Deployment Architecture · 04

Multi-building fiber surveillance backbone architecture.

Campus-scale infrastructure blueprint for a 4–12 building deployment connected by diverse-path fiber — federated recording domains, inter-building bandwidth math, ground-potential isolation, distributed UPS zones, and the operational-boundary mapping that determines who owns what when the maintenance call comes at 2 a.m.

Distributed Infrastructure · Diverse-Path Fiber · Federated Recording · Boundary-Mapped Ops · Campus Resilience

01 / Deployment scenario

The campus we're spec'ing.


A representative 6-building mid-institutional campus — could be a hospital with main building + 5 outbuildings, a university administrative + academic cluster, a corporate office campus, or a manufacturing facility with admin + warehouse + outbuildings. Buildings range 8,000–35,000 sq ft each, separated by 50–500m of paved or landscaped ground.

Campus inventory:
  6 buildings (1 main + 5 outbuildings)
  ~12 acres footprint
  ~3,200 meters total inter-building fiber path
  Mixed conduit topology: 60% buried · 40% aerial

Camera distribution (84 total):
  Main Bldg: 24 cameras (executive + lobby + parking)
  Outbldg A: 14 cameras (admin / outpatient)
  Outbldg B: 12 cameras (lab / restricted access)
  Outbldg C: 10 cameras (maintenance / loading)
  Outbldg D: 14 cameras (satellite clinic / 24-hour)
  Outbldg E: 10 cameras (parking structure)

Infrastructure:
  6 IDF closets (one per building)
  1 MDF (dedicated comms closet in Main Bldg)
  6 utility electrical feeds (one per building)
  6 grounding systems (independent per building)

Each building is electrically independent — its own utility feed, its own ground, its own UPS zone. This independence is the architectural premise, not a constraint to engineer around.

02 / System objectives

Campus-wide reliability targets.


  • Survive single fiber-path cut on the critical buildings (Main, Outbldg D 24-hour clinic). Diverse-path fiber to those two minimum.
  • Recording continuity during MDF maintenance — every building keeps recording locally even when the central archive is offline.
  • Building-level maintenance isolation — service one IDF without affecting other buildings.
  • Inter-building electrical isolation — no copper paths between buildings carrying surge, ground-potential, or fault-current risk.
  • Phased expansion to 12 buildings without backbone refactor — MDF aggregation sized for headroom.
  • Audit-ready evidence chain — every recording timestamped, retained ≥90 days, with documented chain-of-custody from camera to central archive.
  • NDAA Section 889 compliance across cameras, NVRs, switches — federal-procurement-suitable.
  • Cold-weather operations — outdoor cabinets at parking structure rated -40°C startup.

03 / Operational Boundary Mapping

Who owns what, when something fails.


Distributed infrastructure makes ownership ambiguous unless explicitly mapped. The boundary discipline below is the difference between a 30-minute restore and a 6-hour outage with two teams blaming each other.

Electrical domains

Each building is a discrete electrical domain. Its own utility feed, its own service panel, its own ground reference. Failure of one building's electrical service has zero direct effect on neighboring buildings — by physics, not by accident. The architecture preserves this independence: no shared circuits, no shared UPS, no copper grounding paths between buildings.

Maintenance boundaries

Three operational zones:

  • Building zone (× 6, one per building) — IDF rack, per-building NVR, in-building cameras + Cat6 cabling. Owner: building IT or facility-team.
  • Backbone zone — inter-building fiber, outdoor patch points, conduit. Owner: campus facilities or contracted fiber-plant vendor.
  • MDF zone — aggregation switch, central archive, campus-wide management, VMS server. Owner: campus IT / security operations.

UPS zones

Each building gets its own UPS — never shared. MDF has its own UPS independent of any building. Outdoor parking-structure cabinet has cabinet-internal UPS. No UPS spans a building boundary. This is non-negotiable: a single UPS feeding multiple buildings means a single UPS failure becomes a multi-building outage.

Fiber handoff points

Every fiber path has explicit handoff demarcation points — physical patch panels labeled with ownership transition. Standard pattern:

Per-building fiber demarcation:
─────────────────────────────────
Building switch (Cisco CBS350) ─┐
       [building IT]   │
                  │ ← SFP+ transceiver (BLDG side)
Building Patch Panel A ─────────┤ ← handoff demarcation
       [fiber plant team]│ ← inter-building fiber
MDF Patch Panel B ──────────────┤ ← handoff demarcation
       [campus IT]    │ ← SFP+ transceiver (MDF side)
MDF Aggregation switch ─────────┘

Each handoff panel has a label: ticket-escalation path, vendor contact, on-call number. Faults isolated to a specific patch-panel segment route directly to the responsible owner — no ambiguity at 2 a.m.

Responsibility transitions (runbook)

Symptom → Owner → First action
──────────────────────────────────────────────────────────────────
Building X all cameras offline → Building IT → IDF UPS check
Building X uplink dark → Fiber-plant → Test at Panel A
MDF NVR cluster down → Campus IT → Cluster status
VMS workstation can't play → Campus IT → VLAN connectivity
Multiple buildings dark → Backbone fail → MDF aggregation

04 / Recommended architecture

Per-building IDF, fiber spine, federated recording.


Hub-and-spoke fiber topology — each building's IDF uplinks to the MDF aggregation switch. Recording happens locally in each building (federated model), with optional archive replication to the MDF for centralized search. The federated vs centralized trade-offs are discussed in §07.

Per-building IDF

Each building runs a Cisco Catalyst CBS350-24FP managed PoE+ switch + Hanwha XRN-1620SB 16-channel NVR (smaller buildings) or XRN-3210B2 (larger buildings 16+ cameras). Fiber SFP+ uplink to MDF. Building UPS for IDF rack. The parking structure (outdoor environment) uses the Antaira LMP-0801G-SFP industrial switch in a NEMA cabinet — full -40°C operating range.

MDF aggregation

UniFi Aggregation 10G SFP+ switch in the Main Bldg dedicated comms closet. Collapses six 10G uplinks (one per building) into a 10G feed to the central archive and VMS workstations. Eaton 9PX online UPS for the MDF rack — clean power independent of any building's electrical events.

Central archive (optional but recommended)

Central Hanwha XRN-3210B2 NVR at the MDF receives selective archive replication from each building's NVR — AI-event clips, alarm-triggered recordings, and pre-determined "always retained" channels. Buildings still own primary recording; the central archive is for cross-campus search and long-term retention. Per the federated-vs-centralized discussion in §07, this hybrid is the institutional default.

05 / Diverse-path fiber logic

Two cables don't make redundancy — two paths do.


Conduit separation

"Diverse-path fiber" means two physical fibers running through two physically separate conduit paths. Two fibers in the same conduit are still vulnerable to the same backhoe strike, the same flood, the same rodent. Practical separation patterns:

Building A ──┬── Conduit Path 1 (north route, buried, 380m) ──── MDF
             │
             └── Conduit Path 2 (south route, aerial, 420m) ──── MDF

Two paths · two pull-boxes · two trench segments · zero overlap.
Single backhoe strike on either path: bonded uplink fails over to surviving path.

Trench failure domains

Backhoe strikes are the #1 cause of buried-fiber failure — by an order of magnitude over rodents, water, or temperature. Construction work, landscaping, utility excavation, snow-clearing equipment all create trench risk. A diverse-path that runs both fibers parallel in the same trench (even in separate conduit) is not actually redundant — a single excavation event cuts both.

True diverse-path: minimum 5m horizontal separation OR completely different routes. On constrained campuses, "ring topology" with fiber going around the campus in opposite directions achieves equivalent diversity without parallel digs.

Aerial vs buried trade-offs

Aspect                Aerial                    Buried
──────────────────────────────────────────────────────────────
Install cost          Lower (~$8-15/m)          Higher ($25-60/m)
Repair time           4-8 hr typical            24-48 hr typical
Repair access         Bucket truck              Trench reopen
Weather exposure      High (ice, wind, fire)    Low
Vehicle strike risk   Yes (poles, vehicles)     No (post-install)
Aesthetic             Visible cables            Invisible
Permit complexity     Lower                     Higher (utility)
Lifespan              15-25 years               30-50 years

Diverse-path often pairs one aerial route + one buried route — different failure modes don't correlate. Storm taking down the aerial doesn't affect the buried; backhoe cutting the buried doesn't affect the aerial.

Maintenance sequencing

When servicing one fiber path, all uplink traffic shifts to the surviving path. Pre-maintenance procedure: verify the surviving path passes full-rate bandwidth test (not just "link up") before disconnecting the working path. LACP/LAG bonded uplinks fail over within seconds; ad-hoc primary/backup configurations may take longer or require manual intervention. Document the bonding mode at install.

Campus survivability map

Not every building needs diverse-path. Cost vs criticality:

Bldg              Criticality   Recommended fiber
────────────────────────────────────────────────────────────
Main              Highest       Diverse-path · 2 routes
Outbldg D (24h)   High          Diverse-path · 2 routes
Outbldg A         Medium        Single buried path
Outbldg B (lab)   Medium        Single buried path
Outbldg C         Standard      Single aerial or buried
Outbldg E (lot)   Standard      Single aerial (cheapest)
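
The trench-failure-domain rule and the survivability map above can be checked mechanically against as-built drawings. The following is an added example, not part of the original page: it flags critical buildings whose "diverse" routes share a trench or pole line and lists which buildings each single cut isolates. Route and failure-domain names are constructed for illustration; the critical set follows the map above.

```python
"""Shared-failure-domain audit for inter-building fiber routes."""

# A failure domain is one trench or one aerial pole line: a single excavation
# or storm event takes out every fiber in it, even fibers in separate conduits.
# Each building lists its routes to the MDF; each route is the set of failure
# domains it passes through. All names below are constructed for illustration.
ROUTES = {
    "Main":      [{"trench-N1"}, {"aerial-S1"}],
    # Two routes on paper, but both leave the building through trench-N1.
    "Outbldg D": [{"trench-N1", "trench-N2"}, {"trench-N1", "aerial-S2"}],
    "Outbldg A": [{"trench-W1"}],
    "Outbldg B": [{"trench-N1", "trench-N3"}],
    "Outbldg C": [{"aerial-S1", "aerial-S3"}],
    "Outbldg E": [{"aerial-E1"}],
}
CRITICAL = {"Main", "Outbldg D"}  # buildings that must survive a single cut


def single_points_of_failure(routes):
    """Domains present in every route of a building: one event there cuts all paths."""
    return set.intersection(*routes) if routes else set()


def isolated_by(domain, campus=ROUTES):
    """Buildings that lose the MDF when `domain` is cut (no route avoids it)."""
    return sorted(b for b, routes in campus.items()
                  if all(domain in r for r in routes))


def audit(campus=ROUTES, critical=CRITICAL):
    """Return {building: shared domains} for critical buildings that are not truly diverse."""
    findings = {}
    for b in sorted(critical):
        routes = campus[b]
        spof = single_points_of_failure(routes)
        if len(routes) < 2 or spof:
            findings[b] = sorted(spof)
    return findings


def blast_radius(campus=ROUTES):
    """Map every failure domain to the buildings a cut there isolates."""
    domains = set().union(*(r for routes in campus.values() for r in routes))
    return {d: isolated_by(d, campus) for d in sorted(domains)}


if __name__ == "__main__":
    for building, shared in audit().items():
        print(f"NOT DIVERSE: {building} shares {shared} across all routes")
    for domain, lost in blast_radius().items():
        print(f"cut {domain:10s} -> isolates {lost or 'nothing'}")
```

Single-path buildings appear in the blast radius by design; the audit only fails buildings the map marks for diverse-path fiber.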

06 / Inter-building bandwidth math

Sized for peak, not average.


Camera bitrate is the easy half. The peak math has to account for PTZ spikes, multicast distribution, archive replication, failover-induced congestion, and the management overhead nobody specs for.

Per-building uplink load (continuous)

Source                        Bandwidth (typical 14-cam bldg)
──────────────────────────────────────────────────────────
Camera streams to NVR         ~70 Mbps (14 × 5 Mbps H.265+)
PTZ spike during fast pan     +16 Mbps (4 PTZ × 4 Mbps burst)
Multicast viewing streams     +8 Mbps (1-2 active viewers)
Archive replication to MDF    +8 Mbps (event clips, asynchronous)
SNMP + management traffic     +2 Mbps
Failover congestion margin    +30% headroom
──────────────────────────────────────────────────────────
Sustained avg                 ~88 Mbps
Peak (PTZ + viewer + sync)    ~130 Mbps
With failover margin          ~170 Mbps recommended

1 Gbps uplink per building handles all of the above with 5× headroom — sufficient even when traffic shifts to the surviving path during diverse-path failover. 10G uplinks are over-spec'ed unless the building exceeds 32 cameras or runs heavy archive replication.

Aggregate MDF backbone

6 buildings × 88 Mbps avg = 528 Mbps avg
6 buildings × 130 Mbps peak = 780 Mbps peak
Plus MDF-to-VMS-workstation traffic = +50-100 Mbps
Aggregate sustained = ~880 Mbps

10G aggregation: 5× headroom · supports growth to 12 buildings.
  Each building uses ~14-17% of available bandwidth at peak.

PTZ spike behavior

PTZ cameras during fast pan or rapid zoom transitions can spike 2-3× their average bitrate for 100-500ms — H.265 keyframes regenerate at scene transitions. Multiple PTZs spiking simultaneously during a coordinated event (e.g. operator tracking an incident across multiple cameras) can briefly congest a 100 Mbps building uplink. 1 Gbps per-building eliminates the concern.

Multicast traffic realities

If the VMS uses multicast distribution (Milestone XProtect Smart Wall, Genetec multi-stream), an active viewing session pulls the same stream once across the backbone regardless of viewer count. Without multicast, each viewer requires a unicast pull — a 4-viewer wall multiplies camera bandwidth 4×. Enable IGMP snooping on every switch in the path and place the multicast querier at the MDF aggregation. Failed multicast configuration is the #1 cause of unexplained "everything looks slow" surveillance complaints.

Failover congestion

When a diverse-path uplink fails over, traffic doubles on the surviving path. If both paths were at 60% load, post-failover the survivor is at 120% — saturated. Spec for failover headroom: each path must sustain 100% of expected total bandwidth alone. In practice: don't exceed 40% steady-state utilization on either path.
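
The sizing table and the failover rule above combine into one check per building. The following is an added example, not part of the original page: it computes sustained and PTZ-burst load from the itemized rows, then tests each uplink in steady state and with a single surviving path. Camera counts come from the campus inventory; PTZ counts per building and the even split across bonded paths are assumptions.

```python
"""Uplink sizing and failover check built from the per-building load table."""
from dataclasses import dataclass

# Figures from the page's per-building table (Mbps).
CAMERA_MBPS = 5             # one H.265+ stream to the NVR
PTZ_BURST_MBPS = 4          # extra load per PTZ during a fast pan
OVERHEAD_MBPS = 8 + 8 + 2   # viewing + archive replication + SNMP/management
MAX_STEADY_UTIL = 0.40      # page's ceiling for each path of a diverse pair


@dataclass
class Building:
    name: str
    cameras: int
    ptz: int        # assumed PTZ count (the page only gives 4 for a 14-cam building)
    paths: int      # 1 = single path, 2 = diverse-path bonded uplink
    link_mbps: int  # capacity of each path

    def sustained(self):
        return self.cameras * CAMERA_MBPS + OVERHEAD_MBPS

    def burst(self):
        return self.sustained() + self.ptz * PTZ_BURST_MBPS


def path_report(b):
    """Per-path utilization in steady state and with one path carrying everything.

    Assumes the bond spreads traffic evenly across its paths; real LACP hashing
    is per-flow, so measured splits will be less even.
    """
    steady = b.sustained() / b.paths / b.link_mbps
    survivor = b.burst() / b.link_mbps   # one path left while the PTZs are panning
    ok = survivor <= 1.0 and (b.paths == 1 or steady <= MAX_STEADY_UTIL)
    return {"building": b.name, "steady_util": round(steady, 3),
            "survivor_burst_util": round(survivor, 3), "ok": ok}


def campus_sustained(buildings):
    """Sustained load arriving at the MDF aggregation switch, in Mbps."""
    return sum(b.sustained() for b in buildings)


# Camera counts are the page's inventory; PTZ counts are constructed.
CAMPUS = [
    Building("Main", 24, 6, 2, 1000),
    Building("Outbldg A", 14, 4, 1, 1000),
    Building("Outbldg B", 12, 3, 1, 1000),
    Building("Outbldg C", 10, 2, 1, 1000),
    Building("Outbldg D", 14, 4, 2, 1000),
    Building("Outbldg E", 10, 2, 1, 1000),
]

if __name__ == "__main__":
    for b in CAMPUS:
        print(path_report(b))
    print("MDF sustained:", campus_sustained(CAMPUS), "Mbps")
    # The 24-hour clinic on 100 Mbps paths: breaks the 40% rule and saturates.
    print(path_report(Building("Outbldg D @100M", 14, 4, 2, 100)))
```

The burst figure here sums only the itemized rows, so it is not the table's rounded peak value; substitute measured peaks where available.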

07 / Federated vs centralized recording

Decision framework, not a feature comparison.


Three deployment models. The right one depends on building count, criticality, IT operating capacity, and budget. None of them is universally correct.

Federated (per-building NVR)

When: 8+ buildings, mixed criticality, IT capacity to manage 6+ NVRs separately, >30-day retention per building, requirement for "buildings continue recording during backbone outage".

Pros: Buildings survive backbone or MDF outage · per-building maintenance isolation · local playback fast.

Cons: 6 NVRs to manage · 6 firmware update cycles · per-building VMS licensing · archive consolidation requires replication overhead.

Centralized (NVR cluster in MDF)

When: 4-6 buildings, lower IT operating capacity, single archive of truth required, sub-30-day retention acceptable, backbone considered "reliable enough".

Pros: Single point of management · easier firmware lifecycle · lower hardware count · single VMS license.

Cons: Buildings lose recording during MDF or backbone outage · fiber-cut = recording gap · MDF NVR cluster becomes single failure point for entire campus.

Hybrid (federated edge + central archive)

When: Critical infrastructure, government, healthcare with 90+ day retention, environments where recording loss is "unacceptable" rather than "inconvenient".

Pros: Survives every single failure mode · central search across all buildings · long-term archive separate from primary recording.

Cons: Highest cost · 6 building NVRs + central archive NVR · most complex replication configuration · double the firmware management.

Recommendation for this 6-building scenario: hybrid model — building-level recording (one NVR per building, RAID-6) with selective replication of AI-event clips and pre-designated "always retained" channels to a central archive at the MDF. Best balance of resilience and cost for institutional/healthcare scale.

08 / Grounding & electrical isolation

Fiber is mandatory because copper is dangerous.


Ground potential difference

Each building has its own utility service entrance, its own grounding electrode system, its own neutral-ground bond. The "ground" reference at Building A is electrically separate from the "ground" reference at Building B. During a fault event, a nearby lightning strike, or even during normal high-load operation, the potential difference between two building grounds can range from a few volts to several hundred volts.

A copper cable connecting equipment in Building A to equipment in Building B carries this potential difference as current. Best case: ground-loop hum, intermittent network errors. Worst case: equipment burnout, fire, lethal shock to a technician handling the cable. Inter-building copper is a code violation in most jurisdictions for these exact reasons.

Surge path isolation

A lightning strike near Building A induces voltage transients on every copper conductor in the building. If those conductors connect to Building B, the transient propagates across the campus. Optical fiber carries no copper continuity — the surge path stops at the fiber transceiver. Every inter-building fiber is a surge break.

Copper-vs-fiber implications

Cable type         Permitted use
─────────────────────────────────────────────────────────────────
Copper Cat6/6a     Intra-building only · within single ground domain
Inter-bldg fiber   Singlemode (for runs > 300m)
                   OR multimode OM3+ (for runs ≤ 300m)
Coax               Intra-building legacy only (analog cam transition)
DC power           Intra-building only · UPS-bounded

UPS domain separation

Each building's UPS is electrically scoped to that building's service entrance. The MDF UPS is independent of every building's UPS — it has its own dedicated circuit from its own utility feed where available, or a building-scoped circuit in the Main Bldg. Sharing a UPS across buildings via long DC runs is electrically prohibited (voltage drop, ground potential, code) and operationally fragile.

Exterior cabinet protection

The parking-structure outdoor cabinet (IDF-C in this scenario) gets:

  • NEMA 4 weatherproof enclosure, grounded body
  • Internal heater (thermostat-controlled, -40°C startup capable)
  • Internal ventilation fan (summer cooling)
  • Surge suppression on AC, network copper, and signal cable entry
  • Internal UPS for ~1-hour bridge runtime
  • Cabinet-body grounding bonded to building electrode
  • Lock + tamper switch reporting to alarm panel

09 / Reliability + UPS domains

Outage taxonomy.


Six independent UPS domains (six buildings) + one MDF UPS + one outdoor-cabinet UPS = eight failure-isolated electrical zones. Outage of any single zone does not cascade.

Failure mode                     Affected zone       Mitigation
──────────────────────────────────────────────────────────────────
Bldg X utility outage            Bldg X only         Bldg UPS ride-through
MDF utility outage               MDF only            MDF online UPS
Diverse-path: single fiber cut   Surviving path      LACP failover
Single-path bldg: fiber cut      Bldg loses MDF      Local NVR keeps rec.
MDF aggregation switch fails     All bldgs lose      Federated NVRs cont.
                                 MDF connectivity    recording locally
Building NVR fails               Building only       Replay from archive
Central archive fails            Long retention      Building NVRs intact
Outdoor cabinet thermal          Parking cams only   Cabinet heater/fan
Building generator transfer      Brownout window     Online UPS at MDF
                                                     line-int UPS at bldgs

Federated NVR architecture means "recording loss" is the worst-case for the worst-affected building only — not campus-wide.

10 / Failure cascades

Seven scenarios that take down distributed deployments.


Each cascade below has historically caused multi-building outages in real institutional deployments. The architecture designs against each — but they remain the failure modes worth knowing.

// Cascade · Conduit strike

Backhoe cuts the only fiber path to a building

Single-path building loses uplink instantly. Cameras continue PoE-powered, but cannot stream to NVR (if centralized) or replicate archive (if federated). Repair: 24-48 hours for trench reopen and splice.

Mitigation: Diverse-path fiber on critical buildings. Federated NVR architecture so single-path buildings continue recording locally during repair. Utility-marking compliance (Ontario One Call equivalent) on all conduit before any campus excavation.

// Cascade · Transceiver failure

SFP+ module dies in MDF aggregation switch

Single optic on the MDF side fails. Building uplink dark even though both physical fiber paths are intact. LAG/LACP bond breaks; failover to surviving optic depends on bonding configuration.

Mitigation: Spare SFP+ modules stocked on-site for hot-swap replacement. SNMP alerts on optic Tx/Rx power degradation before failure. Bonding configured for fast-failover (LACP fast timers).

// Cascade · STP instability

Spanning Tree reconvergence storms across the campus

Ring topologies with mis-tuned STP timers create reconvergence storms — every switch in the path flushes its MAC tables, packets flood, NVR records dropouts, VMS workstations lose video for 30-90 seconds at a time.

Mitigation: Hub-and-spoke topology (no rings — each building uplinks directly to MDF) eliminates STP entirely. If ring topology is required, use Rapid-PVST or MSTP with explicit root-bridge designation and short hello timers. Storm-control on every camera-facing port.

// Cascade · Broadcast storms

Looped switch or misconfigured port saturates campus VLAN

Someone plugs two switch ports together in a building IDF. Broadcast storm propagates across the camera VLAN trunk to every building. All cameras experience packet loss; archive replication times out; VMS loses video everywhere.

Mitigation: Storm-control thresholds on every access port (10% utilization triggers port shutdown). BPDU Guard on access ports detects accidental loops. Per-port multicast and broadcast suppression. VLAN trunk between buildings carries camera traffic only — no general-purpose broadcasts.

// Cascade · IDF overheating

Building HVAC zone fails; IDF closet climbs to 40+°C

Summer weekend; building HVAC zoned off; IT closet thermal climbs. PoE switch throttles PoE output to protect MOSFETs; NVR thermal-throttles then shuts down. Recording stops without alarm. Discovery happens Monday morning when the operator can't play back the weekend.

Mitigation: SNMP temperature polling at switch and NVR. Email + central station alert at +40°C threshold. Dedicated AC for the MDF closet — not zoned with building HVAC. Building IDFs spec'ed against the worst-case ambient (verify weekend HVAC schedule).

// Cascade · UPS boundary failure

Building UPS fails during outage

Building loses utility power. UPS attempts to bridge but its batteries are 5 years old and unmaintained — drops the load within 60 seconds. Cameras dark; NVR corrupts active recordings on hard cutoff.

Mitigation: Annual UPS battery testing on schedule (not waiting for failure). SNMP-monitored UPS reports battery health degradation pre-failure. Replacement schedule documented per-building.

// Cascade · Firmware mismatch

Major firmware push creates protocol incompatibility

One building's switch gets a major firmware update mid-cycle. LACP protocol mode subtly changes; uplink degrades to half-bandwidth or fails entirely. ONVIF event metadata format shifts; NVR misses analytics events.

Mitigation: Lock all switches in a campus to the same firmware revision. Quarterly firmware-update windows with cross-campus testing in lab before production push. Cisco/Aruba/Netgear management consoles for centralized firmware version enforcement.

11 / Procurement notes

Campus-scale procurement realities.


  • Fiber-plant installation is a separate trade. Specified through a fiber-plant contractor or general contractor, not the security integrator. Includes conduit work, splicing, terminations, OTDR test reports, and as-built drawings of every run. Budget separately; budget generously.
  • Utility marking + permits before any excavation. Ontario One Call (or local equivalent) clearance valid 30 days. Permit complexity scales with conduit length and easements; can add 4-12 weeks to project timeline.
  • Phased per-building rollout. Building-by-building commissioning lets each IDF go live independently — no campus-wide flag-day cutover. Building 1 (Main) first; outbuildings follow as their fiber paths complete.
  • Long-lead items. SFP+ transceivers (sometimes 4-6 weeks in chipset shortage cycles), specific switch models in vendor backorder, custom-length pre-terminated fiber runs. Order Wave 1 / Wave 2 items immediately on quote sign-off.
  • NDAA documentation retained 5+ years per federal procurement standard. Bundled with quote; refreshed at firmware updates affecting compliance posture.
  • Cross-team coordination is part of procurement. Security integrator + fiber-plant contractor + campus IT + facilities all need explicit demarcation per the Operational Boundary Mapping (§03). Pre-build meeting minimum; per-phase signoffs preferred.

12 / Recommended product stack

Bill of materials.


Per-building infrastructure × 6 + MDF aggregation + outdoor cabinet for parking structure. Fiber, conduit, and pre-terminated patch cords specified separately by the fiber-plant contractor.

Per-building IDF · ×5 indoor


Parking structure (outdoor IDF)


MDF aggregation + archive


Cameras · 84 across campus


Inter-building fiber, conduit, splicing, OTDR testing, and pre-terminated patch cords specified separately through fiber-plant contractor — typical $40-80K depending on conduit work scope.

Campus Architecture Review

Spec'ing a multi-building campus deployment?

Send the building count, inter-building distances, criticality posture, and target retention. We come back with a sized BoM, diverse-path fiber recommendation, operational-boundary map, NDAA documentation bundle, and phased delivery schedule before any hardware ships.


© 2026 Secure Home Supplies. Commercial security equipment supply — Ottawa & Eastern Ontario.
