Given the heat of the summer in the Central Valley, where we exceed 100F for days at a time, I am on a kick to optimize things. Nodes in my cluster have been shut down, windows have been covered, and all the other low-hanging fruit has been harvested. Now it is time to begin looking at what further improvements can be made!

My hypothesis is that my organically grown network can be optimized, reducing load on the network devices themselves and possibly improving security as well. Currently I have a hardwired network which looks something like this:

  • Router (Edge Device)
    • ISP Media Bridge
    • Overpowered workstation
    • Backbone Switch
      • Other k8s nodes
      • NAS
      • Printer
      • Scanner
      • Access Point
      • Leaf Switches
        • Game Consoles
        • Hard linked Computers
        • TVs & IoT

On the wireless segment we have the following types of devices:

  • Personal Laptops
  • Security Cameras
  • Work Laptops
  • Phones & Tablets
  • TVs and IoT devices

The Overpowered Workstation actually runs as the k8s control plane. I would love to move beyond a single node here, but having a single node lets me scale down when the heat demands it. All node components, including the kubelet, coordinate through the control plane, meaning each node sends a lot of traffic to the backbone switch, which can handle it on its way to the router. Being a firewall as well, the router faithfully enforces its rules and then copies the packet to the target interfaces.

Edge Device (Router)

I keep going back and forth on what to call this device. It is a router, a firewall, core network services (DHCP, DNS, NTP, etc.), among a few others. I am settling on Edge Device from here on out.

Anyway, the edge device has six independent network interfaces. Currently, the ISP bridge supports LACP LAGG on two of its four ports, which supposedly offer 1.25Gbps, exceeding the 1Gbps speed in each direction, so I would like to keep two ports lagged. This leaves four remaining. Since the backbone switch also supports LACP LAGG, I was thinking of using that: if any traffic needs to be sent to the edge device to cross subnets, it would give the device 4Gbps in each direction to do so. If the ISP ever exceeds 2Gbps, which would justify additional LAGG ports, I will need to reconfigure in the future. I will have more usage data by then, though.

Subnets

The following subnets are a configuration I am currently considering. Sizing has been intentionally left out at this stage until I settle on some key decisions. The UniFi switches I use are unable to allow cross-subnet communication. As a result all inter-subnet traffic must traverse the Edge Device, which is both a blessing and a curse.

  • Network Infrastructure - All switches and access points will be placed on this network. Since I use VLAN tagging to make all these subnets happen, they will be on the default VLAN for the entire site.
  • HomeLab (named Workshop) - This would be a statically allocated pool, since that makes accessing nodes and routing into k8s super easy.
    • Overpowered Workstation
    • Kubernetes nodes
    • NAS - There is some risk with this device. Our NAS is not just used with our personal computers; it is also used by Kubernetes to host Persistent Volumes and as a MinIO target. The main bandwidth consumers are k8s and personal devices backing up.
  • Personal Computers, Laptops, Phones, Tablets, etc.
  • Scanners and (Paper) Printers - These devices rarely, if ever, need access to the internet; however, they do need access to devices like the NAS for storage.
  • Security System - Ideally I would love to have these devices directly access my UniFi Cloud Key for storage. However, that device definitely belongs in the Network Infrastructure group instead.
  • Game Consoles & TVs - Game consoles and some TVs should only be able to access the internet and nothing more. However, there are some stranger applications, such as the Synology Video Station, which should be allowed access.
  • Work Devices - These devices have no reason to access household systems. As such they are locked out like the Game Consoles & TVs.
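To make the allow-list concrete, here is an added example (my own, not code from the post or from UniFi) that models the inter-subnet policy above as a default-deny rule set on the edge device and audits sample flows against it. Every address, subnet size and port number is a constructed placeholder, since the post deliberately leaves sizing undecided; the MinIO, SMB, IPP and Video Station ports in particular are assumptions, as is the mapping of the Cloud Key into the infrastructure VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed subnet plan (placeholders, not the author's real allocation).
ZONES = {
    "infra":    ipaddress.ip_network("10.0.1.0/24"),   # switches, APs, Cloud Key
    "workshop": ipaddress.ip_network("10.0.10.0/24"),  # workstation, k8s nodes, NAS
    "personal": ipaddress.ip_network("10.0.20.0/24"),
    "printers": ipaddress.ip_network("10.0.30.0/24"),
    "security": ipaddress.ip_network("10.0.40.0/24"),
    "media":    ipaddress.ip_network("10.0.50.0/24"),  # game consoles, TVs
    "work":     ipaddress.ip_network("10.0.60.0/24"),
}
INTERNET = "internet"  # pseudo-zone for any address outside the zones above

NAS = ipaddress.ip_address("10.0.10.5")       # constructed
CLOUD_KEY = ipaddress.ip_address("10.0.1.2")  # constructed


@dataclass(frozen=True)
class Rule:
    src: str                                                  # source zone
    dst: str                                                  # destination zone or INTERNET
    hosts: Optional[FrozenSet[ipaddress.IPv4Address]] = None  # None = any host in dst
    ports: Optional[FrozenSet[int]] = None                    # None = any TCP port


# Allow-list evaluated on the edge device; anything not matched is dropped.
# Port numbers are assumptions (SMB 445, MinIO 9000, IPP 631, JetDirect 9100, DSM 5000).
RULES: List[Rule] = [
    Rule("personal", "workshop", frozenset({NAS}), frozenset({445, 9000})),  # backups, MinIO
    Rule("personal", "printers", None, frozenset({631, 9100})),              # print/scan jobs
    Rule("printers", "workshop", frozenset({NAS}), frozenset({445})),        # scans to NAS
    Rule("security", "infra", frozenset({CLOUD_KEY})),                       # camera footage
    Rule("media", "workshop", frozenset({NAS}), frozenset({5000})),          # Video Station
] + [Rule(z, INTERNET) for z in ("infra", "workshop", "personal", "media", "work")]


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to its zone; anything not in a local subnet is the internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide whether a TCP flow src -> dst:port may cross the edge device."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # Same-subnet traffic is switched locally and never reaches the firewall.
    if src_zone == dst_zone and src_zone != INTERNET:
        return True
    for r in RULES:
        if (r.src == src_zone and r.dst == dst_zone
                and (r.hosts is None or dst_ip in r.hosts)
                and (r.ports is None or port in r.ports)):
            return True
    return False  # default deny, including anything inbound from the internet


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Label each (src, dst, port) flow ALLOW or DENY for reviewing the plan."""
    return [(s, d, p, "ALLOW" if is_allowed(s, d, p) else "DENY") for s, d, p in flows]


if __name__ == "__main__":
    # Constructed sample flows, one per device group in the post.
    sample = [
        ("10.0.20.15", "10.0.10.5", 445),     # laptop backup to NAS
        ("10.0.60.7", "10.0.10.5", 445),      # work laptop to NAS
        ("10.0.50.3", "93.184.216.34", 443),  # game console to internet
        ("10.0.50.3", "10.0.20.15", 22),      # TV to a personal laptop
        ("10.0.30.2", "93.184.216.34", 443),  # printer to internet
        ("10.0.40.9", "10.0.1.2", 443),       # camera to Cloud Key
    ]
    for s, d, p, verdict in audit(sample):
        print(f"{verdict:5} {s} -> {d}:{p}")
```

The point of keeping the policy as data is that the risky NAS question becomes visible: the NAS is the one host reachable from four different zones, so every rule that names it is worth a second look before anything is typed into the edge device.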

Well, the NAS connectivity is really the big risk area. I definitely need to think that one through a bit more before proceeding.