
Network and Tailscale spec

Phase I adds 2 Amcrest cameras + 1 Jetson behind a single managed PoE+ switch hanging off the existing LBZF plant network. The CV deployment cannot disrupt the plant’s POS / ERP / Wi-Fi / GPON uplink — we add minimal new infrastructure (one switch) and route only the necessary traffic. Tailscale is the only remote-ops surface; the dashboard is never directly internet-exposed (ADR-005).

```text
Internet (ISP — fiber)
   │
[Huawei EchoLife HG8145V5 GPON ONT/router]  192.168.1.1/24
   │ (one Cat6 uplink: ONT/router LAN port → TL-SG2210MP uplink port)
[TP-Link TL-SG2210MP smart-managed PoE+]  computer room
   ├── Jetson Orin Nano Super (eth0)  192.168.1.10
   ├── Amcrest cam 01                 192.168.1.21 (camera VLAN)
   ├── Amcrest cam 02                 192.168.1.22 (camera VLAN)
   └── (spare ports for Phase I/II growth)
```

Single switch, single subnet, two VLAN groups on the switch:

  • Plant VLAN (untagged on uplink + Jetson port): 192.168.1.0/24 shared with the existing LBZF LAN.
  • Camera VLAN (untagged on the camera ports, tagged trunk back to the Jetson): isolated broadcast domain so the Amcrests can’t ARP or multicast to the plant LAN.

The TL-SG2210MP is the only managed device on this fabric; per ADR-002 it was chosen specifically for the VLAN/ACL features needed to air-gap the Amcrest cameras. Phase III’s ~24-camera scale outgrows it (likely successor: TL-SG3428MP or per-module fan-out).

Flat 192.168.1.0/24 to keep on-site debugging simple. Statics live above the Huawei GPON’s DHCP pool; verify the DHCP range with Ronald during install and stay above it.

| Device | Static IP | Hostname | Notes |
|---|---|---|---|
| Huawei GPON | 192.168.1.1 | (existing) | Plant LAN gateway; do not touch |
| TL-SG2210MP mgmt | 192.168.1.2 | lbzf-sw-main | Web UI password rotated from default; mgmt only reachable from 192.168.1.10 (Jetson) |
| Jetson | 192.168.1.10 | lbzf-jetson-01 | Trunk port — sees both plant and camera VLAN |
| Amcrest cam 01 | 192.168.1.21 | cam-01 | RTSP user lbzf; password from 1Password “LBZF cameras” |
| Amcrest cam 02 | 192.168.1.22 | cam-02 | Same RTSP creds; Ronald picks which workstation |

Amcrest RTSP URL pattern (per ADR-001):

Main stream:

```text
rtsp://<user>:<pwd>@<cam-ip>:554/cam/realmonitor?channel=1&subtype=0
```

Sub-stream (what Phase I uses):

```text
rtsp://<user>:<pwd>@<cam-ip>:554/cam/realmonitor?channel=1&subtype=1
```

For cam 01: rtsp://lbzf:<pwd>@192.168.1.21:554/cam/realmonitor?channel=1&subtype=1.

Sub-stream presets are 704×480 / 352×240 / CIF / QCIF. 640×480 is not a preset — pick the closest preset (704×480) and let the Jetson downscale (ADR-004).

For each Amcrest camera, before mounting:

  1. Plug into a PoE+ port on the TL-SG2210MP; wait ~45s to boot.
  2. From a laptop on the same subnet, browse to the factory IP (Amcrest defaults vary; check the printed sticker) — immediately set a strong admin password. Do not skip, do not reuse defaults.
  3. Configure:
    • Admin password: 1Password “LBZF cameras” entry (one password shared across both cams; ITBA uses a different one if they source bench cameras).
    • Time zone: America/Bogota; NTP server 192.168.1.10 (Jetson) fallback pool.ntp.org.
    • Static IP: per the table above.
    • Sub-stream: H.264, 704×480 (closest preset to 640×480), 5 fps, VBR ~512 kbps.
    • Audio: disabled (privacy + bandwidth).
    • Video overlay: disabled (timestamps come from the Jetson).
    • IR illumination: auto; default to IR-only to avoid distracting white-light flicker.
    • Motion / tamper detection: Amcrest on-camera AI (human/vehicle) stays enabled as a fallback signal per ADR-001; YOLOv8 on the Jetson is the primary signal.
  4. Disable Amcrest Cloud / P2P in the UI. Also disable DDNS, UPnP, multicast.
  5. Verify cloud is actually off: the TL-SG2210MP ACL blocks outbound TCP 37777 and TCP 80 from the camera VLAN (Amcrest P2P / cloud check-in ports — see CVE-2025-31700 and CVE-2020-5735). After bring-up, tcpdump on the trunk port for 10 minutes and confirm no outbound connection attempts to Amcrest cloud endpoints.

Beyond the VLAN setup, the switch enforces the camera-isolation rules:

  • VLAN 10 (camera): untagged on the two camera ports, tagged on the Jetson port. No route to plant VLAN.
  • VLAN 1 (plant): untagged on uplink + Jetson port.
  • ACL outbound from VLAN 10:
    • Deny TCP/UDP 37777 (Amcrest P2P).
    • Deny TCP 80 outbound (cloud check-in).
    • Allow everything else (RTSP, NTP to Jetson, ICMP).
  • Mgmt UI: restricted to 192.168.1.10 source; rotate the admin password from default on first boot; HTTPS if firmware supports it.
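Step 5 of the camera bring-up and the VLAN 10 ACL above describe the same check from two sides. The script below is an added example (not part of this spec or the install runbook) that runs offline over the text output of the 10-minute `tcpdump -nn` capture from the trunk port and flags every camera-originated attempt the ACL is meant to stop: TCP/UDP 37777, TCP 80, and anything leaving 192.168.1.0/24. The camera and LAN addresses are the ones in the IP table; the sample capture and the 203.0.113.x destinations are constructed.

```python
"""Offline check over a tcpdump text capture from the Jetson trunk port (added
example): flag camera-originated connection attempts that the camera-VLAN ACL
is meant to stop: off-LAN destinations, TCP/UDP 37777, TCP 80."""
import ipaddress
import re

PLANT_LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERAS = {ipaddress.ip_address(ip) for ip in ("192.168.1.21", "192.168.1.22")}

# tcpdump -nn line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def classify(line):
    """Return a finding for one capture line, or None if it is in policy / out of scope."""
    m = LINE_RE.match(line)
    if not m:
        return None  # ARP, IPv6, tcpdump banners: not IPv4 unicast we care about
    src, _sport, dst, dport, rest = m.groups()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    if src not in CAMERAS:
        return None  # only traffic the cameras originate is in scope
    # A TCP line is a new connection attempt only when it is a bare SYN; replies
    # ("[S.]", "[P.]", ...) to the Jetson's RTSP session are not. UDP always counts.
    is_tcp = rest.startswith("Flags [")
    if is_tcp and not rest.startswith("Flags [S]"):
        return None
    proto = "tcp" if is_tcp else "udp"
    if dport == 37777 or (proto == "tcp" and dport == 80):
        return f"{src} -> {dst}:{dport}/{proto} hits blocked Amcrest P2P/cloud port"
    if dst not in PLANT_LAN:
        return f"{src} -> {dst}:{dport}/{proto} leaves the plant LAN"
    return None

def audit(capture_text):
    """Run classify() over a whole capture and return the list of findings."""
    return [f for f in map(classify, capture_text.splitlines()) if f]

# Constructed sample capture (not a real recording): the RTSP handshake and NTP to
# the Jetson are in policy; the last three lines are what a camera with P2P/cloud
# check-in still enabled would emit. 203.0.113.0/24 is documentation address space.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.51000 > 192.168.1.21.554: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.21.554 > 192.168.1.10.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000003 IP 192.168.1.21.123 > 192.168.1.10.123: NTPv4, Client, length 48
12:00:03.000004 IP 192.168.1.21.40001 > 203.0.113.7.37777: Flags [S], seq 3, win 8192, length 0
12:00:04.000005 IP 192.168.1.22.40002 > 203.0.113.7.80: Flags [S], seq 4, win 8192, length 0
12:00:05.000006 IP 192.168.1.22.37777 > 203.0.113.9.37777: UDP, length 52
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE) or ["clean: no camera-originated attempts outside policy"]))
```

An empty findings list on the real capture is the pass condition for step 5; any line it prints means either P2P/cloud is still enabled on the camera or the switch ACL is not applied to VLAN 10.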

Both Jetsons are pre-flashed in CA per ADR-006 with Tailscale installed; LBZF is authenticated before flight, ITBA brings up auth in BA on first boot.

LBZF Jetson:

```sh
sudo tailscale up --ssh --hostname=lbzf-jetson-01 --advertise-tags=tag:lbzf-jetson
```

ITBA twin (first boot in BA):

```sh
sudo tailscale up --ssh --hostname=itba-jetson-01 --advertise-tags=tag:itba-dev
```

Tags per ADR-005: tag:lbzf-jetson for the Pereira unit, tag:itba-dev for the ITBA twin. Kept separate so ITBA access can be torn down independently.

Tailscale ACL (paste in the admin console, https://login.tailscale.com/admin/acls):

```json
{
  "groups": {
    "group:lbzf-admins": ["sophia@evasglobal.com", "andrew@<andrew-email>"],
    "group:lbzf-ops": ["armando@evasglobal.com", "ronald@<ronald-email>"],
    "group:lbzf-itba": ["raul@itba.edu.ar", "carlos@itba.edu.ar", "..."]
  },
  "tagOwners": {
    "tag:lbzf-jetson": ["group:lbzf-admins"],
    "tag:itba-dev": ["group:lbzf-admins", "group:lbzf-itba"]
  },
  "acls": [
    { "action": "accept", "src": ["group:lbzf-admins"], "dst": ["tag:lbzf-jetson:*", "tag:itba-dev:*"] },
    { "action": "accept", "src": ["group:lbzf-ops"], "dst": ["tag:lbzf-jetson:22,5000"] },
    { "action": "accept", "src": ["group:lbzf-itba"], "dst": ["tag:itba-dev:*"] }
  ],
  "ssh": [
    { "action": "accept", "src": ["group:lbzf-admins"], "dst": ["tag:lbzf-jetson", "tag:itba-dev"], "users": ["lbzf", "itba"] },
    { "action": "accept", "src": ["group:lbzf-ops"], "dst": ["tag:lbzf-jetson"], "users": ["lbzf"] },
    { "action": "accept", "src": ["group:lbzf-itba"], "dst": ["tag:itba-dev"], "users": ["itba"] }
  ]
}
```
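The policy above encodes three isolation promises: ITBA never reaches the Pereira unit, ops get only SSH and the dashboard on it, and only admins can apply tag:lbzf-jetson. The script below is an added example (not part of this spec or Tailscale's tooling) that derives the reachable (src, tag) pairs from the "acls" and "ssh" sections and fails if any promise is broken, so an edit can be linted before it is pasted into the admin console. The embedded policy is a constructed copy of the one above with group membership trimmed to one user each.

```python
"""Pre-paste lint for the Tailscale policy above (added example): derives who
reaches which tag on which ports / SSH users and checks the spec's isolation rules."""
import json

# Constructed copy of the policy above, group membership trimmed to one user each.
POLICY_JSON = """{
  "groups": {"group:lbzf-admins": ["sophia@evasglobal.com"],
             "group:lbzf-ops": ["armando@evasglobal.com"],
             "group:lbzf-itba": ["raul@itba.edu.ar"]},
  "tagOwners": {"tag:lbzf-jetson": ["group:lbzf-admins"],
                "tag:itba-dev": ["group:lbzf-admins", "group:lbzf-itba"]},
  "acls": [
    {"action": "accept", "src": ["group:lbzf-admins"], "dst": ["tag:lbzf-jetson:*", "tag:itba-dev:*"]},
    {"action": "accept", "src": ["group:lbzf-ops"], "dst": ["tag:lbzf-jetson:22,5000"]},
    {"action": "accept", "src": ["group:lbzf-itba"], "dst": ["tag:itba-dev:*"]}
  ],
  "ssh": [
    {"action": "accept", "src": ["group:lbzf-admins"], "dst": ["tag:lbzf-jetson", "tag:itba-dev"], "users": ["lbzf", "itba"]},
    {"action": "accept", "src": ["group:lbzf-ops"], "dst": ["tag:lbzf-jetson"], "users": ["lbzf"]},
    {"action": "accept", "src": ["group:lbzf-itba"], "dst": ["tag:itba-dev"], "users": ["itba"]}
  ]
}"""

def reach(rules, ssh=False):
    """(src, tag) -> allowed ports ("acls": dst is "tag:x:ports") or SSH users ("ssh" rules)."""
    out = {}
    for rule in rules:
        for src in rule["src"]:
            for dst in rule["dst"]:
                host, grant = (dst, set(rule["users"])) if ssh else dst.rsplit(":", 1)
                out.setdefault((src, host), set()).update(grant if ssh else grant.split(","))
    return out

def lint(policy_json):
    """Return the isolation invariants the policy breaks (empty list == safe to paste)."""
    policy = json.loads(policy_json)
    net, ssh = reach(policy["acls"]), reach(policy["ssh"], ssh=True)
    problems = []
    # ITBA must never reach the Pereira unit: no ports, no SSH users, no tag ownership.
    if any(("group:lbzf-itba", "tag:lbzf-jetson") in m for m in (net, ssh)):
        problems.append("group:lbzf-itba can reach tag:lbzf-jetson")
    if "group:lbzf-itba" in policy["tagOwners"]["tag:lbzf-jetson"]:
        problems.append("group:lbzf-itba may apply tag:lbzf-jetson")
    # Ops are limited to SSH (22) and the dashboard (5000) on the Pereira unit.
    if net.get(("group:lbzf-ops", "tag:lbzf-jetson"), set()) - {"22", "5000"}:
        problems.append("group:lbzf-ops reaches ports beyond 22,5000 on tag:lbzf-jetson")
    return problems

if __name__ == "__main__":
    print(lint(POLICY_JSON) or ["policy OK"])
```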

Mark both devices “Key expiry: never” in the admin console — Tailscale’s default 180-day expiry would silently disconnect the LBZF Jetson and the only recovery would be a flight.

Per ADR-005, Phase I runs on Tailscale Starter tier (~$6/user/mo × ~9 users ≈ $45/mo): Sophia, Andrew, Armando, Ronald, Mariana, plus 4 ITBA team members. The free tier caps at 3 users, which doesn’t fit. Sophia upgrades the tailnet before the 2026-05-15 flight (G1 gate).

When the Huawei GPON loses upstream connectivity:

  • LAN-side traffic on 192.168.1.0/24 keeps working. The Jetson decodes RTSP, runs YOLOv8n, writes SQLite, serves the dashboard to anyone on the plant LAN.
  • Tailscale’s tailscaled stays running; reconnects within seconds of ISP recovery.
  • NTP clock drift over a multi-hour outage is negligible; Amcrest cameras NTP to the Jetson which has a local clock.
  • Remote dashboard viewing and Excel-export download pause until ISP returns. Local plant-LAN dashboard access is unaffected.

H.264 sub-stream at 704×480 / 5 fps / VBR ~512 kbps:

| Source | Per camera | × 2 | Notes |
|---|---|---|---|
| Sub-stream RTSP (camera → Jetson) | ~0.5 Mbps | ~1 Mbps | continuous |
| Total LAN load | | ~1 Mbps | well within gigabit; switch is bottleneck-free |
| Dashboard remote viewing (Jetson → Tailscale) | ~0.5 Mbps per viewer | ~1–2 Mbps for typical use | bursty |
| Optional video pull (Sophia downloads a clip remotely) | ~10 Mbps for 30s | one-off | rare |

The TL-SG2210MP’s 150W PoE+ budget is wildly over-provisioned: 2× Amcrest IP8M-2779EW-AI at ~5W each = 10W, leaving 140W for Phase II/III growth (the switch can carry ~14 more cameras at this draw).

  • Jetson edge-compute (jetson-edge-compute.md): the Jetson’s eth0 config, hostname, firewall rules, NTP, Tailscale install. This network doc is the contract; the Jetson spec is the implementation.
  • Install runbook (install-runbook.md): physical cabling order references this IP plan.
  • Business bucket: confidentiality of camera feeds enforced by the Tailscale ACL. If business tightens the definition (e.g., Ronald only sees aggregated KPIs, not raw video), group:lbzf-ops permissions narrow.
  • Backend bucket: dashboard binds 0.0.0.0:5000; ufw restricts to Tailscale + plant LAN.

Tracked at the G1 gate. Summary:

  1. CA bench (pre-flight) — bring up 1× Amcrest on the TL-SG2210MP; validate RTSP URL; change admin password; set static IP; disable P2P; tcpdump-verify no Amcrest cloud calls.
  2. Pre-flight — Tailscale auth on the LBZF Jetson; ACL pushed; verified from cellular. ITBA Jetson has Tailscale installed but not yet authed.
  3. 2026-05-15 — fly with both Jetsons; ITBA Jetson authenticates in BA on first boot.
  4. Pereira install (July 2026) — bring up the TL-SG2210MP, then plug in one Amcrest at a time so IP conflicts (if any) are easy to isolate. Do not leave the plant until Tailscale SSH from cellular succeeds.