# Switching & VLAN Fabric
This document describes the Layer 2 switching fabric supporting the lab, including physical topology, VLAN propagation, and design boundaries.
Switching is intentionally kept simple. All policy, routing, and enforcement occur at the network edge.
Design principles: see Lab Philosophy.
## Design Goals
The switching fabric is designed to:
- Provide predictable, low-latency forwarding
- Preserve clear Layer 2 / Layer 3 boundaries
- Avoid distributed policy or routing logic
- Scale incrementally without redesign
Switches are treated as transport infrastructure, not decision-makers.
## Physical Topology
The switching layout follows a hierarchical model:
### Core Switching
- CRS317-1G-16S+
- Dedicated 10G-only switching
- Rack-resident
- Serves as the aggregation point for all downstream switches and the edge router
The core switch does not perform routing or policy enforcement.
### Access Switching
#### Rack Access
- CRS326-24G-2S+
- 1G access ports
- 10G uplink to the core
- Primary access layer for rack-mounted systems
#### Rack PoE
- CRS112-8P-4S
- PoE for infrastructure devices
- 1G uplink to the rack access switch
- No direct uplink to the core
### Remote Access Switching
#### Office
- CRS309-1G-8S+
- 10G uplink to the core
- Feeds the office access point
#### Living Room
- CRS310-8G+2S+
- 10G uplink to the core
- Feeds the living room access point
## VLAN Propagation Model
All VLANs are defined and terminated on the edge router.
Switches operate strictly at Layer 2 and are responsible only for:
- VLAN tagging and forwarding
- Port access/trunk enforcement
- Hardware-offloaded switching
No switch performs inter-VLAN routing.
### VLAN Overview
| VLAN | Name | Purpose | Network Policy Summary |
|---|---|---|---|
| 99 | Mgmt | Infrastructure management | Restricted, no WAN access |
| 110 | Trusted | Users and servers | WAN allowed, inter-VLAN controlled |
| 120 | IoT | Embedded and consumer gear | WAN allowed, no lateral access |
| 130 | Camera | Video sources | No WAN, ZoneMinder-only access |
## Trunking Strategy
- Inter-switch links carry tagged VLAN traffic only
- Access ports are untagged and mapped to a single VLAN
- Trunk definitions are explicit and minimal
The fabric avoids:
- VLAN translation
- QinQ
- Per-switch VLAN interpretation
Consistency across switches is prioritized over flexibility.
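The VLAN table and trunking rules above, turned into a consistency check that runs before any switch configuration is produced, followed by rendering of the resulting RouterOS v7 bridge VLAN commands for the rack access switch. This is an added example, not the lab's own tooling or configuration: the RouterOS command syntax, the bridge name `bridge1`, the CRS port names (`sfp-sfpplus1`, `ether1`, `ether24`) and the per-port VLAN assignments are assumptions, and the switch definition is constructed for illustration.

```python
"""Consistency check + RouterOS v7 rendering for one access switch.
Added example, not the lab's own tooling. Assumed (not from the page): RouterOS v7
`/interface bridge` syntax, bridge name "bridge1", CRS port names, VLAN assignments."""
from dataclasses import dataclass

# Authoritative VLAN table, copied from the VLAN Overview on this page.
VLANS = {99: "Mgmt", 110: "Trusted", 120: "IoT", 130: "Camera"}
MGMT_VLAN = 99


@dataclass
class Port:
    name: str
    mode: str           # "trunk" (tagged only) or "access" (untagged, one VLAN)
    vlans: tuple = ()   # trunk: VLANs explicitly carried; access: exactly one


@dataclass
class Switch:
    name: str
    bridge: str
    ports: list


def validate(sw: Switch) -> list:
    """Return rule violations; an empty list means the switch matches the design."""
    errors = []
    for p in sw.ports:
        tag = f"{sw.name}/{p.name}"
        if p.mode not in ("trunk", "access"):
            errors.append(f"{tag}: unknown port mode {p.mode!r}")
            continue
        unknown = [v for v in p.vlans if v not in VLANS]
        if unknown:  # no per-switch VLAN interpretation: IDs come only from the table
            errors.append(f"{tag}: VLAN(s) {unknown} not in the VLAN table")
        if p.mode == "access" and len(p.vlans) != 1:
            errors.append(f"{tag}: access port must map to exactly one VLAN")
        if p.mode == "trunk" and not p.vlans:
            errors.append(f"{tag}: trunk must list the VLANs it carries")
    if not any(p.mode == "trunk" and MGMT_VLAN in p.vlans for p in sw.ports):
        errors.append(f"{sw.name}: no trunk carries the management VLAN {MGMT_VLAN}")
    return errors


def render(sw: Switch) -> str:
    """Emit RouterOS commands; refuses to render a switch that violates the rules."""
    errors = validate(sw)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["/interface bridge", f"add name={sw.bridge} vlan-filtering=no",
             "/interface bridge port"]
    for p in sw.ports:
        if p.mode == "trunk":
            # Trunks admit tagged frames only; ingress filtering drops tagged frames
            # whose VLAN is not allowed on that port in the bridge VLAN table.
            lines.append(f"add bridge={sw.bridge} interface={p.name} "
                         "frame-types=admit-only-vlan-tagged ingress-filtering=yes")
        else:
            # Access ports admit untagged frames only and are pinned to one VLAN via pvid.
            lines.append(f"add bridge={sw.bridge} interface={p.name} pvid={p.vlans[0]} "
                         "frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes")
    lines.append("/interface bridge vlan")
    for vid in sorted(VLANS):
        tagged = [p.name for p in sw.ports if p.mode == "trunk" and vid in p.vlans]
        untagged = [p.name for p in sw.ports if p.mode == "access" and p.vlans[0] == vid]
        if vid == MGMT_VLAN:
            tagged.insert(0, sw.bridge)  # the switch CPU is reachable on Mgmt only
        if not tagged and not untagged:
            continue
        entry = f"add bridge={sw.bridge} vlan-ids={vid}"
        if tagged:
            entry += f" tagged={','.join(tagged)}"
        if untagged:
            entry += f" untagged={','.join(untagged)}"
        lines.append(entry + f' comment="{VLANS[vid]}"')
    lines += ["/interface vlan",
              f"add name=vlan{MGMT_VLAN}-mgmt interface={sw.bridge} vlan-id={MGMT_VLAN}",
              "/interface bridge",
              # Enabled last: the Mgmt entry must exist before filtering starts,
              # otherwise the management session to the switch is cut off.
              f"set {sw.bridge} vlan-filtering=yes"]
    return "\n".join(lines)


# Constructed rack access switch (CRS326-24G-2S+ port naming assumed):
# 10G uplink to the core, 1G downlink trunk to the PoE switch, three access ports.
RACK_ACCESS = Switch("rack-access", "bridge1", [
    Port("sfp-sfpplus1", "trunk", (99, 110, 120, 130)),  # uplink to core
    Port("ether24", "trunk", (99, 120, 130)),             # downlink to rack PoE switch
    Port("ether1", "access", (110,)),
    Port("ether2", "access", (120,)),
    Port("ether3", "access", (130,)),
])

if __name__ == "__main__":
    print(render(RACK_ACCESS))
```

Running the script prints the command set for the rack access switch; feeding a switch definition that references a VLAN outside the table, maps an access port to more than one VLAN, or has no trunk carrying VLAN 99 makes `render()` refuse with the list of violations, which is the point of keeping the VLAN table in one place. The order of the emitted commands matters on real hardware: the bridge is added to the Mgmt VLAN as a tagged member before `vlan-filtering=yes` is set, so enabling filtering does not sever the management session.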
## Layer 3 Boundary
The Layer 3 boundary is intentionally centralized:
- All routing occurs on the edge router
- All firewall rules are enforced at the edge
- All QoS classification and shaping occurs at the edge
This ensures that traffic behavior is:
- Observable
- Deterministic
- Easy to reason about during failure scenarios
## Failure Characteristics
The switching fabric is designed so that:
- Loss of an access switch impacts only its local segment
- Loss of a remote switch does not affect other areas
- Loss of the core switch results in full network outage (by design)
Failure domains are clear and intentional.
## Design Notes
- Switches are transport, not policy devices
- Centralized routing reduces complexity and drift
- VLANs encode trust boundaries, not convenience
- Hardware offload is preferred wherever possible
This document applies to all current and future switching infrastructure unless explicitly stated otherwise.