Various bits of kit migrated to home office. The Harry Potter room now has ONT, switch and WiFi AP and that's all.
The 4 RU cabinet has been moved to the home office where ventilation is better.
All is ready for dual-WAN now as far as the switches go. The switch ports are isolated so that no LAN device sees WAN traffic and, likewise, no WAN port sees anything other than WAN traffic.
Under stairs switch:
0 GE-1 - ONT - 1 GbE
1 SFP-1 - Empty - Future ONT 2
2 SFP-2 - 10Gbase-BX to Office
3 SFP-3 - Empty
4 SFP-4 - 5Gbase-T to WiFi AP
Office switch:
0 GE-1 - Empty - Future WAN 2
1 SFP-1 - UDM Pro WAN - 10G DAC
2 SFP-2 - Server - 10G DAC
3 SFP-3 - 10Gbase-BX to Stairs
4 SFP-4 - UDM Pro LAN - 10G DAC
Security - unless specified connectivity denied:
Stairs:
0 <> 2
1 <> 2
2 <> All
3 <> 2, 4
4 <> 2, 3
Office:
0 <> 3
1 <> 3
2 <> 3, 4
3 <> All
4 <> 2, 3
The UDM Pro has 8 x GbE ports of its own all on a LAN switch. 2 of these are a tagless LAG to the GigE switch in the office, another is connected to the Raspberry Pi on PiHole duties.
Highly not recommended to be done regularly. Hasn't been cheap.
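The connectivity tables above can be checked mechanically. The following is an added example, not part of the original post: it confirms the two tables are symmetric and traces where a flooded frame entering each WAN port ends up when only the port-isolation matrix is applied. The WAN/LAN role of each port is read off the port lists and is an assumption, as is the flooding model (no VLAN filtering, no MAC learning).

```python
# Port-isolation matrix from the page; "All" is expanded to every other port.
ALLOWED = {
    "stairs": {0: {2}, 1: {2}, 2: {0, 1, 3, 4}, 3: {2, 4}, 4: {2, 3}},
    "office": {0: {3}, 1: {3}, 2: {3, 4}, 3: {0, 1, 2, 4}, 4: {2, 3}},
}
# The 10Gbase-BX link joins stairs port 2 and office port 3.
TRUNK = {("stairs", 2): ("office", 3), ("office", 3): ("stairs", 2)}
# Roles are this example's reading of the port lists (assumption).
WAN = {("stairs", 0), ("stairs", 1), ("office", 0), ("office", 1)}
LAN = {("stairs", 3), ("stairs", 4), ("office", 2), ("office", 4)}


def asymmetric_pairs():
    """List (switch, a, b) where a may talk to b but b may not talk to a."""
    return [(sw, a, b) for sw, table in ALLOWED.items()
            for a, peers in table.items() for b in peers
            if a not in table[b]]


def flood_reach(switch, port):
    """Edge ports that receive a flooded frame entering at (switch, port).

    Models only the isolation matrix: no VLAN filtering, no MAC learning.
    """
    seen, edge, todo = {(switch, port)}, set(), [(switch, port)]
    while todo:
        sw, ingress = todo.pop()
        for egress in ALLOWED[sw][ingress]:
            hop = (sw, egress)
            if hop not in TRUNK:
                edge.add(hop)          # frame leaves towards a device
            elif TRUNK[hop] not in seen:
                seen.add(TRUNK[hop])   # frame crosses to the other switch
                todo.append(TRUNK[hop])
    return edge


def wan_to_lan_exposure():
    """LAN ports reachable from each WAN port under the matrix alone."""
    return {src: sorted(flood_reach(*src) & LAN) for src in sorted(WAN)}


if __name__ == "__main__":
    print("asymmetric entries:", asymmetric_pairs())
    for src, lan_ports in wan_to_lan_exposure().items():
        print(src, "->", lan_ports)
```

Because stairs port 2 and office port 3 are both set to "All", the matrix on its own lets a frame from a WAN port reach LAN ports on the far switch. Keeping WAN and LAN apart on that shared link therefore depends on a further control such as VLAN tagging, which the post does not describe.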