I'm still learning everyday on networking and all the many many confusing things you can configure within it. I have googled and youtubed as much as I can read/watch to educate myself, but i have some specific noob questions that I'm sure you guys find very easy. Specifically within the IP camera world.

1. Is it crazy to not set up 2 separate networks within a home when using IP cameras throughout?

2. Would the proper way be to use 2 routers (one for normal internet/everyday use(router 1)) and the second dedicated to the cameras/NVR(router 2)?

3. I understand that this allows network traffic among the cameras to not interfere or bog down your normal network on router 1. However, if one wants to view the cameras from a local PC that sits behind Router 1 or even perhaps view cameras from an iphone remotely (thus needing access to the network), does this not contradict my thought process of having two routers for separation?

4. Does Router 2 (camera network) get configured with same gateway as Router 1 or do you set the gateway of router 2 to a static IP available within Router 1 outside its DHCP range?

5. Is it necessary to allow Router 2 to "talk" to router 1? or do you only need Router 1 to talk to router 2, in order to gain access to camera viewing remotely or outside of 2nd network? And i suppose the port forwarding for remotely viewing would need to take place in Router 1 only?

6. Is any of this really still necessary when you have a NVR with a built in switch/router?

7. Is there or are there - good educational videos or documents (with diagram pictures :-D )that you recommend?

Thanks so much for any advice offered - I know just enough to be dangerous but I feel like I'm real close to understanding the slightly more advanced stuff. The way a lot of this stuff is explained on the internet assumes you are an expert and doesn't give an explanation on the WHY? It just says to do this and do that...and thats the end of it. Lol

We typically don't separate them onto their own network in residential, but we did have one commercial job where we were forced to set up a separate VLAN for the NVR and IP cameras across multiple buildings... kept getting random camera lockups and all kinds of weird things. Took years to isolate the problem. IP cams and NVR on separate VLAN = problems all vanished.

In a home, especially if you're admittedly not 100% comfortable with networking, by far the simplest thing to do would be...

Get a switch big enough for every IP camera, plus the NVR, plus a connection back to the Router. The IP cameras will talk to the NVR directly through the switch and that traffic won't even go over to the Router.

Now this doesn't stop broadcasts coming from the cameras or NVR, but I don't think (don't quote me) that IP cameras do a lot of broadcasting. This also doesn't stop the cameras and NVR from seeing broadcasts from anything else on the home network. But, the actual IP video traffic will only go from that camera's port on the switch to the NVR's port on the switch - unless someone is viewing that particular camera from a web browser on a PC/phone/etc.

My 2 cents, but it's only worth half that.

1. Yes, use a router that has the ability to do a Vlan to isolate traffic.

2. See 1, use one router.

3. In the router, the communication between the Vlans can be set.

4. Yes

5. This is done with DNS and Port forwarding.

6. Debatable, but if it is only a 4 or 8 camera system and the NVR has a builtin switch you should be fine.

7. Beats me, I sub out my networks. I use Springs, let me know if you want hs contact info.

For your first question, are you asking about seperate network, copper and all, or just a VLAN?

Personally I would separate them with VLANS, or their own network. Both of these can be achieved with the Ubnt ERL, Mikrotik and others. I would personally use UBNT, and their APs, so its pretty easy.

With the ERL you can set one port to do the main network, and another port to do a different network. You can create a static route from the main network to the CCTV network, which gives the main network, access to the CCTV network.

If you are not familiar with this setup, I would recommend contacting Springs (Chris). He is great, works with a lot of integrators, and knows his stuff. Let one of us know, and we can get you his contact info.

As others have indicated, VLANs are the way to go. Here's an example topology to get you started:

Network 1: PCs, Servers, etc
Network: 192.168.1.0/24
Gateway: 192.168.1.1
VLAN: 1

Network 2: IP cameras, NVR, etc
Network: 192.168.100.0/24
Gateway: 192.168.100.1
VLAN: 100

Following conventional topology, if PC1 (192.168.1.100) needs to connect to CAM1 (192.168.100.100), it would need to follow this path:

PC1 ----- Switch1----- Router1 ----- Router2----- Switch2 ----- CAM1

Using VLANs we can collapse this into one switch and one router:

Router
| |
| |
Switch -- PC1 (VLAN1)
|
|
CAM1 (VLAN100)

Devices on VLAN1 do not see devices on VLAN100. This is Layer 2 segmentation. Devices on separate VLANs need a router (Layer 3) to talk. If PC1 attempts to access CAM1, it will need to send the traffic to the gateway (192.168.1.1) which must have a route to the gateway for VLAN 100 (192.168.100.1). Those gateways can be on the same router, different VLANs.

In practice, then: PC1 sends the packet to the switch, which sends it to the router (VLAN1). VLAN1 sends it to VLAN100, which then sends it back to the switch, which forwards it on to CAM1. Functionally it is the same topology in the first diagram, with a lot less equipment.

To setup a network with VLANs, you need managed switches and advanced routers. Some switches are Layer 3 capable and can perform both Layer 2 (VLAN, switching) and Layer 3 (routing) functions.

Helpful topics include:

Trunk Port (can carry multiple VLANs)
Access Port (only 1 VLAN)
802.1Q (VLAN encapsulation)
Layer 2
Layer 3

Here's a more in-depth explanation: [Link: 9tut.com]

If you have questions on something specific, I can probably point you in the right direction.

I know little about VPN's. I assume having a 32 IP cam system on a network would be not such a great idea unless you had a VLAN? Would having a VLAN limit the access to cams via mobile apps and control systems? Are there any downsides to VLANS?

IP cameras are data intensive by nature - especially if you are recording full-time. With that number of cameras, moving them on to their own broadcast domain (VLAN) is generally recommended. In a residential install you could still get away with it, but the cameras can saturate the network and cause other devices to experience poor performance.

In the corporate realm the networks are generally segmented for that reason and to provide additional security. Best practice is to put the cameras on a non-routed Layer 2 network. You cannot access the cameras unless you are plugged into that network and have an IP on the same subnet. It prevents helpful employees from accessing the cameras. An NVR that is VLAN-capable or has two NIC ports is used. One interface is on the camera network and one interface is on the routed network. You can access the NVR, but not the cameras.

Using a VLAN does not preclude you from making the cameras available outside the network. You forward ports as you normally would. That is a Layer 3 function so you tell the router the next hop is the VLAN gateway.

Access from other control systems should not be a problem, unless that control system is limited to Layer 2 (devices on the same broadcast domain; i.e., same subnet). It forwards the request to the router and routes the traffic across the VLAN.

Using VLANs adds complexity to the network. That could be considered a downside. It requires more understanding of the routing and switching protocols. It also requires more expensive equipment. Managed switches are generally more expensive. And routers capable of VLAN routing are also more expensive than the run-of-the-mill consumer equipment.

Good info. Thanks.

Ubiquiti ERL provides VLANs, and the UAP-US has VLAN Tagging. Use a basic Layer2 switch. ERL - $99 UAP-US -$79 Mikrotik is slightly more.