Make-in-India OEM  •  Enterprise WiFi 6 · Switching · Security · AIOps Cloud
SupportClient PortalCareers+91 91367 90819
Immunity Networks
Contact SalesRequest a Demo
Home / Blog / Switching
Switching

How to choose an enterprise switch: ports, PoE budget and uplinks

A practical framework for choosing enterprise switches in India — port count, PoE budget, uplinks, L2 vs L3, stacking and cloud management, without overspending.

By Immunity Networks · 13 June 2026 · 10 min read
WHERE EACH SWITCH SITSAccess layer — managed L2, PoE+APs, PCs, camerasAggregation / core — L3, 10G uplinksInter-VLAN routingGateway — security & internet edgeFirewall & WAN
The access–aggregation–core model most enterprises follow.
In this articleStart with the network, not the switchCount ports honestly — then add headroomGet the PoE budget rightPlan uplinks and oversubscriptionChoose where routing livesManagement: the feature you use every dayStacking, redundancy and resilienceA worked example: a three-floor officeTotal cost of ownership, not sticker priceSecurity at the access layerReplacing switches without downtimeDon’t forget the management networkA short buying checklistCertifications and supply that hold up in India

Start with the network, not the switch

It is tempting to choose a switch by reading down a spec sheet, but the right way round is to start from the network you are building and let the requirements pick the hardware. Almost every enterprise network follows the same three-tier shape: an access layer where devices plug in, an aggregation/core layer that routes between them, and a gateway at the edge. Decide what belongs where, and switch selection becomes a series of small, answerable questions.

If the access-versus-core distinction is new to you, our explainer on L2 vs L3 switching is the right primer. This guide assumes that model and focuses on sizing each layer correctly.

Count ports honestly — then add headroom

Begin with a real device inventory: every PC, access point, camera, printer, VoIP phone, door controller and kiosk that needs a wired port. Group them by location so you know how many ports each wiring closet must serve. Then add 20–30% headroom for growth, moves and spare ports — stranding a closet with zero free ports is a false economy that triggers an early upgrade.

Switches come in standard 8, 24 and 48-port densities. A floor with 38 devices is usually better served by a single 48-port switch than two 24-port units, because it simplifies cabling, management and uplinks. Immunity’s NetForce L2 range spans 8-, 24- and 48-port models so you can match density to each closet without overbuying.

Get the PoE budget right

Power over Ethernet is where switch sizing most often goes wrong. There are two numbers that matter: the per-port standard (PoE at ~15 W, PoE+ at ~30 W, PoE++ higher) and the switch’s total PoE power budget. A switch can advertise PoE+ on all 48 ports yet be unable to deliver full power to every port at once, because the total budget is shared.

Add up the draw of your powered devices — Wi-Fi 6 access points, cameras, phones — and compare it to the total budget with margin to spare. Our detailed walkthrough in PoE, PoE+ and PoE++ explained shows how to do this calculation and avoid the classic trap of a fully-populated switch browning out under load.

  • PoE (802.3af) — ~15 W per port, for basic APs and phones
  • PoE+ (802.3at) — ~30 W per port, for Wi-Fi 6 APs and PTZ cameras
  • PoE++ (802.3bt) — higher still, for pan-tilt cameras and displays
  • Check the switch’s total PoE budget, not just the per-port rating
PoE POWER CLASSES~15 WPoE (802.3af)~30 WPoE+ (802.3at)~60–90 WPoE++ (802.3bt)
Per-port budget — check the switch total budget too.

Every access switch needs uplinks to carry its traffic up to the core. Under-provision them and the switch becomes a bottleneck no matter how fast its access ports are. For most access switches, dual 10G SFP+ uplinks provide both capacity and a redundant path. The transceivers that light those uplinks deserve their own attention — see our SFP/SFP+ buyer’s guide for choosing the right optics and fibre.

Think about oversubscription: a 48-port gigabit switch can in theory source 48 Gbps, but dual 10G uplinks give 20 Gbps upstream. For typical office traffic that ratio is comfortable; for floors full of heavy file transfer or video it may not be. Match uplink capacity to the real traffic pattern, not the theoretical maximum.

Talk to our network engineers

SIZING THE ACCESS LAYER1Count devices+20–30% headroom2Pick density8 / 24 / 48-port3Size PoEtotal budget4Plan uplinksdual 10G SFP+
From a device count to a correctly sized access switch.

Choose where routing lives

Routing between VLANs — staff, guest, CCTV, IoT, servers — should happen in hardware at the aggregation or core layer. That is the job of a Layer 3 switch, which routes between subnets at wire speed far faster than pushing the traffic out to a router and back. Access switches stay Layer 2; the L3 core ties everything together and hands off to the gateway for security and internet.

For a single-VLAN small site you can skip the L3 core entirely. For a multi-building campus, hospital or hotel with many VLANs and heavy east-west traffic, an L3 core is the difference between a responsive network and a congested one.

Stacked switches in a wiring closet — the access and aggregation layers of a real network.
Stacked switches in a wiring closet — the access and aggregation layers of a real network.

Management: the feature you use every day

Hardware specs get the attention, but management is what you live with daily. Cloud-managed switching lets you provision a new switch with zero-touch, push VLAN and QoS changes across every site from one console, and see port-level telemetry without driving to a wiring closet. Immunity’s switches are managed natively from Net Cloud, so the access, aggregation and core layers share one pane of glass.

That single console is also where security and visibility come together: 802.1X port authentication, VLAN assignment, traffic analytics and alerting all live in the same place. If you are running multiple sites, this is the feature that most reduces day-to-day operational cost.

Stacking, redundancy and resilience

A single switch is a single point of failure. For closets and cores that matter, plan for resilience from the start. Stacking lets several physical switches act as one logical unit with shared configuration and a single management address, simplifying operations and allowing a link to span members for redundancy. At the core, dual aggregation switches with redundant uplinks mean no one device failure takes the floor offline.

Power resilience matters too: critical switches should sit on UPS-backed circuits, and PoE-heavy access switches need power protection sized for their full load. Designing redundancy in at purchase time costs far less than retrofitting it after the first outage. Our companion guide on network redundancy and high availability covers STP, link aggregation and failover in depth.

A worked example: a three-floor office

Consider a typical three-floor office with about 40 wired devices per floor, including a dozen Wi-Fi 6 access points and a handful of cameras. Each floor gets a single 48-port PoE+ access switch — enough ports for every device plus headroom, with PoE budget sized for the APs and cameras. Each access switch uplinks via dual 10G SFP+ to a pair of L3 aggregation switches in the comms room, which route between VLANs and hand off to the gateway.

That design gives clean per-floor segmentation, redundant uplinks, a routed core and room to grow — and it maps directly onto Immunity’s NetForce L2 access and NetForce L3 aggregation ranges. Scale the same pattern up for a campus or down for a single floor; the logic does not change.

Total cost of ownership, not sticker price

The cheapest switch on a quote is rarely the cheapest switch to own. Factor in the PoE capability you will need within a year, the management time saved by cloud provisioning, the cost of an outage if there is no redundancy, and the support experience when something fails. A switch that is slightly more expensive but cloud-managed, properly PoE-budgeted and locally supported usually wins over three years.

This is where a Make-in-India OEM changes the maths: local stock shortens lead times, in-country RMA shortens downtime, and engineers in your timezone shorten every support call. Those operational savings dwarf small differences in upfront price.

Security at the access layer

The access switch is the network’s front door, and it should behave like one. 802.1X port authentication ensures only known devices and users get onto the network, dynamically placing them on the correct VLAN. Layer on DHCP snooping to block rogue DHCP servers, dynamic ARP inspection to defeat spoofing, and storm control to contain broadcast floods, and the access layer stops being a soft underbelly.

These are software features, so they cost nothing extra on a capable managed switch — but only if you choose a switch that supports them and a management plane that makes them easy to apply consistently. When the same policy can be pushed to every access port across every site from one console, access-layer security becomes a setting rather than a project.

Replacing switches without downtime

Most switch purchases are refreshes, not greenfield builds, so plan the cutover as carefully as the hardware. Stage and pre-configure new switches before touching the live network — cloud management makes this easy, since a switch can pull its full configuration the moment it is plugged in. Schedule the swap for a maintenance window, move uplinks first to keep the path to the core alive, then migrate access ports closet by closet.

Where uptime is critical, redundant uplinks and stacked cores let you replace one member at a time with no outage at all. The goal is a migration users never notice. A local OEM helps here too: pre-staged units, in-country spares and engineers who can join the cutover call shorten every maintenance window.

Don’t forget the management network

One detail that catches people out is how they will reach a switch when something goes wrong. A dedicated out-of-band management path — or at minimum a well-planned management VLAN — means you can still administer a device even when the production network is misbehaving. Cloud-managed switches ease this, since they check in to the controller independently, but it is worth designing the management reachability deliberately rather than discovering its absence during an incident.

Equally, plan how firmware updates and configuration changes will be applied across the fleet. Doing this from a central console, with staged rollouts and an audit trail, is far safer than touching boxes one by one — and it is one of the strongest reasons to favour a switch family that is managed from a single platform like Net Cloud.

A short buying checklist

Before signing off a switching purchase, confirm the essentials: enough ports with 20–30% headroom; a PoE budget that covers every powered device at once; uplinks sized to the real traffic with a redundant path; L3 at the core if you route between VLANs; the security features your access layer needs; management you will genuinely use; and the certifications and local support a deployment in India requires.

Run that list and the choice is methodical rather than guesswork. If you would like a second opinion, send us your floor plans and device counts and we will size the access, aggregation and core layers and quote a matching Make-in-India stack — so you buy the right switch once.

  • Enough ports with 20–30% headroom for growth
  • A PoE budget covering every powered device at once
  • Uplinks sized to real traffic, with a redundant path
  • L3 at the core if you route between VLANs
  • The security features your access layer needs
  • Management you will actually use, plus India certifications

Certifications and supply that hold up in India

For deployments in India, confirm the switches carry the relevant approvals — MTCTE, plus CE, FCC and RoHS — and think about the supply chain behind the warranty. A Make-in-India OEM can offer local stock, faster RMA and engineers who answer the phone, which matters far more during an outage than a marginal spec advantage.

Put it together and the decision is methodical: map the three layers, count ports with headroom, size the PoE budget, provision uplinks, place routing at the core, and insist on management you will actually enjoy using. Do that and you buy the right switch once, rather than the cheapest switch twice.

FAQ

Frequently asked questions

How many switch ports do I actually need?

Count every wired device — PCs, access points, cameras, printers, phones, door controllers — then add 20–30% headroom for growth and spare ports. Round up to standard 8, 24 or 48-port models, and remember each access point and camera consumes a PoE port.

How do I calculate a PoE budget?

Add the wattage each powered device draws (a Wi-Fi 6 AP might need 15–30 W, a PTZ camera more) and compare the total against the switch’s PoE power budget, not just its per-port rating. A switch can have PoE+ on every port yet run out of total budget if every port is loaded.

Do I need a managed switch?

For any business network, yes. Managed switches give you VLANs, QoS, security controls and monitoring. Unmanaged switches are fine only for the smallest, flat networks with no segmentation or visibility requirements.

Should access switches be L2 or L3?

Access switches are normally Layer 2; routing between VLANs happens on an L3 aggregation or core switch. Small single-VLAN sites can run L2 only. See our L2 vs L3 guide for the design rule.

Go deeper

Related from Immunity

Product

NetForce L2

Managed Gigabit access

Explore →Product

NetForce L3

Layer 3 core & routing

Explore →Guide

L2 vs L3

When you need each

Explore →

Sizing a switching refresh?

Share your floor plans, device counts and PoE needs — we’ll size the access, aggregation and core layers and quote a Make-in-India stack.

Request a DemoSee switching & routing
📞 Request a Demo