Network devices for security

The network switch is the system as far as the traffic is concerned. Every camera frame, every reader event, every intrusion signal goes through it. The wrong switch becomes the limiting factor on the install’s reliability; the right switch with a managed configuration becomes invisible infrastructure that does its job for ten years. Pick managed switches at every layer, size the PoE budget against the actual load, segregate traffic with VLANs, harden the configuration at commissioning, and the network layer holds up for the institution’s planning horizon.

Switch class by role

When the rule applies

Every switch on the project. The role determines the class: access-layer switches in IDFs serve devices, distribution switches aggregate traffic between IDFs, core switches anchor the network. The institutional default is enterprise-grade managed switches at every layer; consumer or SOHO switches do not appear on production installs.

The spec

// SWITCH CLASS BY ROLE

Access layer (IDF, equipment closet): managed Layer 2 or Layer 3 switch with PoE++, 24 to 48 ports, 1 Gbps copper access ports, 10 Gbps fibre uplinks, full configuration baseline (below)
Distribution layer: managed Layer 3 switch with 10 Gbps or 25 Gbps interfaces, aggregating multiple access switches, providing inter-VLAN routing
Core layer: high-throughput Layer 3 switch with 40 Gbps or 100 Gbps interfaces, redundant power supplies, redundant supervisor modules where the design calls for them
Industrial / environmental: DIN-rail managed switch rated for the environmental conditions (temperature range, vibration, dust ingress); used in outdoor IDFs, transit stations, industrial buildings
Unmanaged switches not used on institutional installs, regardless of port count or budget pressure
Consumer-grade switches (SOHO equipment) not used on institutional installs

Field note

// WHAT I USE

Cisco Catalyst 9300 series at the access layer for institutional projects on a Cisco network (48-port PoE++ at 1.4 kW budget). Aruba CX 6300M series at the access layer for institutional projects on an HPE Aruba network (48-port PoE Class 6 at 1.4 kW budget). Both deliver Class 6 (60 W) on every port simultaneously up to the switch budget.

For distribution and core, the institution’s network team owns the platform choice; the security install aligns with whatever the institutional network standardises on. The security network team specifies the access layer; the institution’s network team specifies the distribution and core.

For industrial / environmental: Cisco IE3300 or Aruba CX 4100i DIN-rail switches, depending on the platform choice. Both rated for temperature range and vibration in outdoor IDFs and industrial cabinets.

PoE budget sizing

When the rule applies

Every PoE-capable switch on the install. The PoE budget is the sum of every port’s draw across the switch; exceed it and the switch cuts power to lower-priority ports in port order until the budget balances. Design at 75 percent of the published budget and the system has headroom for inrush, for incidental loads, and for the next device the institution adds.

The spec

Worked example

VLAN segmentation

When the rule applies

Every managed switch on the install. VLAN segmentation isolates traffic types onto separate broadcast domains, providing both security and performance benefits.

The spec

// VLAN ASSIGNMENT

Minimum five VLANs on the security network::
- VLAN: Cameras (IP cameras and recording servers)
- VLAN: Access Control (controllers, readers, head-end server)
- VLAN: Intrusion (alarm panels, sensors)
- VLAN: Security Servers (head-end systems, management workstations)
- VLAN: Management (switches, UPS, monitoring devices)
Inter-VLAN routing controlled at the distribution layer with ACLs (access control lists) restricting traffic to documented flows
Per-VLAN IP addressing: institutional subnet plan with sufficient address space for current load plus 100 percent growth
VLAN trunk ports between switches: 802.1Q tagged with the institution’s standard native VLAN (typically the management VLAN or VLAN 1 disabled)
Voice VLAN, building automation VLAN, guest wireless VLAN: not on the security network; isolated at the institutional network boundary
VLAN identifiers (1-4094) per the institutional network standard; coordinated at design

Field note

Configuration baseline

When the rule applies

Every switch starts from a documented configuration baseline at commissioning. The baseline is the hardening standard the institution expects on every device on its network.

The spec

// CONFIGURATION BASELINE

Default credentials changed from factory defaults; new credentials managed in the institutional password vault
SSHv2 enabled for management; Telnet disabled
SNMPv3 enabled with authentication and encryption; SNMPv1 and v2c disabled
HTTP web management disabled; HTTPS enabled with the institutional certificate authority
NTP configured to the institutional time source; clock verified before any other configuration
Syslog forwarding configured to the institutional SIEM or NMS
TACACS+ or RADIUS authentication for administrative access, with local accounts as backup only
Spanning Tree Protocol enabled (RSTP or MSTP), with PortFast on access ports and BPDU Guard enabled
Port security configured per VLAN: maximum MAC addresses per port, violation action (shutdown or protect) per institutional policy
Unused ports administratively shut down
Banner message configured with the institutional access policy
Configuration backed up to the institutional configuration management system before commissioning sign-off

Field note

Redundancy and high availability

When the rule applies

Switches in head-end, recording, and critical IDF locations on projects where the institutional design calls for high availability. The two main redundancy patterns are stacking (multiple physical switches operating as one logical switch) and MC-LAG (multi-chassis link aggregation for redundant uplinks).

The two patterns

Stacking: Two or more switches connected with a stacking cable, presenting as a single logical switch with one IP address, one configuration, and shared uplinks. Stack supports hot-swap of failed stack member. Used at the access layer where one failed switch should not bring down the IDF.
MC-LAG (Multi-Chassis Link Aggregation): Two independent switches sharing an LACP-bonded link to a single downstream device. The downstream device sees a single LAG even though the two uplinks terminate on two different switches. Used between distribution and access where uplink redundancy matters but full stacking is not warranted.

The spec

Industrial and outdoor switches

When the rule applies

Switches installed in environments outside the typical office or equipment-room conditions: outdoor IDFs, transit stations, industrial buildings, parking structures, environmental cabinets.

The spec

Field note

Network management and monitoring

When the rule applies

Every managed switch on the install. The switches integrate with the institutional Network Management System (NMS) for monitoring, alerting, configuration backup, and capacity planning.

The spec

Field note

// THE PRACTITIONER POSITION

Managed switches on every IDF and every equipment room. Cisco Catalyst 9300 or Aruba CX 6300M as the institutional default at the access layer; the institution’s network team picks the distribution and core. Industrial DIN-rail switches (Cisco IE3300 or Aruba CX 4100i) in environmental cabinets and outdoor IDFs. PoE budget at 75 percent or below on each supply, with per-port priority and monitoring. Five VLANs minimum (cameras, access, intrusion, servers, management). Configuration baseline before commissioning: changed credentials, SSHv2 only, SNMPv3, NTP, syslog, TACACS or RADIUS, spanning-tree with PortFast and BPDU Guard. Integrate with the institutional NMS at commissioning. Do this and the network layer holds up for the institution’s planning horizon.