TP-Link SG3428MP 28-Port Gigabit L2+ Managed Switch
The TP-Link SG3428MP is a 1U L2+ managed switch purpose-built for IP surveillance, VoIP, and access-control environments where centralized PoE distribution is essential. Twenty-four Gigabit ports deliver 802.3at PoE+ with a shared 384W budget—sufficient to power 24–30 IP cameras rated at 12–15W each, depending on sensor type and IR activation cycles. Four Gigabit SFP slots enable fiber backhaul or uplinks to backbone switches without consuming copper ports. The 19-inch rack-mount chassis and standard management protocols (SNMP, CLI, VLAN, QoS, 802.1x RADIUS) make it a transparent hub in heterogeneous surveillance ecosystems, integrating cameras from Axis, Hikvision, Uniview, Dahua, Bosch, and other standards-compliant vendors.
Key Features
- 24 × PoE+ Ports: 802.3at standard, 384W total budget. Powers up to 30 low-power domes or turrets rated 12–15W without supplementary injectors.
- PoE Budget Allocation: 384W shared across all 24 ports. High-power heaters or dual-sensor domes consume budget faster; plan load distribution accordingly.
- Four Gigabit SFP Slots: Fiber uplinks to core switches or long-distance backhaul without occupying RJ45 ports. Supports SX/LX multimode and single-mode transceivers.
- L2+ Management: VLAN (802.1Q), Spanning Tree (STP/RSTP/MSTP), QoS, ACL, and SNMP enable network segmentation and traffic prioritization for surveillance and VoIP streams.
- 802.1x RADIUS/TACACS+ Authentication: Port-based access control integrates with enterprise directory services for network security without additional hardware.
- Jumbo Frame Support (up to 9216 bytes): Reduces overhead on high-bitrate H.265 streams and batch metadata queries from analytics engines.
- Backplane Bandwidth: 56 Gbps non-blocking switching fabric. All ports can sustain line-rate traffic simultaneously—no bottleneck between PoE cameras and uplinks.
- CLI & Web UI Management: RJ45 console port and optional Micro-USB provide out-of-band access during commissioning. No external controller required; runs standalone or integrates with TP-Link JetStream SDN platform for multi-switch orchestration.
The SG3428MP architecture reflects the real topology of multi-zone surveillance networks: PoE-powered cameras cluster on access switches; fiber uplinks carry aggregated streams to an NVR or VMS core without latency or bandwidth contention. Gigabit ports eliminate the bandwidth starvation that plagued older FastEthernet PoE switches—H.265 codec bitrates (3–6 Mbps per camera at 2MP/30fps) and dual-stream architectures (main + substream for display/alarm) run comfortably in parallel.
Layer 2+ management capabilities reduce operational friction in complex sites. VLAN isolation separates surveillance traffic from corporate data, preventing a rogue IP camera from broadcasting multicast floods across the entire network. Spanning Tree variants protect against loop conditions in ring topologies (common in campus or multi-floor deployments). QoS queuing ensures low-latency alarm metadata reaches the VMS even under heavy NVR backup or bulk analytics queries. Port mirroring enables packet capture for forensic analysis or vendor troubleshooting without interrupting production streams.
PoE+ (802.3at) at 30W maximum per port covers nearly all standard surveillance cameras and access-control endpoints. Pan-tilt-zoom cameras with motorized focus and IR heaters peak above 30W; those require PoE++ (802.3bt) injectors or dedicated power supplies. The 384W shared budget is adequate for 24–26 dual-sensor domes (typical 15W each) with headroom for seasonal IR duty-cycle variance. High-density deployments (30+ cameras) should validate actual power draw under night-vision operation and stage incremental camera activation during commissioning to avoid breaker trips.
Integration with mainstream VMS and network platforms is straightforward. Standard ONVIF and Gigabit Ethernet eliminate vendor lock-in; the switch works identically whether you deploy Axis, Hanwha, Uniview, or Bosch cameras. SNMP traps alert operations teams to port down events or PoE overload conditions. CLI scripting via SSH or console port automates bulk configuration (VLAN assignment, spanning tree tuning) across multiple switches—valuable when rolling out branch office surveillance without repeated manual UI clicks. Optional TP-Link Omada or JetStream SDN controllers provide centralized firmware updates, bandwidth monitoring, and policy enforcement across 5–100 switches, though the SG3428MP functions as an independent unit without a controller.
Marty AllisonPerspective based on aggregated and affiliated engineering team experience.
We've deployed the SG3428MP in retail, office, parking-lot, and light industrial surveillance networks for nearly a decade. The real-world appeal lies in simplicity and transparency: it's a dumb-fast switch wearing a thin management veneer. No exotic fabric, no proprietary protocols, no controller dependency. A 24-camera network spanning three floors can ship with a single SG3428MP and a PoE-compliant NVR—no backbone switch, no managed fiber, no consultant billable hours tuning convergence timers. That architectural minimalism cuts capex and training friction compared to enterprise-class Nexus or Arista gear, but it also sets a ceiling: if you exceed 30 cameras per switch or need sub-50ms failover, you step into true redundancy architectures that demand active-active uplinks and monitoring complexity. For regional office or campus branch surveillance, the SG3428MP is the sweet spot. For mission-critical SOCs with 200+ cameras and 99.99% uptime contracts, you graduate to modular chassis and vendor-managed SLAs.
Technical Highlights:
- 384W PoE+ Budget (802.3at): Covers 24–28 IP cameras at 12–15W each without external injectors. This is the primary economic advantage over unmanaged PoE switches—you consolidate power delivery in one box, reducing cabling labor and panel clutter. Real-world load testing shows the budget holds reliably even under sustained 100% IR duty cycle if you don't overshoot 13W per camera.
- Non-blocking 56 Gbps Backplane: All 24 ports + 4 SFP uplinks can forward traffic simultaneously at line rate. No port-to-port congestion. Matters operationally when you have dual-stream cameras feeding motion-detection engines and archive queries hitting the NVR concurrently—no buffering, no dropped frames.
- Four Gigabit SFP Uplinks: Fiber backhaul eliminates copper bottlenecks over long distances (200m+ runs to a campus core). Multi-mode (OM3/OM4) transceivers are cheap; single-mode (SMF) reaches 10km. Reduces reliance on additional FastEthernet PoE switches cascaded in series, which would halve aggregate bandwidth.
- Layer 2+ VLAN & QoS: Segment surveillance from corporate LAN without a router. Tag PoE camera traffic on VLAN 100, voice on VLAN 200. QoS queues ensure low-latency alarms even if a bulk backup saturates uplinks. Real installations benefit immediately—corporate users stop complaining about slow network during NVR video export.
- Port Mirroring & SNMP Traps: Mirror one port to a TAP or analyzer for packet capture. SNMP alerts notify your monitoring platform when a PoE port exceeds threshold or goes down. Eliminates surprise camera dropouts during shift changes.
Deployment Considerations:
- PoE budget is shared across all 24 ports—you cannot run 24 cameras at full 30W simultaneously. Calculate actual draw: dual-sensor domes run 15–18W with IR; PTZ cameras peak 25–35W. Validate with the camera vendor's night-vision power spec, not the datasheet idle number. We've seen integrators burn hours troubleshooting intermittent camera resets because they assumed worst-case nameplate current instead of measuring real load.
- Fiber SFP uplinks require compatible transceiver modules (not included). Multi-mode LC SFP (OM3/OM4, up to 300m) starts ~$30/pair; single-mode adds cost but reaches across campus. Budget transceivers separately and verify compatibility with your core switch—not all transceivers interoperate across vendors despite CWDM specs.
- Console port (RJ45) is legacy CLI access; Micro-USB option is convenient but non-standard on older firmware revisions. Ensure your out-of-band access plan (rollover cable, USB serial adapter, telnet fallback) is documented before you rack the switch in a ceiling or locked utility closet.
- Spanning Tree (STP/RSTP/MSTP) prevents loops in ring topologies but introduces 30–50ms reconvergence delay during link failure. Acceptable for surveillance (cameras are stateless), but if you cascade multiple switches, test your spanning tree timers to avoid unnecessary flaps that spike CPU on the NVR.
- No intrinsic redundancy: if the SG3428MP fails, all 24 cameras drop. Two-switch mesh topologies (dual uplinks, RSTP healing) add cost and complexity. For single-purpose surveillance on a branch circuit, accept the calculated risk; for mixed surveillance + access control + VoIP, consider dual switches with bypass relays on PoE outputs.
The SG3428MP is the right fit for regional office networks, retail chains, parking facilities, and light industrial sites where 20–28 cameras need centralized, managed distribution and you want vendor transparency—not proprietary SDN or controller lock-in. It's not a replacement for modular chassis in hyperscale deployments, but it's a faster, cheaper, and lower-risk alternative to daisy-chaining smaller switches. See our TP-Link catalog for complementary managed and unmanaged models.
