Most physical security deployments I walk into are not engineered. They are assembled. Somebody ran cable, somebody plugged in cameras, somebody configured the NVR, and at some point it started recording. The fact that it works is treated as evidence that it was done correctly.

The difference between assembled and engineered shows up later. When the client wants to add cameras. When something fails and troubleshooting takes three days instead of three hours. When a vendor remotely accessing the system gets onto a network that has no business being accessible from the outside. When the camera count doubles because of an expansion and the existing switches cannot handle the load.

This post covers how to approach a physical security network from the start. Not just which cables to run and which switches to buy, but how to think about the design so that the system you commission is the same one that performs well in two or three years.


Physical Layer First

The physical layer is where a lot of projects quietly go wrong. Problems in the physical layer surface slowly. A cable with a marginal connection will often work at installation and start dropping frames months later when the termination degrades. An undersized conduit gets filled at commissioning and becomes a problem when the client wants to add cameras during an expansion.

Cable selection

For standard IP cameras, Cat6A is the right choice. Not Cat5e, not Cat6. Cat6A. The reasons are straightforward. Cat6A is rated for 10Gbps up to 100 metres and handles PoE better than Cat6. The tighter specifications reduce crosstalk and noise, which matters in environments with long cable runs, high camera densities, or significant electrical interference. The price difference over the project is minimal. The performance difference when the environment is not ideal is not.

Run conduit where you can. Cameras get moved. Systems get expanded. A camera that was adequate two years ago gets replaced by one with four times the resolution. Pulling new cable through an occupied building with no conduit is expensive and disruptive. Pull conduit during construction and save that cost and disruption later.

For inter-switch links, run fibre where the distance exceeds the 100-metre copper limit or where runs pass through areas with significant electrical interference. Industrial environments, mechanical rooms, and areas near heavy equipment are candidates. Fibre also provides galvanic isolation between buildings, which eliminates ground loop issues.

PoE budgets

Every camera that draws power over Ethernet adds to the PoE budget requirement on that switch. Add them up. A switch with a 370W total PoE budget and 24 ports does not mean you have 370W on each port. It means you have 370W to split across all active PoE ports.

  • 15.4W – 802.3af maximum (Standard PoE)
  • 30W – 802.3at maximum (PoE Plus)
  • 60W+ – 802.3bt maximum (PoE++)

Most fixed IP cameras draw between 5 and 12 watts. PTZ cameras draw 20 to 30 watts. Cameras with built-in heaters or specialty features can draw more. Get the specifications for the equipment you are installing and calculate the actual draw before specifying the switch. A 24-port switch with a 15W PTZ camera on each port needs 360W of PoE capacity, which most mid-range 24-port PoE switches cannot deliver simultaneously.

  16 × fixed cameras @ 8W each ............. 128W
  4 × PTZ cameras @ 25W each ............... 100W
  4 × access control panels @ 10W each ..... 40W
  2 × intercoms @ 7W each .................. 14W
  Minimum PoE budget required .............. 282W

That is before adding any spare capacity for expansion. Specify switches with at least 20 to 30 percent headroom above the calculated load. Switches running at their maximum PoE budget throttle power, which causes cameras to power cycle at unpredictable times and generates the kind of intermittent problem that is extremely frustrating to track down.
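The worksheet above as a script, added here as an example rather than taken from the post: it sums the datasheet draw of each device group, applies the headroom the post recommends (25 percent by default, the middle of the 20 to 30 percent range), and reports whether a candidate switch satisfies both port count and PoE budget. The device groups and draws are the post's own worksheet figures; the class ceilings are the 802.3af/at/bt maxima quoted above, and the per-group class check rejects a device whose datasheet draw exceeds what its PoE class can deliver.

```python
# Added example (not from the original post): PoE budget worksheet and switch check.
from dataclasses import dataclass

# Per-port ceilings of the PoE standards as quoted in the post (watts at the PSE).
PSE_CLASS_MAX_W = {"802.3af": 15.4, "802.3at": 30.0, "802.3bt": 60.0}


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    count: int
    draw_w: float              # per-device draw from the datasheet, not the class ceiling
    poe_class: str = "802.3af"  # class the switch port must supply for this device


# The post's worksheet: 16 fixed cameras, 4 PTZ, 4 access control panels, 2 intercoms.
WORKSHEET = [
    DeviceGroup("fixed camera", 16, 8.0),
    DeviceGroup("PTZ camera", 4, 25.0, "802.3at"),
    DeviceGroup("access control panel", 4, 10.0),
    DeviceGroup("intercom", 2, 7.0),
]


def group_load_w(g: DeviceGroup) -> float:
    """Total draw of one device group; refuses a draw the declared PoE class cannot deliver."""
    ceiling = PSE_CLASS_MAX_W[g.poe_class]
    if g.draw_w > ceiling:
        raise ValueError(f"{g.name}: {g.draw_w}W exceeds the {g.poe_class} ceiling of {ceiling}W")
    return g.count * g.draw_w


def worksheet(groups, headroom: float = 0.25) -> dict:
    """Sum the calculated load and add headroom above it, as the post recommends."""
    load = sum(group_load_w(g) for g in groups)
    return {
        "ports": sum(g.count for g in groups),
        "load_w": round(load, 1),
        "required_w": round(load * (1 + headroom), 1),
    }


def check_switch(groups, switch_ports: int, switch_budget_w: float, headroom: float = 0.25) -> dict:
    """Compare the worksheet with a candidate switch. 'fits' needs both ports and budget to pass."""
    r = worksheet(groups, headroom)
    r["switch_ports"] = switch_ports
    r["switch_budget_w"] = switch_budget_w
    r["ports_ok"] = r["ports"] <= switch_ports
    r["budget_ok"] = r["required_w"] <= switch_budget_w
    r["fits"] = r["ports_ok"] and r["budget_ok"]
    return r


if __name__ == "__main__":
    # The post's worksheet against a 24-port, 370W switch.
    print(check_switch(WORKSHEET, switch_ports=24, switch_budget_w=370.0))
    # The post's 24 x 15W PTZ scenario against the same switch: 360W load, no headroom left.
    print(check_switch([DeviceGroup("PTZ camera", 24, 15.0, "802.3at")], 24, 370.0))
```

Run it against every switch in the bill of materials, and keep the output with the project documentation as the PoE budget worksheet; after commissioning, replace the datasheet draws with the per-port draw the switch actually reports.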


Bandwidth Planning

Cameras are the largest bandwidth consumer on a physical security network. The amount of bandwidth each camera generates depends on resolution, frame rate, codec, and scene complexity. The numbers below are representative estimates for typical scenes.

  Resolution   Megapixels   H.264 (Mbps)   H.265 (Mbps)   Notes
  1080p        2MP          4 – 6          2 – 3          Standard indoor fixed camera
  4MP          4MP          6 – 8          3 – 4          High-detail indoor or entrance
  5MP          5MP          8 – 12         4 – 6          Wide-area outdoor coverage
  4K / 8MP     8MP          15 – 25        8 – 12         Forensic or licence plate capture
  PTZ          Varies       8 – 20         4 – 10         Depends on configuration and scene

H.265 (HEVC) typically cuts bandwidth in half compared to H.264 for equivalent quality. If your VMS and cameras both support H.265, use it. The bandwidth savings add up quickly on a 50- or 100-camera deployment.

Calculate total bandwidth for the camera VLAN by adding up the maximum expected bitrate for each camera. Add 30 percent overhead. That is your minimum camera VLAN capacity. The uplink from the camera switch to the rest of the network needs to handle that total, plus whatever management traffic traverses it.


The Network Architecture

Physical Security Network – Layered Architecture
[Diagram: Internet / WAN (external connectivity) → Firewall (inter-VLAN routing, policy enforcement) → Core switch (L3, trunks to all VLANs: 99, 100, 101, 102, 666) → access layer]
  • VLAN 99 MANAGEMENT: switch management × 4
  • VLAN 100 SYSTEMS: VMS server, workstations × 2
  • VLAN 101 CCTV: cameras × 8, PTZ × 4, perimeter × 2 (PoE+, VLAN 101 access ports)
  • VLAN 102 ACCESS CTRL: door controllers × 6, intercoms × 4
  • VLAN 666 BLACKHOLE: all unused switch ports, no routing, no services
  Legend: camera traffic, system traffic, access control, management

Each layer is isolated by VLAN. The firewall enforces what can cross between segments. Camera traffic stays in VLAN 101.

The diagram above shows the architecture that most mid-sized physical security deployments should target. Internet access terminates at a firewall, which provides the perimeter and handles routing between VLANs. The core switch connects to the firewall via a trunk carrying all production VLANs. Access layer switches connect downstream to the core and have cameras, access control panels, and other field devices on access ports in their respective VLANs.

This is not a complicated design. Every component in it is standard. What makes it work is that it is planned before the first cable goes in the wall.


Switch Selection and Placement

The switch selection conversation usually starts with port count and ends with price. There is a third item that matters as much as both of those: PoE budget. Calculate your PoE requirement before you specify the switch. This was covered in the physical layer section above, but it is worth repeating: more projects have PoE problems than port-count problems.

Managed switches only. An unmanaged switch has no VLAN support, no port security, no QoS, no logging, and no ability to restrict what connects to it. In a physical security context, unmanaged switches on the camera network are a liability. They are also not significantly cheaper than entry-level managed switches on a per-port basis. Specify managed switches throughout.

Placement matters for PoE efficiency. PoE runs on the cable between the switch and the camera. The longer the cable run, the more power is lost to resistance. Keep switch closets or IDF rooms positioned so that most camera runs are under 60 metres. Runs approaching 100 metres will see meaningful voltage drop on the PoE circuit. On longer runs, check the camera’s minimum operating voltage and confirm it is within spec at the end of the cable.

Uplinks need to handle aggregated camera traffic. A 24-port access switch with 24 cameras generating 6 Mbps each has 144 Mbps of camera traffic going up the uplink. A single 1Gbps uplink handles that comfortably. A 48-port switch fully loaded with 5MP cameras generating 10 Mbps each has 480 Mbps going upstream. In that scenario, a 2-port 1Gbps LACP uplink or a 10Gbps uplink is appropriate.


Firewall and Remote Access

Every physical security network that has any external access needs a firewall. This is not optional.

Remote access for the VMS and for system management should go through a VPN. Not an open RDP port. Not a camera exposed directly to the internet with a port forward. A VPN with MFA. The integrator accounts should exist only when access is needed and be disabled when it is not.

Port forwards to cameras and VMS servers are a significant security risk. Every exposed port is a potential attack surface. Camera firmware vulnerabilities are real and discovered regularly. If you are maintaining installations with direct camera access via port forwarding, it is worth having that conversation with the client.

The firewall inter-VLAN policy for a security network should be explicit rather than permissive. The default stance is deny. You then add specific permit rules for the communication that needs to happen. Cameras need to reach the VMS server on specific ports. The VMS server needs to be able to query cameras on specific ports. Operators on the SYSTEMS VLAN need to reach the access control server on the ports the access control software uses. Everything else is denied.

Document the firewall policy as part of the project. What is allowed, from where, to where, on which ports. That document is the reference when something stops working and you need to figure out whether it is a firewall rule, a VLAN problem, or something else.
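The default-deny inter-VLAN policy described above, expressed as data so that the same table both drives a flow check and prints the policy summary the post says to keep with the project documentation. This is an added example, not the post's or any firewall vendor's code: the VLAN numbers are the post's diagram, while the subnets, the VMS and access-control server addresses, and the application ports (other than RTSP 554 and HTTPS 443) are constructed placeholders to be replaced with the values from the VMS and access-control vendor documentation.

```python
# Added example (not from the original post): default-deny inter-VLAN policy as data.
from ipaddress import IPv4Address, IPv4Network, ip_address

# VLAN numbers from the post's diagram; subnets are constructed for the example.
VLANS = {
    99:  ("MANAGEMENT",  IPv4Network("10.0.99.0/24")),
    100: ("SYSTEMS",     IPv4Network("10.0.100.0/24")),
    101: ("CCTV",        IPv4Network("10.0.101.0/24")),
    102: ("ACCESS_CTRL", IPv4Network("10.0.102.0/24")),
}
BLACKHOLE_VLAN = 666  # unused ports; has no subnet, no routes and never appears in a permit

VMS_SERVER = IPv4Address("10.0.100.10")   # constructed: VMS server in SYSTEMS
ACS_SERVER = IPv4Address("10.0.102.5")    # constructed: access control server in ACCESS_CTRL
VMS_EVENT_PORT = 8443                     # placeholder: VMS listener for camera event pushes
ACS_CLIENT_PORT = 8080                    # placeholder: access control client/server port

# Permit rules: (name, source selector, destination selector, protocol, destination port).
# A selector is either a VLAN id (any host in that VLAN) or one host address.
# Rules are scoped to the server host wherever the post names a server, not the whole VLAN.
PERMIT = [
    ("vms-pulls-rtsp",    VMS_SERVER, 101,        "tcp", 554),
    ("vms-onvif-https",   VMS_SERVER, 101,        "tcp", 443),
    ("camera-events",     101,        VMS_SERVER, "tcp", VMS_EVENT_PORT),
    ("operators-to-acs",  100,        ACS_SERVER, "tcp", ACS_CLIENT_PORT),
]


def vlan_of(addr: IPv4Address):
    """VLAN id containing addr, or None for anything outside the security VLANs."""
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    return None


def _matches(selector, addr: IPv4Address) -> bool:
    if isinstance(selector, int):
        return vlan_of(addr) == selector
    return addr == selector


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Return (decision, rule). Anything not explicitly permitted is denied.
    Same-VLAN traffic never reaches the firewall, so it is reported separately."""
    s, d = ip_address(src), ip_address(dst)
    if vlan_of(s) is not None and vlan_of(s) == vlan_of(d):
        return ("not-firewalled", None)
    for name, s_sel, d_sel, r_proto, r_port in PERMIT:
        if _matches(s_sel, s) and _matches(d_sel, d) and proto == r_proto and dport == r_port:
            return ("permit", name)
    return ("deny", "default-deny")


def policy_document() -> list:
    """The firewall policy summary for the project documentation, one line per rule."""
    def label(sel):
        return f"VLAN {sel} ({VLANS[sel][0]})" if isinstance(sel, int) else f"host {sel}"
    lines = [f"{name}: {label(s)} -> {label(d)} {proto}/{port}" for name, s, d, proto, port in PERMIT]
    lines.append(f"default: deny all other inter-VLAN traffic; VLAN {BLACKHOLE_VLAN} is not routed")
    return lines


if __name__ == "__main__":
    print("\n".join(policy_document()))
    print(evaluate("10.0.100.10", "10.0.101.21", "tcp", 554))   # VMS pulls a stream: permit
    print(evaluate("10.0.100.20", "10.0.101.21", "tcp", 554))   # workstation to camera: deny
    print(evaluate("10.0.101.21", "203.0.113.9", "tcp", 443))   # camera to the internet: deny
```

The evaluator checks the initiating direction only, on the assumption that the firewall is stateful and allows the return half of a permitted connection; that is how the VMS-to-camera RTSP rule carries the video back without a camera-to-VMS permit on port 554. Keep the output of `policy_document()` next to the VLAN table, and re-run the checks whenever a rule is added so the document and the firewall do not drift apart.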


Documentation as Infrastructure

The network documentation for a physical security deployment should include:

  • IP address map: every device, its address, its MAC, its physical location, its switch port
  • VLAN assignment table: which VLAN each device is in and why
  • Switch port map: which device is on which port of which switch, with port configuration notes
  • Trunk diagram: which VLANs traverse which uplinks
  • Firewall policy summary: what is permitted between VLANs
  • Credentials inventory: what accounts exist, where, with a rotation schedule
  • PoE budget worksheet: actual measured draw per switch vs rated budget

This documentation does not need to be elaborate. A well-organized spreadsheet and a network diagram cover most of it. What matters is that it exists, it is accurate at commissioning, and there is a process for keeping it current when changes are made.
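A spreadsheet is only useful while it is accurate, and the IP map, VLAN table and switch port map can be checked against each other mechanically. The following is an added example, not the post's own tooling: it loads a constructed IP map and switch port map in CSV form (the shape a spreadsheet export would take; the device names, addresses and MACs are made up, the VLAN numbers are the post's) and reports the inconsistencies a commissioning review should catch: an address outside its VLAN's subnet, a duplicate IP or MAC, a device documented in one VLAN on a port configured for another, and an unused port left outside the blackhole VLAN.

```python
# Added example (not from the original post): cross-checking the IP map against the
# VLAN table and the switch port map. All sample records below are constructed.
import csv
import io
from ipaddress import ip_address, ip_network

# VLAN numbers from the post's diagram; subnets constructed for the example.
VLAN_SUBNETS = {
    99: ip_network("10.0.99.0/24"),
    100: ip_network("10.0.100.0/24"),
    101: ip_network("10.0.101.0/24"),
    102: ip_network("10.0.102.0/24"),
}
BLACKHOLE_VLAN = 666

# Constructed IP map export. It deliberately contains four documentation errors.
IP_MAP_CSV = """\
device,ip,mac,vlan,switch,port,location
vms-01,10.0.100.10,00:11:22:33:44:01,100,core-01,1,server room
cam-lobby-01,10.0.101.21,00:11:22:33:44:21,101,idf1-sw01,1,lobby
cam-lobby-02,10.0.100.22,00:11:22:33:44:22,101,idf1-sw01,2,lobby
cam-dock-01,10.0.101.23,00:11:22:33:44:21,101,idf1-sw01,3,loading dock
door-01,10.0.102.31,00:11:22:33:44:31,102,idf1-sw01,4,main entrance
"""

# Constructed switch port map: the access VLAN actually configured on each port.
PORT_MAP_CSV = """\
switch,port,vlan
idf1-sw01,1,101
idf1-sw01,2,101
idf1-sw01,3,101
idf1-sw01,4,100
idf1-sw01,5,1
core-01,1,100
"""


def load(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(devices: list, ports: list) -> list:
    """Return human-readable findings; an empty list means the three documents agree."""
    findings = []
    seen_ip, seen_mac, used_ports = {}, {}, set()
    port_vlan = {(p["switch"], int(p["port"])): int(p["vlan"]) for p in ports}

    for d in devices:
        name, ip, vlan = d["device"], ip_address(d["ip"]), int(d["vlan"])
        mac = d["mac"].lower()
        key = (d["switch"], int(d["port"]))

        if vlan not in VLAN_SUBNETS or ip not in VLAN_SUBNETS[vlan]:
            findings.append(f"{name}: {ip} is not in the subnet of VLAN {vlan}")
        if ip in seen_ip:
            findings.append(f"{name}: duplicate IP {ip} (also documented for {seen_ip[ip]})")
        if mac in seen_mac:
            findings.append(f"{name}: duplicate MAC {mac} (also documented for {seen_mac[mac]})")
        seen_ip.setdefault(ip, name)
        seen_mac.setdefault(mac, name)

        configured = port_vlan.get(key)
        if configured is None:
            findings.append(f"{name}: {key[0]} port {key[1]} is missing from the switch port map")
        elif configured != vlan:
            findings.append(f"{name}: {key[0]} port {key[1]} is configured for VLAN {configured}, "
                            f"device is documented in VLAN {vlan}")
        used_ports.add(key)

    # Every port with no documented device should sit in the blackhole VLAN.
    for key, configured in sorted(port_vlan.items()):
        if key not in used_ports and configured != BLACKHOLE_VLAN:
            findings.append(f"{key[0]} port {key[1]}: unused but in VLAN {configured}, "
                            f"not blackhole VLAN {BLACKHOLE_VLAN}")
    return findings


if __name__ == "__main__":
    for finding in audit(load(IP_MAP_CSV), load(PORT_MAP_CSV)):
        print(finding)
```

Run the audit at commissioning and again after every change window; the script is the "process for keeping it current" in its simplest form, because a documentation edit that breaks consistency is caught the same day rather than three years later.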

I have worked on remediation projects where the documentation for a 200-camera deployment was a photograph of a whiteboard that was taken before the install and never updated. The system had changed significantly in the three years since commissioning. Troubleshooting took days longer than it should have because nobody knew what was at most of the addresses.


Common Deployment Mistakes

Flat network as a cost-saving measure. The conversation usually goes: “We’ll add segmentation later.” Later becomes never, because re-segmenting a live deployment is more work than doing it at commissioning and requires a maintenance window on a production system.

Undersized PoE budget. A switch with 48 PoE ports and a 370W PoE budget seems like it has room for 48 cameras. At 8W each, 48 cameras draw 384W. The switch will throttle power. Cameras will restart unpredictably. The troubleshooting path to “undersized PoE budget” is longer than it should be the first time you encounter it.

Cameras on the corporate network. Cameras on the same flat network as user workstations, printers, and guest Wi-Fi. This is more common than it should be. It provides zero lateral movement protection if something on the user network is compromised.

No firewall on VPN access. A VPN concentrator that terminates VPN connections directly into the camera VLAN, with no firewall between the VPN exit and the production network. Everything the VPN user can reach from their laptop, they can reach after connecting. That is not a VPN policy. That is full network access.

Default credentials left in place. Every camera and switch that ships with default credentials and is never changed is an open door. This is covered in depth in the security controls post, but it belongs on any list of common deployment mistakes because it remains pervasive.

No spare capacity. Switches specified for exact port count with no room for expansion. PoE budgets specified to within 5% of load with no headroom. Uplinks sized for current traffic with nothing left for growth. Every system expands. Specify for where the system will be, not just where it is.


Putting It Together

A well-designed physical security network is not complicated. It is a managed infrastructure with logical segmentation, appropriate switch capacity, a clear firewall policy, and accurate documentation. The design decisions that matter most are made before the first cable goes in: the VLAN scheme, the IP addressing plan, the PoE budget calculation, and the uplink sizing.

The previous two posts in this series, IP Addressing for Security Integrators and VLAN Segmentation for Physical Security Networks, cover the addressing and segmentation decisions in more detail. Read those before sitting down to design the network for a new project.

If you have a specific deployment you want to think through or questions about any part of the design process, reach out through the site.