Network Architecture
Comprehensive network design for the homelab infrastructure using Ubiquiti networking equipment with VLAN segmentation and NSX-T integration.
Table of Contents
- Overview
- Design Principles
- Physical Network Topology
- VLAN Architecture
- NSX-T Integration
- Routing Configuration
- DNS Configuration
- Security Considerations
Overview
The network architecture provides a secure, segmented, and scalable foundation for the homelab infrastructure. It combines traditional VLANs for infrastructure segmentation with NSX-T overlay networks for application workloads.
Design Goals
- Security: Network micro-segmentation and traffic isolation
- Performance: Dedicated VLANs for high-bandwidth traffic (storage, vMotion)
- Scalability: Overlay networks for dynamic workload scaling
- Management: Centralized configuration and monitoring
Design Principles
VLAN Fundamentals
VLAN-enabled ports are categorized as:
- Tagged/Trunk Ports: Pass traffic for multiple VLANs (inter-switch links)
- Untagged/Access Ports: Accept traffic for a single VLAN (end devices)
Key Concepts:
- Native VLAN: VLAN associated with untagged traffic
- Trunk Profile “All”: Passes all VLAN traffic through the port
- Access Profile: Single VLAN assignment for end devices
Why VLANs?
- Traffic Isolation: Separate network domains for different functions
- Security: Granular firewall rules between network segments
- Performance: Dedicated bandwidth for specific traffic types
- Compliance: Network segmentation for regulatory requirements
Physical Network Topology
```
Internet (Fiber)
        │
        ▼
┌─────────────────┐
│   Arris S34     │  Cable Modem
│   Modem         │  (Bridge Mode)
└─────────────────┘
        │ Ethernet
        ▼
┌─────────────────┐
│   UXG-Lite      │  Security Gateway
│   Gateway       │  (Firewall/Router/DHCP)
│  192.168.1.1    │
└─────────────────┘
        │ 1G Trunk (All VLANs)
        ▼
┌─────────────────┐      ┌─────────────────┐
│   US-8 PoE      │◄────►│ USW-Aggregation │
│   (Garage)      │  1G  │    (Office)     │  10G Core Switch
│  Patch Panel    │ Link │  8x SFP+ Ports  │
│   Uplink        │      │                 │
└─────────────────┘      └─────────────────┘
        │                        │
        │ 1G Links               │ 10G DAC Links
        ▼                        ▼
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│    NUC 1    │ │    NUC 2    │ │    NUC 3    │
│  ESXi Host  │ │  ESXi Host  │ │  ESXi Host  │
│ VLAN 10,20  │ │ VLAN 10,20  │ │ VLAN 10,20  │
│   VLAN 30   │ │   VLAN 30   │ │   VLAN 30   │
└─────────────┘ └─────────────┘ └─────────────┘
```
Why This Topology?
- Core/Edge Design: USW-Aggregation provides high-bandwidth backbone
- Redundancy: Multiple paths between garage and office
- Future Growth: 10G infrastructure ready for expansion
- Cost Effective: Single 10G core switch versus full 10G access
VLAN Architecture
Infrastructure VLANs
Configure these networks in UniFi Controller: Settings → Networks
Network Configuration:
- Purpose: Corporate
- Network Group: LAN
- Domain Name: homelab.internal
| VLAN | Network Name | CIDR | Gateway | DHCP | Purpose | Tagged |
|---|---|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | No | vCenter, NSX-T, BOSH | No |
| 12 | Virtual Machines | 192.168.12.0/24 | 192.168.12.1 | No | General VM traffic | Yes |
| 20 | Transport | 192.168.20.0/24 | 192.168.20.1 | No | vMotion, NSX-T TEP | Yes |
| 23 | NSX Uplink | 192.168.23.0/24 | 192.168.23.1 | No | NSX-T Edge uplinks | Yes |
Why This VLAN Design?
- VLAN 10 (Management):
  - Untagged for easy device access
  - Contains all infrastructure management interfaces
  - First network for simple troubleshooting
- VLAN 20 (Transport):
  - High-bandwidth traffic (vMotion, storage)
  - NSX-T Tunnel Endpoint (TEP) network
  - Isolated from general traffic
- VLAN 23 (NSX Uplink):
  - Edge router external interfaces
  - North-South traffic routing
  - Load balancer external IPs
NSX-T Logical Networks
Additional subnets managed by NSX-T for Kubernetes workloads:
| Network | CIDR | Purpose | Routing |
|---|---|---|---|
| TKG Management | 192.168.20.0/24 | Kubernetes cluster nodes | Non-routable overlay |
| TKG VIP/LB Network | 192.168.15.0/24 | Load balancer virtual IPs | Static route required |
| TKG Pods IP Block | 172.16.0.0/16 | Pod-to-pod communication | Overlay network |
| TKG Nodes IP Block | 192.168.192.0/20 | Kubernetes worker nodes | Overlay network |
Why Separate NSX-T Networks?
- Overlay Flexibility: Dynamic network provisioning without VLAN limits
- Micro-segmentation: Granular security policies per workload
- Multi-tenancy: Isolated networks per application or team
- Load Balancing: Integrated L4/L7 load balancing services
VLAN Traffic Flow
```
┌────────────────────────────────────────────────────────────┐
│                     VLAN Traffic Matrix                    │
├─────────────────────┬─────────┬─────────┬─────────┬────────┤
│                     │ VLAN 10 │ VLAN 20 │ VLAN 23 │ NSX-T  │
│                     │  Mgmt   │Transport│ Uplink  │Overlay │
├─────────────────────┼─────────┼─────────┼─────────┼────────┤
│ VLAN 10 Management  │    ✓    │    ✓    │    ✓    │   ✓    │
│ VLAN 20 Transport   │    ✓    │    ✓    │    ✗    │   ✓    │
│ VLAN 23 NSX Uplink  │    ✓    │    ✗    │    ✓    │   ✓    │
│ NSX-T Overlay       │    ✓    │    ✓    │    ✓    │   ✓    │
│ Internet            │    ✗    │    ✗    │    ✓    │   ✓    │
└─────────────────────┴─────────┴─────────┴─────────┴────────┘
```
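As an added example (not part of the original page), the matrix above expressed as executable policy: a Python model that classifies addresses into the segments from the VLAN tables, answers whether a given flow is permitted, and derives the explicit deny pairs a UniFi firewall ruleset would need to enforce it. It assumes rows are the traffic source and columns the destination (the page does not say), and treats any address outside the listed subnets as either Internet (public) or unknown (denied).

```python
import ipaddress

# Segments from the VLAN tables on this page. The NSX-T overlay is represented
# by the TKG pod and node IP blocks. The 192.168.15.0/24 VIP network is not in
# the matrix, so it is deliberately left out and falls into "unknown" (denied).
SEGMENTS = {
    "VLAN 10 Management": ["192.168.10.0/24"],
    "VLAN 20 Transport": ["192.168.20.0/24"],
    "VLAN 23 NSX Uplink": ["192.168.23.0/24"],
    "NSX-T Overlay": ["172.16.0.0/16", "192.168.192.0/20"],
}

# Traffic matrix from the page. Assumption (not stated on the page): the row is
# the traffic source and the column is the destination.
ALLOWED = {
    "VLAN 10 Management": {"VLAN 10 Management", "VLAN 20 Transport", "VLAN 23 NSX Uplink", "NSX-T Overlay"},
    "VLAN 20 Transport": {"VLAN 10 Management", "VLAN 20 Transport", "NSX-T Overlay"},
    "VLAN 23 NSX Uplink": {"VLAN 10 Management", "VLAN 23 NSX Uplink", "NSX-T Overlay"},
    "NSX-T Overlay": {"VLAN 10 Management", "VLAN 20 Transport", "VLAN 23 NSX Uplink", "NSX-T Overlay"},
    "Internet": {"VLAN 23 NSX Uplink", "NSX-T Overlay"},
}


def classify(ip):
    """Map an address to a segment name; public addresses are 'Internet',
    private addresses outside the design (e.g. 192.168.1.0/24) are None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in SEGMENTS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "Internet" if addr.is_global else None


def flow_allowed(src_ip, dst_ip):
    """True only if the matrix has a check mark for source -> destination."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return False  # default deny for anything the design does not describe
    return dst in ALLOWED[src]


def deny_rules():
    """Derive the (source, destination) pairs the matrix marks with a cross;
    these are the explicit block rules needed on top of an allow-by-default LAN."""
    return [(src, dst) for src, allowed in ALLOWED.items()
            for dst in SEGMENTS if dst not in allowed]
```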
Static Route
In the UniFi Network application, go to Settings -> Routing & Firewall -> Static Routes.
Create a new route:
- Name: tkg-vip-lb-network
- Network: 192.168.15.0/24
- Next Hop: 192.168.23.2 (NSX-T Tier-0 router)
Custom DNS
You can use the Ubiquiti USG’s config.gateway.json file to create custom DNS entries for your environment.
See the link for a more detailed guide on using this file, but in a nutshell:
```sh
# On the gateway:
ssh admin@192.168.1.1            # enter the admin password at the prompt
vi /srv/unifi/data/sites/default/config.gateway.json

# On the UniFi controller (Cloud Key, 192.168.1.30):
ssh administrator@192.168.1.30   # enter the administrator password at the prompt
vi /srv/unifi/data/sites/default/config.gateway.json
```
Paste in the validated JSON, then save and quit with `:wq`.
In the UniFi UI: UniFi Controller Devices > USG > Config > Manage Device > Force provision
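An added example, not from the original page, of producing the "validated JSON" for the step above: a Python script that builds the `system` / `static-host-mapping` / `host-name` tree that config.gateway.json uses for custom DNS entries, and refuses to emit it unless every address falls inside one of the infrastructure VLAN subnets from the table, every name sits under homelab.internal, and no address is mapped twice. The hostnames and addresses in `HOSTS` are constructed placeholders, not values from the page.

```python
import ipaddress
import json

# VLAN subnets from the "Infrastructure VLANs" table on this page.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    12: ipaddress.ip_network("192.168.12.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    23: ipaddress.ip_network("192.168.23.0/24"),
}

# Constructed sample entries (assumed names and addresses, not from the page).
HOSTS = {
    "vcenter.homelab.internal": "192.168.10.20",
    "nsx-manager.homelab.internal": "192.168.10.21",
    "nsx-edge-uplink.homelab.internal": "192.168.23.2",
}


def build_config(hosts):
    """Return the config.gateway.json structure for static host mappings
    (the EdgeOS 'system static-host-mapping host-name <name> inet <ip>' tree)."""
    mapping = {name: {"inet": [ip]} for name, ip in hosts.items()}
    return {"system": {"static-host-mapping": {"host-name": mapping}}}


def validate(hosts, domain="homelab.internal"):
    """Return a list of problems; an empty list means the mapping is safe to paste."""
    problems, seen = [], {}
    for name, ip in hosts.items():
        if not name.endswith("." + domain):
            problems.append(f"{name}: not under {domain}")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: invalid address {ip!r}")
            continue
        if not any(addr in net for net in VLAN_SUBNETS.values()):
            problems.append(f"{name}: {ip} is outside every infrastructure VLAN")
        if ip in seen:
            problems.append(f"{name}: {ip} already mapped to {seen[ip]}")
        seen.setdefault(ip, name)
    return problems


def render(hosts):
    """Validate, then return the JSON text to paste into config.gateway.json."""
    problems = validate(hosts)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(build_config(hosts), indent=2)
```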
Jumbo Frames
NSX-T requires MTU 1600 for the VTEP Transport network, so we need to enable jumbo frames on the switch.
In the UniFi UI: UniFi Controller Devices > UniFi Switch > Config > Services > Enable jumbo frame
Configure Network Ports
Create a Port Profile
For the first LAN cable into the Supermicro, we want to trunk several VLANs. To do this, we first need to create a port profile.
In the UniFi UI: Settings > Profiles > Switch Ports > Add New Port Profile
- Native Network: VLAN 10
- Tagged Networks: VLANs 12, 20, and 23 (I did: 12, 22, 192)
Click Save.
Note that UniFi creates a standalone port profile for each VLAN by default.
Assign Port Profiles
In the UniFi UI: UniFi Controller Devices > UniFi Switch > Ports
For each port, assign the appropriate profile:
- Management: Port profile for VLAN 10 only
- Transport: Port profile for VLAN 20 only
- VLANs 10 (native), 12, 20, 23: Port profile with VLAN trunks (Management native, VMs, Transport, and NSX Uplink)
| Port | Profile | Device | IP Address or Subnet |
|---|---|---|---|
| 1 | All | Gateway | 192.168.1.1 |
| 2 | Transport | NUC (vmnic1) | 192.168.20.1/24 |
| 3 | VLAN 10 (native), 12, 20, 23 | NUC (vmnic0) | 192.168.10.8 (192.168.{12,20,23}.1/24) |
| 4 | VLAN 10 (native), 12, 20, 23 | Mac (vmnic0) | 192.168.10.7 (192.168.{12,20,23}.1/24) |
| 5 | All (but should be VLAN 10 - Management only)* | Mgmt switch | 192.168.1.29 (but should be on VLAN 10 only)* |
| 6 | Transport | Mac (vmnic1) | 192.168.20.1/24 |
| 7 | All | Cloud Key Controller | 192.168.1.30 |
| 8 | All | Home Access Point | 192.168.1.88 |
- The Transport network is used for NSX-T Transport Nodes such as hypervisor hosts or NSX Edges and provides communication between them without passing through a physical switch (east-west traffic). (VLAN 20; I did 22)
- The NSX Uplink network allows traffic to route from the virtual NSX Edge nodes to the physical switch (north-south traffic). (VLAN 23; I did 192)