When designing a network for physical security, here are a few things to think about:
1) Determine the amount of end equipment to be deployed. This will determine a variety of factors, such as the IP range and the subnet, and the type of network equipment to use. It is possible, though not advisable, to squeeze hundreds or thousands of devices into an unmanaged network and expect them to work properly. Likewise, creating multiple subnets for each class of equipment (cameras, PA system, card access system, etc.) when the total count of equipment can be counted on two hands can be impractical in terms of network management.
2) Once the end equipment quantity is known, plan out the end equipment placements. This will determine the types of networking equipment to use for the end equipment, e.g.: 24-port POE switches for a small office environment or a 4-port POE+ industrial-grade switch for outdoor fences. This will also determine the wiring infrastructure of the deployment, e.g.: ring/star/daisy-chain.
** Do remember to reserve some spare ports on the network switches for future expansion/ amendments. Normally a 10%-20% spare would do for most environments. **
3) Depending on the count of the end equipment and the system requirements, one can get away with a pure unmanaged switch for very small deployments. A web smart switch and a basic L3 switch suit small/medium-scale deployments, or cases where mixing equipment classes is not recommended by the manufacturer (e.g.: mixing a PA system with a CCTV system and a card access system).
4) For medium-size deployments, VLAN segmentation is recommended to optimize network traffic, and so that one faulty piece of equipment does not bring down the whole network with it.
5) Do check with the equipment manufacturer whether there are any specific requirements for the network, e.g.: multicast requirements for CCTV, QoS and EEE requirements for the PA system. These will determine the type of network switches to be deployed in the environment (e.g.: switches with multicast routing, switches with finer levels of QoS classification).
6) For POE deployment, do be careful of the maximum power the switch can supply, and whether it can support POE+ across all ports, if needed. There is a reason some POE switches are cheaper than others.
7) For daisy-chain/ring deployment, do be careful of the uplink bandwidth. Often one can get too carried away with daisy-chaining/ringing a bunch of switches, only to find out that there are traffic issues due to the chain bandwidth/maximum multicast groups/MAC addresses.
8) When planning the IP range and subnet, it is good practice to plan it in such a way that it can be super-netted, e.g.: the 192.168.0.0/24 subnet and the 192.168.1.0/24 subnet can be super-netted to the 192.168.0.0/23 subnet. This is especially useful in the later stage of hardening/routing, where the rules can be streamlined from 2 lines to 1 line. Remember that even though the switch/router/firewall can evaluate these rules in real time, each rule is still an additional line to match/compare before the intended rule is reached, so fewer lines help the responsiveness of the network.
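
An added example for point 8 (not part of the original list): a Python check, using the standard ipaddress module, of whether a planned set of subnets really collapses into one supernet. The plan names, the extra address ranges and the aligned_block helper are constructed for illustration; only the 192.168.0.0/24 + 192.168.1.0/24 pair comes from the text above.

```python
import ipaddress

def summarize(subnets):
    """Collapse subnets into the fewest prefixes covering exactly the same addresses."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def single_supernet(subnets):
    """Return the one prefix that exactly covers all subnets, or None if
    they need more than one rule line."""
    merged = summarize(subnets)
    return merged[0] if len(merged) == 1 else None

def aligned_block(first, count):
    """Hypothetical planning helper: given one subnet and how many equally
    sized subnets are wanted (a power of two), return the supernet that
    contains it and the subnets to allocate so one rule covers them all."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net = ipaddress.ip_network(first)
    block = net.supernet(new_prefix=net.prefixlen - (count.bit_length() - 1))
    return str(block), [str(s) for s in block.subnets(new_prefix=net.prefixlen)]

# Constructed sample plans; the first is the pair from point 8.
PLAN = {
    "aligned pair": ["192.168.0.0/24", "192.168.1.0/24"],
    "adjacent but misaligned": ["192.168.1.0/24", "192.168.2.0/24"],
    "four subnets": ["192.168.4.0/24", "192.168.5.0/24",
                     "192.168.6.0/24", "192.168.7.0/24"],
}

if __name__ == "__main__":
    for name, subnets in PLAN.items():
        merged = summarize(subnets)
        print(f"{name}: {len(subnets)} rule lines -> {len(merged)}: {merged}")
        if single_supernet(subnets) is None:
            # Adjacent ranges are not enough; the first subnet must sit on
            # the supernet boundary. Suggest an aligned allocation instead.
            block, alloc = aligned_block(subnets[0], len(subnets))
            print(f"  use {alloc} instead, covered by {block}")
```

The misaligned case is the one to watch for: 192.168.1.0/24 and 192.168.2.0/24 are adjacent, yet they still need 2 rule lines because the pair does not start on a /23 boundary.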