37 Responses

  1. Renato

    Congrats on taking a decent enterprise approach to a home lab. As a fellow technology peer and also a Synology user (1813+ with 3 ESXi HP ProLiant hosts in my home lab), I can empathize with the need for a properly structured home network; in my case with a Cisco SG300-28 L3 switch. Kudos and great work.

  2. Rui

    Nice work.

    Could you please provide more details about your switch configurations?

  3. Jeff Wilson

    I dig it. Similar in concept to my home lab net. Nice trick on DHCP relay.

    Wish my 2960s could do PVLANs, as I want to isolate some wireless devices and VMs.

  4. ToddH

    Yes, very nice work and an inspiration to change my flat network. I’m currently using Ubiquiti EdgeMAX and UniFi APs with an HP switch.

  5. ToddH

    Also, what HP switch model are you running? Smart managed, layer 3 lite?

  6. MC

    One challenge I have been facing in my home lab is support on my home router/firewall for giving internet access to devices on multiple networks. I have gone through a couple of makes/models now. Any traffic leaving my router/firewall from a different subnet than what is defined as the general LAN network on the device is silently dropped. The Billion 7800N had this issue. Airport Extreme too. Have you had to factor this into your purchases before?

    1. ToddH

      MC that sounds like a NAT issue to me.

      1. MC

        Correct. Have I just had bad luck with makes/models, or do many home devices not support traffic other than from whatever LAN subnet is configured on the device? In my home lab, I have a Cisco SG300-10 with a handful of VLANs that I would like to provide internet access to without setting up another device to sit in the middle.

    2. Chris

      I’ve had some issues with getting traffic out from Untangle 9 – which I wrote about – however, Untangle 10 supports VLANs. I did have to create static routes for each network because Untangle and my V1910-24G do not support dynamic routing protocols.

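MC's problem above (a consumer router silently dropping traffic from any subnet other than its own LAN) and Chris's remark about needing static routes come down to the same two things on the upstream router/firewall: a route back to each lab subnet via the L3 switch, and an outbound NAT rule that covers those subnets. The model below is an added example, not code from the post or from any commenter; the addresses (192.168.1.0/24 as the router's LAN, 10.0.0.0/16 as the lab VLANs, 192.168.1.2 as the L3 switch's address on the LAN) and the drop rules are assumptions standing in for vendor firmware behaviour.

```python
"""Why a consumer router drops traffic from lab VLANs behind an L3 switch, and what
fixes it. Added example, not from the post; addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                        # interface the prefix is reached through
    next_hop: Optional[IPv4Address]   # None = directly connected


@dataclass
class Router:
    routes: List[Route]
    nat_sources: List[IPv4Network]    # source prefixes masqueraded when leaving "wan"

    def lookup(self, addr: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src: str, dst: str, in_iface: str) -> Tuple[str, str]:
        """Fate of one packet: ("forward", egress) or ("drop", reason).
        Real firmware may not check the source explicitly; without a route back,
        the reply is just sent out the default route and the flow fails the same way."""
        s, d = ip_address(src), ip_address(dst)
        back = self.lookup(s)
        if back is None or back.iface != in_iface:
            return ("drop", "no route back to source through ingress interface")
        out = self.lookup(d)
        if out is None:
            return ("drop", "no route to destination")
        if out.iface == in_iface:
            return ("drop", "destination is routed back out the ingress interface")
        if out.iface == "wan" and not any(s in n for n in self.nat_sources):
            return ("drop", "source not covered by outbound NAT")
        return ("forward", out.iface)


def consumer_router() -> Router:
    """Factory-style config: one LAN subnet, default route to the ISP, NAT for LAN only."""
    return Router(
        routes=[
            Route(ip_network("192.168.1.0/24"), "lan", None),
            Route(ip_network("0.0.0.0/0"), "wan", ip_address("203.0.113.1")),
        ],
        nat_sources=[ip_network("192.168.1.0/24")],
    )


def consumer_router_with_lab_routes(widen_nat: bool = True) -> Router:
    """Same device with a static route for the lab VLANs via the L3 switch's LAN
    address (192.168.1.2, assumed) and, optionally, NAT widened to cover them."""
    r = consumer_router()
    r.routes.append(Route(ip_network("10.0.0.0/16"), "lan", ip_address("192.168.1.2")))
    if widen_nat:
        r.nat_sources.append(ip_network("10.0.0.0/16"))
    return r


if __name__ == "__main__":
    for name, rtr in (("default", consumer_router()),
                      ("route only", consumer_router_with_lab_routes(widen_nat=False)),
                      ("route + NAT", consumer_router_with_lab_routes())):
        print(name, "lab host -> internet:", rtr.forward("10.0.20.5", "198.51.100.10", "lan"))
        print(name, "internet -> lab host:", rtr.forward("198.51.100.10", "10.0.20.5", "wan"))
```

The `route only` case is the one that catches people: the static route alone lets the reply find its way back to the L3 switch, but the outbound packet still leaves unNATed (or is refused), so the flow never completes. On a pfSense or Untangle box that second half is an outbound NAT rule per lab subnet, or one rule for the summary prefix, alongside the static route pointing at the switch.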
  7. Patrik

    Hi Chris!

    Long time follower, first time poster. I have recently also re-designed my home lab from a flat network design to one that is similar to yours. I opted for re-building it from the ground up, as my home lab wasn’t that large and had some issues from the start. So no migration has been done.

    My network infrastructure consists of an ISP modem in bridged mode that is directly connected to my pfSense box. My core switch is a Cisco SG300-28 in L3 mode. All my internal routing is done on that switch, including a DHCP server with pools for my different subnets. I found it easier to have that service placed there and not have to bother with DHCP relays or IP helpers. I also have a consumer router from ASUS acting as an AP for my wireless network. No routing is performed on that one. Some routing is performed on my pfSense box to enable internet access to my server and client network subnet/VLAN.

    I am however still struggling with two things:
    1. Moving off of VLAN 1. You mention that as one of your goals with the new network, but you do not really explain how that is accomplished. As soon as I exclude VLAN 1, I lose internet connectivity and/or connection to my core switch. It would be great if you could explain in more detail how that was accomplished in your new network.
    2. How do you isolate traffic between your L3 switch and router / firewall? I assume that lies on its own separate subnet and VLAN?

    1. ToddH

      I believe you need to change the port’s native VLAN, which is only relevant in trunk mode…I think. I believe the command is switchport trunk native vlan <vlan-id>. You may want to try:

      # interface ethernet 0/10
      # switchport
      # switchport mode trunk
      # switchport trunk native vlan 50
      # switchport trunk allowed vlan add 50
      # spanning-tree portfast trunk

      Only VLAN 50 traffic will be forwarded on the port, and it would be forwarded untagged. If you need access to additional VLANs:

      # interface ethernet 0/10
      # switchport trunk allowed vlan add 100

  8. MG

    Hello Chris!

    Like the last poster, I am a longtime fan and first-time poster to your site. I have a SOLID network background that lends itself to me going overboard with the network setup, but I enjoy it so…

    My home lab network topology is set up very similar to what you have migrated to. As a network guy turned VMware, VLAN 1 was gone before I started. I have 7 VLANs for various types of traffic such as servers, vMotion, VPN and so on. I have a Cisco router connected to my ISP that provides all the routing for my subnets along with remote VPN access (I like to tinker when I’m on the road), firewall and just about any other thing (DMVPN anyone/VyperVPN L2TP) I can throw at it. I also have two Cisco SG-300s (awesome for home labs) for connecting 3 hosts; one for management (longtime fan…mentioned it earlier) and two Synology boxes.

    I noticed you mentioned you don’t use iSCSI. I read your post (a while back, I know) about performance differences between NFS and iSCSI and I find myself at a crossroads as to whether to switch my Synology DS412+ over to NFS or keep the current iSCSI multipathing (separate subnets) setup I have now. The Synology box is split between 2 spinning disks and 2 SSDs. Just waiting on Samsung EVO SSDs to arrive so I can move the spindles over to my new DS214+ (media/file sharing).

    One thing I would note for those out there with similar setups: you can’t substitute “knowing how it’s all set up” for accurately documenting your home network topology. It pays dividends when you are trying to troubleshoot or introduce something new into the environment.

    Lastly, you mentioned you were looking into getting a “Meraki MX60W” for your firewall device. I assume your Untangle box is reaching the limits of what you are throwing at it, or, like me, you like “new things” and want to “enhance” your current setup. I’m looking at putting a Sophos UTM Home Edition firewall in front of my Cisco router to take the filtering load off my router and to play around with hosting my own blog site. I just picked up a license for BIG-IP Virtual Edition, so I want to have a secure way to access my VDI environment from anywhere with an enterprise type of feel. Who am I kidding, I just like “new stuff”. I look forward to meeting you at VMworld in Barcelona.

    MG

  9. Applying New IP Addresses to vCenter, ESXi Hosts, and Plugins - Wahl Network

    […] an earlier post, I discussed my focus on a new network design for the lab. This post continues along that journey with a focus on vCenter, plugins, ESXi hosts, […]

  10. My lab network design | vcloudnine.de

    […] by Chris Wahl’s blog post “Building a New Network Design for the Lab“, I want to describe how my lab network design looks […]

  11. Kuntal

    Hey MG, When using your Sophos UTM – how many nodes do you have in your home?

    Last time I checked, I was hitting 60+ IP addresses when I look at all the VMs, hosts, phones, tablets etc. Since Sophos only supports 50 IP addresses, I am currently using pfSense. I am thinking of switching or trying out something like Untangle. Too bad I can’t use Sophos due to its 50 IP limit.

    Chris,
    Brilliant article. I tried splitting up my VLANs when I got my HP switch but I had trouble getting it all to work. So I gave up till I had more time to spend. It seems I have a new project during the Thanksgiving holidays.

  12. MG

    Kuntal,

    I’m only pushing 15-20 IPs through it, though I have many more systems. I use a ClearOS internal web proxy and a WSUS server to keep all servers from going out to the web for updates. I also use ACLs in my router to limit which IPs have access to the web.

    I can provide greater detail if you need.

  13. HomeLab Part 4: Summary and Final decision | vBrain.info

    […] of ports and a Layer 3 switch would be a cool new device to play with! Thanks to Chris Wahl and his awesome post about “New network design for the lab”, I’m also in the middle of a network […]

  14. jantjo

    Hey Chris, so how did you handle your Plex server? It looks like you are splitting servers, workstations, and wireless into different broadcast domains, so this would limit the coverage. Or did you just multi-home your Plex VM?

    1. Patrik

      I believe routing is the answer to your question.

    2. lukeedgley

      I have built something similar to this. I am running Plex on a Win7 VM in my user segment, which is the same subnet as my media devices – TV etc. The actual storage is via SMB to a NAS in my server/infrastructure segment.

  15. jantjo

    The Plex server would broadcast its services to its local network (broadcast domain/VLAN/network). I don’t believe you can route broadcasts.

    1. Patrik

      Now that you mention it… You are absolutely correct. I have a very similar setup at my home as Chris and I run a Plex server too. My server network is on 10.0.20.0/24 and my clients are on 10.0.30.0/24. Each network is also in its own VLAN with inter-VLAN routing enabled on my L3 switch. I have no problems connecting to my Plex server. Since I am no true network admin I cannot explain it any better than that it just works out of the box. Had no issues whatsoever. Maybe Chris can shed some light on this?

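Jeff's "DHCP relay" remark, Patrik's choice to run DHCP on the switch rather than bother with relays or IP helpers, and the Plex thread above all hinge on the fact jantjo states: a broadcast does not leave its VLAN. DHCP crosses VLANs only because a relay on the client VLAN rewrites the packet (it stamps its own interface address into the giaddr field and bumps the hop count) and unicasts it to the server, which then picks the address pool from giaddr rather than from the interface the packet arrived on. Plex's LAN discovery broadcasts get no such relay, so a client in another VLAN reaches the server by routed unicast to its address (or via the plex.tv server list), which is consistent with Patrik's "it just works" once inter-VLAN routing is in place. The code below is an added example, not from the post or any commenter: the BOOTP/DHCP packet layout is the real one, but the pools, the relay addresses and the client MAC are constructed.

```python
"""DHCP relay ("ip helper-address") in miniature: why DHCP crosses VLANs and a plain
broadcast does not. Added example; packet layout is real BOOTP/DHCP, pools are constructed."""
import struct
from ipaddress import IPv4Address, ip_network
from typing import Optional

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)   # 236 bytes; magic cookie and options follow
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1
ZERO_IP = IPv4Address("0.0.0.0")

# Constructed per-VLAN pools on a server that itself sits in 10.0.20.0/24.
POOLS = {
    ip_network("10.0.20.0/24"): (IPv4Address("10.0.20.100"), IPv4Address("10.0.20.199")),
    ip_network("10.0.30.0/24"): (IPv4Address("10.0.30.100"), IPv4Address("10.0.30.199")),
}


def build_discover(xid: int, mac: bytes) -> bytes:
    """A client's DHCPDISCOVER as it leaves the NIC: giaddr 0, broadcast flag set."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,              # BOOTREQUEST, Ethernet, 6-byte hw addr, hops = 0
        xid, 0, 0x8000,          # transaction id, secs, flags (bit 15 = broadcast reply)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([53, 1, DHCPDISCOVER, 255])       # option 53 = message type, 255 = end
    return header + MAGIC_COOKIE + options


def giaddr_of(pkt: bytes) -> IPv4Address:
    """Relay agent address carried in the packet (0.0.0.0 when not relayed)."""
    return IPv4Address(struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])[10])


def relay(pkt: bytes, relay_iface_ip: str) -> bytes:
    """What the L3 switch's helper does on the client VLAN: stamp giaddr with its own
    address on that VLAN, bump hops, then forward as unicast to the server. A packet
    that already carries a giaddr (a second relay hop) is passed through unchanged."""
    if giaddr_of(pkt) != ZERO_IP:
        return pkt
    hops = (pkt[3] + 1) & 0xFF
    # byte offsets: hops = 3, giaddr = 24..27
    return pkt[:3] + bytes([hops]) + pkt[4:24] + IPv4Address(relay_iface_ip).packed + pkt[28:]


def offer_for(pkt: bytes, server_iface_net: str) -> Optional[IPv4Address]:
    """Server side: pick the pool from giaddr when relayed, otherwise from the subnet
    of the interface the broadcast arrived on; hand out the pool's first address.
    Returns None when no pool covers the relay address."""
    g = giaddr_of(pkt)
    if g == ZERO_IP:
        scope = ip_network(server_iface_net)
    else:
        scope = next((net for net in POOLS if g in net), None)
    if scope not in POOLS:
        return None
    return POOLS[scope][0]


if __name__ == "__main__":
    discover = build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55")   # constructed MAC
    print("local client on server VLAN:", offer_for(discover, "10.0.20.0/24"))
    relayed = relay(discover, "10.0.30.1")                            # SVI on client VLAN
    print("relayed from 10.0.30.0/24:", offer_for(relayed, "10.0.20.0/24"))
    print("relayed from a VLAN with no pool:", offer_for(relay(discover, "10.0.99.1"), "10.0.20.0/24"))
```

The last case is the one to check when a new VLAN "gets no DHCP": the relay does its job, but the server has no scope matching the helper interface's address, so it stays silent. Running the DHCP server on the L3 switch, as Patrik does, sidesteps giaddr entirely because the broadcast never has to cross a VLAN boundary.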
  16. ortuno2k

    Hey Chris,

    I just found your website while searching for home servers and virtualization. My hat’s off to you for taking the time to document it all and make it available to us! I find that this is one of the most difficult things to do – documenting the network and updating the documentation!

    I’ll be adding your website to my bookmarks and keep checking on it to learn a thing or two and get some more ideas. Thanks for sharing!

  17. Mark

    hey Chris, I’m using this design in my network (just different IPs and VLAN numbers). I love it but I’m having one issue: only nodes in the Servers VLAN (VLAN 20 in your case) can resolve DNS names, but can resolve IPs no problem. I’m using the same setup except I have a Cisco SG300-20 at the core (in L3 mode) and not an HP switch. Any ideas off the top of your head? Thanks!

  18. Nnyan

    Hello,
    Quick question: why migrate from 10.0.x.0/24 to 172?

  19. Ellwood

    I realize this article is a little old; are you using the same setup? Do you have WAF with the home side VLAN? This effectively creates a double NAT situation, right? I mainly worry about things like certain gaming systems complaining about double NAT. Do you add them routed through manually, or not even have them to worry about?

    For my current setup, what I’m sure is a wonderfully over-engineered system with redundancy that I probably never need in a home lab environment: I have a pair of SG200 switches (half the ESXi NICs to one, half to the other), both LACP’d to a SG300-10. I planned on VLAN-tagging the cable modem to a pfSense VM for outbound, but otherwise everything is on VLAN 0 outside of vSphere (there, I have at least set up VLANs for iSCSI, VFT, vMotion, and other testing VLANs).

    In order to do the SVI, I’d have to do that on the SG300, and I can only do one SVI per interface? Which I think would mean I’d run out of physical interfaces if I segregate my home network like I want.
