At the end of last year, I got my hands on a few VLAN-capable Cisco APs. It was then that I decided to start going down the rabbit hole of VLANifying my HomeLab and home network, with everything finally coming together almost 5 months later. In this post, I'm going to explain some of where I'm coming from, the complications I had to overcome, and the final plan before the eventual rollout of that plan sometime in the first part of May 2019.

Background

VLANs bring a few nice features to the table: smaller broadcast domains, organization, and segmentation, which is where the security benefit comes from, as long as the router between the VLANs actually enforces a policy. That doesn't mean they fit everywhere, and a home network is one of the last places you'd expect to find such a config. All that said, considering I own several managed L2 and L3 switches, the idea of implementing VLANs has always been a thought in the back of my mind. It was the purchase of my new Cisco APs that really tipped the scales and is why I'm making this post in the first place.

Alright, so what is my current config?

Pretty basic really:

Very general overview of my current network config

In one corner of the basement is our electrical panel and the demarc for our cable ISP. From there, it goes into an Arris Surfboard modem and finally plugs into a Ubiquiti EdgeRouter-X. All of the ethernet drops in the house are terminated in a wall-mounted patch panel here as well, so we purchased a cheap 8-port gigabit unmanaged switch to handle the majority of the house's networking needs. Another port of the ER-X is run across the basement to my office/HomeLab, where it terminates in my Dell 5524, the current backbone switch for my HomeLab.

That's basically it. No fancy configs, no VLANs, not even any QoS setup. The 2 router-turned-APs supplying the house with wavy air are connected to the unmanaged switch, so there's obviously no "proper" guest network access.

Planning

Now that I have the hardware to do a full rollout, the planning stage must begin. Normally I'd just dive right in, however since I'm 2.5 hours away at college, I'm going to have to be content with MS Visio, Packet Tracer, and GNS3. So let's start at the beginning... my original plan.

It's simple really, just set up all the VLANs on my ER-X and my switches, trunk the ports, use the router for DHCP and BAM! VLANs!

~ Me at some point

An implementation like that would certainly work, but it isn't practical considering all the inter-VLAN routing would be performed on the poor ER-X, already almost overloaded with routing our Internet traffic. Really, if I were just talking "Private" and "Guest" VLANs, it would probably be fine, but since future proofing is in order and my HomeLab itself will have a handful, routing everything on the ER-X isn't going to cut it.

So, here comes the Layer 3 functionality of my switches. Although not advertised as a router, my Dell 5524 is capable of inter-VLAN routing, and that helps to solve some of the bandwidth problems. After a bit of research, I finally wrapped my mind around how routing on a switch works, and I started forming my VLAN schema:

ID   Name        Use                                             Network
1    default     Out-of-Band management (can only be accessed    192.168.1.0
                 by physically plugging into the specified port)
5    Management  In-Band management                              192.168.5.0
10   SeeseNet    Family LAN                                      192.168.10.0
20   GuestNet    Guest LAN                                       192.168.20.0
50   IoTNet      Chin- I mean Internet of Things LAN             192.168.50.0
60   SecNet      IP Cameras                                      192.168.60.0
70   VoIPNet     VoIP Phones                                     192.168.70.0
100  LabNet      HomeLab Stuff                                   192.168.100.0
150  VMNet       Virtual Machines                                192.168.150.0
I mean, it's true

It looks more complex than it is, and there are definitely things that will change (I don't know everything I need to know about this yet... or whether any of it will work). One thing that should change before rollout: VLAN 1 is the factory default for every switch port and the default native (untagged) VLAN on Cisco-style trunks, so unless VLAN 1 is pruned from each trunk and the native VLAN is set to something else, the "out-of-band" management network will ride every trunk and be reachable from anywhere untagged frames can enter. It should also be mentioned that security isn't my highest priority, although it is a consideration.

So what about routing? How does that play in? It's surprisingly simple (after 5 or 6 run-throughs in Packet Tracer), and plays out something like this:

ID   Name        Default Gateway
5    Management  SeeseNet-Router (ER-X)
10   SeeseNet    SeeseNet-Router
20   GuestNet    SeeseNet-Router
50   IoTNet      SeeseNet-Router
60   SecNet      LabNet-SW-01 (Dell 5524)
70   VoIPNet     LabNet-SW-01
100  LabNet      LabNet-SW-01
150  VMNet       LabNet-SW-01

The first 4 VLANs will have some sort of specific access control toward the other 4, hence their default gateway being the ER-X: with the gateway on the router, every packet from the house side to the lab crosses the ER-X's firewall rules. In addition, SeeseNet, GuestNet, and IoTNet will mostly be accessing the Internet and shouldn't need to contact any of the LabNet services with the exception of RADIUS auth, DNS, and a few other small services, so those rules stay short. The last 4 VLANs will all effectively be openly routed between each other, so all of that routing can reside on the switch for performance reasons. For the two halves to reach each other, the ER-X needs static routes for the four lab networks pointing at the switch's address on a VLAN they share (Management is the obvious choice), and the switch needs a default route pointing back at the ER-X. The trade-off is that lab-to-lab traffic never touches the ER-X's firewall, so anything like keeping the cameras on SecNet away from VMNet would have to be done with ACLs on the switch itself.

As for DHCP, the first 4 VLANs will be handled by the ER-X's DHCP server and the last 4 by a lab DHCP server (likely running on Windows Server). This helps keep things organized and allows some provisioning (such as handing VoIP phones their config-server option) to be handled by a slightly more capable DHCP server. Since that server lives in one VLAN, the switch's SVIs for the other lab VLANs need a DHCP relay (ip helper-address) pointed at it, or the phones and cameras will never see an offer.
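To make the router side of the split concrete, here is an EdgeOS configure-mode script for the ER-X, added here as an illustration and not taken from the original post. It covers the VLAN interfaces for the four house-side networks, the static routes that hand the four lab networks to the 5524, the router-side DHCP scope for GuestNet, and a guest firewall policy that allows only DNS and RADIUS into the lab. Everything not in the tables above is an assumption: eth0 is the WAN port toward the modem and is left as already configured, eth1 on the built-in switch is the tagged uplink to the 5524, the 5524's Management SVI is 192.168.5.2, and the lab DNS and RADIUS servers are 192.168.100.10 and 192.168.100.11. On the switch side this assumes ip routing is enabled, SVIs exist for VLANs 60/70/100/150, the default route points at 192.168.5.1, each lab SVI has an ip helper-address for the lab DHCP server, and the trunks use a native VLAN other than 1.

```vyos
# EdgeOS (EdgeRouter-X) configure-mode commands, added as an illustration.
# Assumptions: eth0 = WAN to the cable modem (already configured, left alone),
# eth1 = tagged uplink to the Dell 5524 (switch Management SVI = 192.168.5.2),
# lab DNS at 192.168.100.10 and lab RADIUS at 192.168.100.11.
configure

# Make the built-in switch VLAN-aware and tag the four router-owned VLANs toward
# the 5524. The lab VLANs are routed by the switch, so they never need to reach
# the ER-X at layer 2 and are deliberately not tagged here.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan vid 5
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
set interfaces switch switch0 switch-port interface eth1 vlan vid 50

# The ER-X owns the gateway address for the four house-side VLANs.
set interfaces switch switch0 vif 5 description Management
set interfaces switch switch0 vif 5 address 192.168.5.1/24
set interfaces switch switch0 vif 10 description SeeseNet
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 20 description GuestNet
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set interfaces switch switch0 vif 50 description IoTNet
set interfaces switch switch0 vif 50 address 192.168.50.1/24

# The 5524 routes the lab VLANs; the ER-X reaches them through the switch's
# Management address (the switch's own default route points back at 192.168.5.1).
set protocols static route 192.168.60.0/24 next-hop 192.168.5.2
set protocols static route 192.168.70.0/24 next-hop 192.168.5.2
set protocols static route 192.168.100.0/24 next-hop 192.168.5.2
set protocols static route 192.168.150.0/24 next-hop 192.168.5.2

# Router-side DHCP for GuestNet (SeeseNet, IoTNet and Management follow the same
# pattern). Clients are handed the lab resolver, so the firewall below must let
# DNS through to it.
set service dhcp-server shared-network-name GuestNet subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name GuestNet subnet 192.168.20.0/24 dns-server 192.168.100.10
set service dhcp-server shared-network-name GuestNet subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dhcp-server shared-network-name GuestNet subnet 192.168.20.0/24 lease 3600

# Guest policy for traffic routed through the ER-X: replies to existing flows,
# DNS and RADIUS to the two named lab hosts, nothing else toward any private
# 192.168/16 network, and everything that is left (the Internet) out.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action accept
set firewall name GUEST_IN rule 20 protocol tcp_udp
set firewall name GUEST_IN rule 20 destination address 192.168.100.10
set firewall name GUEST_IN rule 20 destination port 53
set firewall name GUEST_IN rule 30 action accept
set firewall name GUEST_IN rule 30 protocol udp
set firewall name GUEST_IN rule 30 destination address 192.168.100.11
set firewall name GUEST_IN rule 30 destination port 1812,1813
set firewall name GUEST_IN rule 40 action drop
set firewall name GUEST_IN rule 40 destination address 192.168.0.0/16
set firewall name GUEST_IN rule 50 action accept

# Guests may talk to the router itself only for DHCP. The gateway address is
# always reachable, so without this the EdgeOS web UI and SSH are exposed to
# the guest VLAN.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67

set interfaces switch switch0 vif 20 firewall in name GUEST_IN
set interfaces switch switch0 vif 20 firewall local name GUEST_LOCAL

commit
save
exit
```

The order of the GUEST_IN rules is what makes it work: rule 40 drops everything else aimed at 192.168.0.0/16 before the catch-all accept in rule 50, so adding a new lab VLAN later does not silently open it to guests. IoTNet gets the same shape of ruleset, and SeeseNet a looser one, each bound to its own vif.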

So, now that all of that is sorted, what's the general overview look like?

Still a work in progress (for personal reference, not trying to win any graphic design awards here)

And that's pretty much it, just a bunch of trunking and a small description of the wireless network setup I have going on.

...A picture is all well and good though... does this even work?

Virtual Testing

Alright, now that it's planned, time to test it out. With my Google Doc of notes on one screen and my Visio diagram on the other, it's time to fire up Packet Tracer!

Don't be scared, it looks crazy, but it's not

I wanted to test as much as possible and match my virtual setup as closely to my physical setup as possible, so here's what I came up with. All of the end devices (the PCs and laptops) are labeled with the network they're connected to (to test pinging other devices and to make sure they were receiving IP addresses). The LAG between the two switches is pretty much pointless, just a way to test my Cisco CLI knowledge.

Cross-VLAN Pinging!

And after some tinkering, I can ping across VLANs! There is no access control implemented, since I don't really have time to mess with the Cisco ACL stuff when I'm just going to turn around and have to figure everything out again with Ubiquiti EdgeMax.

Where to now?

At this point, it's just a matter of improving my documentation and getting ready for a full roll-out whenever I get back home from school. Hopefully I'll have an update post about that process sometime afterwards.