For me, everything is all about the journey. If I’m not learning then I need to change directions.
While I’m not a network engineer, I work very closely with and support network engineers where I work. My skills are in application and network monitoring, and in network configuration management.
My journey with network segmentation started as a home lab project back in 2019 when I began studying for the Security+ certification. Like many others, I have IoT devices in my network, and these are typically devices that rely on the vendor to provide security updates. However, most vendors produce a device and support it for a limited time, until they decide to produce a new device. Many times, at that point, support for the older device stops. Segmenting these devices therefore becomes important, because you don’t want a vulnerability in a device like a Wi-Fi capable camera to be used to attack other devices on your network.
So, I began looking at all of the devices on my home network and started to document what each device really needed access to. This allowed me to quickly group the devices that only need access to the internet and nothing else. A Chromecast or a Roku video streaming device falls into this category. Once you group all of your devices and consider each group’s use case for network access, you have the blueprints, so to speak, for how many VLANs you need and which devices need to be a member of each VLAN.
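The grouping step above is mechanical enough to script. The following is an added example, not code from the original post: it takes a small constructed inventory of devices, each tagged with what it actually needs to reach, maps every device onto the VLAN whose access profile matches exactly (and fails loudly when a device has a profile nobody planned for), and derives a default-deny inter-VLAN policy from the same profiles. The device names, VLAN ids and subnets are made-up sample values, the Hubitat classification is my assumption, and the rule that a segment may only initiate connections to a segment with a subset of its own access (a more-trusted network can reach a less-trusted one, never the reverse) is a design choice for this example rather than anything the post prescribes.

```python
"""Added example: from a per-device inventory of "what does this really need to
reach" to a VLAN blueprint and an inter-VLAN policy. All values are constructed."""
from dataclasses import dataclass

# Access a device may declare. Constructed vocabulary for this example.
INTERNET, LAN, MGMT = "internet", "lan", "mgmt"


@dataclass(frozen=True)
class Device:
    name: str
    needs: frozenset  # subset of {INTERNET, LAN, MGMT}


# Constructed sample inventory, loosely matching the kinds of devices in the post.
INVENTORY = [
    Device("chromecast-livingroom", frozenset({INTERNET})),
    Device("roku-bedroom", frozenset({INTERNET})),
    Device("wifi-camera-porch", frozenset({INTERNET})),
    Device("hubitat-hub", frozenset({INTERNET, LAN})),   # assumption: local automation talks to the LAN
    Device("kvm-host", frozenset({INTERNET, LAN})),
    Device("laptop-work", frozenset({INTERNET, LAN, MGMT})),
]

# The blueprint: one VLAN per distinct access profile. Ids and subnets are sample values.
VLAN_PLAN = {
    frozenset({INTERNET}):            ("iot",   20, "10.0.20.0/24"),
    frozenset({INTERNET, LAN}):       ("lan",   10, "10.0.10.0/24"),
    frozenset({INTERNET, LAN, MGMT}): ("admin",  5, "10.0.5.0/24"),
}


def group_devices(inventory):
    """Map each device onto the VLAN whose profile exactly matches its needs.

    A device whose profile has no VLAN is a planning gap (it would otherwise
    land on some default network with more access than it needs), so raise."""
    groups = {}
    for dev in inventory:
        plan = VLAN_PLAN.get(dev.needs)
        if plan is None:
            raise ValueError(f"{dev.name}: no VLAN planned for profile {sorted(dev.needs)}")
        groups.setdefault(plan[0], []).append(dev.name)
    return groups


def build_policy():
    """Derive inter-VLAN rules as (src_vlan, dst_vlan, action) tuples.

    Default deny. A source VLAN may open connections to a destination VLAN only
    when the destination's profile is a subset of the source's, so "lan" can
    reach "iot" to control a camera, but "iot" can never initiate toward "lan".
    Egress to the internet is accepted for every VLAN whose profile includes it.
    Return traffic for accepted connections is left to the stateful firewall."""
    vlans = {name: profile for profile, (name, _, _) in VLAN_PLAN.items()}
    rules = []
    for src, src_profile in vlans.items():
        rules.append((src, "internet", "accept" if INTERNET in src_profile else "drop"))
        for dst, dst_profile in vlans.items():
            if src == dst:
                continue
            rules.append((src, dst, "accept" if dst_profile <= src_profile else "drop"))
    return rules


def can_initiate(rules, src, dst):
    """First matching rule wins; anything not covered by a rule is dropped."""
    for rule_src, rule_dst, action in rules:
        if rule_src == src and rule_dst == dst:
            return action == "accept"
    return False


if __name__ == "__main__":
    for vlan, members in group_devices(INVENTORY).items():
        print(f"VLAN {vlan}: {', '.join(members)}")
    for src, dst, action in build_policy():
        print(f"{src:>6} -> {dst:<9} {action}")
```

The useful check is the negative one: after the policy is derived, asserting that `can_initiate(rules, "iot", "lan")` is `False` is the thing to keep in a test as the inventory grows, because adding a device with a new profile forces you to decide its VLAN explicitly instead of inheriting lateral access by accident.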
Since I work with network engineers (and since I now work from home permanently), I thought it would be good to upgrade my home network from consumer level gear to commercial level gear. I started down the Unifi path, but didn’t really care for the network controller requirement, and I wanted gear that was more like enterprise level gear. My requirements were these:
- Layer-3 switch with SSH access.
- A router that could do deep packet inspection and still route at gigabit speeds.
What I was looking for were devices that I could use to segment my network (security learning and practice), with SSH access for automation (config mgmt - backup/restore), customization, etc.
Remember, everything here was to promote an environment where I could learn and grow while building skills I can use at work.
A couple of use cases:
- Use Ansible for network automation.
- Use Python for network automation tasks (pull metric data, make a configuration change, etc).
- Secure my network (segmentation, client isolation, etc).
- Monitor network trends (sFlow).
In the end, I opted to stay with Ubiquiti, but I chose to use their EdgeMax gear. However, I did stick with a Unifi AP for wifi. I ended up with the following gear:
- EdgeRouter-4
- EdgeSwitch 24-lite
- Unifi FlexHD
I have no functional need for the EdgeRouter in my home network, as my firewall can handle all my routing needs and can manage VLANs (as can the EdgeSwitch), but I added it for learning purposes. Both Edge devices behave somewhat like a Cisco device: both have console ports that work with roll-over cables, both have SFP ports for uplinks, etc. Both also have a usable webUI, but both can also be completely configured and managed via SSH.
Everything I’ve listed so far has been about network management. I also run KVM with a host of VMs to simulate a server environment. All of my security patching is done via Ansible, and I am also starting to do some provisioning/configuration mgmt with Ansible. I also run Docker, as I think learning Docker is an easy way to learn about containers.
Other technologies in my home lab:
- OPNsense.
- Grafana/Influx monitoring with Telegraf.
- Hubitat - home automation. I chose this device because it allows local mgmt. I want to move to Home Assistant at some point, though, because open-source reasons…
- OpenVAS (similar to Nessus - security vulnerability scanning tool).
- PiHole - local DNS
- Syncthing - this is a project that I am just starting. I’ve got too many computers (if that is such a thing) and I want my home directory to follow me around.
- Unifi controller (locally hosted and managed - no cloudkey here).
I also have a Kubernetes cluster running on 4 RPI-4s, but it is a work in progress and is not yet hosting any containers/pods. This is another learning project. All of the RPI-4s are using PoE hats and are connected to an L3 PoE switch. This means fewer cables to manage.
Ok, time to end this wall of text.