I am categorizing the LAN traffic to create a VLAN list. To do this I simplified the drawing to only network devices. There are two pihole DNS devices missing from the drawing. I’m thinking they would be included in VLAN130. After a number of iterations I arrived at seven VLAN assignments.
User traffic is VLAN110. It originates at the office switch. Operational support systems (OSS) traffic, VLAN120, is the seedplant systems. Mgmt traffic, VLAN130, would be connections to all the devices, including the two piholes not shown. Behind the DMZ router are http VLAN140 and modbus VLAN150 traffic. The http is remote reading of the indicator, and modbus is an interface that sends data to the cloud over a VPN. Residence VLAN160 traffic is access to the internet for the residence. The vendor VLAN170 traffic was a late addition. The farmstart router hides PLCs and monitoring systems for a vendor responsible for the plant. I thought getting that on its own VLAN would keep them isolated. VLAN170 over on the residence switch covers the IP camera.
VLANs keep traffic from the seedplant out of the residence side. Likewise, the residence traffic is not over at the seedplant. The DMZ traffic is isolated also. I have a VLAN trunk on the seedplant side and another trunk on the residence side. VLAN access links are at the switches and routers.
Before asking follow-up questions, I wanted to get a sense of whether I am on the correct path.
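One way to sanity-check the two trunks against the split described above, as an added example (it is not from the original post and not any switch vendor's tooling): it encodes the seven VLANs listed, assumes which VLANs belong on each trunk (the post gives no allowed-VLAN lists, so that mapping is an assumption made here, including VLAN170 appearing on both sides because the post places it behind the farmstart router and on the residence switch), and reports any VLAN a trunk carries that the policy says should stay on the other side. The input format mirrors the comma-and-range syntax most switches use for `switchport trunk allowed vlan`.

```python
"""Trunk allowed-VLAN checker for a two-trunk, seven-VLAN layout.

Added example, not part of the original post. The VLAN table follows the
post; TRUNK_POLICY (which VLANs may ride which trunk) is an ASSUMPTION
made here for illustration.
"""
import re

# VLAN IDs and roles as listed in the post.
VLANS = {
    110: "user (office switch)",
    120: "OSS (seedplant systems)",
    130: "mgmt (all devices, including the two piholes)",
    140: "http (behind DMZ router, remote reading of the indicator)",
    150: "modbus (behind DMZ router, data to cloud over VPN)",
    160: "residence internet",
    170: "vendor (farmstart router PLCs; IP camera on residence switch)",
}

# ASSUMED policy: the set of VLANs each trunk is allowed to carry.
# mgmt (130) and vendor (170) span both sides; everything else is one-sided.
TRUNK_POLICY = {
    "seedplant": {110, 120, 130, 140, 150, 170},
    "residence": {130, 160, 170},
}


def parse_allowed(spec):
    """Parse a switch-style allowed list such as '110,120,130-150'.

    Accepts comma-separated IDs and inclusive ranges. 'all' expands to
    1-4094, which is what an unpruned trunk carries by default on many
    switches and is exactly the case worth catching.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not match:
            raise ValueError(f"bad allowed-VLAN item: {item!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def check_trunk(trunk, configured):
    """Compare one trunk's configured allowed set against TRUNK_POLICY.

    Returns a report with three sorted lists:
      leaked  - known VLANs on this trunk that belong to the other side
      unknown - IDs on this trunk that are not in the VLAN table at all
      missing - policy VLANs the trunk does not carry (pruned too far)
    """
    policy = TRUNK_POLICY[trunk]
    configured = set(configured)
    known = set(VLANS)
    return {
        "leaked": sorted((configured & known) - policy),
        "unknown": sorted(configured - known),
        "missing": sorted(policy - configured),
    }


def is_clean(report):
    """True when a check_trunk() report contains no findings."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample configs: the first two match the assumed policy,
    # the third is an unpruned trunk, the fourth leaks residence VLAN160
    # onto the seedplant side.
    samples = [
        ("seedplant", "110,120,130,140,150,170"),
        ("residence", "130,160,170"),
        ("residence", "all"),
        ("seedplant", "110,120,130,140,150,160,170"),
    ]
    for trunk, spec in samples:
        report = check_trunk(trunk, parse_allowed(spec))
        status = "ok" if is_clean(report) else "FINDINGS"
        print(f"{trunk:10} allowed={spec!r}: {status}")
        for kind, ids in report.items():
            if ids:
                shown = ids if len(ids) <= 10 else f"{len(ids)} IDs"
                print(f"    {kind}: {shown}")
```

The `all` case matters most in practice: a trunk left at its default carries every VLAN, so the residence-side trunk would also carry the OSS, http and modbus VLANs regardless of what the access ports are set to. Pruning each trunk to the policy set, and re-running this check whenever a VLAN is added, is what makes the "seedplant traffic stays out of the residence side" statement hold on the wire rather than only on the drawing.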
