Context
Core networking project: isolate the different traffic types (management, servers, IoT, workstations, guests) with dedicated VLANs, enable L3 inter-VLAN routing directly on the Cisco 3560-CX, and control traffic flows with named ACLs. Keeping routing on the switch (rather than pfSense) removes the single choke-point and offloads internal traffic from the firewall.
VLAN architecture
| VLAN | Name | Network | L3 gateway (SVI) |
|---|---|---|---|
| 10 | MGMT | 172.16.10.0/24 | 172.16.10.2 |
| 20 | SERVERS | 172.16.20.0/24 | 172.16.20.1 |
| 30 | IOT | 172.16.30.0/24 | 172.16.30.1 |
| 40 | TRUSTED | 172.16.40.0/24 | 172.16.40.1 |
| 99 | GUEST | 172.16.99.0/24 | 172.16.99.1 |
What I did
Cisco 3560-CX — L3 inter-VLAN routing
- Created the VLANs and configured one SVI (L3 virtual interface) per VLAN
- Enabled inter-VLAN routing with `ip routing` (Cisco IOS 15.2(7)Ex)
- Configured 802.1Q trunk ports to pfSense, PVE-01/02 and the UniFi controller
- Configured access ports per VLAN for end devices
Named ACLs — traffic filtering policy
Three extended named ACLs, each applied inbound on the SVI of the VLAN it polices (inbound on an SVI filters packets arriving from that VLAN's hosts, before they are routed). Cisco IOS writes networks with wildcard masks rather than CIDR prefixes, so `172.16.30.0/24` becomes `172.16.30.0 0.0.0.255`; the `remark` lines carry the intent of each entry:

```
ip access-list extended ACL-IOT-IN
 remark VLAN 30 (IOT) -> other VLANs
 remark DNS allowed
 permit udp 172.16.30.0 0.0.0.255 any eq 53
 remark HTTP/HTTPS to Internet
 permit tcp 172.16.30.0 0.0.0.255 any eq 80
 permit tcp 172.16.30.0 0.0.0.255 any eq 443
 remark block internal infra
 deny ip 172.16.30.0 0.0.0.255 172.16.0.0 0.0.255.255
 remark rest OK (Internet)
 permit ip any any
!
ip access-list extended ACL-GUEST-IN
 remark VLAN 99 (GUEST) -> other VLANs
 permit udp 172.16.99.0 0.0.0.255 any eq 53
 permit tcp 172.16.99.0 0.0.0.255 any eq 80
 permit tcp 172.16.99.0 0.0.0.255 any eq 443
 remark full homelab isolation; no trailing permit, implicit deny ends the list
 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.255.255
!
ip access-list extended ACL-TRUSTED-IN
 remark VLAN 40 (TRUSTED) - trusted workstations, full access granted
 permit ip any any
!
interface Vlan30
 ip access-group ACL-IOT-IN in
interface Vlan99
 ip access-group ACL-GUEST-IN in
interface Vlan40
 ip access-group ACL-TRUSTED-IN in
```

Entries are evaluated top to bottom, the first match wins, and an implicit `deny ip any any` closes every list. Two consequences of the ordering above are worth testing rather than assuming:
- In ACL-IOT-IN and ACL-GUEST-IN the three `permit ... any eq 53/80/443` entries sit above the `deny ... 172.16.0.0 0.0.255.255`, so an IoT or guest client can still reach UDP 53 and TCP 80/443 on any internal host, SERVERS and MGMT included; the deny only covers other ports. If those ports are meant for the Internet only, move the internal deny above them (and permit an internal resolver explicitly if one is used).
- ACL-GUEST-IN has no trailing `permit ip any any`, so guest traffic to anything other than 53/80/443 is dropped by the implicit deny whether it is Internet-bound or not; the trailing permit in ACL-IOT-IN is what lets other Internet-bound IoT traffic through. An inbound SVI ACL also filters packets addressed to the SVI itself, so the internal deny makes the gateway address (for example 172.16.30.1) unreachable, ICMP included, from those VLANs.
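As an added example (not part of the project's switch configuration), the following Python script simulates first-match evaluation of the three ACLs above, so the policy can be checked offline before it is pushed to the 3560-CX. It also models a hardened ACL-IOT-IN with the internal deny moved above the web permits; the test flows, the client addresses and the internal resolver at 172.16.20.53 are constructed for illustration and do not come from the page.

```python
"""First-match simulation of the project's named ACLs (added example).

Models how Cisco IOS walks an extended ACL top to bottom, stops at the first
matching entry, and applies an implicit "deny ip any any" at the end.
All flows below are constructed test cases, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dport."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None = any port / protocol without ports

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:   # "ip" matches every protocol
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: Sequence[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, index of the matching ACE); (deny, -1) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, i
    return "deny", -1


IOT = ip_network("172.16.30.0/24")
GUEST = ip_network("172.16.99.0/24")
INTERNAL = ip_network("172.16.0.0/16")   # wildcard 0.0.255.255

# The three ACLs exactly in the order the page lists them.
ACL_IOT_IN = [
    Ace("permit", "udp", IOT, ANY, 53),
    Ace("permit", "tcp", IOT, ANY, 80),
    Ace("permit", "tcp", IOT, ANY, 443),
    Ace("deny", "ip", IOT, INTERNAL),
    Ace("permit", "ip", ANY, ANY),
]
ACL_GUEST_IN = [
    Ace("permit", "udp", GUEST, ANY, 53),
    Ace("permit", "tcp", GUEST, ANY, 80),
    Ace("permit", "tcp", GUEST, ANY, 443),
    Ace("deny", "ip", GUEST, INTERNAL),
    # no trailing permit: everything else hits the implicit deny
]
ACL_TRUSTED_IN = [Ace("permit", "ip", ANY, ANY)]

# Hardened variant. Assumption: an internal resolver at 172.16.20.53 (the page
# names none). The internal deny now precedes the "any" permits, so the resolver
# is the only host inside 172.16.0.0/16 reachable from VLAN 30.
RESOLVER = ip_network("172.16.20.53/32")
ACL_IOT_IN_FIXED = [
    Ace("permit", "udp", IOT, RESOLVER, 53),
    Ace("deny", "ip", IOT, INTERNAL),
    Ace("permit", "udp", IOT, ANY, 53),
    Ace("permit", "tcp", IOT, ANY, 80),
    Ace("permit", "tcp", IOT, ANY, 443),
    Ace("permit", "ip", ANY, ANY),
]


def policy_matrix(acl: Sequence[Ace], src: str) -> dict:
    """Probe one ACL with a fixed set of constructed flows; returns {label: action}."""
    flows = {
        "dns_to_server_vlan":   ("udp", src, "172.16.20.10", 53),
        "https_to_server_vlan": ("tcp", src, "172.16.20.10", 443),
        "ssh_to_mgmt_vlan":     ("tcp", src, "172.16.10.2", 22),
        "icmp_to_gateway":      ("icmp", src, "172.16.30.1", None),
        "https_to_internet":    ("tcp", src, "198.51.100.7", 443),
        "ssh_to_internet":      ("tcp", src, "198.51.100.7", 22),
    }
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, acl, host in (("ACL-IOT-IN", ACL_IOT_IN, "172.16.30.25"),
                            ("ACL-GUEST-IN", ACL_GUEST_IN, "172.16.99.25"),
                            ("ACL-IOT-IN (hardened)", ACL_IOT_IN_FIXED, "172.16.30.25")):
        print(name)
        for flow, verdict in policy_matrix(acl, host).items():
            print(f"  {flow:<22} {verdict}")
```

Running it shows `https_to_server_vlan` as `permit` for the page's ACL-IOT-IN and ACL-GUEST-IN and as `deny` for the hardened list, while `ssh_to_internet` is `permit` for IoT but `deny` for guest (implicit deny). Pings between VLANs are denied in both versions, which is why a ping-only test cannot distinguish them.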
D-Link DGS-1210-08P
- Enabled 802.1Q VLANs on secondary PoE access switch
- Port assignment per VLAN (access / tagged)
UniFi — VLAN-tagged SSIDs
- 3 separate SSIDs, each mapped to its VLAN: TRUSTED (VLAN 40), IOT (VLAN 30), GUEST (VLAN 99)
- 802.1Q trunks carrying VLANs 30, 40 and 99 to the UniFi controller and to all 3 APs
pfSense — reduced perimeter
- After enabling L3 routing on the switch: pfSense limited to WAN/NAT and Internet ingress/egress filtering
- Inter-VLAN rules fully delegated to Cisco 3560-CX ACLs
- Cleaner separation of responsibilities, less firewall load
Result
Segmented infrastructure with:
- IoT and guest devices isolated from the SERVERS/MGMT VLANs on every port except those the ACLs permit towards any destination (UDP 53, TCP 80/443)
- Centralised management from VLAN MGMT (`172.16.10.0/24`)
- Hardware-accelerated inter-VLAN routing (Cisco ASICs), bypassing pfSense for internal traffic
- Security policy documented and verified by testing (blocked inter-VLAN pings match the ACL policy; TCP 80/443 towards internal hosts needs a separate connect test, since ICMP does not exercise those permit entries)
Skills covered
This project directly covers network infrastructure design (B2.1), installation and configuration (B2.2), infrastructure evolution through ACL tuning (B2.3), and cybersecurity of network infrastructure (B3.5).