used to access Cisco SASD.
Step 3 Enter the same username and password used to access Cisco SASD.
Step 4 Click your username in the upper right corner of the Cisco VSM Operations Manager.
Step 5 Enter and reenter your new password.
Procedure
Step 1 Select the Video workspace.
Step 2 Select a blank Layout or click Select View to select a pre-defined layout and set of cameras.
Step 3 (Optional) Select a video source (camera) for each pane:
a. Search for a camera name or select a location.
b. Drag-and-drop camera names onto the available viewing panes (you can also highlight a
pane and double-click the camera name).
Step 4 Use the video playback controls.
Step 5 (Optional) Double-click a video pane to fill the Cisco SASD viewing area with that video. A
preview of the other video panes is shown in a smaller grid at the bottom of the screen.
Double-click the video pane again to return the grid to normal size.
Tip
To fill the screen, right-click the image and select Full screen mode.
Step 6 Click to create a duplicate workspace window that can be dragged to a separate monitor.
Viewing Camera Video in a Multi-Pane Grid
Use the Video or Wall workspace to view video in a grid.
Procedure
Step 1 Select the Video or Wall workspace.
Step 2 Select a blank Layout or pre-defined View.
Step 3 Drag cameras onto the available panes to change the video source.
Note
Unattended video walls are backed by the SASD Monitor Windows service. If a wall is closed or
stops streaming, it will be brought back up automatically. However, this feature is only possible if the PC
is rebooted. SASD walls will not be brought back up if the user logs off and then logs in.
Displaying a Duplicate Workspace on a Separate Monitor
A duplicate workspace is an additional window that does not include menus or links to other workspaces.
Duplicate workspaces maximize the video viewing area and can be dragged to another screen to monitor
multiple workspaces or video grids at a single time. You can create a duplicate of any workspace (Video,
Wall, Alerts or Maps) available in your monitoring application.
To create a duplicate workspace, click the duplicate icon. You can then select a layout, view, map or
alert to view video, and drag the window to another monitor, if necessary.
Tip
Closing the Cisco SASD or Cisco SASD Advanced Video Player window also closes the duplicate
workspace windows. Logging out of the application also closes all windows.
To maximize the video screens, move the new workspace to a separate monitor and double-click a pane to
fill the entire browser window. To fill the entire monitor screen, right-click the image and select Full
screen mode.
Wall Workspace
Video Walls are pre-defined Views that can be displayed on multiple workstations or viewed by
unattended workstations.
Overview
Video Walls are pre-defined Views that can be displayed on multiple workstations (Figure). All
workstations that display the Video Wall will display the same set of pre-defined panes. Walls can be
modified and published to the other workstations viewing the wall, and used as unattended
workstations that can be monitored without user input or control.
For example, a Lobby Door Video Wall includes cameras in buildings 1 through 4. Each workstation
that selects the Lobby Door Wall will display the same set of cameras. If an attendant at one
workstation changes the camera for a pane, they can click Publish To Wall to display the modified scene on
all other workstations that display that Wall.
Tip
Walls can also be displayed on unattended workstations using the Cisco SASD Wall Launcher.
Note
The operator must have access permissions to use the Wall feature.
Video Walls
1 The Wall Workspace.
Tip
Click to create a duplicate workspace window that can be dragged to a separate monitor. This allows you to view multiple
Walls at the same time.
Tip
Drag and drop cameras onto the video panes to change the displayed video. Click Publish To Wall to
display the modified Wall on all workstations that are viewing the Wall (the Wall reverts to the default
view after the rollback time defined in the Operations Manager).
4 Publish To Wall: Click to display a View or modified Wall on all other workstations and
monitors that are viewing the Wall.
Usage Notes
Video Walls are configured by system administrators using the Cisco Video Surveillance
Operations Manager browser-based administration tool.
Video Walls can display a populated View or a blank matrix.
Note
When a pane is updated, all panes in the Video Wall will refresh, which can cause a loss of video for a few
seconds.
Step 5 (Optional) Display a different View on all instances of the selected Video Wall (such as other
workstations that display the same Video Wall).
Tip
The Wall reverts to the default view after the rollback time defined in the Operations Manager.
The Publish to Wall option is enabled only when you change the video displayed in the video
panes.
An unattended workstation is a PC that is used to monitor Video Walls without user input or interaction.
Unattended workstations can be operated without a mouse or keyboard, and do not have access to the
Cisco SASD or Cisco SASD Advanced Video Player interface.
For example:
Once the unattended workstation is configured, you can exit all other Cisco SASD applications
(such as the Cisco SASD Wall Configurator or Cisco SASD Advanced Video Player). The
unattended screens remain open and will (optionally) re-appear when the workstation is
rebooted.
If the keyboard and mouse are removed, the operator can view video, but cannot interact with the
video playback. The workstation can also be placed out of reach (such as below a desk or in a
cabinet).
If the keyboard and mouse remain connected, the operator can interact with the video, and close
and reopen the unattended screens (using the Cisco SASD Wall Launcher).
You can create multiple unattended windows for display on different monitors. For example, one
monitor can display a Video Wall of all Lobby Doors, and a second monitor can display a Video
Wall that rotates the panes among all side entrances.
Unattended mode can be set to launch automatically when the workstation is rebooted (it does
not re-launch when a user logs off and logs back on). You can also use the Cisco SASD Wall
Launcher (installed on the desktop) to relaunch the unattended screens (the Launcher closes any
open unattended windows, and re-launches the unattended Video Wall windows configured on
the PC).
If an unattended Video Wall is shut down (for example, the application crashes or is closed), or if
all panes in the wall are not streaming video, the unattended Video Wall will re-start
automatically.
If the workstation is rebooted, the same unattended windows will automatically reappear on the
monitor(s) in the same position (unless the monitor resolution was changed).
Unattended video walls are backed by the SASD Monitor Windows service. If a wall is closed or stops
streaming, it will be brought back up automatically. However, this feature is only possible if the PC is
rebooted, not if the user logs off and then logs in.
Figure describes the main features of the Cisco SASD Wall Configurator.
Using Cisco SASD Wall Configurator to Define Unattended Video Walls
1 Add: Click to add a Video Wall that will appear on the workstation in unattended mode, and
then select the Wall Name.
2 Launch on Startup
Select to automatically launch the Walls in unattended mode when the workstation is
restarted.
Deselect to manually launch the unattended walls using the Cisco SASD Wall Launcher.
3 Wall Name: Select the Video Wall(s) that will appear when the workstation is restarted or when
Cisco SASD Wall Launcher is launched.
Note
The Video Walls are configured using the Operations Manager.
4 Window State: Defines the size and location of the Video Wall when the workstation is restarted
or when Cisco SASD Wall Launcher is launched.
Normal: The Video Wall window appears in the size and location defined using the Cisco
SASD Wall Configurator.
Minimized: The Video Wall window is minimized on the monitor.
Maximized: The Video Wall window fills the entire screen.
5 Position: The size and location of the Video Wall in Normal window state.
Move the Video Wall on the screen to automatically change the settings, or enter the coordinates
manually.
6 Launch/Shutdown: Open or close the Video Walls for testing and positioning in the Cisco
SASD Wall Configurator.
Launch: Opens the Video Wall so you can resize and re-position the window.
Tip
All Video Walls will appear when you save and exit the Cisco SASD Wall Configurator, when
you launch the Cisco SASD Wall Launcher, or (optionally) when you restart the workstation.
7 Delete: Removes the Video Wall from unattended mode. The Video Wall window will not
launch.
9 Close: Quits the Cisco SASD Wall Configurator and launches the Video Walls in unattended
mode.
Requirements
The following are required to use the Cisco SASD Wall Configurator to configure unattended
workstations:
Note
Video Walls are configured using the browser-based Operations Manager.
Usage Notes
If the admin account password is changed on the monitoring workstation, then the unattended
windows must be re-configured.
To change the video displayed in the Video Wall panes (such as changing the camera source),
revise the Video Wall configuration using the browser-based Operations Manager. The
unattended windows revert to the Video Wall's Default View when the system is rebooted.
Unattended configuration applies only to a single Cisco Video Surveillance system. If you log
into a different Cisco Video Surveillance system on the same workstation, you cannot revise the
existing unattended windows.
An unattended SASD Wall can be changed by a remote or local user who is running the SASD main app
or SASD ADP and publishes a different view to the wall, or a different camera to a pane.
The unattended mode will repeatedly restart if video to all panes is lost. This can be caused by
network or system issues, or if a Video Wall without a default view is selected. This allows
unattended mode to recover when the problem is resolved. For example, if the video streams for
all panes are provided by a single Media Server, and that Media Server goes down, then the
unattended mode will restart until communication with the server is reestablished. If the Media
Server fails over to another server, then the new server will provide video streaming and the video
will be displayed.
If the video stream is lost for one (but not all) of the video panes, unattended mode will not
restart and the pane will display an error message and icon. The video will automatically
re-appear only if the video is in unattended mode and the camera is enabled for failover.
Procedure
Step 1 Before you begin, create one or more Video Walls.
Step 7 Click to launch (display) the Video Wall.
Step 8 Position the Video Wall window(s) on the workstation monitors.
The window will re-display in the same position if you selected the Normal window state.
Step 9 Repeat Step 4 through Step 8 to select a Video Wall for each unattended window and position
the window on the workstation display(s).
Step 10 Select or deselect Launch on Startup to launch unattended mode when the workstation is
restarted.
Tip
If deselected, the unattended windows will not appear when the workstation is restarted. Use the
Cisco SASD Wall Launcher to open the unattended windows.
Step 12 Close the Cisco SASD Wall Configurator window to quit the application and launch the Video
Walls in unattended mode.
Note
If all video panes are blank (no camera was selected as a video source in the Operations Manager), then
the unattended window will repeatedly restart because video streaming is not available.
Step 13 (Optional) Move the Video Wall windows to display any unattended mode windows placed
directly behind each other, if necessary.
Step 14 (Optional) Remove the keyboard and mouse.
If the keyboard and mouse are removed, the user can only view video.
Leave a mouse (and/or keyboard) attached to allow the user to control video playback.
Launch Options
Launch Option | Description
Save and exit the Cisco SASD Wall Configurator | The Video Walls are launched automatically when the Cisco SASD Wall Configurator closes.
Launch the Cisco SASD Wall Launcher | The Cisco SASD Wall Launcher opens all Video Walls in unattended mode that were added in the Cisco SASD Wall Configurator. The Launcher also closes any open unattended windows, and re-launches the unattended Video Wall windows configured on the PC.
Restart the workstation | (Optional) If the Launch on Startup option is selected in the Cisco SASD Wall Configurator, the Video Walls will launch in unattended mode when the workstation restarts.
Note
The Video Walls will no longer appear when the unattended windows are launched.
Step 1 Launch Cisco SASD Wall Configurator and log in to the application.
Note
If the window is in Offline mode, changes made by another user to the Video Wall or View are not updated until the window
returns to Online mode.
Offline appears in the window title bar when the unattended window is operating in offline mode.
If the network connection to the Operations Manager is lost, the unattended windows will
relaunch in offline mode.
If the Operations Manager is unavailable when the unattended windows launch, the unattended
windows will restart in offline mode.
Transition Times
The unattended windows periodically check for Operations Manager connectivity, and automatically
switch between online and offline mode, if necessary. The system performs this check periodically to
avoid switching back and forth if an intermittent network issue occurs (such as jitter).
Health Events are generated when a device health change occurs, such as reachability, fan
speed, file system usage, or other device-related issues. Critical health events generate alerts by
default.
Security Events: Events such as motion stop or start, analytics, contact closures, or soft triggers
from an external system can be configured to generate alerts, or perform other actions (security
events do not generate alerts by default). Security alerts can also be forwarded to the Federator
(if installed).
Note
When a camera is configured for stream redundancy (for example, stream 1 to the primary Cisco Media
Server and stream 2 to a redundant server), events from both streams are added to the same alert.
Alert Workspace Overview
Select the Alert Workspace to view alerts and the events related to each alert. You can also take numerous
actions depending on the alert or event type. For example
Alert Workspace
The Alert Workspace is available in the Cisco SASD and Cisco SASD Federator applications
only. Alerts are not included in the Cisco SASD Advanced Video Player.
Click to create a duplicate workspace window that can be dragged to a separate monitor.
2 Search: Display alerts in a static list based on the filter criteria (including a time span).
The alerts already displayed on the search result table are auto updated if their status changes.
However, the search result table itself is not auto refreshed (new alerts are not inserted, the table
is auto re-sorted etc.). Re-search the alerts to view current results.
Dynamic Filter: Display alerts in an auto-updating list based on the filter criteria (such as
location, alert type and severity). Click the lock icon to stop or start auto-updates.
When unlocked, new alerts will be added to the list as they occur.
When locked, dynamic updating is paused and only the currently displayed alerts are
shown. Unlock the display to refresh the results.
3 Click the triangle to display or hide the side panel.
4 Filter criteria. Select the criteria described below and click Apply.
Tip
If a filter criterion is not selected, all alerts for that filter are displayed.
Location: Click to select a specific location where the alert(s) were created. Only alerts
from that location will be displayed.
Device: Click to select a location and a specific device (camera). Only alerts from that
device will be displayed.
Time: (Search only). Select a span of time. Only alerts that were generated during that time are
displayed. For example, Today or Month.
Alert Type: Health or Security.
Severity: Select CRITICAL, MAJOR, MINOR, WARNING, or INFO.
Note
The alert severity reflects the severity of the most recently generated event. For example, if a camera becomes
unreachable and the streaming status is Critical, the alert is Critical. When the camera becomes reachable again
and the streaming status normal event occurs, the alert severity is changed to INFO.
Note
INFO requests also display CRITICAL alerts.
6 Events associated with the alert (multiple events for the same issue are grouped under a single
alarm).
7 If the URL icon appears, right-click the event to open a new web browser window with
additional information or images.
9 Select the number of items that are displayed on a page, or navigate through the available pages.
10 The camera icon appears if video is available for the event. Double-click the event to
open a 2-pane pop-up playback window. The left pane displays live video, the right pane
displays the recorded video (starting from the event trigger point). This popup window can be
enlarged and dragged to another monitor for better viewing.
If video is not available (for example, if the video was automatically deleted after the duration
defined by the camera retention rules), an error message appears when attempting to view the
video.
Video is available for the following event types:
Motion start/stop
Contact closure open/close
Soft trigger
Analytics
Selecting a Soft Trigger Event URL in the Cisco SASD Monitoring Application
Task | Description
Narrow the list of displayed alerts | Click the tabs at the top of the alert list to filter the displayed alerts: Search keywords; Dynamic Filter (narrow the results based on alert type, status, or severity, time, location, and/or device). Tip: Any filter criteria that are not selected will return all alerts for that filter.
Display the events associated with the alert | Select an alert to view the associated events.
Acknowledge the alert | Right-click an alert and select Acknowledge.
Close, re-open, or flag the alert as a false alarm | Right-click an alert and select an option. When an alert is closed, no new events can be added (unless the alert is reopened by a user). Any new events for the same device and issue are added to a new alert entry. Users can still modify closed alerts, including the following: add a comment (the alert state is not changed); re-open the alert (new events for that device and issue will be added to the alert).
Add a comment | Right-click an alert and select Comment. Add the comment and click Apply.
View event video (motion and analytics alerts only) | The camera icon appears if video is available for the event. Double-click the event to open a playback window.
View alerts on a larger location map | Open the Map Workspace.
New events show the new location, but are added to the existing (and open) alert at the old
location.
When the alert is closed by an operator, any new events create a new alert at the new location
(the location reference in the alert is now consistent with the device location in the event).
For example:
5. New events are associated with a new alert in the new Location 2 (the location reference in the
alert is now consistent with the device location in the event).
Alert 2 Location 2 Device 1
Event 103 Location2 device1
Event 102 Location2 device1
Etc.
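The grouping rules described above (events for the same device and issue join the open alert, alert severity follows the most recent event, a closed alert accepts no new events, and an alert keeps the location it was created with) can be modeled in a few lines of Python. This is an added illustration, not Cisco VSM code; the class names, the `issue` grouping key and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Event:
    event_id: int
    device: str
    issue: str      # assumed grouping key, e.g. "streaming" or "motion"
    severity: str   # CRITICAL, MAJOR, MINOR, WARNING or INFO
    location: str   # device location at the time of the event


@dataclass
class Alert:
    alert_id: int
    device: str
    issue: str
    location: str   # fixed when the alert is created
    state: str = "OPEN"
    events: List[Event] = field(default_factory=list)
    comments: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # The alert reports the severity of its most recent event.
        return self.events[-1].severity


class AlertStore:
    def __init__(self) -> None:
        self.alerts: List[Alert] = []

    def _open_alert(self, device: str, issue: str) -> Optional[Alert]:
        # Newest open alert for this device and issue, if any.
        for alert in reversed(self.alerts):
            if (alert.device, alert.issue, alert.state) == (device, issue, "OPEN"):
                return alert
        return None

    def ingest(self, ev: Event) -> Alert:
        alert = self._open_alert(ev.device, ev.issue)
        if alert is None:
            # No open alert: start a new one at the event's current location.
            alert = Alert(len(self.alerts) + 1, ev.device, ev.issue, ev.location)
            self.alerts.append(alert)
        alert.events.append(ev)
        return alert

    def close(self, alert: Alert) -> None:
        alert.state = "CLOSED"

    def reopen(self, alert: Alert) -> None:
        alert.state = "OPEN"

    def comment(self, alert: Alert, text: str) -> None:
        alert.comments.append(text)   # commenting never changes the state


def replay_constructed_events() -> Tuple[AlertStore, list]:
    """Replay constructed sample events; return the store and a per-event trace."""
    store, trace = AlertStore(), []
    sample = [
        Event(1, "Device 1", "streaming", "CRITICAL", "Location 1"),
        Event(2, "Device 1", "streaming", "INFO", "Location 1"),
        Event(3, "Device 1", "streaming", "CRITICAL", "Location 2"),  # device moved
    ]
    for ev in sample:
        alert = store.ingest(ev)
        trace.append((ev.event_id, alert.alert_id, alert.severity, alert.location))
    store.close(store.alerts[0])
    store.comment(store.alerts[0], "camera relocated")
    alert = store.ingest(Event(4, "Device 1", "streaming", "MAJOR", "Location 2"))
    trace.append((4, alert.alert_id, alert.severity, alert.location))
    return store, trace


if __name__ == "__main__":
    for row in replay_constructed_events()[1]:
        print(row)
```

Event 3 lands in alert 1, which still shows Location 1, while event 4 arrives after the close and opens alert 2 at Location 2.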
Map Workspace
Overview
The Map Workspace displays maps of the region, city, building or other areas where the Cisco VSM is
deployed (Figure). Use maps to view a physical representation of the camera locations in your deployment,
or as an alternative way to locate cameras and drag and drop them onto a Video Wall.
For example, click a location to view the associated map(s). Cameras at that location are represented by a
camera icon. Single-click the icon to display a draggable icon, or double-click the icon to view video in a
pop-up window.
Tip
Maps can include an aerial view of the camera location (such as a street map or satellite view), or an image of the
physical location (such as a building layout, floor plan or other image).
Note
The Map Workspace is available in the Cisco SASD application only. Maps are not included in the Cisco SASD
Advanced Video Player or Cisco SASD Federator applications.
Note
When upgrading to Release 7.5 from Release 7.2 or lower, you must migrate the map images from the
previous system and reconfigure the map image layers. The Cisco VSM mapping system has been
replaced with GIS map support which is not compatible with the earlier map support. Accessing cameras on
maps now requires the use of a Cisco VSM Map Server.
Map Workspace
1 Map Workspace tab.
Cisco SASD application only. Maps are not included in the Cisco SASD Advanced Video Player or
Cisco SASD Federator applications.
Click to create a duplicate workspace window that can be dragged to a separate monitor.
2 Locations. Select a location to display the maps for that location and its sub-locations.
3 Map for the selected location.
A number is displayed when multiple cameras are present and the map is too small to display
individual icons. Zoom in to view the individual icons.
Single-click a camera to view video and alerts from that device. Click anywhere on the map to dismiss
the video feed.
Double-click a camera icon to view video from the camera in a pop-up window. Click anywhere on
the map to dismiss the video feed.
Right-click the icon and select Filter Alert by Camera to view the alerts for that device.
The camera icon color represents the device status:
Green (Enabled: OK)
Yellow (Enabled: Warning)
Red (Enabled: Critical)
Tip
A selector icon is also used to choose image layers (such as floor plans in a building).
9 Click the triangle to hide or show the alerts related to the location or camera.
Requirements
The following requirements must be met to use the Cisco SASD Maps workspace:
Requirements
A Cisco Maps Server must be installed and added to the Operations Manager configuration.
Note
The location maps and image layers configured in Operations Manager are available for use in the Cisco SASD Maps
workspace.
Internet Explorer (IE) 9 or 10 must be installed on the monitoring workstation:
Note
Do not install IE 11 on the monitoring workstation. Cisco SASD Maps workspace uses IE to communicate
with the Operations Manager Maps Server service and configuration. IE 11 can cause incompatibility issues.
The Cisco SASD desktop application must be installed on the monitoring PC.
Note
The Maps workspace is not supported on the Cisco SASD Federator or Cisco SASD Advanced Video
Player applications.
Working With Image Layers
Image layers (Figure) represent additional details on a location map. For example, if a location map
shows an aerial view of a building, image layers can show images of each floor in that building.
Click the selector icon to display and select the image layers available for a location. Camera icons
represent the real-world location of cameras in each image, allowing you to view video and alerts from
specific cameras.
Image Layers
3. Camera icon.
Select a camera to view video and alerts from that device.
Right-click the icon and select Filter Alert by Camera to view the alerts for that device.
The color represents the device status:
o Green (Enabled: OK)
o Red (Enabled: Critical)
4. Video playback window for the selected camera
5. Draggable icon.
Single-click a camera icon to display a draggable icon.
Drag and drop the icon onto a duplicate workspace (icons cannot be dragged onto an
unattended Video Wall).
Step 2 Expand the location hierarchy and select a location from the list.
Step 3 (Optional) Click the selector icon to choose a map provider (such as MapQuest or
OpenStreetMap).
Step 4 (Optional) Click an image layer to display an enlarged version of the image.
Step 5 (Optional) Click the selector icon to choose an image layer (such as a building floor
plan).
Step 6 (Optional) Double-click a camera icon to view video for that camera in a pop-up window.
Step 7 (Optional) Single-click a camera icon to display a draggable icon, then drag and drop the icon
to a Video Wall.
Step 9 (Optional) Right-click the icon and select Filter Alert by Camera to view the alerts for that
device.
GLOSSARY
Alarm The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, or another application using the soft-trigger command
API.
Alarm Trigger The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, another application using the soft-trigger command API,
or a window or door opening/closing.
Alert The action or event that triggers an alarm for which an event profile is logged.
Events can be caused by an encoder with serial contact closures, a motion detected
above defined thresholds, or another application using the soft-trigger command
API.
API Application Programming Interface
Archive A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a
feed from a camera-encoder to be stored in multiple locations and formats to be
viewed at a later time. There are three types of archives: Regular, where the
archive recording terminates after a pre-set time duration lapses and is stored for
the duration of its Days-to-Live. Loop, where the archive continuously records until
the archive is stopped. Loop archives reuse the space (first-in-first-out) allocated
after every completion of the specified loop time. Clip, the source of the archive is
extracted from one of the previous two types and is stored for the duration of its
Days-to-Live.
Archive Clip The source of the archive that is extracted from one of the other two types and
stored for the duration of its Days-to-Live.
Archive Server Programs which receive incoming video streams or loops, interprets them, and
takes the applicable action.
Archiver An application that manages off-line storage of video/audio onto back-up tapes,
floppy disks, optical disks, etc.
Camera Controls Permits users to change the camera lens direction and field view depth. Panning
a camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves
objects closer to or further from the field of view. Many of these cameras also
include focus and iris control. A camera may have a subset of these features such
as zoom, pan, or tilt only.
Camera Drivers Responsible for converting standardized URL commands supported by the
module into binary control protocols read by a specific camera model.
Child Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies:
A direct proxy is the initial or direct connection between the edge camera-
encoder source. By definition at least one direct proxy exists for a given video
source.
A parent proxy is the source of a nested or child proxy. Parent proxies may be
from remote or local hosts. Proxies are nested in a hierarchy with inheritance
rights.
A child proxy is the result of a nested or parent proxy. Child proxies run on the
local host. Proxies are nested in a hierarchy with inheritance rights. A child proxy
has the same resolution, quality, and media type of its parent, but can have a
lower frame rate for motion JPEG.
Clip A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a
feed from a camera-encoder to be stored in multiple locations and formats to be
viewed at a later time. There are three types of archives:
Regular: where the archive recording terminates after a pre-set time duration
lapses and is stored for the duration of its Days-to-Live.
Loop: where the archive continuously records until the archive is stopped. Loop
archives reuse the space (first-in-first-out) allocated after every completion of
the specified loop time.
Clip: the source of the archive is extracted from one of the previous two types
and is stored for the duration of its Days-to-Live.
D
Direct Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By
definition at least one direct proxy exists for a given video source. A parent
proxy is the source of a nested or child proxy. Parent proxies may be from remote
or local hosts. Proxies are nested in a hierarchy with inheritance rights. A child
proxy is the result of a nested or parent proxy. Child proxies run on the local host.
Proxies are nested in a hierarchy with inheritance rights. A child proxy has the
same resolution, quality, and media type of its parent, but can have a lower
frame rate for motion JPEG.
DVR Digital Video Recorder/Recording: broadcasts on a hard disk drive which can then
be played back at a later time.
J
JPEG JPEG (pronounced jay-peg) stands for Joint Photographic Experts Group, the
original name of the committee that wrote the standard. JPEG is designed for
compressing full color or gray-scale images of natural, real-world scenes. JPEG is
lossy, meaning that the decompressed image is not exactly the same as the
original. A useful property of JPEG is that the degree of lossiness can be varied by
adjusting compression parameters. This means that the image maker can trade off
file size against output image quality. The play rate is the number of frames-per-
second or fps.
K
Kbps The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Mbps The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Pan-Tilt-Zoom Controls Permits users to change the camera lens direction and field view depth. Panning a
camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves objects
closer to or further from the field of view. Many of these cameras also include focus
and iris control. A camera may have a subset of these features such as zoom, pan, or
tilt only.
Parent proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy Command A URL-based API that is neither application-platform nor programming language
specific. Commands are sent to dynamically loaded modules (e.g. info.bwt,
command.bwt, event.bwt, &c.) using arguments in the form of name-value pairs.
Proxy Server An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local
hosts. Proxies are nested in a hierarchy with inheritance rights. A child proxy is
the result of a nested or parent proxy. Child proxies run on the local host. Proxies
are nested in a hierarchy with inheritance rights. A child proxy has the same
resolution, quality, and media type of its parent, but can have a lower frame rate for
motion JPEG.
Proxy Source An agent, process, or function that acts as a substitute or stand-in for another. A
proxy is a process that is started on a host acting as a source for a camera and
encoder. This enables a single camera-encoder source to be viewed and recorded
by hundreds of clients. There are three types of proxies: A direct proxy is the
initial or direct connection between the edge camera-encoder source. By definition
at least one direct proxy exists for a given video source. A parent proxy is the
source of a nested or child proxy. Parent proxies may be from remote or local hosts.
Proxies are nested in a hierarchy with inheritance rights. A child proxy is the
result of a nested or parent proxy. Child proxies run on the local host. Proxies are
nested in a hierarchy with inheritance rights. A child proxy has the same resolution,
quality, and media type of its parent, but can have a lower frame rate for motion
JPEG.
PTZ: Pan Tilt Zoom Permits users to change the camera lens direction and field view depth. Panning a
camera moves its field of view back and forth along a horizontal axis. Tilting
commands move it up and down the vertical axis. Zooming a camera moves objects
closer to or further from the field of view. Many of these cameras also include focus
and iris control. A camera may have a subset of these features such as zoom, pan, or
tilt only.
Rate The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Record Rate The rate at which the source is being recorded. For motion JPEG sources, the play
rate is the number of frames-per-second or fps. For MPEG sources, the play rate is
the number of megabits-per-second or Mbps and kilobits per second or Kbps.
Recording A place in which records or historical documents are stored and/or preserved. An
archive is a collection of video data from any given proxy source. This enables a feed
from a camera-encoder to be stored in multiple locations and formats to be viewed
at a later time. There are three types of archives: Regular, where the archive
recording terminates after a pre-set time duration lapses and is stored for the
duration of its Days-to-Live. Loop, where the archive continuously records until the
archive is stopped. Loop archives reuse the space (first-in-first-out) allocated after
every completion of the specified loop time. Clip, the source of the archive is
extracted from one of the previous two types and is stored for the duration of its
Days-to-Live.
Recording Archive An archive whose state is running/recording. A running regular archive gathers
additional data and increases in size. A running loop archive gathers more data
and reuses its allocated space. Regular archives that have not reached their
duration and loops that are still recording are running. Running archives have a
Days-to-Live value of v-1 which does not update until they have stopped.
Repository A central place where data is stored and maintained. A repository can be a place
where multiple databases or files are located for distribution over a network, or a
repository can be a location that is directly accessible to the user without having to
travel across a network.