came for the poetry, left with an engineering lesson
2. How does PoE compare to Powerline Networking?
2. Powerline networking is considerably slower and less reliable than CAT5/6. Additionally, building code for running power lines is much more strict than low voltage CAT5/6
So any 10GbE (and 2.5GbE) PoE/PoE+ devices out there are technically not to spec (lots of these on Ali Express) but I believe the the Ubiquiti 10GbE stuff is all at least PoE++. [1]
(They do have their own non spec labeled PoE+++ products though, which are really just “802.3bt Type 4” but they added another plus because that probably sounded better.) [2]
[1] https://store.ui.com/us/en/products/us-xg-6poe, https://store.ui.com/us/en/category/accessories-poe-power/co...
[2] https://store.ui.com/us/en/category/accessories-poe-power/co... , https://help.ui.com/hc/en-us/articles/115000263008-PoE-Avail...
As a result, it tends to be relegated to the "high end switch which has every feature those one-off customers demand but costs an arm and a leg as a result" model/family. E.g. the only ones I ever sold were to a hospital that wanted to have select switches have 10G for radiology workstations but also wanted to still be able to plug 1G APs in without having to think about the port types. Radiology was covering the cost, so they didn't care it was a waste of money.
Do you buy Ethernet cables of different colors and say "Yellow is reserved for PoE, all yellow cables should be assumed to have power on them"? Or do you slap a "48V" label on both ends of the cables you're going to use for PoE and the label is what warns you that this cable should only go into the PoE receiver, and not into an unpowered device? Or do you just not label your PoE cables any differently, and trust that the injector will never malfunction at the same time that you plug the PoE cable into the wrong device?
Whenever possible, I opt for PoE. It’s a damn shame it’s limited to a niche userbase given its myriad advantages.
Reolink cameras are pretty good for what they are. Just dont buy into their NVR solution...
Frigate also has some interesting applications to go along with it, see: https://github.com/mmcc-xx/WhosAtMyFeeder
I also have YOLO on my to do list for the home cameras.
PoE (Power over Ethernet) sends both DC power and data through the same twisted-pair Ethernet cable, allowing devices like IP cameras, wireless access points, and VoIP phones to run without separate power lines. The power is delivered by Power Sourcing Equipment (PSE) — either an endspan (built-in PoE switch) or a midspan (PoE injector placed between a non-PoE switch and the device). The powered device (PD) negotiates power via detection and classification before voltage is applied, preventing damage to non-PoE gear. IEEE 802.3af (Type 1) provides up to 15.4 W at the source, 802.3at/PoE+ (Type 2) up to 25.5 W delivered, and 802.3bt (Type 3/4) extends that to roughly 60–90 W using all four wire pairs. Engineers need to understand not just wiring, but also cable category limits, pair usage, power losses over distance, and heat dissipation — especially at higher power levels. Modern PoE designs must consider standards compliance, thermal management, and efficiency, as power density rises with new generations of PoE technology.
The new 14” MacBook Pro comes with a 70 watt charger. An M4 Air only gets a 35 watt adapter.
Basically seems like enough power is available to run something pretty powerful.
Mikrotik website has a good selection of them and if you look at the other hardware types it'll be interesting in getting an idea of weird things you don't see in normal offices.
https://mikrotik.com/products/group/switches
Apart from obviously larger bandwidth options like 28qfsp 100gb (I'm unaware if mikrotik does them but 400gb is normal in some circles) there's things like reverse POE switches, media converter switches, and all sfp+ switches.
Poe++ exists and you can use switches with it to power poe+ switches that will power poe switches. Or they can be used to power laptops or NUCS directly.
- PoE endpoints should have isolation barriers, factor this into cost and size estimates
- Don't skimp on TVS
- ideal diode full bridge rectifiers are really cool and you should use them (in more power entries than just PoE)
Can you expand on "often, but not always, power"? Here's my guess:
* It's more efficient for the small stuff: little wall warts aren't very efficient I think in part because there's some no-load consumption for each. The switch pays that no-load cost once for many devices and has like an 80-plus gold or better PSU, hopefully. And then I think even cheap buck converters are like 95% efficient; they have some no-load consumption too but I think less than the wall warts? And even though this goes over 2 (or 4) tiny wires, at 48V–56V, the current is low enough that power loss is not bad because those wires are just for one small device, and P=I^2R.
* It's less efficient for the big stuff: that P=I^2R starts to suck for the PoE case, and in the non-PoE case they're more likely to have efficient AC->DC conversion on their own. 90% efficient beats 90% * 95% efficient.
For those thinking about adding one they've grabbed off amazon and installing themselves, please do a bit of hunting and reading rather than just buying the first word soup brand cheapest ones. Also remember installing uncertified electronics in your walls is a good way to void your insurance if they're the cause of disaster and turn it into a legal battle even if they're not.
Where ever you're putting the TV you have to put in regular power anyways, so it's fairly tidy to just put the device's power cable parallel with the TV's power cable. WiFi will handle communication. On the other hand, NEC and CEC requires minimum of 2 inches gap for communication wiring to electrical so you're now you've got that minor complication.
POE makes sense mostly when it makes sense to combine communication and power cabling. Corded phones, wifi access points, security cameras, small touch screen modules, etc. Not saying what you're doing can't work, but the added expense of installing parallel CAT6 everywhere doesn't seem worth it.
- Was having a conversation today about isolation and grounding for POE (product has a metal case). Do you have a reference? Or standard?
- TVS ahead of the bridge right?
- Do you have a part recommendation or reference design for ideal diode POE?
I have not yet tested WiFi 7 APs, but they are supposed to be even faster. The use-case for me is video editing over WiFi (I do have a 10GBe Thunderbolt adapter but hey, I like wireless).
The data travels as the differential voltage in each of the twisted pairs, and is transmitted magnetically by the transformer to the secondary winding. The power is applied between different pairs, and in each pair appears as a common mode voltage. This is all stopped by the transformer, and in devices designed to support PoE, the PoE circuits tap the mid-point of the primary windings to access the supplied voltage.
So at a first glance, it seems that if 48 volts is applied between the twisted pairs to a non-PoE device, this voltage would simply be blocked by the transformer. But since there is a widespread concern about this, there must be more to the story -- maybe somebody who actually worked with these circuits can explain why this is more complicated than it seems at first?
Edit: Found an answer. It seems that at least some of the designs of non-PoE Ethernet jacks terminate the common mode signals to a common ground though 75 Ohm resistors. In this case, if the voltage were applied between the twisted pairs, the resistors would dissipate far too much power and would burn out. So there is definitely a concern with the dumb PoE injectors and at least some non-PoE devices. https://electronics.stackexchange.com/questions/459169/how-c...
What does enterprise grade mean to you?
I put them on separate vlan where they get no outbound network connectivity.
For cases where you want things like facial detection or license plate detection (automatic doors/gates) get a Unifi AI though and those things cost, but for normal perimeter/room monitoring the cheap ones are very good
I ended up buying a PoE extractor and barrel plug adapter for my Roku, and another extractor for my HDHomeRun.
It annoyed the heck out of me that they had PoE running to them and still had to be plugged into a separate transformer.
I have a Ring home security system. I would like to get an offline home CCTV that only records when the alarm is set (either in Home or Away).
A quick internet search does not show an API. I'm not sure Ring has a device that I could wire a relay (if that's the right thing) to.
In their consumer "UniFi" product line. Pull up their store and switch over to the "UISP" product line. Most of the smaller wireless devices and consumer-tier CPE are 24v passive, most of the larger wireless devices, 60GHz bridges, etc. are 48v passive, a few devices in the middle support both, and standard "active" PoE is almost nowhere to be found. Even on product lines that weren't even dreamed up when modern standard PoE was ubiquitous.
They say it's because the WISP crowd loves passive PoE as it can easily be wired to batteries on towers, and I get that, but that's no excuse for not also supporting standard-based PoE on the device end. There's no good reason for a product designed in the 2020s to force the installation of passive PoE where there was none prior.
They demonstrated they can do both with most of the transition-era UniFi products. Support and encourage the use of standards, allow the use of non-standard but common alternatives where they make sense.
If they had just stuck with 12VDC and buildings had 12VDC wall sockets everywhere, everything would have been fantastic.
I also had a PoE HAT for a RPi that smoked it. Never doing PoE again. 48V and 3.3V electronics probably don't belong within 10cm of each other.
This is a bit analogous to USB-C PD power supplies, which can supply 12V/24V, but only do this when devices ask for it. I don't worry that my laptop's USB-C power supply will go rogue and send 24V to my earbuds.
A correctly-designed Ethernet interface is galvanically isolated at both ends to avoid ground loops, differing grounds, and other nasties over long distances.
Blue-line domes, the $240 ones. Four of them. I'd get more but do not know how to make outside routing look neat. i have one bullet and i don't like it and don't use it, i prefer the wide-angle domes with ir.
In theory at peak throughput the access point might use close to 10 gigabit. But definitely more than 1G/2.5G.
(However, UL will list them for the full 15A -> 1800W, and I'm sure plenty carry that. And for that matter, I suppose you can get twice that in Europe on 240v...)
It fit the price-performance curve for our needs several years ago when we eventually outgrew the previous Netgear POE switch...that was also apparently fanless, and that I installed in 2007.
IIRC, it is a GS724TP. It's running a dozen cameras and some access points, and almost all of the rest of the ports are filled up with computers and printers and other Ethernet stuff. No issues at all to to report so far.
(A used enterprise switch with serious fans may be cheaper and/or more featureful and/or more reliable, but do we need that kind of noise at home? We sure don't need it at that small office.
I've also installed some fanless Cisco POE switches with big heatsinks (and dual power supplies, each fed from different sources) on some high-dollar projects where ultimate reliability was kind of a big deal, but... sheesh.
If one of these installed Netgear switches dies in one of these low-risk environments, I'll just patch things up for now and get a replacement coming under warranty.)
ONVIF is the (now quite old, but still very relevant) standard for interfacing IP cameras locally on a network.
A cheap-but-performant ONVIF camera on an isolated VLAN (or a physically-isolated network; I won't tell anyone) can be a thing of beauty that is also completely unable to call home to some mothership in the clown.
I'm frankly very surprised that I don't see it mentioned here more often when discussions of cameras arise.
Have a look at this thread [1] I have bookmarked. I found it quite informative. I already got some cheap cameras and set them up, but I wish I would have found it earlier. The ones I got are 4MP with 1/3" sensor and perform absolutely terribly in night setting.
[1] https://ipcamtalk.com/threads/getting-cameras-with-the-right...
It's normal in household wiring (at least here in the uk) for circuits to be somewhat undersized based on the concept of "diversity" (i.e. it's highly unlikely every socket on the circuit will be drawing 13A simultaneously)
It's done through the center tap on the Ethernet transformers. Midspans have another set of those transformers and inject the power on the PoE PD facing side. Whole pair(s) carry common-mode DC current, so basically your green pair could be ±48V and the orange pair 0V. If any, the upstream switch's injected power would just end at the other coil of the Ethernet transformer in the midspan. However, the midspan also doesn't pass through PoE negotiation, so the switch won't turn on power to begin with.
Huh? We used to have low-voltage AC and DC powered cameras in the world (and we still do, too).
Those are awful in implementation because buildings, whether or old or new, don't have 12VDC sockets everywhere -- or at all, really.
Nor should they have 12VDC sockets for cameras; they're unnecessary.
I've run my share of siamese coax for low-voltage-fed analog cameras, and also separate power for low-voltage Ethernet-connected cameras, and I'm completely over those concepts.
With proper-fucking IEEE POE, we have standards and it only takes one cable to make it work properly instead of more than one.
If a switch isn't up to the power demands of a particular camera, then: No big deal. I can upgrade or supplement that switch without rewiring even more of the building than was already necessary to get Ethernet going.
(Structured cabling for the win.
Passive POE: Not even once.)
No, there aren't, not in the way you imply. There is the IEEE 802 PoE standards, which are all compatible (save for not enough power), and designed to carefully negotiate and especially never break non-PoE devices. And there is bullshit (sorry) like "Passive PoE" that is ironically an active violation of the IEEE specs, can break pretty much anything, and you shouldn't buy so the likes of Ubiquiti and Mikrotik finally get the wallet vote and stop f*cking doing. Unfortunately, the proper PoE PD logic is a few dollars of extra expense.
Yes, there is a slightly higher risk of killing devices due to faults in the PoE supply logic. I have the official PoE HAT for a RPi 4. I have to say it is somewhat poorly designed due to space constraints; the isolation between 48V and 3.3V should be better. I'm not even sure the RPi PoE HAT is spec compliant.
But I don't think you can/should blame this on PoE.
For the less electronically inclined, an "ideal diode" surprisingly does not contain plain diodes, it refers to actively controlling MOSFETs to function as diodes.
They're more efficient and quite amazing in PoE applications in particular!
Huh. I'm not the GP poster but interesting question. AFAIK there is no proper ground reference on the LAN cable. I'm not sure I've ever seen a metal case… wait, I do, outdoor wifi APs have metal cases sometimes.
If you find out, report back ;D
> - Do you have a part recommendation or reference design for ideal diode POE?
I've done a PoE device (802.3at, 25W) and just went with TI's reference design; the higher power ones use ideal diodes, sometimes there's multiple circuit variants.
(It's not worth mucking with the PoE design for small-scale builds; the reference design might be a bit more expensive but you get that money back on way less trouble to deal with.)
My standard campus switches are 722s with 48 ports and 25/10 SFPs, but there are use cases when smaller switches make sense.
I'm not surprised they can f* up a basic PoE injector. The reason for doing passive PoE is saving a few bucks, on the back of safety and compatibility. Of course they would try to pinch hard on the PoE injector too.
Oh and I'd say they (together with Mikrotik) are responsible for 90% of the bad rep PoE gets. The IEEE 802 stuff really just works. And I say that having been part of rolling out 15000 people conference deployments with several hundred wifi APs in the span of a few days. The only real problem is broken cables, but the Ethernet link commonly fails before PoE is impacted.
It feels magical to have the PoE injector tucked in a cupboard with the optical network terminal, and outside Narnia, the router has only one cable going to it. Also, the Ubiquiti PoE injectors are particularly satisfying. Powered by standard AC cables, and a nice simple design. Now that I've experienced this magic, I'm not going back!
However, as much as I love the hAP ac², it only accepts passive PoE. I don't love passive PoE - it scares me! Unfortunately, it seems like most (all?) Mikrotik routers only accept passive PoE.
Does anyone know of a good alternative when it comes time to replace my router? I would have liked it to be Ubiquiti, but I don't usually read positive things about them around here.
If you have one small PoE device connected to a large PoE switch then it would be less efficient compared to a non-PoE switch and a small separate power supply for the device.
https://www.brainboxes.com/faq/power-isolation-in-poe-ethern...
Yeah, TVS before any other silicon junction. It's nice to throw a single-use medium or slow blow SM fuse before the TVS to open circuit in device faults.
This is going to be individual preference. I like the density and low design risk of fully integrated solutions like Microchip's PD70224. As long as you spec your FETs appropriately you can't go wrong with TI or AD options (VDS of at least 100 V, ID of at least as much current as you want to cram through with healthy headroom, RDSon that makes you happy, VGS that's compatible with the datasheet charge pump, size and cost that doesn't make you weep). When in doubt, stay very close to the datasheet's design.
I just saw that the PD70224 is not recommended for new designs. What an awful day to have eyes.
Oh, it's been superseded by the PD70288. Much lower RDSon, but a huge 8x8 package. The charge pump is mysteriously gone and there is now a UVLO of 24V. This is more PoE-specific, which is less generally interesting to me.
If only someone would sell me an ideal diode full bridge rectifier IC with integrated FETs, OCP circuit breaking, UVLO, OVLO, a fault flag, control input, and current monitor, I'd never buy a different power entry IC.
Once I accidentally plugged the cable into a laptop and the port didn’t work until I powered the laptop off and on again, but no lasting ill effects on laptop at all.
Netgear are hard to beat in terms of reliability/price. They also have a 5 and 16 ports fanless version.
I also got an old Juniper EX2200 24ports and replaced the fans with quiet noctua. It run quite hot, better go with Netgear.
Life is a balance between inefficiency and inconvenience. Throwing that statement in without actual numbers is just derailing the conversation.
ONVIF can be used to discover a camera on a network, query it for its RTSP URL, and facilitate a connection between a client service and the RTSP stream. But you can't stream video via "ONVIF".
* https://www.a1securitycameras.com/blog/non-chinese-security-...
Some names: Axis, Avigilon, Bosch, Vivotek, Hanwha Techwin (SK), Acti (TW), Motorola, Mobotix.
That being said, a quick Google search for "poe usbc" yields some devices that are much more expensive than the power brick I bought, but in theory would let you run a Chromecast from a poe ethernet port with wired ethernet.
For example, my Chromecast gets power and wired ethernet through its USB C port. (I have an official Chromecast power brick that I plug an ethernet port into.)
> Oh, so you hate waffles?
And profiles. There are many different feature sets in onvif and just because a camera has onvif logo or compatibility doesn’t mean it will play nice with your gear.
I mean, yes and no. My laptop case is at 78VAC to ground right now. It gives the tingles. I don't use my laptop much while plugged in. They all skimp on making proper 3-pronged chargers these days. My desktop has a grounded case and doesn't have this issue.
My phone, when plugged into wall AC, the touch screen stops working because the whole phone is at an elevated potential and it messes up the capacitive sensing.
Here is one such review: https://www.youtube.com/watch?v=HYUY61ZFZAs
Still being sold with 24V passive "PoE"
(It's 802.3af btw)
If the security association isn't completed on a "must-secure" configured port then no traffic is transmitted. One would need access to the pre-shared keys to successfully use the link.
Now, could one perform a side-channel attack of the memory on the camera and get access to them? Maybe.
In fact it did, in the transitional models that were sold both with and without 802.3af support there was a sticker added to the box on the ones that had it.
The switch was early in the life of the UAP-AC series of access points. IIRC the "Pro" and in-wall models always supported 802.3af but the "Lite" and "LR" models initially were 24v passive only. I vaguely recall there also being transitional models of their cameras but we were not deploying those at the time.
> Consumer tier means people will plug whatever fits.
And this is why I hate passive PoE with a passion. Standards-based PoE ports are safe, you can plug devices not supporting PoE (or requiring passive PoE) in to them with no risk of damage. Passive PoE ports are dangerous, they can and will destroy things that are not expecting to receive power on those ports.
They're even dangerous to devices designed for it in some cases, Ubiquiti actually famously had problems with UAPs on the end of long cables being damaged when fed by passive PoE from the source and eventually recommended that those installs add their "Instant 802.3af" adapters which took standard 802.3af over the wire and converted it to passive right at the device end. I had one site that lost three UAP-LRs before that was revealed.
Then there’s double/sometimes triple conversion (120:48 and then 48:dc; 120:48 and then 48:12, and then 12:dc).
Furthermore magnetics are a must on both side of the PoE which also isn’t great.
At lower power there’s more circuitry to run and multiple conversions aren’t great compared to a simple cheap flyback.
For more technical feel free to check here, although it isn’t quite end to end: https://e2e.ti.com/cfs-file/__key/communityserver-discussion...
I realize that for whatever unknown reason there are a subset of people who think everything should be wireless, but those people are wrong and should not be listened to.
Ubiquiti did this for a while, the product line was called UniFi LED and IIRC it didn't get much further than a few panel lights intended for drop ceilings and a wall mount dimmer switch.
IIRC the justification was that because it was low voltage it could be installed by anyone instead of potentially requiring an electrician and you then also got the ability to dynamically adjust grouping, switch behaviors, etc. if for example your floorplan changed.
I did have issues with some of their other products - eg an old CloudKey gen1 that I had remotely in my parents place that I think ran out of space to the point it can’t update itself and can’t compact some old mongodb.
Sure the switch will only accept encrypted L2 traffic...but that encrypted link is set up via MKA, which is a part of the 802.1X standard. If you don't have 802.1X authenticating the endpoint, you don't have MKA setting up the encrypted link between that endpoint and the switch and you don't have MACsec.
So if you're trying to prevent a bad guy from getting on your LAN, you need 802.1X, whereas MACsec is an optional extra (a very useful extra if you're worried about MITM attacks). But 802.1X is still doing the heavy lifting w.r.t access control.
Cameras are on their own VLAN. Port isolation is enabled so they can't connect to each other. Only connectivity allowed to/from that VLAN is from the cameras to the router for NTP, and from the NVR to the cameras.
So if you plug in you can... check the current time on my router. Maybe see how many other cameras are on that segment? Likely not going to get very far given you're already caught on camera, an alert's been fired, and pretty soon I'm going to be making a call to the police.
Last time I remember feeling like that was the day I unplugged a RB5009 and it... just kept running. Was standing there holding the power cable in my hand, clearly unplugged, and the router was sitting there still happily blinking away. Like, this clearly can't be possible but I'm staring right at it and it's happening.
Took me a minute, but eventually realized the Starlink box that provides power to the dish _also_ provides power on the local side for their provided router as well, and apparently it was happily powering mine now.
The only issue arises if somebody wires a patch cable completely wrong (neither A nor B), and manages to put one leg of passive PoE's +24v pair matched to one leg of the 0v pair. Which, will promptly smoke the signal transformer... assuming short circuit protection doesn't cut power first. This is why we killed passive PoE.
In the last 2 years they've released very few new UISP products and you're right that they continue to be passive PoE. I suspect this is for continued compatibility with their older product line. Upgrading from passive PoE to active 802.3 PoE requires replacing the injector and maintaining passive PoE makes it easier to upgrade. And the UISP product line is really meant for wireless ISP operators, not consumers, where the risks of passive PoE are smaller.
Anyway, I agree with the sentiment, but I don't hold it against Ubiquiti too much for continuing to use passive PoE for their UISP line, since I think it makes sense for their customers. As so-so work around you can get a 802.3 -> passive 24V converter: https://store.ui.com/us/en/products/ins-3af-i-g
> The above figure shows a PoE injector with auto negotiation, a safety and compatibility feature that ensures power is delivered only when the connected device can accept it. Before supplying power, the injector initiates a handshake with the PD to detect its PoE capability and determine the appropriate power level.
If PoE requires negotiation, and the device requires PoE for power.. how does it perform the handshake without being powered/booted first?
There are three: IEEE 802.11af, at, and bt.
af can deliver up to 12W at the powered device (PD), at delivers up to 25 W, and bt either 51W (Type 3) or 71W (Type 4):
* https://en.wikipedia.org/wiki/Power_over_Ethernet#Standard_i...
Any device you purchase should list the IEEE standard it supports and how much power it may draw.
What's your cabling like? Contact Ubiquiti? Looking at the datasheet, I do not see any IEEE standards listed, so they could be doing their own thing:
* https://dl.ubnt.com/datasheets/poe/PoE_Adapters_DS.pdf
You don't mention a specific Aruba AP, but their AP22 stuff lists the needed IEEE standard and wattage:
* https://instant-on.hpe.com/products/access-points/access-poi...
I designed and built my first POE system in 2004, at my own house as a dogfooding POC, and that system stills works to this day. Since that time I have built and installed many more without issue that continue to move along doing what they were intended to do, protect life and property via recording activity privately. My own home footage has been called upon several times by law enforcement and was critical in convicting at least one home break in crew.
The benefit of install is simple to comprehend for those with significant experience in the electrical field, run one small wire for data and power and ensure the POE supply is on a battery - done. Additionally I add those using WiFi for security are laughed at daily as losses pile up, web search MLB player home break-ins, as running a hardline cannot be jammed but many foolishly put all their assets solely behind WiFi security. Also these surveillance systems require no external cloud by design so no one is watching remotely, unlike the Fed and State viewing your Ring cameras for years and now which recently partnered with Flocker. No one cares more about you than you so if someone is selling you security ask yourself what it is you are actually paying for.
In closing, as we move into a new era of technological efficiency forced by rising energy prices and costly electrician labor hours, one is going to witness an uptake of POE adoption in more and more nontraditional places. It is already happening and its moment will come as more recognize the cost benefit to this greatly simplified power delivery method with integrated battery backup.
What you cannot see matters most!
This was what I found from skimming around: https://www.robotevents.com/V5RC/2018-2019/QA/35
I doubt it is Ethernet at all, so it wouldn't be Power-over-Ethernet. Just some useful connectors and wires making for an appropriate cable. Also seems like you can make your own perfectly fine. Or they might melt. I suppose try it.
It's not quite as tidy, for example, with the router sitting visibly on a desk, but it's close. And you're right that it could work for anything.
I have it to run a couple of MikroTik devices in awkward places and not having to run wall warts and flimsy DC cables around the place is very handy.
My next switch upgrade will be a proper PoE+ one, but it’s not justified yet.
I'm afraid that's not how it works out in actual practice, it's the other way around:
WISP devices are installed in random people's windows, roofs and chimneys. The injector might end up behind their TV set. If their TV doesn't work, they unplug and replug random things. Which will fry whatever has the unlucky pleasure of ending up on the output side of the injector. I'm unfortunately speaking from experience.
Meanwhile, people buying and putting up a wifi AP beyond their CPE wifi router tend to have a bit of understanding. If you told them to never plug anything other than the given device into the output side of an injector, it'd probably go reasonably well.
It's not veering, it's a full on car crash ;)
You run MACsec either with 802.1X, or with your switch vendor's favorite color of proprietary switch-to-switch 802.1X replacement. MACsec without 802.1X [or equivalent] is a bit like TLS without certificates. It exists in a few places because some people have really weird custom requirements (TLS with pre-shared keys… TLS with NULL encryption…) but those things shouldn't drive a discussion outside their special usage areas.
In that sense: MACsec implies and requires 802.1X. Exceptions confirm the rule.
The absolute low-tech solution would be to dedicate a switch for it.
If you have decent infrastructure with a managed switch, you can easily create a VLAN.
Besides the fact that the female RJ45 is usually inside the dwelling. You'd have to unmount the camera, pull out the cables and connect to it, all at typical heights of 6' and above. That's maybe a concern in commercial setups, although then we're circling back to VLAN.