ishNet — Network Deployment Plan

Phased rollout for 3-story row home · UCG Max · Fiber 1 Gbps+ · 8 VLANs (7 existing + 1 new) · Color-coded cabling

VLAN Architecture

| Network | VLAN ID | Subnet | Router | Status |
| --- | --- | --- | --- | --- |
| LAN | 1 | 192.168.1.0/24 | Cloud Gateway Max | Existing |
| Personal | 10 | 10.0.10.0/24 | Cloud Gateway Max | Existing |
| HomeLab | 20 | 10.0.30.0/24 | Cloud Gateway Max | Existing |
| IoT | 30 | 10.0.20.0/24 | Cloud Gateway Max | Existing |
| Guest | 40 | 10.0.40.0/24 | Cloud Gateway Max | Existing |
| Work | 90 | 10.0.80.0/24 | Cloud Gateway Max | Existing |
| Tor | 99 | 192.168.10.0/24 | USW Pro Max 16 | Existing |
| Inter-VLAN | 4040 | 10.255.253.0/24 | Cloud Gateway Max | Existing |
| Security | 50 ★ | 10.0.50.0/24 | Cloud Gateway Max | NEW — Create in Phase 1 |

★ VLAN 50 is the only new VLAN to create. Subnet 10.0.50.0/24 follows your existing 10.0.x.0 scheme.

Ethernet Cable Color Code — CablesAndKits Cat6A Slim Booted

Blue Personal (10)
Purple HomeLab (20)
Yellow IoT (30)
Green Guest (40)
Orange Security (50)
Red Work (90)
White Trunk / Uplink
Gray Management (1)
Black Spare

Source: CablesAndKits Cat6A Slim Booted · Your 300ft CableMatters spool → trunk runs (white labels). Buy colored patch cables per VLAN.

Equipment Inventory

| Item | Status |
| --- | --- |
| UCG Max (Gateway) | Installed |
| ProMax 16 (2F) | Installed |
| 2× Switch 2.5G (2F) | Installed |
| Flex 1G (1F) | Installed |
| U6 IW (1F AP) | Installed |
| U6 Pro (2F AP) | Installed |
| NVR Instant | New |
| Doorbell Lite | New |
| WiFi Chime | New |
| 2× G5 Ultra Turret | New |
| 2× Flex 2.5G PoE 8 | New |
| 2× Switch 2.5G | New |
| U7 Lite (Basement) | New |
| Arm Mount (2F) | New |
| 300ft Cat6 Spool | New |

Phase 1 — Security System First

Deploy cameras, doorbell, NVR, and chime on a dedicated Security VLAN (50). Use one new Flex 2.5G PoE 8 on the first floor to power all PoE security devices. NVR sits in the 2nd floor rack connected to the ProMax 16.

⚡ Prerequisites: Create VLAN 50 (Security) — this is the only new VLAN needed. All other VLANs (10, 20, 30, 40, 90, 99) already exist. Create a "Security" port profile for VLAN 50.

2nd Floor — Office / Rack

ISP Entry + Core
ISP Fiber 1 Gbps+
UCG Max Gateway · All VLANs routed
ProMax 16 Core Switch · 2F Rack · Trunked: All VLANs · P1: NVR on port (VLAN 50)
TRUNK
NVR Instant · VLAN 50 · Security · ORANGE cable
TRUNK to 1F · WHITE cable
U6 Pro (2F AP) · Phase 2
★ PHASE 1 ACTIVE

1st Floor — Living Space

Security PoE Hub
FROM 2F ProMax
Flex 2.5G PoE 8 · NEW · 1st Floor Security PoE Hub · Ports: VLAN 50 access + Trunk uplink
Doorbell Lite · PoE · VLAN 50 · Front Door · ORANGE
G5 Ultra #1 · PoE · VLAN 50 · Front Exterior · ORANGE
G5 Ultra #2 · PoE · VLAN 50 · Back Patio · ORANGE
WiFi Chime · WiFi · VLAN 50 · Pairs w/ Doorbell
Flex 1G (existing) → Phase 2: personal devices
All camera PoE powered by Flex 2.5G PoE 8 (60W budget)

Basement — Creative Space

Phase 2
No Phase 1 work on this floor

Phase 1 — Step-by-Step Checklist

1. NEW VLAN: Create VLAN 50 "Security" in UniFi → Settings → Networks → Create New. Subnet: 10.0.50.0/24 · DHCP on · Router: Cloud Gateway Max · No inter-VLAN routing · Follows your existing 10.0.x.0 scheme.
2. NEW PROFILE: Create a Port Profile called "Security" → VLAN 50 (native/untagged). Settings → Profiles → Port Profiles → Add.
3. Adopt the new Flex 2.5G PoE 8 in UniFi → assign it a name like "1F-Security-Switch".
4. Run a Cat6 trunk cable (WHITE) from ProMax 16 (2F) down to the Flex PoE 8 (1F). Use your 300ft spool. Label both ends: "TRUNK 2F↔1F".
5. Configure Flex PoE 8 ports: Port 1: Trunk-All (uplink to ProMax) · Ports 2-4: Security profile (VLAN 50) for cameras/doorbell · Remaining ports: leave default for now.
6. Connect NVR Instant to ProMax 16 (2F rack) with a CYAN patch cable → set port to Security profile (VLAN 50).
7. Run ORANGE Cat6 from Flex PoE 8 to: Doorbell Lite (front door), G5 Ultra #1 (front), G5 Ultra #2 (back patio). PoE from the Flex will power all three. No separate power needed.
8. Plug in WiFi Chime near the front door — it pairs with Doorbell Lite over WiFi. Connect chime to your ish-IoT WiFi (VLAN 30) or create a Security SSID on VLAN 50.
9. Adopt all devices in UniFi Protect (NVR, Doorbell, G5s). Verify live feeds.
10. Add firewall rules for VLAN 50: ALLOW: Security → Internet (firmware updates) · ALLOW: Security → Security (NVR ↔ cameras) · BLOCK: Security → All other VLANs · BLOCK: All other VLANs → Security (except management from LAN 1 if needed).

Phase 1 — Port Assignments

| Switch | Port | Device | Profile | Cable |
| --- | --- | --- | --- | --- |
| ProMax 16 (2F) | P1 | UCG Max (WAN uplink) | Trunk | White |
| ProMax 16 (2F) | P2 | NVR Instant | Security 50 | Orange |
| ProMax 16 (2F) | P3 | Trunk → 1F Flex PoE 8 | Trunk-All | White |
| Flex PoE 8 (1F) | P1 | Trunk ← 2F ProMax | Trunk-All | White |
| Flex PoE 8 (1F) | P2 | Doorbell Lite (PoE) | Security 50 | Orange |
| Flex PoE 8 (1F) | P3 | G5 Ultra #1 — Front (PoE) | Security 50 | Orange |
| Flex PoE 8 (1F) | P4 | G5 Ultra #2 — Back (PoE) | Security 50 | Orange |

Phase 2 — Core Network + All Floors Wired

Wire all three floors with trunk uplinks. Deploy APs, connect personal devices (Apple TV, Mini PC, Studio PC, Dev PC, Work PC). Assign proper VLANs to every port. Your existing Flex 1G handles personal devices on 1F. Second new Flex 2.5G PoE 8 goes to the basement for the studio + AP.

⚡ Prerequisites: Phase 1 complete. Your existing VLANs (Personal 10, HomeLab 20, IoT 30, Work 90) are already configured. Ensure you have port profiles created for each — if not, create access profiles for each VLAN under Settings → Profiles.

2nd Floor — Office / Rack (Expanded)

Core + HomeLab Prep
ISP Fiber 1 Gbps+
UCG Max Gateway · Routes all VLANs
ProMax 16 Core Switch · 16 Ports · P1: UCG (trunk) · P2: NVR (VLAN 50) · P3: Trunk→1F · P4: Trunk→Basement
NVR Instant · VLAN 50 · ORANGE
Switch 2.5G #1 · Existing · HomeLab · Dev PC (VLAN 20) · WHITE trunk
Switch 2.5G #2 · Existing · Work · Work PC (VLAN 90) · WHITE trunk
Dev PC · VLAN 20 · PURPLE
Work PC · VLAN 90 · RED
U6 Pro (Hallway) · All SSIDs · Arm Mount · WHITE · PoE from ProMax
WHITE → 1F
WHITE → Basement

1st Floor — Living Space (Full Wiring)

Security + Personal + IoT
FROM 2F
Flex PoE 8 (P1) · Security Cameras · Doorbell + 2x G5
Flex 1G (existing) · Personal Devices · Apple TV + Mini PC
U6 IW (1F AP) · All SSIDs broadcast
Apple TV · VLAN 10 · BLUE
Mini PC · VLAN 10 · BLUE
IoT Devices (WiFi) · Ecobee · Hue · Lutron · Govee → ish-IoT SSID (VLAN 30)
ROUTING: Flex PoE 8 trunked for security. Flex 1G trunked for personal + AP uplink. Both uplink back to ProMax 16 (2F) via WHITE trunk cables.

Basement — Creative Space (New)

Studio + Wireless
FROM 2F ProMax · WHITE trunk
Flex 2.5G PoE 8 #2 · NEW · Basement Switch · P1: Trunk · P2: Studio PC · P3: U7 Lite AP
Studio PC · VLAN 10 · Personal · BLUE
U7 Lite · All SSIDs · Basement AP · PoE powered
Music Room · 275 sq ft · Studio PC + U7 Lite cover this floor

Phase 2 — Step-by-Step Checklist

1. Verify port profiles exist for your existing VLANs: Personal-10, HomeLab-20, IoT-30, Work-90. Settings → Profiles → Port Profiles. If any are missing, create them as native/untagged access profiles for each VLAN.
2. Run a WHITE trunk cable from ProMax 16 (2F) to basement — adopt Flex 2.5G PoE 8 #2 as "Basement-Switch". Use your 300ft spool. This is the longest run — measure first (~30-40ft through interior wall chase).
3. Configure Flex PoE 8 #2 (Basement): Port 1 = Trunk, Port 2 = Personal (VLAN 10), Port 3 = Trunk (for U7 Lite AP).
4. Connect Studio PC with BLUE patch cable → Port 2 on Basement Flex.
5. Mount and adopt U7 Lite in basement — PoE powered from Flex PoE 8 #2. Assign all 4 WiFi SSIDs to this AP (ishNet, ish-IoT, ish-Work, ish-Benefactor).
6. Configure existing Flex 1G (1F): Assign Personal profile to ports for Apple TV + Mini PC. BLUE patch cables to Apple TV and Mini PC.
7. Mount U6 Pro with arm mount in 2nd floor hallway — connect to ProMax 16 via trunk port.
8. Assign existing Switch 2.5G #1 → HomeLab use: Dev PC on PURPLE cable (VLAN 20).
9. Assign existing Switch 2.5G #2 → Work PC on RED cable (VLAN 90).
10. Verify all IoT devices connect to ish-IoT SSID (VLAN 30) — Ecobee, Hue, Lutron, Govee.
11. Add firewall rules for new VLANs: IoT (30): Internet only, block inter-VLAN · Work (90): Internet only, block all local · Personal (10): Allow to IoT (for Hue/Ecobee control), block to HomeLab · Guest (40): Internet only, strict isolation.

Phase 3 — HomeLab Buildout + Optimization

Deploy the 12U rack with Proxmox cluster, Mac Mini, gaming/AI workstation, and IoT hub shelf. ProMax 16 handles all rack switching — no extra switches needed in the rack.

⚡ Prerequisites: Phase 1 + 2 complete. 12U rack, iStarUSA chassis, Sonnet RackMac, Rosewill case, patch panel acquired.

2nd Floor — 12U Rack (Final Layout)

Production HomeLab
12U RACK
U1: iStarUSA #1 — ThinkCentre m720q ×2 · Proxmox 1-2 · PURPLE · HomeLab VLAN 20
U2: iStarUSA #2 — ThinkCentre m720q ×2 · Proxmox 3-4 · PURPLE · HomeLab VLAN 20
U3: Sonnet RackMac — Mac Mini · PURPLE · HomeLab VLAN 20
U4: USW ProMax 16 — Core Switch · All servers + trunks + NVR + APs · Only switch in rack
U5: Vented Shelf — IoT Hubs · Aqara · Hue · Lutron · Zigbee · BT · YELLOW · IoT VLAN 30
U6-U9: Rosewill RSV-L4500U (4U) · Gaming PC / AI Workstation · RTX 3070 · Ryzen 7 5800X · 32GB RAM · BLUE cable · Personal VLAN 10
U10: Patch Panel — 24-port Keystone
U11: Cable Management (horizontal)
U12: 1U Blank + 2× ARCTIC P12 fans (exhaust)
REAR: Tripp Lite PDU (vertical mount)

NVR Instant · Security · VLAN 50 · ORANGE
U6 Pro (Hallway) · All SSIDs · Arm Mount · WHITE · PoE
Dev PC (desk) · HomeLab · VLAN 20 · PURPLE
Work PC (desk) · Work · VLAN 90 · RED

TRUNK CONNECTIONS (all WHITE)
ProMax → Patch Panel → 1F Flex PoE 8 (Security)
ProMax → Patch Panel → 1F Flex 1G (Personal)
ProMax → Patch Panel → Basement Flex PoE 8
NVR → ORANGE → ProMax

PROMAX 16 PORT PLAN
P1-P4: Proxmox 1-4 (PURPLE)
P5: Mac Mini (PURPLE)
P6: IoT Hubs (YELLOW)
P7: Gaming PC (BLUE)
P8: NVR (ORANGE)
P9: Trunk → 1F Security
P10: Trunk → 1F Personal
P11: Trunk → Basement
P12: U6 Pro AP (PoE)
P13: Dev PC (PURPLE)
P14: Work PC (RED)
P15-16: Spare

Phase 3 — Step-by-Step Checklist

1. Mount rack gear: iStarUSA #1 (U1) → #2 (U2) → RackMac (U3) → ProMax 16 (U4) → IoT shelf (U5) → Rosewill 4U (U6-9) → Patch panel (U10) → Cable mgmt (U11) → Fan panel (U12). Rear: Tripp Lite PDU vertical. Run all server cables through patch panel.
2. Wire Proxmox 1-4 to ProMax P1-P4 with PURPLE 1ft patch cables (HomeLab VLAN 20).
3. Wire Mac Mini to ProMax P5 with PURPLE 1ft patch cable (HomeLab VLAN 20).
4. Wire IoT hubs to ProMax P6 with YELLOW patch cable(s) (IoT VLAN 30).
5. Wire Gaming PC to ProMax P7 with BLUE 1ft patch cable (Personal VLAN 10).
6. Dev PC + Work PC at desk → run PURPLE (P13) and RED (P14) from ProMax through patch panel to desk.
7. Decide on 4 extra Switch 2.5Gs (2 existing + 2 new): Option A: Redeploy to floors (replace Flex 1G on 1F, etc). Option B: Sell/gift. Option C: Keep 1 as cold spare. ProMax 16 + Flex switches already cover everything.
8. DNS filtering: Guest → Cloudflare Family (1.1.1.3) · IoT → Pi-hole on Proxmox · Security → NTP + Ubiquiti cloud only.
9. Final firewall lockdown: IoT → block all RFC1918 except gateway · Personal → IoT allowed (Hue/Ecobee) · Security → Internet + NVR only · Guest → strict isolation.
10. Enable mDNS reflector: Personal ↔ IoT for AirPlay/Hue control.
11. WiFi tuning: Medium power · Channels 1/6/11 on 2.4GHz · Band steering to 5/6GHz.
12. Label every cable at both ends with label maker + color coding.
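
The VLAN 50 rules in Phase 1 step 10 and the final lockdown in Phase 3 step 9 depend on rule order wherever the gateway evaluates rules first-match. The sketch below is an added example, not part of the original plan or of any UniFi tooling: it models those rules as an ordered list over the subnets from the VLAN Architecture table and shows how placing the broad Internet allow first opens Security to every other VLAN. The first-match model, the allow-by-default fallback and the IoT gateway address 10.0.20.1 are assumptions.

```python
import ipaddress as ip

# Subnets copied from the VLAN Architecture table on this page.
NETS = {k: ip.ip_network(v) for k, v in {
    "LAN": "192.168.1.0/24", "Personal": "10.0.10.0/24", "HomeLab": "10.0.30.0/24",
    "IoT": "10.0.20.0/24", "Guest": "10.0.40.0/24", "Security": "10.0.50.0/24",
    "Work": "10.0.80.0/24"}.items()}
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip.ip_network("0.0.0.0/0")]
IOT_GW = [ip.ip_network("10.0.20.1/32")]  # assumption: gateway is .1 in the IoT subnet

def net(*names):
    return [NETS[n] for n in names]

# Ordered model of the lockdown: exceptions first, then blocks, broad allow last.
# NVR <-> camera traffic stays inside 10.0.50.0/24, is switched, and never hits these rules.
LOCKDOWN = [
    ("allow", net("Personal"), net("IoT")),        # Hue/Ecobee control
    ("allow", net("IoT"), IOT_GW),                 # "except gateway"
    ("allow", net("LAN"), net("Security")),        # management from LAN 1
    ("block", net("IoT", "Guest", "Security"), RFC1918),
    ("block", RFC1918, net("Security")),           # other VLANs -> Security
    ("allow", ANY, ANY),                           # Internet
]
# Same rules with the Internet allow on top: it matches first and shadows every block.
SHADOWED = [LOCKDOWN[-1]] + LOCKDOWN[:-1]

def decide(rules, src, dst):
    """First matching rule wins. New connections only; replies are assumed stateful."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, srcs, dsts in rules:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "allow"  # assumption: unmatched traffic is routed

def reachable(rules, src_vlan):
    """Other VLANs that host .10 of src_vlan can open a connection to."""
    src = str(NETS[src_vlan][10])
    return sorted(v for v, n in NETS.items()
                  if v != src_vlan and decide(rules, src, str(n[10])) == "allow")

if __name__ == "__main__":
    for name, rules in (("LOCKDOWN", LOCKDOWN), ("SHADOWED", SHADOWED)):
        for vlan in ("Security", "IoT", "Guest"):
            print(f"{name:9} {vlan:9} can reach: {reachable(rules, vlan) or 'nothing'}")
```

After building the real rules, the same matrix can be confirmed from a host on each VLAN by attempting connections to a .10 test host on the others.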

Final Switch Allocation

| Switch | Location | Role | Status |
| --- | --- | --- | --- |
| ProMax 16 | 2F Rack (U4) | Core — all servers, trunks, APs, NVR. Only switch in rack. | Installed |
| Flex 2.5G PoE 8 #1 | 1st Floor | Security PoE — cameras + doorbell · ORANGE | Phase 1 |
| Flex 1G (existing) | 1st Floor | Personal — Apple TV, Mini PC · BLUE | Phase 2 |
| Flex 2.5G PoE 8 #2 | Basement | Studio PC + U7 Lite AP · BLUE | Phase 2 |
| Switch 2.5G ×4 | TBD | Spare / sell / redeploy to replace Flex 1G | Phase 3 |

Full Wiring Map — Complete Network

Every cable, every device, every VLAN — color-coded. This is your reference sheet when everything is deployed.

Complete ishNet Topology — All Floors

Master Wiring Diagram
2ND FLOOR — 12U Rack + Office
12U RACK
U1-U2: Proxmox 1-4 (4× m720q)
U3: Mac Mini (Sonnet RackMac)
U4: ★ ProMax 16 — Core Switch
U5: IoT Hubs (Aqara·Hue·Lutron·BT)
U6-9: Gaming/AI PC (4U Rosewill) · RTX 3070 · R7 5800X · 32GB
U10-12: Patch Panel · Cable Mgmt · Fans
REAR: Tripp Lite PDU (vertical)
PURPLE ×4 → P1-P4
PURPLE → P5
YELLOW → P6
BLUE → P7
NVR Instant · Security · VLAN 50 · ORANGE → P8
U6 Pro · Hallway · All SSIDs · WHITE+PoE → P12
Dev PC · Desk · HomeLab V20 · PURPLE → P13
Work PC · Desk · Work V90 · RED → P14
UCG Max · Gateway · ISP Fiber · to ProMax
WHITE P9→1F Sec
WHITE P10→1F Pers
WHITE P11→Basement

1ST FLOOR — Living Space
Flex PoE 8 #1 · Security Switch · 1F · ORANGE cables out
Doorbell · PoE · Front · ORANGE
G5 Front · PoE · Exterior · ORANGE
G5 Back · PoE · Patio · ORANGE
Chime (WiFi)
Flex 1G · Personal Switch · 1F · BLUE cables out
Apple TV · Personal V10 · BLUE
Mini PC · Personal V10 · BLUE
U6 IW (AP) · All SSIDs · PoE · WHITE
IoT (WiFi) · Ecobee·Hue · Lutron·Govee
Both switches uplink to ProMax 16 (2F) via WHITE trunk cables through walls

BASEMENT — Creative Space
Flex PoE 8 #2 · NEW · Basement Switch · P1: WHITE trunk · P2: BLUE · P3: WHITE+PoE
Studio PC · Personal · VLAN 10 · BLUE
U7 Lite · All SSIDs · PoE · WHITE+PoE
Music Room · 275 sq ft · Studio PC + U7 Lite cover this floor

CABLE COLOR KEY
Orange = Security (50) · Blue = Personal (10) · Purple = HomeLab (20) · Red = Work (90) · Yellow = IoT (30) · White = Trunk / Uplink · Gray = Management (1) · Green = Guest (40) · Black = Spare

Complete Cable Schedule — Every Run

| From | To | Cable Color | VLAN / Type | Length Est. |
| --- | --- | --- | --- | --- |
| 2ND FLOOR — 12U RACK (all via Patch Panel U10) | | | | |
| ProMax 16 P1-P4 | Proxmox 1-4 (iStarUSA) | Purple ×4 | HomeLab (20) | 1ft patch |
| ProMax 16 P5 | Mac Mini (RackMac) | Purple | HomeLab (20) | 1ft patch |
| ProMax 16 P6 | IoT Hubs (shelf U5) | Yellow | IoT (30) | 1ft patch |
| ProMax 16 P7 | Gaming PC (Rosewill 4U) | Blue | Personal (10) | 1ft patch |
| ProMax 16 P8 | NVR Instant | Orange | Security (50) | 1ft patch |
| ProMax 16 P12 | U6 Pro (Hallway) | White | Trunk + PoE | 10-15ft |
| ProMax 16 P13 | Dev PC (desk) | Purple | HomeLab (20) | 6-10ft |
| ProMax 16 P14 | Work PC (desk) | Red | Work (90) | 6-10ft |
| FLOOR-TO-FLOOR TRUNK RUNS (use 300ft spool) | | | | |
| ProMax 16 P3 | 1F Flex PoE 8 #1 | White | Trunk | ~15-20ft |
| ProMax 16 P4 | 1F Flex 1G | White | Trunk | ~15-20ft |
| ProMax 16 P5 | Basement Flex PoE 8 #2 | White | Trunk | ~30-40ft |
| 1ST FLOOR — SECURITY | | | | |
| Flex PoE 8 #1 P2 | Doorbell Lite | Orange | Security (50) PoE | 10-20ft |
| Flex PoE 8 #1 P3 | G5 Ultra #1 (Front) | Orange | Security (50) PoE | 15-25ft |
| Flex PoE 8 #1 P4 | G5 Ultra #2 (Back) | Orange | Security (50) PoE | 20-30ft |
| 1ST FLOOR — PERSONAL | | | | |
| Flex 1G P2 | Apple TV | Blue | Personal (10) | 3-6ft patch |
| Flex 1G P3 | Mini PC | Blue | Personal (10) | 3-6ft patch |
| Flex 1G P4 | U6 IW (AP) | White | Trunk + PoE | 3-6ft patch |
| BASEMENT | | | | |
| Flex PoE 8 #2 P2 | Studio PC | Blue | Personal (10) | 3-10ft |
| Flex PoE 8 #2 P3 | U7 Lite (AP) | White | Trunk + PoE | 3-6ft patch |

Patch Cable Shopping List — CablesAndKits Cat6A Slim Booted

×5 Orange — NVR 1ft, Doorbell 15ft, G5 Front 20ft, G5 Back 25ft, spare. 1ft for rack patch, longer runs for camera installs (measure your actual distances).
×8 Purple — Proxmox 1-4 × 1ft, Mac Mini 1ft, Dev PC 6ft, 2× spare. 1ft for in-rack patching, 6ft for desk run through patch panel.
×5 Blue — Gaming PC 1ft, Apple TV 6ft, Mini PC 6ft, Studio PC 6ft, spare. 1ft for rack, 6ft for room-level connections.
×2 Yellow — IoT hub shelf 1ft, spare 3ft. Most IoT hubs only need 1 ethernet. Some like Hue Bridge need their own.
×1 Red — Work PC 6ft. From ProMax P14 through patch panel to desk.
×10 White — UCG→ProMax 1ft, U6 Pro 10ft, U6 IW 3ft, U7 Lite 3ft, AP trunks + floor runs. 1ft for rack patches, 3ft for local, + your 300ft spool for floor-to-floor trunk runs.