Deployment Architecture · 01
Small commercial 8-door + 16-camera security architecture.
A deployment blueprint for a 5,000–10,000 sq ft commercial site requiring access control on 8 doors, 16-camera surveillance coverage, and code-compliant commercial intrusion monitoring. Hardware stack, infrastructure topology, reliability provisions, and procurement-phased rollout — all specified end-to-end.
01 / Deployment scenario
The site we're spec'ing.
A representative small-commercial site — single-tenant office or small multi-tenant retail/professional building in Ottawa or Eastern Ontario. Physical footprint ~5,000–10,000 sq ft, single-story or two-story, with the following door and zone inventory:
3× exterior entrances (front, side, rear/loading)
1× vestibule (interior secondary)
2× IT / server / records rooms (high-security interior)
2× tenant or department-level partitions
Camera inventory (16 total):
4× perimeter 4K long-range IR bullets (parking, loading)
4× outdoor vandal domes (exterior soffits, building corners)
2× PTZ cameras (parking lot oversight)
4× interior 4K AI turrets (lobbies, primary corridors)
2× interior dome cameras (back-of-house, IT room)
Intrusion footprint:
8 hardwired zones + 4 wireless (PowerG)
2 partitions (front-of-house / after-hours secured)
This pattern repeats across the bulk of the small-commercial market — professional services, light medical, financial branch offices, small retail, mid-tier institutional. The architecture below scales cleanly from 8 to 12 doors and 16 to 24 cameras without re-spec'ing the head-end.
02 / System objectives
What the deployment has to deliver.
Measurable, operational, non-negotiable. These determine every hardware decision below.
- 30-day continuous video retention at 1080p baseline / 4K on AI-flagged channels. RAID-6 storage redundancy survives 2-disk failure during rebuild.
- Centralized access control with audit trail across all 8 doors. Per-user, per-door, per-time-window audit logs retained 90+ days.
- Multi-credential support — DESFire EV3 cards as primary, mobile credentials as optional secondary, no legacy 125 kHz prox in the new build.
- 4-hour code-minimum fail-safe operation on all access doors during AC outage. Realistic Ottawa-winter ice-storm tolerance.
- ULC-S304 commercial burglary monitoring path — dual-path LTE + IP supervised at 60-second polling intervals.
- NDAA Section 889 compliance documentation for the full surveillance + network path. Default requirement for federal-adjacent procurement.
- VLAN-segregated traffic — surveillance, access control, intrusion, and management on isolated VLANs. No flat-network architecture.
- Single-supplier procurement for the bulk of the catalog, project-priced, with compatibility verified before order ship.
03 / Recommended architecture
Three subsystems, one head-end rack.
Three independently-functioning subsystems converge at the head-end rack. Each subsystem operates if the others fail — no shared point of failure across access, video, and intrusion.
Access control subsystem
Architecture: Networked on-prem via Kantech EntraPass Corporate — see Controller Architecture Guide for the cloud-vs-on-prem decision logic. EntraPass selected because the customer wants project-cost predictability without recurring per-door subscription, plus integration with on-prem video (BVMS or 3rd-party VMS) at a later date.
Topology: Two 4-door Kantech KT-400 controllers (one per partition) on the same EntraPass server. Each controller hosts 4 doors with reader + lock + REX + power.
Credentials: HID iCLASS SE R40 wall readers on primary entrances, R10 mullion readers on narrow door frames. DESFire EV3 cards as primary credential — see the Credential Selection Guide for why we're skipping prox.
Surveillance subsystem
Architecture: Single 16-channel Hanwha XRN-1620SB NVR with RAID-6 storage. All cameras Hanwha (NDAA-compliant). Future expansion path to a 32-channel XRN-3210B2 without ripping out the camera stack.
Topology: Star topology — every camera home-runs to the central PoE switch via Cat6. No daisy-chain. PoE+ on every port (30W per port). Multi-imager and PTZ on 60W PoE++ where required.
Retention: ~5 TB raw storage at H.265 SmartStream baseline = 30-day retention with RAID-6 overhead. See Camera Storage Planning Guide for the per-camera bitrate math driving this.
Intrusion subsystem
Architecture: DSC PowerSeries Neo HS2128 panel — 128-zone capacity (we're using 12), 2-partition setup mirroring the access partitions, dual-path LTE/IP via TL880LE for ULC-S304 supervised monitoring.
Detection mix: Hardwired Bosch TriTech motion + glassbreak in primary occupied zones (HVAC-noise resistance), PowerG encrypted wireless in retrofit areas where running cable would mean ceiling damage.
Cross-system bridge: Fire-alarm relay (via Altronix RBSNTTL) ties into the access maglocks for code-compliant emergency egress. After-hours intrusion event triggers Hanwha Wave for video verification.
04 / Infrastructure topology
What the IT closet actually looks like.
Single 42U head-end rack houses every active component. Cable management arms on the rear posts; vented front and rear doors for thermal management.
──────────────────────────────────────────
U42 Cable management arm + Panduit patch panel (24-port)
U41 Panduit patch panel #2 (24-port — access + alarm)
U40 Cisco CBS350-24FP 24-port PoE+ managed switch [1U]
U38 Hanwha XRN-1620SB 16-channel NVR [2U]
U36 Open bay (4K capable NVR future-proofing)
U32 LifeSafety Power FPO150 modular access power [4U]
U28 DSC PowerSeries Neo HS2128 panel + TL880LE [4U mount]
U24 Altronix VertiLine24CD camera power distribution [2U]
U20 Free bay — future analytics server
U16 Free bay — future second NVR
U12 Free bay — future expansion
U8 APC SurgeArrest PNET1GB network surge protector
U6 APC Smart-UPS SRT 3000VA online double-conversion [2U]
U2 Two 33Ah SLA batteries — access + alarm backup
U1 Cable entry chase, ground bar, label panel
──────────────────────────────────────────
Approximate U usage: 18 of 42 — 57% headroom for growth.
VLAN segmentation
VLAN 20 – Access Control (controllers + EntraPass server)
VLAN 30 – Intrusion (DSC panel + TL880LE communicator)
VLAN 40 – Management (switch mgmt + UPS network card)
VLAN 99 – Native uplink to corporate LAN (or quarantine)
Inter-VLAN routing: deny-all except specific application allowlist
(e.g., VMS event server → access controller for unlock-on-alarm)
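An added example, not part of the original blueprint or any vendor tooling: a small audit that checks observed connection-initiation records against the deny-all-except-allowlist rule above, so a commissioning or periodic review can confirm that nothing else crosses VLANs. The subnets, host addresses, port 8443, and surveillance VLAN ID 10 are assumptions made for illustration; only VLAN IDs 20, 30, 40 and 99 come from the plan.

```python
import ipaddress

# Constructed addressing plan. VLAN IDs 20/30/40/99 come from the list above;
# the surveillance VLAN ID is not given there, so 10 is an assumed placeholder.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.20.10.0/24"),  # surveillance (assumed ID)
    20: ipaddress.ip_network("10.20.20.0/24"),  # access control
    30: ipaddress.ip_network("10.20.30.0/24"),  # intrusion
    40: ipaddress.ip_network("10.20.40.0/24"),  # management
    99: ipaddress.ip_network("10.20.99.0/24"),  # native uplink / quarantine
}

# Hypothetical allowlist entry: VMS event server -> access controller.
ALLOWLIST = {("10.20.10.5", "10.20.20.11", "tcp", 8443)}

def vlan_of(ip):
    """Return the VLAN ID whose subnet contains ip, or None if off-plan."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan_id
    return None

def audit_flow(src, dst, proto, dport):
    """Classify one initiated connection against the inter-VLAN policy."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return "unknown-segment"   # address outside the documented plan
    if src_vlan == dst_vlan:
        return "intra-vlan"        # stays inside one segment
    if (src, dst, proto, dport) in ALLOWLIST:
        return "allowed"
    return "violation"             # crossed VLANs without an allowlist entry

def audit(flows):
    """Return (flow, verdict) pairs for flows that need attention."""
    verdicts = [(f, audit_flow(*f)) for f in flows]
    return [(f, v) for f, v in verdicts if v in ("violation", "unknown-segment")]

# Constructed records, as might be exported from the routing device's flow log.
SAMPLE_FLOWS = [
    ("10.20.10.5", "10.20.20.11", "tcp", 8443),   # allowlisted bridge
    ("10.20.10.21", "10.20.10.2", "tcp", 554),    # camera to NVR, same VLAN
    ("10.20.10.21", "10.20.20.11", "tcp", 8443),  # camera reaching a controller
    ("10.20.20.11", "10.20.10.5", "tcp", 8443),   # reverse direction, not listed
    ("192.168.1.50", "10.20.30.4", "tcp", 3062),  # source outside the plan
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

The allowlist is directional and host-specific on purpose: a camera on the same VLAN as the VMS server, or the controller initiating back toward the VMS, is still reported.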
Cabling plan
Cat6 from rack to all 16 cameras (max run 100m — confirm pre-install). Cat6 from rack to each access reader and intrusion device. 4× PowerG wireless areas receive a panel-side antenna position only — no field cable. All outdoor cable runs receive APC PNET1GB inline surge protection at the rack entry point.
Conduit / pathway depends on building structure — see PoE Switch Sizing Guide for the rack-side power-budget math driving the Cisco CBS350-24FP selection.
05 / Reliability considerations
Failure modes designed against.
Every commercial deployment fails on the same five things. We design against each.
Utility power outages
APC Smart-UPS SRT 3000VA (online double-conversion) carries the rack through 25-minute typical outages; extendable via external battery modules. Access control gets independent 4-hour SLA backup via FPO150 + dual 33Ah batteries — code-minimum on egress doors. See Power Supply Sizing Guide.
Brownouts & voltage sag
Online UPS topology means the rack sees clean 120VAC regardless of utility quality. No transfer-time gap. NVR data corruption from dirty power eliminated.
Central station communication loss
DSC TL880LE provides dual-path LTE-M + IP with 60-second supervised polling. Single-network outage triggers failover within 90 seconds — meets ULC-S304 requirement.
Storage failure during recording
XRN-1620SB configured for RAID-6 — survives 2 simultaneous disk failures during the rebuild window. Surveillance-grade drives (WD Purple Pro or Seagate SkyHawk AI) only — not consumer disks.
Lightning-induced surge on outdoor cable
APC PNET1GB inline surge protection on every outdoor camera cable entry to the rack. Grounded to the rack ground bar. A single compromised cable can cascade-fry a 24-port PoE switch — the $25 surge protector is the cheapest insurance in the build.
False alarms triggering customer fatigue
Cross-zoning logic on the DSC panel, dual-tech (PIR + microwave) Bosch TriTech detectors in HVAC-noise zones, FlexCore glassbreak with acoustic differentiation. Supervised wireless polling on PowerG. Pre-commissioning walk-test mode.
06 / Procurement notes
How we actually ship this build.
Procurement realities for a stack of this size — phased delivery, compatibility verification, and single-source consolidation.
- Phased delivery in 3 waves. Wave 1: rack + power + cabling infrastructure (10-14 day lead). Wave 2: PoE switch + NVR + access controllers (in-stock typically). Wave 3: cameras + readers + intrusion + commissioning gear (in-stock typically). Avoids storing $40K+ of hardware on site during rough-in.
- NDAA Section 889 documentation bundled with the quote. Every camera, NVR, and PoE switch verified against current manufacturer compliance letters. See NDAA Compliance Checklist.
- Compatibility pre-flight. Reader-to-controller, controller-to-EntraPass, camera-to-NVR, panel-to-communicator verified per SKU before the order ships. Failed-compatibility events at install are the most expensive thing on a commercial project — eliminate them upstream.
- Project pricing on the full stack. Trade-account terms and bulk discounts apply. Pricing held for 60 days post-quote.
- Lead time bands: stocked items 24-48hr Ottawa local; rack and enterprise power supplies 5-10 business days; configured items (multi-channel NVRs with specific drive configurations) 7-14 days.
- Single-source consolidation. The entire stack ships from one supplier with one BoM, one set of compatibility verifications, one invoice. Reduces project-management overhead vs splitting buys across distributors.
07 / Recommended product stack
The bill of materials.
Field-verified product pairings for this deployment shape. Every SKU links to the product page with deployment context, compatibility notes, and commonly-paired hardware.
Access Control · 8 doors
- 2× Kantech KT-400 4-door controller
- 6× HID R40 wall reader
- 2× HID R10 mullion reader
- 1× DESFire EV3 50-pack
- 6× Securitron M62 maglock
- 2× HES 1006 strike
- 6× Bosch DS150i REX motion
NDAA Cameras · 16 channels
- 4× XNO-9082R 4K long-range bullet
- 4× XNV-6081Z vandal dome
- 2× XNP-6321 PTZ
- 4× XNV-9082R 4K AI turret
- 2× XND-6080R indoor IR dome
- 1× XRN-1620SB 16-ch NVR
Networking / PoE
- 1× Cisco CBS350-24FP 24-port PoE+
- 1× Tripp Lite SR42UB 42U rack
- 2× Panduit Cat6 patch panel
- 4× APC PNET1GB surge protector
Power Infrastructure
- 1× LifeSafety FPO150 access power
- 1× Eaton 9PX 1500VA rack UPS (alt: APC SRT 3000VA)
- 2× Panasonic 42Ah SLA battery
- 1× Altronix VertiLine24CD (if heated PTZ)
Alarm Hardware
- 1× DSC HS2128 commercial panel
- 1× DSC TL880LE dual-path communicator
- 1× DSC HS2LCDPRO commercial keypad
- 2× Bosch TriTech motion
- 2× Bosch DS1108i glassbreak
- 4× DSC PG9914 PowerG wireless PIR
- 1× DSC PG9920 PowerG repeater