VLANs and subnets
Rationale
There is a large number of network devices to be found here in fnordland. It would be nice to segregate them by function and restrict who may talk to whom. We can do this with VLANs (broadcast domains), separate network address spaces, and a firewall between them.
Goals
- Management devices need not be accessible to stuff like the BluRay player
- Network and server management needs no access to the Internet at large
- Shared infrastructure services (DNS, email, ...) get their own space that client systems can get to
- I'm sure there are more...
Tabular representation of the network segments
| VLAN ID | IPv4 address space | IPv6 address space | notes |
|---|---|---|---|
| 0 | there is no such thing as VLAN 0 | | |
| 1 | 172.16.0.0/24 | 2001:470:ba93:10::1/64, 2001:470:1f0f:5be::1/64 | Legacy 172.16.0.0/24 RFC1918 network and Hurricane Electric provided IPv6 space. We need to move devices away from this space. |
| 10 | n/a | n/a | Comcast/Xfinity WAN access. Instead of a direct cable between server and cable modem, this traffic will be carried on VLAN 10, which lets us put a port mirror monitor on it, and maybe a few other nifty things. |
| 99 | 10.10.0.0/24 | tbd | Server and network management network: server IPMIs, UPS interfaces, network attached PDUs, tape libraries, other sorts of switches, ... |
| 100 | 172.20.0.0/24 | tbd | SNOWMAN server network |
| 1000 | 172.16.1.0/24 (There's a lot of room here in the 172.16.0.0/12 space, isn't there?) | tbd | Server network |
| 1990 | 192.168.90.0/24 | tbd | guest network |
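As an added example (not code from this wiki), the plan above can be checked mechanically and the goals listed under Rationale turned into a default-deny policy between segments. The script below encodes the table, flags overlapping prefixes, non-RFC1918 IPv4 space and VLAN ids outside the usable 1-4094 range, then answers "may host A talk to host B" from an allow-list. Everything in the ALLOWED set beyond the stated goals is an assumption: that shared services (DNS, mail) live in the server VLAN 1000, that client devices such as the BluRay player sit in VLAN 1 or 1990, and that servers may reach the management VLAN 99. The Hurricane Electric prefixes are written in network form (::/64) rather than the ::1/64 host form used in the table.

```python
"""Sanity-check the VLAN/subnet plan and the inter-segment policy it implies.
Added example; not the wiki's own code."""
import ipaddress
from itertools import combinations

# Segments from the table. VLAN 10 (WAN transit) carries no local address
# space; IPv6 "tbd" entries are left empty. Prefixes normalised to network form.
SEGMENTS = {
    1:    {"name": "legacy",  "v4": "172.16.0.0/24",
           "v6": ["2001:470:ba93:10::/64", "2001:470:1f0f:5be::/64"]},
    99:   {"name": "mgmt",    "v4": "10.10.0.0/24",    "v6": []},
    100:  {"name": "snowman", "v4": "172.20.0.0/24",   "v6": []},
    1000: {"name": "server",  "v4": "172.16.1.0/24",   "v6": []},
    1990: {"name": "guest",   "v4": "192.168.90.0/24", "v6": []},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INTERNET = "internet"   # any destination outside the local segments (via VLAN 10)

# Allow-list of (source VLAN, destination). Anything not listed is denied,
# which covers "clients must not reach mgmt" and "mgmt gets no Internet".
# ASSUMPTIONS (not on the page): shared services live in VLAN 1000, clients
# such as the BluRay player are in VLAN 1 or 1990, servers may reach mgmt.
ALLOWED = {
    (1, 1000), (1990, 1000), (100, 1000),            # clients -> shared services
    (1, INTERNET), (1990, INTERNET), (100, INTERNET), (1000, INTERNET),
    (1000, 99),                                       # servers -> mgmt (assumed)
}


def check_plan(segments=SEGMENTS):
    """Return a list of problems found in the plan (empty list means clean)."""
    problems = []
    nets = {}
    for vid, seg in segments.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: id outside 1-4094")
        v4 = ipaddress.ip_network(seg["v4"])
        if not any(v4.subnet_of(p) for p in RFC1918):
            problems.append(f"VLAN {vid}: {v4} is not RFC1918 space")
        nets[vid] = [v4] + [ipaddress.ip_network(n) for n in seg["v6"]]
    # Every pair of segments must use disjoint prefixes (per address family).
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        for x in na:
            for y in nb:
                if x.version == y.version and x.overlaps(y):
                    problems.append(f"VLAN {a} {x} overlaps VLAN {b} {y}")
    return problems


def segment_of(ip, segments=SEGMENTS):
    """VLAN id whose prefix contains ip, or None if the address is not local."""
    addr = ipaddress.ip_address(ip)
    for vid, seg in segments.items():
        for pfx in [seg["v4"]] + seg["v6"]:
            if addr in ipaddress.ip_network(pfx):
                return vid
    return None


def is_allowed(src_ip, dst_ip, allowed=ALLOWED):
    """Default-deny check. Hosts in the same segment always see each other
    (no router in the path); a non-local destination counts as the Internet;
    traffic originating outside the local segments is refused."""
    src = segment_of(src_ip)
    if src is None:
        return False
    dst = segment_of(dst_ip)
    if dst is None:
        dst = INTERNET
    if dst == src:
        return True
    return (src, dst) in allowed


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    for s, d in (("192.168.90.5", "10.10.0.7"),     # guest -> mgmt: denied
                 ("10.10.0.7", "8.8.8.8"),          # mgmt -> Internet: denied
                 ("192.168.90.5", "172.16.1.53")):  # guest -> shared DNS: allowed
        print(f"{s} -> {d}: {'allow' if is_allowed(s, d) else 'deny'}")
```

Run it as-is to get a report on the table; to test a proposed change, pass a modified copy of SEGMENTS to check_plan() before editing the wiki. The policy table is the thing to feed into whatever firewall ends up between the VLANs; the script only shows that the goals are expressible as a short allow-list on top of default deny.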