Qianhe Chen
Computer Networking in Practice: Homelab Network Architecture and Deployment

This year I finally brought a Dell R730XD into service with TrueNAS and a RAID6 storage pool. At that point, a gigabit home LAN stopped making sense: the server could provide much more local throughput than the network could carry.

So the first requirement was practical: move the internal backbone to 10G. Once the core was being rebuilt, it also made sense to stop treating the home network as one flat LAN. Servers, cameras, APs, management interfaces, and IoT devices should not all live in the same broadcast domain.

The final architecture is built around a routed 10G core, segmented VLANs, PoE access, centrally managed Wi-Fi, and ACLs at the network boundaries. The goal is to keep the network fast where it matters, isolated where it should be, and simple enough to debug when something breaks.

The core policy is straightforward: VLAN100 is my trusted work/admin network, VLAN99 is infrastructure management, and VLAN30 is surveillance. VLAN100 can administer VLAN99 and VLAN30. VLAN99 and VLAN30 cannot initiate access to other VLANs, and other VLANs cannot reach VLAN100.

The networking ideas behind the rack

Here are the network concepts that show up repeatedly in this design.

Concept 1: Switching

Switches build the physical fabric

A switch connects devices inside a Layer 2 network and forwards Ethernet frames by MAC address.

  • Connects router uplinks, server ports, APs, cameras, NVR, and management interfaces.
  • Keeps local Ethernet traffic inside the switching fabric.
  • Carries multiple logical networks when VLANs are used.

Concept 2: Routing

Routers connect IP networks

Routing decides how packets move between subnets and how traffic exits toward the Internet.

  • The edge router handles PPPoE and Internet access.
  • The core switch routes between internal VLAN gateways.
  • Default routes define where unknown destinations go next.

Concept 3: VLANs

VLANs define trust boundaries

A VLAN splits one physical switching fabric into separate logical Layer 2 networks.

  • Management, cameras, IoT, APs, and trusted work devices do not share one flat LAN.
  • Each VLAN gets a clear subnet, gateway, and policy boundary.
  • ACLs can then control which VLANs may talk to each other.

Concept 4: Ports

Access and trunk ports place VLANs on cables

Port type decides whether one endpoint receives one VLAN or a link carries many VLANs.

  • Access ports fit cameras, NVR, and iDRAC because each endpoint belongs to one VLAN.
  • Trunk ports fit switch uplinks and APs because they carry several VLANs.
  • PVID/native VLAN decides where untagged traffic lands on a trunk.

Concept 5: Addressing

DHCP and routes make the network usable

DHCP gives hosts addresses; routes tell devices where to send traffic outside the local subnet.

  • Client VLANs receive DHCP service from the core switch.
  • AP management DHCP is relayed to the AC so it can provide Option 43.
  • The core sends Internet-bound traffic to the router over the routed /30 link.

Concept 6: Operations

LACP and PoE make deployment practical

Some network features are less about theory and more about keeping the physical deployment clean.

  • LACP bundles multiple links for aggregate capacity and redundancy.
  • PoE powers APs and cameras through the same cable that carries data.
  • These choices reduce cabling friction and make the network easier to maintain.

With that vocabulary in place, we can move from concepts to the actual homelab topology.

Topology summary

The network is built around a routed core.

flowchart LR
    Internet["Public Internet"] -->|"PPPoE"| Router["Huawei AR5710S-S8T2X"]
    Router -->|"10G routed link 192.168.255.0/30"| Core["48-port 10G core switch"]
    Core -->|"10G trunk VLAN99,11"| AC["Huawei AirEngine 9700S-S"]
    Core -->|"4 x 1G LACP trunk"| PoESwitch["Huawei PoE access switch"]
    Core -->|"2 x 10G LACP"| Server["Dell R730XD services"]
    PoESwitch --> APs["Huawei Wi-Fi 6 APs"]
    PoESwitch --> Cameras["Hikvision cameras"]
    PoESwitch --> NVR["Hikvision NVR"]
    PoESwitch --> iDRAC["Dell iDRAC"]

Role | Device | Purpose
Edge router | Huawei AR5710S-S8T2X | PPPoE WAN and routed handoff to the core
Core switch | 48-port 10G SFP+ switch, Centec chipset | VLAN gateways, DHCP, DHCP relay, default route, aggregation
Access switch | Huawei S1730S-S24P4S-A2 | PoE access for APs and cameras, NVR, iDRAC, trunk to core
Wireless controller | Huawei AirEngine 9700S-S | AP discovery, AP management, SSID policy
Wireless APs | Huawei Wi-Fi 6 APs | Client access, SSID-to-VLAN mapping
Server | Dell R730XD with 0C63DV NIC | Services on VLAN100, dual-10G LACP to core
Surveillance | Hikvision cameras and NVR | Static security devices on VLAN30

The WAN enters the router on MultiGE 0/0/0 and uses PPPoE over a 1G public uplink.

The router connects to the core through a routed point-to-point link:

Link | Type | VLANs / IPs
Router MultiGE 0/0/0 to ISP | WAN | 1G PPPoE
Router 10GE 0/0/1 to core eth-0-44 | Routed | Router 192.168.255.1/30, core 192.168.255.2/30
Core eth-0-41 to AC XGE0/0/1 | Trunk | VLAN99, VLAN11
Core eth-0-45-48 to access switch GE0/0/25-28 | LACP trunk | VLAN99, 10, 20, 30, 100, 200
Core eth-0-25-26 to Dell R730XD | LACP | VLAN100
Access switch to APs | PoE trunk | Native VLAN10, allowed VLAN10, 20, 30, 100, 200
Access switch to cameras and NVR | Access | VLAN30
Access switch to iDRAC | Access | VLAN99

VLANs, gateways, and DHCP

The core switch owns the routed VLAN interfaces for the main internal networks:

VLAN | Role | Gateway | DHCP
99 | Management | 192.168.99.100/24 | Static
10 | AP management | 192.168.10.1/24 | Relay to AC 192.168.11.1
11 | AC control | 192.168.11.2/24 | Static
20 | Life / daily devices | 192.168.20.1/24 | Core switch
30 | Security / cameras / NVR | 192.168.30.1/24 | Core switch, with cameras/NVR static
100 | Work and server services | 192.168.100.1/24 | Core switch
200 | Smart home / IoT | 192.168.200.1/24 | Core switch

VLAN99 is the management plane. The core switch uses 192.168.99.100/24, the AC uses 192.168.99.8/24, the access switch uses 192.168.99.5/24, and iDRAC uses 192.168.99.56/24.

VLAN10 is only for AP management. APs receive addresses by DHCP and use 192.168.10.1 as their gateway.

VLAN11 is the AC control network. The AC uses 192.168.11.1/24; the core uses 192.168.11.2/24.

The core switch directly serves DHCP for VLAN20, VLAN30, VLAN100, and VLAN200. VLAN10 is relayed to the AC:

VLAN10 DHCP relay -> 192.168.11.1

The AC DHCP pool for APs is:

  • Subnet: 192.168.10.0/24
  • Gateway: 192.168.10.1
  • Option 43: 192.168.11.1

Routing model

The core switch is the default gateway for the internal VLANs. The router is the Internet edge.

Core default route: 0.0.0.0/0 -> 192.168.255.1

flowchart LR
    VlanGateway["VLAN gateway on core"] --> CoreRoute["Core default route"]
    CoreRoute -->|"0.0.0.0/0 via 192.168.255.1"| Router["Huawei router"]
    Router -->|"PPPoE"| Internet["Public Internet"]

This keeps internal routing close to the switching fabric. Traffic between VLANs reaches the core directly. Internet-bound traffic leaves through the router.

Wireless

The AP-facing switch ports are trunks:

  • Native / PVID VLAN: 10
  • Allowed VLANs: 10, 20, 30, 100, 200

SSID | VLAN | Purpose
SSID-Work | 100 | Trusted work/admin devices
SSID-Life | 20 | Daily household devices
SSID-Security | 30 | Security clients and camera-related access
SSID-IoT | 200 | Smart home devices

The AC trunk only carries VLAN99 and VLAN11. Client VLANs are mapped at the AP edge and carried through the AP-to-access-switch trunk, then through the access-to-core trunk.

The AC has two important routes:

192.168.10.0/24 -> 192.168.11.2
0.0.0.0/0      -> 192.168.99.100

The first route is the return path to AP management addresses. The second route sends other AC traffic to the core management gateway.
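The two AC routes and the core default route are easiest to understand by running a lookup against them. The script below is an added example, not configuration from the post or from any Huawei or Centec device: it encodes the route tables exactly as the article describes them (connected VLAN subnets on the core plus its default route; the AC's connected VLAN99 and VLAN11 interfaces plus its two static routes), implements longest-prefix matching, and traces the device-to-device path for a packet. The mapping of next-hop addresses to devices comes from the addressing section; the public destination 203.0.113.10 is a constructed sample, and the router's own table is not in the article, so the trace stops when a packet is handed to the router.

```python
import ipaddress

# Route tables as the article states them. A next hop of "connected" means the
# device owns an interface in that prefix and delivers the packet directly.
ROUTE_TABLES = {
    "core": [
        ("192.168.99.0/24", "connected"), ("192.168.10.0/24", "connected"),
        ("192.168.11.0/24", "connected"), ("192.168.20.0/24", "connected"),
        ("192.168.30.0/24", "connected"), ("192.168.100.0/24", "connected"),
        ("192.168.200.0/24", "connected"), ("192.168.255.0/30", "connected"),
        ("0.0.0.0/0", "192.168.255.1"),          # core default route to the router
    ],
    "ac": [
        ("192.168.99.0/24", "connected"), ("192.168.11.0/24", "connected"),
        ("192.168.10.0/24", "192.168.11.2"),      # return path to AP management
        ("0.0.0.0/0", "192.168.99.100"),          # everything else to the core
    ],
}

# Which device owns each next-hop address (from the article's addressing section).
OWNER = {"192.168.11.2": "core", "192.168.99.100": "core", "192.168.255.1": "router"}


def lookup(device, dst_ip):
    """Longest-prefix match: of all prefixes containing dst_ip, pick the most
    specific one and return its next hop ("connected", an IP, or None)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nexthop in ROUTE_TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def trace(start, dst_ip, max_hops=8):
    """Follow next hops from device to device until the packet is delivered on
    a connected interface or handed to the router (the Internet edge)."""
    path = [start]
    device = start
    for _ in range(max_hops):
        nexthop = lookup(device, dst_ip)
        if nexthop == "connected":
            path.append(f"delivered:{dst_ip}")
            return path
        owner = OWNER.get(nexthop)
        if owner is None:
            path.append(f"no route via {nexthop}")
            return path
        path.append(owner)
        if owner == "router":   # the router's table is not in the article
            return path
        device = owner
    path.append("hop limit reached")
    return path


if __name__ == "__main__":
    # 192.168.10.25 is a constructed AP address inside the VLAN10 pool.
    print("AC -> AP:      ", " -> ".join(trace("ac", "192.168.10.25")))
    print("AC -> Internet:", " -> ".join(trace("ac", "203.0.113.10")))
    print("core -> camera:", " -> ".join(trace("core", "192.168.30.10")))
```

The first trace shows why the AC needs the specific /24 route: without it, AP management traffic would fall into the default route and leave the AC over VLAN99 toward 192.168.99.100 instead of over the VLAN11 control link.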

Server and surveillance placement

The Dell R730XD has two network roles:

Role | VLAN | Address | Gateway | Link
Services | 100 | 192.168.100.45/24 | 192.168.100.1 | Dual 10G LACP to core
iDRAC | 99 | 192.168.99.56/24 | 192.168.99.100 | Access switch port

The iDRAC path is separate from the service path. I can change the server data network without losing out-of-band management.

The cameras and NVR are placed in VLAN30 with static addresses. Camera-to-NVR traffic stays inside the security VLAN.

The resulting surveillance path is short:

flowchart LR
    Cameras["Hikvision cameras"] -->|"VLAN30 video streams"| PoESwitch["PoE access switch"]
    PoESwitch -->|"VLAN30 access"| NVR["Hikvision NVR"]
    PoESwitch -->|"Trunk VLAN30"| CoreSwitch["Core switch gateway 192.168.30.1"]

ACL policy

The VLAN policy is intentionally strict. VLAN100 is my trusted network and is effectively single-user. It is the only VLAN allowed to initiate access into the management and security networks.

Source | Destination | Action | Reason
VLAN100 | VLAN99 | Allow | Admin access to switches, AC, and iDRAC
VLAN100 | VLAN30 | Allow | Admin access to cameras and NVR
VLAN99 | Any non-management VLAN | Deny | Management devices should not initiate access to clients or services
VLAN30 | Any other VLAN | Deny | Cameras and NVR should not initiate access outside the security network
VLAN10, VLAN11, VLAN20, VLAN30, VLAN99, VLAN200 | VLAN100 | Deny | VLAN100 should not be reachable from other VLANs
VLAN10, VLAN11, VLAN20, VLAN200 | VLAN99 | Deny | Only VLAN100 can manage infrastructure
VLAN10, VLAN11, VLAN20, VLAN200 | VLAN30 | Deny | Only VLAN100 can reach the security network

In short:

  • VLAN99 and VLAN30 are protected destinations.
  • Only VLAN100 can initiate traffic to VLAN99 and VLAN30.
  • VLAN30 and VLAN99 cannot initiate traffic to other VLANs.
  • VLAN100 is not reachable from other VLANs.
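A policy matrix like this is worth modelling before it is typed into a switch, because the four summary bullets are easy to state and easy to get subtly wrong in rule order. The script below is an added example, not the post's own ACL configuration: it maps addresses to VLANs using the subnets from the gateway table, decides allow/deny for a new connection by the policy above, checks the four bullets over every ordered VLAN pair, and lists the reverse paths that need care on stateless ACLs. Two assumptions are this example's, not the article's: "any non-management VLAN" for VLAN99 is read as every VLAN other than 99 (matching the summary bullet), and pairs the table does not mention (for instance VLAN20 to VLAN200) fall through to allow. The camera addresses in the sample flows are constructed.

```python
import ipaddress
from itertools import permutations

# VLAN subnets as listed in the article's gateway table.
VLAN_SUBNETS = {
    99: ipaddress.ip_network("192.168.99.0/24"),
    10: ipaddress.ip_network("192.168.10.0/24"),
    11: ipaddress.ip_network("192.168.11.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
    100: ipaddress.ip_network("192.168.100.0/24"),
    200: ipaddress.ip_network("192.168.200.0/24"),
}

TRUSTED = 100              # the only VLAN that may initiate into protected VLANs
PROTECTED = {99, 30}       # management and surveillance: admin-only destinations
LOCKED_SOURCES = {99, 30}  # may not initiate to any other VLAN (article's summary)


def vlan_of(ip):
    """Map an address to its VLAN by subnet membership."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLAN_SUBNETS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN")


def policy(src_vlan, dst_vlan):
    """Decision for a NEW connection from src_vlan to dst_vlan: 'allow' or 'deny'.
    The final fall-through allow for pairs the article's table does not mention
    is this example's assumption, not something the article states."""
    if src_vlan == dst_vlan:
        return "allow"     # same VLAN: never crosses a routed interface or ACL
    if src_vlan == TRUSTED and dst_vlan in PROTECTED:
        return "allow"
    if dst_vlan == TRUSTED or dst_vlan in PROTECTED:
        return "deny"
    if src_vlan in LOCKED_SOURCES:
        return "deny"
    return "allow"


def evaluate_flow(src_ip, dst_ip):
    """Decision for a new connection between two hosts."""
    return policy(vlan_of(src_ip), vlan_of(dst_ip))


def check_invariants():
    """Check the article's four summary bullets over every ordered VLAN pair.
    Returns a list of violations; an empty list means the model matches."""
    problems = []
    for s, d in permutations(VLAN_SUBNETS, 2):
        decision = policy(s, d)
        if d in PROTECTED and s != TRUSTED and decision == "allow":
            problems.append(f"VLAN{s} may initiate into protected VLAN{d}")
        if s in LOCKED_SOURCES and decision == "allow":
            problems.append(f"VLAN{s} may initiate out to VLAN{d}")
        if d == TRUSTED and decision == "allow":
            problems.append(f"VLAN{d} is reachable from VLAN{s}")
        if s == TRUSTED and d in PROTECTED and decision != "allow":
            problems.append(f"admin path VLAN{s} -> VLAN{d} is blocked")
    return problems


def reply_paths_needing_exception():
    """Pairs (d, s) where s -> d is allowed but d -> s is denied.
    If the switch ACLs are stateless, a plain deny on d -> s also drops the
    reply packets of connections that s opened, so that deny must exempt
    established traffic or the allowed path silently fails."""
    return sorted((d, s) for s, d in permutations(VLAN_SUBNETS, 2)
                  if policy(s, d) == "allow" and policy(d, s) == "deny")


if __name__ == "__main__":
    # Constructed sample flows: addresses from the article plus two made-up
    # camera/NVR addresses inside VLAN30.
    samples = [
        ("192.168.100.45", "192.168.99.56"),   # server on VLAN100 -> iDRAC
        ("192.168.99.56", "192.168.100.45"),   # iDRAC -> VLAN100 (denied)
        ("192.168.30.10", "192.168.30.20"),    # camera -> NVR inside VLAN30
        ("192.168.200.5", "192.168.30.1"),     # IoT -> security gateway
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {evaluate_flow(src, dst)}")
    print("invariant violations:", check_invariants() or "none")
    print("reverse paths needing an established-traffic exception:",
          reply_paths_needing_exception())
```

The last function is the check to keep in mind when translating the matrix into switch ACLs: every "deny initiate" toward VLAN100 must still let replies to connections VLAN100 opened come back, which stateless ACLs do not do on their own.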

The policy direction is easier to see as a graph:

flowchart LR
    Vlan100["VLAN100 Work/Admin"] -->|"allow admin"| Vlan99["VLAN99 Management"]
    Vlan100 -->|"allow admin"| Vlan30["VLAN30 Security"]
    Vlan20["VLAN20 Life"] -. "deny" .-> Vlan99
    Vlan20 -. "deny" .-> Vlan30
    Vlan200["VLAN200 IoT"] -. "deny" .-> Vlan99
    Vlan200 -. "deny" .-> Vlan30
    Vlan10["VLAN10 AP Management"] -. "deny" .-> Vlan100
    Vlan30 -. "deny initiate" .-> Vlan100
    Vlan99 -. "deny initiate" .-> Vlan100

This is the point where the network becomes operationally useful. The physical design gives every device a clear place. The VLAN design gives every group a clear subnet. The ACL policy defines which boundaries are real.