The Bandwidth Math That Makes NVRs Essential
A single 4K IP security camera streaming at 15 frames per second with H.264 encoding generates approximately 8 to 12 Mbps of sustained throughput. Upgrade to H.265 and that drops to roughly 4 to 6 Mbps — better, but still significant. Now multiply that by 20 cameras in a mid-size office building. You are looking at 80 to 240 Mbps of continuous video traffic. Add that to a standard business internet connection of 100 to 200 Mbps symmetrical, and the arithmetic is straightforward: the cameras would saturate the connection entirely, leaving nothing for actual business operations.
This is why professional surveillance installations use a Network Video Recorder (NVR) with a dedicated PoE switch. The architecture keeps all camera traffic on a private, isolated subnet. Video never touches the main corporate network or the internet — it flows directly from camera to NVR over a physically separate switch. Only the NVR itself connects to the corporate network for remote access, and only when someone is actively viewing footage.
Understanding how to design, deploy, and secure this architecture is the difference between a surveillance system that works reliably for years and one that either cripples your network or gets compromised within months of installation.
How an NVR Network Actually Works
The NVR is simultaneously a network switch, a DHCP server, a video management system, and a storage array. Most standalone NVRs include built-in PoE ports on the back — typically 8, 16, or 32 ports depending on the model. Cameras plug directly into these ports with a single Cat5e or Cat6 cable that carries both data and power (Power over Ethernet, or PoE).
When a camera connects to the NVR's built-in switch:
- The NVR's internal DHCP server assigns the camera a private IP address — typically in a range like
192.168.254.xthat is completely isolated from your main network. - The camera streams video continuously to the NVR using the RTSP (Real Time Streaming Protocol) or ONVIF protocol. The NVR decodes, processes, and records the stream to its internal hard drives.
- The NVR itself has a second network port that connects to your corporate network or internet router. This port gets an IP address on the main network (static or DHCP reservation).
- When a user opens the NVR's web interface or mobile app, the viewing request goes through this second port. The NVR streams only the requested camera feed at reduced resolution and bitrate — typically H.265 at 1 to 2 Mbps for remote viewing — to the viewer's device.
The result: 20 cameras generating 160 Mbps of raw video traffic produce zero load on your corporate network 99% of the time. The only traffic that crosses to the main network is the low-bitrate stream when someone is actively watching remotely.
PoE: Power and Data Over One Cable
PoE (Power over Ethernet) is one of the features that makes IP camera deployments practical. IEEE 802.3af provides up to 15.4W per port; 802.3at (PoE+) provides up to 30W; and 802.3bt (PoE++) provides up to 60W or 100W depending on the type. Most IP cameras with integrated IR illuminators need 802.3at or higher.
Before purchasing cameras and NVR, verify the power budget. An NVR with a 16-port PoE switch rated at a 200W total PoE budget cannot simultaneously power 16 cameras that draw 15W each (which would require 240W). Calculate the per-camera power consumption from the spec sheet and ensure your NVR's total PoE budget is sufficient with margin for growth.
NVR vs. DVR vs. Cloud Camera Systems
| Feature | NVR (Network Video Recorder) | DVR (Digital Video Recorder) | Cloud Camera System |
|---|---|---|---|
| Camera connection | IP cameras via Cat5e/Cat6 | Analog cameras via coaxial cable | Wi-Fi or wired IP cameras |
| Video quality | Up to 4K and beyond | Up to 1080p (HD-TVI/HD-CVI) | Up to 4K depending on model |
| Storage | Local HDD inside NVR | Local HDD inside DVR | Cloud storage (monthly fee) |
| Bandwidth usage | Near-zero on main network | Near-zero (analog to DVR) | Continuous upload to cloud |
| Privacy | High — footage stays local | High — footage stays local | Lower — footage on vendor servers |
| Scalability | High — add cameras to PoE switch | Limited by coax runs | High — add cameras to Wi-Fi |
| Installation cost | Moderate — Cat6 cabling | Moderate — coax cabling | Low — Wi-Fi cameras |
| Ongoing cost | Low — no monthly fees | Low — no monthly fees | High — cloud storage subscription |
Real-World Use Cases
Small Business (8-16 cameras): A retail store with 12 cameras uses an NVR with a built-in 16-port PoE switch. All cameras connect directly to the NVR via Cat6. The NVR records continuously to a 4TB RAID array (sufficient for approximately 30 days of motion-triggered recording). The store manager views footage remotely via the NVR's mobile app using DDNS addressing. No camera traffic ever appears on the store's main Wi-Fi network.
Multi-Site Corporate (50+ cameras per site): Each site has a dedicated PoE switch connected to the NVR. The NVR VLAN is isolated from corporate traffic by a managed firewall. Remote access to each NVR is via a site-to-site VPN rather than exposing the NVR's web interface directly to the internet. Security personnel access a central video management software (VMS) platform that aggregates feeds from all sites.
Parking Structure: Long-distance camera runs require fiber optic media converters or PoE extenders for spans beyond 100 meters (the Cat6 PoE distance limit). The NVR remains in a secure server room; cameras communicate back over fiber to a managed PoE switch at the server room.
IP Camera Security: The Overlooked Risk
IP cameras are one of the most commonly compromised device categories in enterprise networks. Default credential attacks against cameras with factory-set usernames and passwords account for a significant fraction of observed IoT compromises. The Mirai botnet, which conducted record-setting DDoS attacks, was built largely from compromised IP cameras and DVRs running default credentials.
Security requirements for any IP camera deployment:
- Change default usernames and passwords on every camera and the NVR before network connection.
- Audit firmware versions at deployment and establish a update schedule — camera manufacturers release firmware patches for CVEs, but many deployments never apply them.
- Isolate the camera network from corporate systems. The camera VLAN should have no route to Active Directory, file servers, or any corporate system. The only permitted outbound connections are to the NVR.
- Do not expose the NVR's web interface directly to the public internet on its default port. Use a VPN for remote access, or at minimum change the port and enable HTTPS with a valid certificate.
- Review NVR access logs periodically. Unexpected login attempts or successful logins from unfamiliar IP addresses indicate compromise or reconnaissance.
ONVIF and Protocol Standards
ONVIF (Open Network Video Interface Forum) is the interoperability standard that allows cameras from different manufacturers to work with any ONVIF-compliant NVR. When selecting cameras and NVRs from different vendors, confirm ONVIF Profile S compliance at minimum. Profile T adds H.265 support. Profile G adds edge storage. Knowing which profiles a camera supports determines what features the NVR can use.
RTSP (Real Time Streaming Protocol) is the transport protocol cameras use to stream video. The RTSP URL for a camera typically looks like rtsp://username:password@192.168.254.10:554/stream1. This URL can be used in any RTSP-compatible player (VLC, for example) to view the camera feed directly, independent of the NVR interface.
Common Misconceptions
Misconception 1: More Megapixels Always Means Better Surveillance
Resolution is one variable in surveillance quality. Lens quality, sensor size, frame rate, compression algorithm, and lighting conditions all matter equally or more. A 4K camera with a poor lens and inadequate IR illumination in a dark parking lot will produce worse usable footage than a well-configured 2MP camera with a quality lens and appropriate lighting. Buy cameras appropriate for the specific environment and use case rather than maximizing megapixels across the board.
Misconception 2: Local Recording Means the Footage Is Safe from Theft
An NVR with hard drives is a physical device that can be stolen. In high-risk environments, NVRs should be in locked server rooms or hardened enclosures, not under a reception desk. Additionally, hard drives fail. For critical surveillance, NVRs with RAID 1 mirroring protect against single-drive failures, and some deployments replicate selected footage to a secondary off-site system or cloud storage for backup — not primary storage, but insurance against physical theft or failure.
Misconception 3: PoE Works Over Any Ethernet Cable
PoE requires quality copper Ethernet cabling. Cat5e or Cat6 at proper installation quality works reliably. Old, damaged, or improperly terminated cables may pass data but deliver insufficient current for PoE, causing cameras to brown out or fail to power on. Always use quality cable and proper termination when running new surveillance cabling, and test with a cable tester before committing runs in finished walls.
Misconception 4: DDNS Alone Provides Secure Remote Access
DDNS (Dynamic DNS) maps a hostname to your changing public IP address, making the NVR accessible from the internet. But DDNS alone just makes the NVR easier to find — it provides no security. An NVR accessible via DDNS is visible to internet scanners within hours of connection. Remote access to NVRs should use a VPN connection to the site, or at minimum should be protected by strong passwords, non-default ports, HTTPS, and ideally IP allowlisting.
Pro Tips for Surveillance Network Engineers
- Calculate storage requirements before purchasing drives: Estimate daily footage volume based on camera count, resolution, bitrate, and recording schedule (continuous vs. motion-triggered). Most NVR manufacturers provide storage calculators. Err on the side of more storage — hard drives are cheap, and finding out you only have 3 days of retention during an incident investigation is a bad situation.
- Use H.265 encoding wherever supported: H.265 (HEVC) produces equivalent video quality at approximately half the bitrate of H.264. For a 20-camera system, switching from H.264 to H.265 can roughly double your storage capacity and halve the NVR's processing load. Confirm both the cameras and NVR support H.265 before purchasing.
- Label every camera port on the NVR with the camera's physical location: When reviewing footage after an incident, knowing that NVR port 7 corresponds to the northwest parking lot entrance saves significant time. Document port-to-location mapping in a diagram and store it with the NVR.
- Enable motion detection recording rather than continuous 24/7: Motion-triggered recording typically reduces storage consumption by 60-80% compared to continuous recording, while capturing all relevant events. Configure detection sensitivity and zones carefully to avoid false triggers from trees, lights, or HVAC vents within the camera's field of view.
- Plan cable runs before installation, not after: IP camera installations where cable routes are planned during construction or renovation are significantly cleaner and more reliable than retrofits. Conduit, accessible cable pathways, and proper cable management in the NVR location reduce ongoing maintenance burden substantially.
- Test remote viewing quality on your target internet connection before finalizing the deployment: Remote viewing over a cellular or residential internet connection may be constrained by upload bandwidth at the site. The NVR's remote viewing bitrate settings need to be calibrated to what the site's upload capacity can reliably support during peak hours.
A properly architected NVR deployment provides years of reliable, high-quality surveillance recording without burdening your network infrastructure or creating unnecessary security exposure. Check your network's current bandwidth capacity and IP allocation.