Networking for Edge AI: VLANs, PoE Switches, and Bandwidth Math
Last updated: February 2026
TL;DR
Network design for edge AI is straightforward when approached methodically: calculate camera bandwidth, select a PoE switch with adequate port count and power budget, segment camera and management traffic with VLANs, and size the uplink appropriately. Most 8-camera deployments run comfortably on a single managed Gigabit PoE switch with a VLAN configuration that takes under an hour to implement.
Bandwidth Math
Camera bandwidth is the starting point for all network sizing decisions. H.264 and H.265 bitrates depend on resolution, frame rate, scene complexity, and encoder quality settings. Use these conservative estimates for planning:
| Resolution | Frame Rate | Codec | Typical Bitrate | 8-Camera Total |
|---|---|---|---|---|
| 720p | 15 fps | H.264 | 1–2 Mbps | 8–16 Mbps |
| 1080p | 15 fps | H.264 | 3–5 Mbps | 24–40 Mbps |
| 1080p | 30 fps | H.264 | 6–10 Mbps | 48–80 Mbps |
| 1080p | 15 fps | H.265 | 1.5–3 Mbps | 12–24 Mbps |
| 4K | 15 fps | H.265 | 8–15 Mbps | 64–120 Mbps |
A Gigabit (1000 Mbps) link to the compute node handles up to ~900 Mbps of usable bandwidth after protocol overhead, which is more than sufficient for any 8-camera configuration above. The switch's internal switching fabric must also handle this traffic — verify the switch's backplane capacity in its datasheet.
For complete node-level bandwidth and storage requirements, see the 8-camera reference architecture.
VLAN Basics for Edge AI
A VLAN (Virtual Local Area Network) creates a logically separate network segment within a single physical switch. Traffic on VLAN 10 cannot communicate with traffic on VLAN 20 without passing through a router or layer-3 switch that explicitly permits it.
For edge AI deployments, VLANs solve three problems:
- Security isolation: IP cameras are a common attack surface. Placing cameras on an isolated VLAN prevents a compromised camera from reaching the compute node's management interface or the site's corporate network.
- Broadcast containment: Camera RTSP streams generate multicast and broadcast traffic. Confining this to a dedicated VLAN prevents it from polluting other network segments.
- Simplified firewall rules: A single "block all inter-VLAN traffic from camera VLAN except RTSP to compute node" rule is easier to audit than per-device ACLs.
Recommended VLAN Design
A minimal two-VLAN design for a standalone edge AI node:
- VLAN 10 — Camera Network (192.168.10.0/24): All PoE cameras, no internet access, no route to corporate network. The compute node has an interface on this VLAN for RTSP ingestion.
- VLAN 20 — Management Network (192.168.20.0/24): Compute node management interface, PoE switch management IP, uplink to site router. This VLAN has internet access (filtered) for OTA updates and alert forwarding.
The compute node (e.g., Jetson) runs two virtual interfaces — one on VLAN 10 for camera traffic, one on VLAN 20 for management — either via a trunk port to the switch or via two physical Ethernet ports if the carrier board supports it. A trunk port with 802.1Q tagging is the cleaner solution.
Camera IP addresses should be assigned statically (or via DHCP with MAC reservations) to ensure RTSP stream URLs remain stable across camera reboots. Document each camera's IP and physical location in a configuration manifest stored in the repository.
PoE Switch Selection
Key specifications to evaluate when selecting a PoE switch for an edge AI deployment:
- Port count: At minimum, one PoE port per camera plus one or two uplink ports for the compute node and WAN connection. For 8 cameras, a 10- or 12-port switch provides ports for cameras, compute, and router with spares.
- PoE power budget: Total watts available for PoE-powered devices. At 12W per camera, 8 cameras draw 96W at minimum. Select a switch with a 120W+ PoE budget for margin.
- PoE standard: 802.3af (15.4W/port) is sufficient for most fixed cameras. 802.3at PoE+ (30W/port) is needed for PTZ cameras, cameras with integrated heaters, or cameras with built-in illuminators.
- Management capability: VLAN support (802.1Q) requires a managed switch. Unmanaged switches cannot implement VLANs. Smart managed switches provide VLAN and basic QoS at lower cost than full managed switches.
- Switching capacity: Verify the backplane can handle full-duplex Gigabit on all ports simultaneously. Most quality managed switches are non-blocking at Gigabit speed.
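The addressing, PoE and bandwidth rules above can be checked mechanically against the camera configuration manifest. The Python script below is an added example, not code from the original article; the manifest schema (field names such as draw_w and peak_mbps), the sample camera values and the switch management address are assumptions made for illustration.

```python
import ipaddress

CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10 (from the article)
MGMT_NET = ipaddress.ip_network("192.168.20.0/24")     # VLAN 20 (from the article)
PORT_LIMIT_W = {"802.3af": 15.4, "802.3at": 30.0}      # per-port limits quoted above
USABLE_LINK_MBPS = 900                                 # usable share of a Gigabit link

# Constructed sample manifest; the field names are this example's own schema.
MANIFEST = {
    "switch": {"mgmt_ip": "192.168.20.2", "poe_budget_w": 120, "poe_standard": "802.3af"},
    "cameras": [
        {"name": f"cam{i:02d}", "ip": f"192.168.10.{10 + i}", "mac": f"02:00:00:00:00:{i:02x}",
         "port": i, "location": f"dock-{i}", "draw_w": 12.0, "peak_mbps": 5.0}
        for i in range(1, 9)
    ],
}

def audit(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    sw, cams = manifest["switch"], manifest["cameras"]
    limit = PORT_LIMIT_W[sw["poe_standard"]]
    if ipaddress.ip_address(sw["mgmt_ip"]) not in MGMT_NET:
        findings.append(f"switch mgmt IP {sw['mgmt_ip']} is not on the management VLAN")
    seen = {"ip": set(), "mac": set(), "port": set()}
    for cam in cams:
        if ipaddress.ip_address(cam["ip"]) not in CAMERA_NET:
            findings.append(f"{cam['name']}: {cam['ip']} is outside the camera VLAN")
        for key in seen:  # duplicate IPs, MACs or switch ports break stable RTSP URLs
            value = str(cam[key]).lower()
            if value in seen[key]:
                findings.append(f"{cam['name']}: duplicate {key} {cam[key]}")
            seen[key].add(value)
        if cam["draw_w"] > limit:
            findings.append(f"{cam['name']}: {cam['draw_w']}W exceeds {limit}W per port")
        if not cam.get("location"):
            findings.append(f"{cam['name']}: no physical location recorded")
    total_w = sum(c["draw_w"] for c in cams)
    if total_w > sw["poe_budget_w"]:
        findings.append(f"PoE draw {total_w:.1f}W exceeds budget {sw['poe_budget_w']}W")
    total_mbps = sum(c["peak_mbps"] for c in cams)
    if total_mbps > USABLE_LINK_MBPS:
        findings.append(f"peak video {total_mbps:.0f} Mbps exceeds {USABLE_LINK_MBPS} Mbps")
    return findings

if __name__ == "__main__":
    for line in audit(MANIFEST) or ["manifest OK"]:
        print(line)
```

Run in CI against the manifest stored in the repository, this catches a camera addressed onto the wrong VLAN or an oversubscribed PoE budget before installation.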
Uplink Sizing
The uplink from the edge node to the WAN (corporate network, cloud, or cellular modem) carries only inference outputs and alert clips — not raw video under normal operation. Typical uplink traffic:
- JSON alert records: 1–10 KB per event, negligible bandwidth
- Event video clips (H.264, 30 seconds at 2 Mbps): ~7.5 MB per clip
- Telemetry and heartbeat: under 100 KB/hour
- OTA update download: burst, scheduled off-peak
For most deployments, a 10–50 Mbps uplink is sufficient for all operational traffic. If live remote viewing of raw streams is a requirement, add 4 Mbps × camera count to the uplink requirement.
Cellular (4G LTE or 5G) uplinks are viable for sites without fixed-line internet, with data plans sized for alert traffic plus OTA. Ensure the compute node can continue operating and recording locally if the uplink is interrupted.
For power implications of the networking layer, see power and UPS for edge deployments. For the full storage implications of retaining event clips, see storage layout and ring buffer design.
PoE Switch Tier Comparison
| Switch Tier | VLAN Support | Typical PoE Budget | Port Count | Relative Cost | Best For |
|---|---|---|---|---|---|
| Unmanaged PoE | No | 60–120W | 5–8 | Low | Prototype only; not for production |
| Smart managed PoE (web UI) | 802.1Q VLANs | 120–240W | 8–16 | Medium | Most edge AI deployments |
| Full managed PoE (CLI + SNMP) | Full 802.1Q + ACL | 240–740W | 24–48 | High | Multi-node installations, IT-managed sites |
| Industrial managed PoE | Full 802.1Q + redundancy | 120–480W | 8–24 | Very High | Harsh environments, DIN-rail mounting, -40°C rated |
QoS Considerations
Quality of Service (QoS) configuration on the switch prioritizes RTSP camera traffic over management or telemetry traffic. For most 8-camera deployments on a dedicated switch, QoS is not strictly necessary — there is ample bandwidth. It becomes relevant when the edge switch is shared with other traffic sources (corporate Wi-Fi, VoIP, etc.).
If configuring QoS, mark camera RTSP traffic as DSCP AF31 (medium priority) and management traffic as DSCP CS1 (low priority). Inference alert traffic can be marked DSCP AF11 (low-medium priority). This ensures that during any transient congestion, alert-forwarding and management traffic is dropped before camera streams.
Common Pitfalls
- Underestimating PoE budget: Switches advertise total PoE budget, but this is shared across all ports. A switch advertising 120W with 8 PoE ports cannot power 8 cameras at 15.4W each (123W total). Verify that the PoE budget matches your actual camera draw.
- Using unmanaged switches for production: Unmanaged switches cannot implement VLANs. Camera traffic and management traffic sharing an unmanaged switch creates security risk and broadcast pollution. Managed or smart managed switches are required for production deployments.
- Configuring cameras with DHCP and no MAC reservations: DHCP-assigned camera IPs can change on reboot if leases expire or the DHCP server changes. Static IP assignment or DHCP with MAC-bound reservations prevents RTSP stream URL changes that break the inference pipeline configuration.
- Skipping switch management VLAN configuration: If the switch management IP is on the same VLAN as cameras, a camera firmware vulnerability could expose switch management. Place switch management on VLAN 20 with appropriate ACLs.
- Not labeling ports: Physical port labels on the switch (or a documented port-to-camera mapping) save significant time during troubleshooting. Label the switch patch panel during installation, not after.
- Ignoring SFP uplink options: Many managed PoE switches include SFP ports for fiber uplinks. If the WAN connection is fiber or if the compute node is more than 100m from the switch, an SFP-to-fiber connection avoids the 100m distance limit of copper Ethernet (and therefore PoE) cabling.
FAQ
Can I use a consumer home router instead of a managed switch?
Consumer routers with a built-in switch do not support 802.1Q VLANs in the way required for camera isolation. They also typically lack the PoE power budget for 8 cameras. A dedicated managed PoE switch is the correct component for this role.
Do cameras need to be on the same subnet as the compute node to stream RTSP?
If cameras and the compute node are on the same VLAN, they are on the same Layer 2 segment and can communicate directly. If they are on different VLANs, inter-VLAN routing must be configured to allow RTSP traffic (TCP port 554, UDP for RTP) from the camera VLAN to the compute node's camera-side interface.
What RTSP URL format do most IP cameras use?
Common formats: rtsp://<ip>/stream1, rtsp://<user>:<pass>@<ip>/ch01/main. The exact path varies by manufacturer. Consult the camera's manual or ONVIF Device Manager to discover stream URLs automatically.
How do I prevent cameras from accessing the internet?
On a managed switch with a router, create an ACL on the camera VLAN that blocks all traffic destined outside the local subnet except traffic to the compute node's camera interface. Alternatively, configure the router to block all outbound traffic from the camera VLAN subnet.
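To confirm that the camera-VLAN ACL is actually holding, flow records from the router can be checked against the isolation policy. This is an added example, not part of the original article; the CSV layout, the sample records and the compute node's VLAN 10 address (192.168.10.2) are assumptions, and each record is taken to list the initiating host first.

```python
import csv
import io
import ipaddress
from collections import Counter

CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10 (from the article)
MGMT_NET = ipaddress.ip_network("192.168.20.0/24")     # VLAN 20 (from the article)
COMPUTE_CAM_IF = ipaddress.ip_address("192.168.10.2")  # assumed compute-node address on VLAN 10

# Constructed records in a made-up CSV layout: initiator, responder, protocol, responder port.
SAMPLE_FLOWS = """\
192.168.10.2,192.168.10.11,tcp,554
192.168.10.11,192.168.10.2,udp,50000
192.168.10.12,192.168.20.2,tcp,443
192.168.10.13,203.0.113.7,udp,123
192.168.10.13,203.0.113.7,udp,123
192.168.20.5,198.51.100.9,tcp,443
not-an-ip,192.168.10.2,tcp,554
"""

def violation(src, dst):
    """Return a reason if a camera-initiated flow breaks the isolation policy, else None."""
    if src not in CAMERA_NET or src == COMPUTE_CAM_IF:
        return None                      # not a camera: outside this check
    if dst in MGMT_NET:
        return "reached management VLAN"
    if dst not in CAMERA_NET:
        return "left camera VLAN"
    return None                          # stayed on VLAN 10 (e.g. RTP to the compute node)

def audit_flows(text):
    """Count violations per (camera, reason, destination); collect unparseable records."""
    hits, rejected = Counter(), []
    for row in csv.reader(io.StringIO(text)):
        try:
            src_s, dst_s, proto, dport = row[:4]
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        except ValueError:               # short row or malformed address
            rejected.append(",".join(row))
            continue
        reason = violation(src, dst)
        if reason:
            hits[(str(src), reason, f"{dst}/{proto}/{dport}")] += 1
    return hits, rejected

if __name__ == "__main__":
    hits, rejected = audit_flows(SAMPLE_FLOWS)
    for (cam, reason, dest), n in sorted(hits.items()):
        print(f"{cam} {reason}: {dest} x{n}")
    print(f"{len(rejected)} unparseable record(s)")
```

Any hit means either the ACL has a gap or a camera is misbehaving; both warrant checking that camera's firmware and the switch port configuration.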
Is multicast better than unicast for RTSP from multiple cameras?
For dedicated edge AI nodes consuming each camera's stream once, unicast RTSP is simpler and more reliable. Multicast RTSP becomes relevant when multiple consumers need the same stream simultaneously (e.g., inference node + NVR). For a single-consumer deployment, use unicast.
What is the maximum number of cameras a single Gigabit uplink can support?
At 4 Mbps per camera, a Gigabit link (approximately 900 Mbps usable) theoretically supports 225 cameras. In practice, 8–32 cameras is the typical range for a single edge AI node. The practical limit is compute capacity, not network bandwidth.