====== Concept for the VLANs of Rafisa Informatik GmbH ======
^ Version  ^ Status        ^ date      ^ Author        ^ URL  ^
| 0.1     | First draft       | 08.08.2019  | Egil Rüefli         |      |
| 0.2     | Additions           | 08.09.2019  | Richi Stammherr, Tim de Vries, Silvan Dux, Egil Rüefli  |      |
| 1.0     | Review and release      | 08.09.2020  | Richi Stammherr, Egil Rüefli         |      |
| 2.0     | New version         | 08.09.2019  | Egil Rüefli         |      |
| 2.1     | Additions           | 08.09.2019  | Egil Rüefli         |      |
| 2.2     | Additions           | 29.05.2020  | Egil Rüefli         |      |
| 2.3     | Additions           | 02.06.2020  | Egil Rüefli         |      |
| 2.4     | Additions           | 15.06.2020  | Silvan Dux, Egil Rüefli         |      |
| 2.5     | Additions           | 02.07.2020  | Silvan Dux     |      |
| 2.6     | Additions           | 11.11.2020  | Saba Nadeswaran, Egil Rüefli         |      |
| 3.0     | New version         | 17.11.2020  | Egil Rüefli         |      |
| 3.1     | Additions           | 18.11.2020  | Egil Rüefli         |      |
| 3.1     | Additions           | 30.11.2020  | Silvan Dux     |      |
| 3.2     | Additions           | 06.12.2020  | Egil Rüefli         |      |
| 3.3     | Additions           | 21.04.2021  | Egil Rüefli         |      |
| 3.4     | Additions           | 29.03.2022  | Egil Rüefli         |      |
| 4.0     | Additions           | 04.05.2023  | Fabio Pagotto         |      |
| 4.1     | VLAN61_DEPL added  | 13.05.2024  | Egil Rüefli         |      |

===== Subnet concept ====
All locations receive a /24 network from the larger private network 172.16/12, i.e. 172.16.0.0/16 to 172.31.0.0/16. The VLANs are then subdivided into the respective /24 subnets, e.g. 172.16.1.0/24, 172.16.2.0/24, etc.

^ Network address range ^ CIDR notation ^ Shortened CIDR notation ^ Number of addresses^ Number of networks according to network class (historical) ^
| 172.16.0.0 to 172.31.255.255| 172.16.0.0/12| 172.16/12 |220 = 1,048,576| Class B: 16 private networks with 65,536 addresses each; 172.16.0.0/16 to 172.31.0.0/16 |

List of subnets of the Rafisa locations

^ Location    ^ Network address    ^
| Dietikon    | 172.16.0.0/16  |
| Berne       | 172.17.0.0/16  |
| Fribourg    | 172.18.0.0/16  |
| Zug     | 172.19.0.0/16  |
| Winterthur  | 172.20.0.0/16  |
| Vevey       | 172.21.0.0/16  |
| Basel       | 172.22.0.0/16  |
| Hetzner     | 172.30.0.0/16  |


===== Standard VLAN list =====
^ VLAN name      ^ Abbreviation    ^ VLAN Function          ^ VID    ^ IP address         ^ FW interface name  ^ DHCP server  ^ Colour      ^
|                                                                                                                                   |||||||            |
^ VLAN management  ^           ^                               ^ 01    ^                             ^                    ^              | @#FF5F1F:  |
| VLAN01        | MGMT      | management            | 01    | 172.[16/17/18/...].1.0/24   | VLAN01_MGMT        | ✔️        |            |
| VLAN02        | VIRTMGMT  | Virtualisation Management    | 02    | 172.[16/17/18/...].2.0/24   | VLAN02_VIRTMGMT    | ❌     |            |
^ VLAN Server      ^           ^                               ^ 10-19  ^                             ^                    ^              | @#DC122D:  |
| VLAN10        | SRVAUTH   | Server authentication      | 10    | 172.[16/17/18/...].10.0/24  | VLAN10_SRVAUTH     | ❌     |            |
| VLAN11        | SRVGLOB   | Server Global all locations  | 11    | 172.[16/17/18/...].11.0/24  | VLAN11_SRVGLOB     | ❌     |            |
| VLAN13        | SRVPUB    | Server Public        | 13    | 172.[16/17/18/...].13.0/24  | VLAN13_SRVPUB      | ❌     |            |
| VLAN14        | SRVAUSB   | Server instructor            | 14    | 172.[16/17/18/...].14.0/24  | VLAN14_SRVAUSB     | ❌     |            |
| VLAN15        | SRVLERN   | Server learners          | 15    | 172.[16/17/18/...].15.0/24  | VLAN15_SRVLERN     | ❌     |            |
^ VLAN clients     ^           ^                               ^ 20-29  ^                             ^                    ^              | @#5CAD3F:  |
| VLAN21        | CLAUSB    | Clients Instructor            | 21    | 172.[16/17/18/...].21.0/24  | VLAN21_CLAUSB      | ✔️        |            |
| VLAN22        | CLLERN    | Clients Learners          | 22    | 172.[16/17/18/...].22.0/24  | VLAN22_CLLERN      | ✔️        |            |
| VLAN23        | CLGUEST   | Clients Guest (WLAN)        | 23    | 172.[16/17/18/...].23.0/24  | VLAN23_CLGUEST     | ✔️        |            |
^ VLAN VoIP      ^           ^                               ^ 30    ^                             ^                    ^              | @#F2D11D:  |
| VLAN30        | VOIP      | Telephony           | 30    | 172.[16/17/18/...].30.0/24  | VLAN30_VOIP        | ✔️        |            |
^ VLAN Printer     ^           ^                               ^ 40    ^                             ^                    ^              | @#014EB0:  |
| VLAN40        | LP    | Printer         | 40    | 172.[16/17/18/...].40.0/24  | VLAN40_LP          | ❌     |            |
^ VLAN Lab     ^           ^                               ^ 50-59  ^                             ^                    ^              | @#B366BF:  |
| VLAN50        | LAB00     | Laboratory 00    | 50    | 172.[16/17/18/...].50.0/24  | VLAN50_LAB00       | ✔️        |            |
| VLAN51        | LAB01     | Lab 01    | 51    | 172.[16/17/18/...].51.0/24  | VLAN51_LAB01       | ✔️        |            |
| VLAN52        | LAB02     | Laboratory 02    | 52    | 172.[16/17/18/...].52.0/24  | VLAN52_LAB02       | ✔️        |            |
| VLAN53        | LAB03     | Laboratory 03    | 53    | 172.[16/17/18/...].53.0/24  | VLAN53_LAB03       | ✔️        |            |
| VLAN54        | LAB04     | Lab 04    | 54    | 172.[16/17/18/...].54.0/24  | VLAN54_LAB04       | ✔️        |            |
^ VLAN Special     ^           ^                               ^ 60-69  ^                             ^                    ^              ^            ^
| VLAN60        | IOT     | Internet of Things devices     | 60    | 172.[16/17/18/...].60.0/24  | VLAN60_IOT         | ✔️        |            |
| VLAN61        | DEPL      | Deployment            | 61    | 172.[16/17/18/...].61.0/24  | VLAN61_DEPL        | ❌     |            |
| VLAN62        | SIGN      | Digital Signage         | 62    | 172.[16/17/18/...].62.0/24  | VLAN62_SIGN        | ❌     |            |
^ VLAN DMZ     ^           ^                               ^ 70-79  ^                             ^                    ^              | @#A6A4A3:  |
| VLAN70        | MGMTDMZ   | Management            | 70    | 172.[16/17/18/...].70.0/24  | VLAN70_MGMTDMZ     | ❌     |            |
| VLAN71        | SRVDMZ    | VMs     | 71    | 172.[16/17/18/...].71.0/24  | VLAN71_SRVDMZ      | ❌     |            |


===== Basic authorisation matrix =====
The matrix is read row by column (access allowed/not allowed from row to column)

^ VLAN      ^ 01  ^ 02  ^ 10  ^ 11  ^ 13  ^ 14  ^ 15  ^ 21  ^ 22  ^ 23  ^ 30  ^ 40  ^ 5x  ^ 60  ^ 61  ^ 62  ^ 70  ^ 71  ^ WAN  ^
| 01_MGMT      | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️   |
| 02_VIRTMGMT  | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 10_SRVAUTH   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 11_SRVGLOB   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 13_SRVPUB    | ❌   | ❌   | ✔️  | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 14_SRVAUSB   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 15_SRVLERN   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 21_CLAUSB    | ❌   | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️  | ✔️   |
| 22_CLLERN    | ❌   | ❌   | ✔️  | ❌   | ✔️  | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 23_CLGUEST   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 30_VOIP      | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 40_LP       | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 5x_LAB0x     | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 60_IoT       | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ❌   | ✔️   |
| 61_DEPL      | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ❌   | ✔️   |
| 62_SIGN      | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ❌   | ✔️   |
| 70_MGMTDMZ   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ❌   | ✔️   |
| 71_SRVDMZ    | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️  | ✔️   |
| WAN     | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ❌   | ✔️   |
|              |     |     |     |     |     |     |     |     |     |     |     |     |     |     |     |     |     |     |      |