Suggestions for a PoE switch for home network and surveillance systems?

[Bill Burton]

I'm setting up a home network and surveillance system and want to run all the cables to a patch panel and then to one or two switches. As I understand it, the best practice is to keep the surveillance network separate from a home network. So I could go for two 8-port PoE switches or one 16-port managed switch if it provides the flexibility to separate two or more networks and is not too expensive. As this setup will be rack-mounted, I would prefer a 1U height switch or a combination of switches. Some of the outdoor cameras are in remote locations so outdoor shielded cable is used with a shielded patch panel.

I'm still looking at what kind of rack to get as since it will be mounted in a shed with an open floor, it should probably be enclosed.

The reason for wanting the home network to have PoE support is to allow for wired access points. The shed is within 20' of the house, the garage is 75' away and another shed is 200' away. There will probably be two or three access points for outdoors and two for the house indoors. I haven't settled on which AP's would be suitable.

At this point, I've not decided whether to purchase an NVR or a NUC type computer or NAS with dual network interfaces. In any case, the video recorder would be added to the rack in the shed where there are no temperature controls so the temperature range could be from below 0F to over 100F (-18C to 38C).

Thanks for any input.
-Bill

 

[Teken]

I'm setting up a home network and surveillance system and want to run all the cables to a patch panel and then to one or two switches. As I understand it, the best practice is to keep the surveillance network separate from a home network. So I could go for two 8-port PoE switches or one 16-port managed switch if it provides the flexibility to separate two or more networks and is not too expensive. As this setup will be rack-mounted, I would prefer a 1U height switch or a combination of switches. Some of the outdoor cameras are in remote locations so outdoor shielded cable is used with a shielded patch panel.

I'm still looking at what kind of rack to get as since it will be mounted in a shed with an open floor, it should probably be enclosed.

The reason for wanting the home network to have PoE support is to allow for wired access points. The shed is within 20' of the house, the garage is 75' away and another shed is 200' away. There will probably be two or three access points for outdoors and two for the house indoors. I haven't settled on which AP's would be suitable.

At this point, I've not decided whether to purchase an NVR or a NUC type computer or NAS with dual network interfaces. In any case, the video recorder would be added to the rack in the shed where there are no temperature controls so the temperature range could be from below 0F to over 100F (-18C to 38C).

Thanks for any input.
-Bill

If this is a serious installation you’ll need to purchase hardware that is IP rated for the outdoor environment it’s expected to operate in.

The phrase you’ll often see is hardened / rugged.

A hardened industrial switch will have a IP rating. The operating range will be at least -40’C ~ 75’C.

The device will be tested to meet vibration, RFI / EMI, Surge / Spike, Temp / Humidity etc.

The vast majority are fan less as such are not impacted by dust / debris. More expensive units all of the components are covered in a conforming material which negates all air born contamination.

Dual power input is typically offered to provide redundant input power. More expensive units offer optical SFP / SFP+ ports to provide higher bandwidth and lightning protection.

As it relates to lightning protection more expensive units incorporate time tested component’s such as SAD, GDT, MOV’s.

All of them are provided with a ground point and the entire case is metal.

The average person on a limited budget will typically just install an indoor rated switch - Don’t!

Buy once - Cry Once!

 

[The Automation Guy]

You are correct that the best practice is to keep the surveillance network separate from a home network. This can certainly be achieved by using completely separate networks, but you can also use VLANs if your network equipment supports it. VLANs are "virtual" lan segments and they can easily be set up to isolate traffic on one vlan segment from reaching another vlan segment.

If you want the option to use VLANs at some point in the future, you'll need to make sure the network switches you choose will support that functionality. Completely "dumb" switches will not have this functionality. Switches that support "layer 3" networking will definitely support it, but there are plenty of switches that fall somewhere in the middle - they support VLANs, but aren't fully "layer 3" capable. (Layer 3 functionality is NOT needed in a typical home setting and you don't need to base your purchase on whether a switch supports layer 3 or not).

 

[Bill Burton]

If this is a serious installation you’ll need to purchase hardware that is IP rated for the outdoor environment it’s expected to operate in.

The phrase you’ll often see is hardened / rugged.

A hardened industrial switch will have a IP rating. The operating range will be at least -40’C ~ 75’C.

The device will be tested to meet vibration, RFI / EMI, Surge / Spike, Temp / Humidity etc.

The vast majority are fan less as such are not impacted by dust / debris. More expensive units all of the components are covered in a conforming material which negates all air born contamination.

Dual power input is typically offered to provide redundant input power. More expensive units offer optical SFP / SFP+ ports to provide higher bandwidth and lightning protection.

As it relates to lightning protection more expensive units incorporate time tested component’s such as SAD, GDT, MOV’s.

All of them are provided with a ground point and the entire case is metal.

The average person on a limited budget will typically just install an indoor rated switch - Don’t!

Buy once - Cry Once!

Thank you very much for this feedback. Based on the information you provided, I found that searching for "industrial" or "hardened" PoE switch brings up some candidates, most of which can be mounted on a DIN rail and also require a 48-volt power supply.

Here are a few standard indoor switch types and their low-end operating temperatures and lightning protection (if any):

• MokerLink: 14F/-10C (some models down to -4F/-20C);
  Lightning protection: ±6kV(contact), ±8kV(air)
• UniFi Lite 16 PoE wall mountable: 5F/-15C;
  Lightning protection: Unknown
• UniFi Standard 16 PoE rack-mount: 23F/-5C;
  Lightning protection: Unknown
• TP-Link and most other switches: 32F/0C;
  Lightning protection: Unknown

Although some of these switches support an operating temperature range that I need, most of them appear to have no lightning or surge protection.

A few industrial/hardened switches (all can be DIN rail mounted):

• MokerLink 8 Port Gigabit Industrial DIN-Rail: -40F/-40C;
  Lightning protection: ±8kV(contact), ±15kV(air)
• LINOVISION Industrial 8 Ports Remote Cloud Managed PoE Switch: -40F/-40C;
  Lightning protection: ±8kV(contact), ±15kV(air)

There are also outdoor weather-proof switches that support wide operating temperatures but I didn't consider them.

Another option is the UniFi DreamWall which would meet my needs but is a bit too expensive for my budget.

-Bill

 

[Flintstone61]

We see a particular Netgear POE switch has a good reputation in the forum. I'm thinkin it has vLan... @looney2ns

 

[looney2ns]

I have had one of these in a weather proof enclosure outdoors for going on 3 yrs now. No problems.
Weather during that time has been down to 0F and as high as 100F.
POE+ Switch.

 

[Bill Burton]

You are correct that the best practice is to keep the surveillance network separate from a home network. This can certainly be achieved by using completely separate networks, but you can also use VLANs if your network equipment supports it. VLANs are "virtual" lan segments and they can easily be set up to isolate traffic on one vlan segment from reaching another vlan segment.

If you want the option to use VLANs at some point in the future, you'll need to make sure the network switches you choose will support that functionality. Completely "dumb" switches will not have this functionality. Switches that support "layer 3" networking will definitely support it, but there are plenty of switches that fall somewhere in the middle - they support VLANs, but aren't fully "layer 3" capable. (Layer 3 functionality is NOT needed in a typical home setting and you don't need to base your purchase on whether a switch supports layer 3 or not).

My original thinking was to use one 16-port switch with VLAN support which if I understand correctly, would also require a router that has VLAN support. Otherwise, using a dumb 8-port switch for each network is possible but I'm unclear as to how a router would be configured to support multiple networks.

My preference is the VLAN approach but I'm still trying to get a better understanding of it and the equipment that supports it.

From what I've seen so far, there are switches that have VLAN support but are layer 2(+).

Thanks for the input,
-Bill

 

[looktall]

would also require a router that has VLAN support

Start there.
What router do you have and does it support vlans and multiple IP addresses.

 

[Bill Burton]

I have had one of these in a weather proof enclosure outdoors for going on 3 yrs now. No problems.
Weather during that time has been down to 0F and as high as 100F.
POE+ Switch.

Thank you for this suggestion. It looks like a nice switch with VLAN support at a good price. I eventually found the datasheet for this Netgear "Smart" switch family at:

https://www.downloads.netgear.com/f...5EPP_GS308EP_GS308EPP_GS316EP_GS316EPP_DS.pdf

in case anyone is interested.

Upon reviewing the hardware specs, the lower operating temperature is 32F/0C and there doesn't appear to be any lightning protection.

I would imagine that due you having the switch in an enclosure, the heat emitted from the switch and other devices (if any) brings the ambient temperature in the enclosure closer to 32F.

In my case, the switch and router would be in a shed so they are protected from rain and snow but not ambient temperature changes. My concern with having lightning protection is that at least three of the cameras are freestanding on poles in the woods so they could be subject to lightning strikes which have happened in that area before.

 

[looney2ns]

Then you should be properly using shielded ethernet cable, and surge suppressors at each end of the line.
Nothing says you can't use an enclosure inside your shed for the switch.
Like THIS

 

[Bill Burton]

Start there.
What router do you have and does it support vlans and multiple IP addresses.

I haven't selected a router yet although I've been looking at many options.

Router requirements:

• Low operational temperature (below 20F)
• 2 WAN ports to support dual ISP's
• 1 GB support
• VLAN support
• VPN/WireGuard/Tailscale, etc. for remote administration and access
• (optional) Router, switch and WiFi access points can be managed together

Routers considered - Home lab/business class, no built-in WiFi:

• UniFi Cloud Gateway Ultra
• Netgate 2100 with pfSense. Very capable but pricey at $349 USD.
• pfSense with third-party hardware. Not yet investigated.
• TP-Link Omada ER605
• TP-Link Festa FR205
• ASUS ExpertWiFi EBG15
• UniFi Edgerouter X12 (no VLAN support?)

Since I made my original post, I've been learning more about VLAN's (in particular with tagging) and it appears that with only one switch, the router does not need VLAN support as the VLAN configuration is entirely contained within the switch. However, most of the routers I've been looking at do have VLAN support.

Thanks for any assistance,
-Bill

 

[Bill Burton]

Then you should be properly using shielded ethernet cable, and surge suppressors at each end of the line.
Nothing says you can't use an enclosure inside your shed for the switch.
Like THIS

View attachment 204432

Thank you for the surge protector suggestion.

My plan is to use:

• Direct burial shielded Cat5e cable
• Shielded RJ45 connectors
• Shielded keystones
• Shielded and grounded patch panel
• PoE switch with lightning/surge protection

Yes, I was planning on building an insulated enclosure for the equipment in the shed. My current plan is to purchase a 9U enclosed rack and line the outside with insulation but I may end up using an old beverage cooler for this winter.

In any case, my thinking is to purchase a switch and router that have an operational temperature low end of 20F/-6.7C or better.

Thanks,
-Bill

 

[looktall]

UniFi Cloud Gateway Ultra

I have one of these. It's brilliant.
VPN access via teleport is zero config and just works.
Amazingly cheap for what it can do.

it appears that with only one switch, the router does not need VLAN support as the VLAN configuration is entirely contained within the switch.

If the router doesn't support vlan, how will it manage the different IP addressing?

 

[Bill Burton]

I have one of these. It's brilliant.
VPN access via teleport is zero config and just works.
Amazingly cheap for what it can do.

The Cloud Gateway Ultra is currently my top pick for many reasons.

If the router doesn't support vlan, how will it manage the different IP addressing?

With a switch that supports 802.1Q VLAN tagging, a header is added to the TCP/IP packets with the tag information. So, for instance, ports on the switch that have cameras and an NVR connected would be configured in the switch admin interface to be on the same VLAN and configured with a tag. If the traffic stays on the switch, then having a subnet doesn't matter. But if the VLAN needs to be routed outside the switch, then the router or other switch needs 802.1Q VLAN support with an associated configuration.

A router that supports VLAN's can also be configured to use a different subnet for different ports. Any devices connected directly to such a port or indirectly via a dumb (unmanaged) switch will be on the associated subnet. In this case, each subnet represents physical network connections.

In contrast, when both a router and switch(s) have 802.1Q VLAN support and are configured to work together, multiple VLAN's on a switch can be passed to the router over a single cable which could associate them with different subnets and rules, etc. on the router. The advantage to this approach is the VLAN's are a logical mapping on top of the physical network. There's also more flexibility as the VLAN configuration can be changed through administration of the router and switch without necessarily requiring any changes to the physical network connections.

So while it may be possible to use a layer 2 802.1Q VLAN capable switch without a router which has that support, there will be some limitations so also having a router with the same VLAN capabilities provides the maximum flexibility.

-Bill

 

[looktall]

If you're planning to VPN in you're gonna need a router that supports vlans otherwise it can get you to the switch but I don't think it's gonna get you into the vlan.

 

[The Automation Guy]

Since I made my original post, I've been learning more about VLAN's (in particular with tagging) and it appears that with only one switch, the router does not need VLAN support as the VLAN configuration is entirely contained within the switch. However, most of the routers I've been looking at do have VLAN support.

Any local traffic that begins on a particular VLAN and stays on the same VLAN as it travels to it's destination will be handled at the switch level and the router will play no part in that data's journey. However, any traffic that needs to travel between VLANs (including any incoming/outgoing traffic outside of the local network - ie the "internet") will have to be handled by the router. If your router/firewall cannot support VLANs, your VLAN experience will be extremely limiting and frustrating.

Of course this is all assuming your switches are not set up as true layer 3 devices. If you set the switches up as true layer 3 devices, all the routing, firewall rules, etc are all handled at the switch level. In that case, you won't even have a normal router/firewall device, so obviously it's a moot point on whether it is VLAN capable or not because it won't exist in your network. PS - I am not suggesting that anyone set up layer 3 switches on their home network (unless they are an experienced IT professional that just wants to do it that way). Layer 3 switches in a typical home network just add a layer of unnecessary complexity IMHO and the learning curve required is not worth the tiny benefits (if there was any actual improvement at all) that a typical home network would gain from this type of setup.