Home Enterprise Overview

Infrastructure Components

Network Services

| Hostname | IP Address | Role |
|---|---|---|
| vyos (VIP) | 10.50.1.1 | VyOS HA Firewall/Router (VRRP), DHCP, Inter-VLAN Routing |
| 3560cx-01 | 10.50.1.10 | Wired Access Switch (C3PL IBNS2.0, 802.1X Authenticator) |
| 9800-wlc-01 | 10.50.1.40 | Wireless Controller (C9800-CL, FlexConnect, CWA) |

Identity Services

| Hostname | IP Address | Role |
|---|---|---|
| ise-01 | 10.50.1.20 | ISE Primary (Admin, MnT, PSN, pxGrid, ERS/OpenAPI) |
| ise-02 | 10.50.1.20 | ISE Secondary (Admin, MnT, PSN) - Testing/Backup |
| ipsk-mgr-01 | 10.50.1.30 | iPSK Manager Primary (MySQL, Web UI, ERS API) |

Supporting Services

| Hostname | IP Address | Role |
|---|---|---|
| dc-01 (home-dc01) | 10.50.1.50 | Domain Controller, AD CS (HOME-ROOT-CA) |
| keycloak-01 | 10.50.1.80 | Identity Provider (SAML SSO) |

Compute Infrastructure

| Hostname | IP Address | Role |
|---|---|---|
| kvm-01 | 10.50.1.99 | KVM Hypervisor (Supermicro E300-9D, hosts ISE VMs) |
| modestus-p50 | 10.50.40.100 | Linux Test Workstation (ThinkPad P50 (Lenovo), Arch Linux, enp0s31f6) |

Network VLANs

Infrastructure VLANs (servers/services)

| VLAN | Name | Subnet | Purpose |
|---|---|---|---|
| 100 | INFRA | 10.50.1.0/24 | Network hardware, hypervisors, k3s nodes |
| 110 | SECURITY | 10.50.110.0/24 | Crown jewels: Vault, ISE, secrets |
| 120 | SERVICES | 10.50.120.0/24 | General VMs: Keycloak, Gitea, FreeIPA, BIND |

Client VLANs (endpoints only)

| VLAN | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | DATA | 10.50.10.0/24 | Corporate wired/wireless devices |
| 20 | VOICE | 10.50.20.0/24 | VoIP phones (QoS) |
| 30 | GUEST | 10.50.30.0/24 | Guest portal (internet only) |
| 40 | IOT | 10.50.40.0/24 | IoT devices, limited access |
| 999 | CRITICAL_AUTH | — | 802.1X failure quarantine (no gateway) |

Linux 802.1X testing: Linux workstations authenticating via 802.1X EAP-TLS are assigned to VLAN 40 (RESEARCH_VLAN) using the Linux_EAPTLS_Permit authorization profile.

DNS Records

DNS Authority: All DNS is managed by BIND servers (bind-01 at 10.50.1.90, bind-02 at 10.50.1.91), NOT by the Windows Domain Controller.

Required DNS A records in inside.domusdigitalis.dev zone:

| Hostname | IP Address | Purpose |
|---|---|---|
| vyos (VIP) | 10.50.1.1 | VyOS HA Firewall/Router |
| 3560cx-01 | 10.50.1.10 | Access Switch |
| ise-01 | 10.50.1.20 | ISE Primary |
| ise-02 | 10.50.1.20 | ISE Secondary/Testing |
| ipsk-mgr-01 | 10.50.1.30 | iPSK Manager |
| 9800-wlc-01 | 10.50.1.40 | Wireless Controller |
| dc-01 / home-dc01 | 10.50.1.50 | Domain Controller / AD CS |
| keycloak-01 | 10.50.1.80 | SAML IdP |
| kvm-01 | 10.50.1.99 | KVM Hypervisor |
| modestus-p50 | 10.50.40.100 | Linux Workstation (RESEARCH_VLAN) |

Managing DNS (BIND)

DNS records are managed via BIND zone files on bind-01 (10.50.1.90):

Zone File Location: /var/named/inside.domusdigitalis.dev.zone

CLI Method:

# SSH to BIND primary and edit zone
ssh ansible@bind-01.inside.domusdigitalis.dev

# Edit zone file (increment serial!)
sudo vim /var/named/inside.domusdigitalis.dev.zone

# Reload zone
sudo rndc reload inside.domusdigitalis.dev

See BIND Operations Quick Reference for detailed zone management.

Verify DNS Resolution

# Test resolution from Linux workstation
dig +short ise-01.inside.domusdigitalis.dev
dig +short ise-02.inside.domusdigitalis.dev
dig +short dc-01.inside.domusdigitalis.dev
dig +short 3560cx-01.inside.domusdigitalis.dev

# Expected output:
# 10.50.1.20
# 10.50.1.20
# 10.50.1.50
# 10.50.1.10

Query BIND directly with dig @10.50.1.90 inside.domusdigitalis.dev AXFR (zone transfer), or use netapi bind zone list if available.
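The manual dig checks above cover a handful of names; the script below is an added example (not part of this page or of the lab's own tooling) that checks the whole required-records table at once. It parses a BIND zone file in the format kept on bind-01, reports inventory names that are missing from the zone or point to a different address, lists names that share one address, confirms that a new SOA serial is actually later than the old one (the "increment serial!" step), and maps each address to the VLAN from the VLAN table. The zone text embedded in it is constructed for the example, with one deliberately drifted record (keycloak-01) and one missing record (kvm-01); its serial numbers are placeholders. Point `parse_zone` at a copy of /var/named/inside.domusdigitalis.dev.zone, or at the text of the AXFR output, before and after an edit.

```python
"""Check a BIND zone file for inside.domusdigitalis.dev against the host
inventory. Added example, not the lab's own tooling; the embedded zone text
is constructed and its serial numbers are placeholders."""
import ipaddress
import re

ZONE = "inside.domusdigitalis.dev"

# Required A records from the DNS Records table.
EXPECTED_A = {
    "vyos": "10.50.1.1", "3560cx-01": "10.50.1.10", "ise-01": "10.50.1.20",
    "ise-02": "10.50.1.20", "ipsk-mgr-01": "10.50.1.30", "9800-wlc-01": "10.50.1.40",
    "dc-01": "10.50.1.50", "keycloak-01": "10.50.1.80", "kvm-01": "10.50.1.99",
    "modestus-p50": "10.50.40.100",
}

# VLAN table from the page; VLAN 999 (CRITICAL_AUTH) has no subnet and is omitted.
VLANS = {
    100: ("INFRA", "10.50.1.0/24"), 110: ("SECURITY", "10.50.110.0/24"),
    120: ("SERVICES", "10.50.120.0/24"), 10: ("DATA", "10.50.10.0/24"),
    20: ("VOICE", "10.50.20.0/24"), 30: ("GUEST", "10.50.30.0/24"),
    40: ("IOT", "10.50.40.0/24"),
}

# Constructed sample zone: keycloak-01 has drifted and kvm-01 is missing.
SAMPLE_ZONE = """\
$ORIGIN inside.domusdigitalis.dev.
$TTL 3600
@  IN SOA bind-01.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. (
       2024010105 ; serial (placeholder)
       3600 900 1209600 300 )
@            IN NS bind-01.inside.domusdigitalis.dev.
bind-01      IN A  10.50.1.90
vyos         IN A  10.50.1.1
3560cx-01    IN A  10.50.1.10
ise-01       IN A  10.50.1.20
ise-02       IN A  10.50.1.20
ipsk-mgr-01  IN A  10.50.1.30
9800-wlc-01  IN A  10.50.1.40
dc-01        IN A  10.50.1.50
keycloak-01  IN A  10.50.1.81   ; drifted from the inventory (10.50.1.80)
modestus-p50 600 IN A 10.50.40.100
"""

_A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)$")
_SOA_SERIAL = re.compile(r"\bSOA\b.*?\(\s*(\d+)", re.S)


def parse_zone(text: str) -> tuple[int, dict[str, str]]:
    """Return (SOA serial, {zone-relative owner name: IPv4}) from zone text."""
    # Drop ';' comments first so they cannot confuse the record regex.
    lines = [line.split(";", 1)[0].rstrip() for line in text.splitlines()]
    m = _SOA_SERIAL.search("\n".join(lines))
    serial = int(m.group(1)) if m else -1
    records = {}
    for line in lines:
        m = _A_RECORD.match(line)
        if m:
            name = m.group(1).rstrip(".")
            if name.endswith("." + ZONE):          # FQDN owner -> relative name
                name = name[: -len(ZONE) - 1]
            records[name] = m.group(2)
    return serial, records


def check_records(actual: dict[str, str], expected: dict[str, str] = EXPECTED_A) -> dict:
    """Report inventory names that are missing, point elsewhere, or share an address."""
    missing = sorted(n for n in expected if n not in actual)
    mismatched = {n: (ip, actual[n]) for n, ip in expected.items()
                  if n in actual and actual[n] != ip}
    by_ip: dict[str, list[str]] = {}
    for name, ip in actual.items():
        by_ip.setdefault(ip, []).append(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return {"missing": missing, "mismatched": mismatched, "shared_ip": shared}


def vlan_for_ip(ip: str):
    """Map an address to (VLAN id, name) from the VLAN table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, (name, net) in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return vid, name
    return None


def serial_incremented(old: int, new: int) -> bool:
    """True if `new` is later than `old` in RFC 1982 32-bit serial arithmetic."""
    return 0 < (new - old) % 2**32 < 2**31


if __name__ == "__main__":
    serial, records = parse_zone(SAMPLE_ZONE)
    print("serial:", serial, "incremented:", serial_incremented(2024010104, serial))
    for key, value in check_records(records).items():
        print(f"{key}: {value}")
    for name, ip in sorted(records.items()):
        print(f"{name:14} {ip:14} {vlan_for_ip(ip)}")
```

Names that share an address (ise-01 and ise-02 in the table above) are reported rather than treated as errors, since the inventory lists them that way. If the AXFR route is used to feed this check, limit who may transfer the zone with the `allow-transfer` option in named.conf so that only bind-02 and the host running the check can pull the full record set.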