🌐 CCTV Knowledge Hub

CCTV Networking & Infrastructure

The network is the backbone of every IP CCTV system. This guide covers structured cabling, PoE standards, switch selection, VLAN segmentation, QoS configuration, network security, and wireless options — written for facility managers and security professionals, not just IT engineers.

Contents

In an IP CCTV system, the network carries every frame of video from every camera to every recording server, storage device, and operator screen. A poorly designed network will undermine even the most expensive cameras — causing dropped frames, choppy playback, recording gaps, and vulnerability to cyberattack. A well-designed network, on the other hand, ensures reliable 24/7 recording, smooth live viewing, fast playback, and protection against both physical and cyber threats.

1. Network Fundamentals for CCTV

An IP CCTV system is, at its core, a local area network (LAN) with specialised devices. Understanding a few fundamental concepts helps facility managers communicate effectively with IT teams and evaluate vendor proposals.

IP Addressing

Every IP camera, switch, server, and workstation on the CCTV network has a unique IP address — its identity on the network. CCTV systems typically use private IP address ranges (e.g., 10.10.x.x or 192.168.x.x) that are not routable on the public internet. Addresses are assigned either statically (manually configured on each device — preferred for cameras because the address never changes) or dynamically via DHCP (simpler to deploy but can cause issues if a camera's address changes unexpectedly).

Subnetting

Subnetting divides a large network into smaller, manageable segments. In a CCTV context, you might place all cameras on one subnet (e.g., 10.10.10.0/24), all recording servers on another (10.10.20.0/24), and operator workstations on a third (10.10.30.0/24). This organisation simplifies management, improves security, and makes troubleshooting easier.

VLANs (Virtual Local Area Networks)

A VLAN is a logical division of a physical network. Even though CCTV cameras and corporate laptops may connect to the same physical switch, VLANs ensure they operate on completely separate logical networks — as if they were on different switches entirely. CCTV traffic on VLAN 100 cannot see or interact with corporate data on VLAN 200 unless a router or firewall explicitly permits it. This is a fundamental security requirement for any professional IP CCTV installation.

Quality of Service (QoS)

QoS is a set of switch and router configurations that prioritise certain types of traffic over others. In a CCTV network, video packets must be delivered with minimal delay and zero packet loss. QoS ensures that even during periods of heavy network activity, CCTV video streams receive priority treatment — preventing dropped frames, recording gaps, and degraded image quality.

💡 For Facility Managers: You don't need to configure these settings yourself — that's the job of your IT team or network integrator. But understanding these concepts ensures you can verify that your CCTV network has been designed correctly: dedicated VLAN (not shared with office traffic), static IP addresses for all cameras, proper QoS configured on every switch, and a documented IP address scheme.

2. Structured Cabling Infrastructure

Cabling is the physical foundation of the CCTV network. Poor cabling causes intermittent connectivity, voltage drop on PoE, and packet loss — problems that are extremely difficult to diagnose once the building is occupied and cable routes are concealed.

Copper Cabling — Cat6 vs Cat6A

Parameter	Cat5e	Cat6	Cat6A
Max data rate	1 Gbps	1 Gbps (10 Gbps up to 55m)	10 Gbps (full 100m)
Bandwidth	100 MHz	250 MHz	500 MHz
Max PoE distance	100 metres	100 metres	100 metres
PoE suitability	Adequate for PoE (802.3af)	Good for PoE+ (802.3at)	Best for PoE++ (802.3bt) — lower voltage drop
Shielding	Typically UTP	UTP or STP	Shielded (F/UTP or S/FTP) standard
Cost (relative)	Lowest	Moderate	Higher (~30% more than Cat6)
Recommendation	Legacy only — avoid for new installations	Standard choice for most CCTV	Best choice for future-proofing, PoE++, and noisy environments

⚠️ The 100-Metre Rule: The maximum cable length for any copper Ethernet run (camera to switch port) is 100 metres, including patch cables at both ends. Beyond this distance, signal attenuation and PoE voltage drop cause unreliable connectivity. For longer runs, use fibre optic cable with media converters, or install an intermediate switch or PoE extender.

Fibre Optic Cabling

Fibre optic cable is used for high-speed links between floors, between buildings, and between edge switches and the core switch. Fibre is immune to electromagnetic interference (EMI), supports distances up to 10 km (single-mode) or 550 metres (multi-mode), and provides 10 Gbps or higher throughput.

Fibre Type	Max Distance (10GbE)	Typical Use in CCTV	Connector
Multi-mode (OM3/OM4)	300–550 metres	Between floors within the same building	LC duplex
Single-mode (OS2)	Up to 10 km	Between buildings, campus-wide links	LC duplex

Cabling Best Practices

Use Cat6 minimum for all new CCTV installations. Cat6A is recommended for future-proofing and PoE++ support. Never use Cat5e for new projects.
Test every cable run with a cable certifier (not just a simple tester) after installation. Verify pass/fail against TIA/EIA-568 standards. Demand test reports from the cabling contractor.
Label every cable at both ends with a unique identifier that matches the floor plan and camera schedule. This saves enormous time during troubleshooting and maintenance.
Maintain proper bend radius. Sharp bends in cable degrade performance and can damage internal conductors. Follow manufacturer's minimum bend radius specifications.
Separate CCTV cables from power cables. Running data cables parallel to high-voltage power cables introduces electromagnetic interference. Maintain at least 300mm separation, or use shielded cable (Cat6A STP) in areas where separation is not possible.
Use conduit or cable tray for all cable routes. Never leave cables hanging loose or draped across ceiling tiles — this invites damage, rodent chewing, and makes maintenance impossible.

3. CCTV Network Topology

A well-designed CCTV network follows a three-tier architecture: access layer (cameras and edge switches), distribution/aggregation layer (fibre uplinks), and core layer (core switch, servers, and storage). The following diagram illustrates this topology for a typical multi-floor building.

4. Power over Ethernet (PoE) for CCTV

PoE delivers electrical power and data over the same Ethernet cable, eliminating the need for separate power cabling at each camera location. This is one of the most significant practical advantages of IP CCTV — reducing installation cost by up to 30% and enabling centralised power management from the switch room.

PoE Standards

Standard	IEEE Designation	Max Power at Device	Cable Pairs	Typical CCTV Use
PoE	802.3af	12.95W	2 pairs	Fixed dome, bullet, turret cameras
PoE+	802.3at	25.5W	2 pairs	PTZ, cameras with IR, heater, or fan
PoE++ Type 3	802.3bt	51W	4 pairs	High-power PTZ, multi-sensor panoramic
PoE++ Type 4	802.3bt	71.3W	4 pairs	Speed domes with wiper, heater, blower

PoE Budget Calculation

Total PoE Budget Required = (Fixed cameras × 15W) + (PTZ cameras × 30W) + (High-power devices × 60W)

Always add 20% margin: Required Budget × 1.20 = Minimum switch PoE budget

Example: 20 fixed (20 × 15 = 300W) + 2 PTZ (2 × 30 = 60W) + 2 multi-sensor (2 × 60 = 120W)
Total = 480W × 1.20 = 576W minimum PoE budget for this switch

PoE Distance Extension

When cameras are located beyond the 100-metre copper cable limit, three options exist:

PoE extenders: Inline devices that regenerate both data and power signals, extending reach by an additional 100 metres per extender (can be cascaded). Some extenders draw their own power from the incoming PoE, requiring no local power source.
Fibre with media converter: Run fibre optic cable to the remote location, convert back to copper at a media converter or micro-switch with PoE output. Requires local power at the remote end.
Intermediate switch: Install a small PoE switch at the remote location connected via fibre to the core. Provides PoE to multiple cameras in that area. Requires local power and UPS.

5. Network Switches for CCTV

Managed vs Unmanaged

For any CCTV installation above 8 cameras, managed switches are mandatory. Managed switches provide VLAN configuration, QoS, IGMP snooping, port monitoring, PoE scheduling, 802.1X authentication, and remote management — all essential for a secure, reliable CCTV network. Unmanaged switches are acceptable only for the smallest installations (4–8 cameras) where cost is the primary constraint and network isolation is achieved by physical separation.

Edge Switch Selection Guide

Cameras per Floor	Switch Type	PoE Budget	Uplink	Key Features
1–8	8-port PoE+ managed	120–150W	1 × 1GbE SFP	VLAN, QoS, IGMP
9–16	16-port PoE+ managed	240–380W	2 × 1GbE SFP	VLAN, QoS, IGMP, LAG
17–24	24-port PoE+ managed	370–500W	2 × 10GbE SFP+	All above + 802.1X, SNMP
25–48	48-port PoE+ managed	500–740W	2–4 × 10GbE SFP+	Full enterprise management

Core Switch Requirements

Layer 3 managed switch with inter-VLAN routing capability
Non-blocking switching fabric — all ports operate at full line rate simultaneously
10GbE or 25GbE SFP+ ports for server and storage connections
Redundancy: Dual power supplies, stacking capability, or active-standby failover for mission-critical deployments
Port count: Sufficient ports for all edge switch uplinks + server connections + management + 30% spare capacity for growth

6. VLAN Segmentation & QoS Configuration

Why Dedicated VLANs Are Non-Negotiable

Placing CCTV cameras on the same network as corporate computers, printers, and phones is a serious design error that compromises both security and performance. A dedicated CCTV VLAN ensures:

Security isolation: Corporate network users cannot directly access cameras or video streams. A compromised office computer cannot be used to attack the CCTV system.
Performance isolation: A large file download on the corporate network cannot cause CCTV recording to drop frames. Video traffic is guaranteed its own bandwidth.
Regulatory compliance: STQC Essential Requirements (ER:01), effective April 2026, mandate network isolation for CCTV systems. Auditors will verify VLAN configuration.
Simplified management: Network administrators can apply policies, monitor traffic, and troubleshoot the CCTV network independently of the corporate LAN.

Recommended VLAN Architecture

VLAN ID	Name	Purpose	Devices
VLAN 100	CCTV-Cameras	All IP cameras	Cameras, PoE switches (access ports)
VLAN 200	CCTV-Servers	Recording servers, storage	Recording servers, SAN/NAS, VMS server
VLAN 300	CCTV-Management	Operator workstations, remote access	Viewing workstations, admin PCs
VLAN 400	Corporate-LAN	Office computers, printers	No CCTV devices on this VLAN

QoS Configuration Principles

Mark CCTV traffic with DSCP value EF (Expedited Forwarding, decimal 46) or AF41 (decimal 34) at the edge switch port level.
Configure priority queues on all switches to service CCTV-marked traffic before best-effort corporate traffic.
Set bandwidth reservation: Reserve sufficient bandwidth on each uplink for the total calculated CCTV traffic plus 25% headroom.
Enable IGMP snooping on all switches to prevent multicast video streams from flooding every port.

7. Network Security for CCTV

IP cameras are network devices — and network devices are attack targets. Poorly secured CCTV systems have been exploited worldwide as entry points for corporate data breaches and as nodes in botnet attacks. Network security for CCTV is no longer optional — it is both a best practice and, in India, a regulatory requirement under STQC ER:01.

The 10-Point CCTV Network Security Checklist

#	Security Measure	Why It Matters
1	Change all default passwords on cameras, NVRs, and switches	Default credentials are the number-one attack vector. Attackers know every manufacturer's default password.
2	Isolate CCTV on a dedicated VLAN	Prevents lateral movement from compromised office devices to cameras and vice versa.
3	Enable HTTPS on all cameras and VMS — disable HTTP	Prevents eavesdropping on video streams and login credentials transmitted over the network.
4	Implement 802.1X port-based authentication	Prevents rogue devices from connecting to the CCTV network. Only authenticated cameras gain access.
5	Disable unused protocols (Telnet, SNMP v1/v2, UPnP, FTP)	Each enabled service is a potential attack surface. Disable everything not explicitly needed.
6	Disable all unused switch ports	An open port is an invitation. Administratively shut down every port without a connected device.
7	Update firmware quarterly on all cameras and switches	Manufacturers regularly patch vulnerabilities. Unpatched devices are easily exploited.
8	Use a firewall/VPN for all remote access	Never expose cameras or NVRs directly to the internet. All remote access via encrypted VPN tunnel.
9	Lock network cabinets physically	Physical access to a switch means complete control of the network. Cabinets must be locked and access-logged.
10	Maintain an access log and audit trail	Record who accessed the CCTV system (viewing, export, configuration changes), when, and from where.

⚠️ STQC ER:01 Compliance (April 2026): Under the mandatory STQC Essential Requirements, all CCTV cameras sold in India must demonstrate secure firmware architecture, encrypted communications, strong authentication, and tamper detection. Non-compliant cameras may need to be replaced. Network security is now a regulatory audit item — not just a best practice recommendation.

8. Wireless CCTV — When and How

Wired Ethernet is always the preferred connection method for IP cameras. However, there are situations where running cable is impractical or impossible — and wireless technologies provide a viable alternative.

When Wireless Makes Sense

Heritage buildings where drilling and cable routing would damage protected structures
Temporary installations — construction sites, events, emergency deployments
Remote perimeter cameras separated from the building by roads, landscaping, or open ground where trenching is impractical
Rapid deployment requirements where time constraints prevent cabling

Wireless Technologies for CCTV

Technology	Range	Bandwidth	Best For
WiFi 6 (802.11ax)	Up to 100m (indoor)	Up to 1 Gbps shared	Indoor cameras in areas where cabling is difficult. Maximum 4–6 cameras per access point for reliable video.
Point-to-Point Wireless Bridge	Up to 5+ km (line of sight)	Up to 450 Mbps dedicated	Connecting a remote building, gate house, or perimeter structure back to the main network. Dedicated link, not shared.
Point-to-Multipoint	Up to 3 km (line of sight)	Up to 300 Mbps shared	Connecting multiple remote camera locations to a central base station.
4G/5G Cellular	Anywhere with coverage	Variable (5–100 Mbps)	Temporary sites, mobile units, locations without any fixed infrastructure. Ongoing data costs.

💡 Wireless Limitations: Wireless connections are inherently less reliable than wired — subject to interference, weather, and bandwidth sharing. Never rely on WiFi for critical cameras (entrances, vaults, cash counters). Always configure cameras with edge storage (micro-SD) when using wireless, so recordings continue during connectivity interruptions. Point-to-point bridges are significantly more reliable than shared WiFi for CCTV backhaul.

9. UPS & Power Infrastructure

An uninterruptible power supply (UPS) is mandatory for every component in the CCTV signal chain — switches, servers, storage, and core network equipment. Without UPS protection, a power outage causes immediate recording failure and potential data corruption on the storage system.

UPS Sizing for CCTV

PoE switches: When the switch has UPS protection, all cameras powered by that switch are automatically protected. This is a major advantage of PoE — you don't need individual UPS units at each camera location.
Runtime target: Minimum 15 minutes runtime under full load — sufficient for graceful shutdown of servers or transition to generator power.
UPS type: Online (double-conversion) UPS for server rooms — provides the cleanest power and zero transfer time. Line-interactive UPS is acceptable for edge switch cabinets.

UPS Load Calculation:
Total load (VA) = Switch power draw + PoE load + Server power + Storage power

Example — 96-camera system:
4 × PoE switches (100W each) + PoE load (1,500W total) + 2 × servers (500W each) + storage (600W)
= 400 + 1,500 + 1,000 + 600 = 3,500W (~4,400 VA at 0.8 power factor)
For 15 min runtime: select a 6 kVA online UPS (provides headroom)

10. Network Documentation

A CCTV network without documentation is a maintenance nightmare. Ensure the following documents are created during installation and maintained throughout the system's life:

Network topology diagram: Visual representation of all network layers, switches, servers, and connections — as shown in Section 3 of this guide. Updated whenever changes are made.
IP address allocation table: Every camera, switch, server, and workstation with its IP address, MAC address, VLAN assignment, physical location, and switch port number.
VLAN configuration: VLAN IDs, names, purposes, and which ports belong to which VLAN on every switch.
PoE budget tracking: Per-switch PoE consumption vs available budget, updated whenever cameras are added or replaced.
Cable schedule: Every cable identified by its unique label, showing source (camera/device), destination (switch and port), cable type, length, and test certification status.
Switch configuration backups: Exported configuration files for every managed switch, stored securely and updated after every change.
Password register: Secure (encrypted) record of all device passwords, with a policy for regular rotation.

💡 Handover Requirement: Insist on complete network documentation as a contractual deliverable from the installation contractor. Without it, your maintenance team is working blind — and any future vendor will need to reverse-engineer the network before they can support it.

Need Help Designing Your CCTV Network?

Network design errors are the number-one cause of CCTV system underperformance. BuildingInfra provides independent network design, VLAN architecture planning, PoE budget calculations, and security audits — ensuring your surveillance network is reliable, secure, and future-proof.

Request a Free Consultation

📞 +91-9619111731 | ✉️ ashok8076@gmail.com | 💬 WhatsApp

← Back to CCTV System — Complete Guide