Digital Video Broadcasting and IPTV

A blog by AdvancedDigital Inc.


Put your Management and Streaming Ports on Different Networks

November 23, 2018

[Diagram: Ethernet ports on separate networks]

Most professional network equipment has separate Ethernet ports for device management and data streaming.

When configuring these ports, it is vitally important to make sure that each one is on a different subnet, network, or VLAN.

For many of our customers this requirement is a source of great confusion. So much so that it is the first thing we check for when troubleshooting a networking issue with a customer's device. Some may even ask why it is necessary to have separate management and streaming ports when you can do both on the same one.

In this post we’ll try to answer this question and go over some of the practical and technical reasons for keeping the ports on separate networks.

There are many practical reasons to have separate Ethernet interfaces, on different networks/subnets, for streaming and management.

  • Better security
  • Role-based network access
  • Network flooding protection
  • Advanced Switch/Router Functionality
  • Technical Limitations

Let’s go over these in further detail.

Better Security

Only certain people should be able to access the admin web interface of the device, whereas the number of people who can view the video stream can be much greater. For example, you could easily use an encoder to stream out over the public internet, but you absolutely must not open the admin web interface to the internet, as it will be a prime target for hackers. With the ports on separate networks, different firewall rules can be established for streaming and admin access.

Role-based network access

Even on an internal network, it is a good idea to separate administrators from the content consumers of the device. This is easily accomplished by making sure that the device management Ethernet port is only accessible from a network IP address space reserved for administrator duties. This ensures that even local company employees do not have access to the admin interface of the device, which can prevent accidental or malicious tampering.

Network flooding protection

Sometimes a misconfigured or broken device can inadvertently send out massive amounts of packets over its Ethernet port, creating what is referred to as “network flooding”. If the device is flooding the same network that is used by other services, such as email servers, Active Directory, or phone systems, these might become inaccessible. It is not uncommon for a network flood to bring down the entire network. Having the streaming port on a special network dedicated to streaming will ensure that no other services are affected in the event of an accidental network flood.

Advanced Switch/Router Functionality

Broadcast video streaming applications often require advanced features to be enabled on the router or switch. These include IGMP for multicast video streaming, QoS (Quality of Service) to make sure that live video streams get higher routing priority than other network traffic, and others. These advanced routing features should not necessarily be enabled on simple networks with traditional services, so separating the streaming and management ports allows us to have the advanced functionality only where it is required.

Technical Limitations

Aside from practical reasons, there are also technical ones that require us to have the stream and admin Ethernet interfaces on different networks/subnets. This has to do with the way operating systems handle IP-based communications.

When an incoming IP connection requires a response, such as a web page request, the operating system compares the requester's IP address with the address ranges of its local Ethernet ports to find one capable of reaching that address. When a system has two Ethernet ports on the same network, the operating system could get confused as to which port to send the reply from, since both ports are capable of responding (they are on the same network).

This might create a situation where a request comes in on port Eth0 but the server sends out a reply on Eth1. This mismatch can create undeliverable packets and make it seem that the unit is unreachable. Indeed, this is the #1 reason for customer support requests.
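
The check described above can be automated before a device is deployed. The following Python sketch is an added example, not code from AdvancedDigital; the port names and addresses are constructed samples. It flags ports whose subnets overlap (including the nested case, which goes slightly beyond the identical-subnet case in the text) and lists which ports could carry the reply to a given client.

```python
import ipaddress

# Constructed sample configurations (hypothetical port names and addresses).
SAME_SUBNET = {"eth0": "192.168.1.10/24", "eth1": "192.168.1.11/24"}
NESTED = {"eth0": "10.0.0.5/16", "eth1": "10.0.3.5/24"}
SEPARATE = {"eth0": "10.10.0.10/24", "eth1": "192.168.50.10/24"}


def _networks(config):
    """Map each port to the subnet implied by its address and prefix length."""
    return {port: ipaddress.ip_interface(addr).network
            for port, addr in sorted(config.items())}


def overlapping_ports(config):
    """Return every pair of ports whose subnets overlap (identical or nested)."""
    nets = list(_networks(config).items())
    return [(a, b)
            for i, (a, net_a) in enumerate(nets)
            for b, net_b in nets[i + 1:]
            if net_a.overlaps(net_b)]


def reply_candidates(config, client_ip):
    """Ports directly connected to the client's subnet, i.e. valid reply exits."""
    client = ipaddress.ip_address(client_ip)
    return [port for port, net in _networks(config).items() if client in net]


def mismatch_risk(config, ingress_port, client_ip):
    """True if the reply could leave through a port other than the ingress port."""
    return any(p != ingress_port for p in reply_candidates(config, client_ip))


if __name__ == "__main__":
    for name, cfg in [("same subnet", SAME_SUBNET), ("nested", NESTED),
                      ("separate", SEPARATE)]:
        print(name, "->", overlapping_ports(cfg) or "no overlap")
    print("reply exits for 192.168.1.77:",
          reply_candidates(SAME_SUBNET, "192.168.1.77"))
```

A client that is not on any directly connected subnet yields an empty candidate list; in that case the reply follows the device's default route, which this sketch does not model.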
