====== Concept for the VLANs of Rafisa Informatik GmbH ======

^ Version ^ Status ^ Date ^ Author ^ URL ^
| 0.1 | First draft | 08.08.2019 | Egil Rüefli | |
| 0.2 | Additions | 08.09.2019 | Richi Stammherr, Tim de Vries, Silvan Dux, Egil Rüefli | |
| 1.0 | Review and release | 08.09.2020 | Richi Stammherr, Egil Rüefli | |
| 2.0 | New version | 08.09.2019 | Egil Rüefli | |
| 2.1 | Additions | 08.09.2019 | Egil Rüefli | |
| 2.2 | Additions | 29.05.2020 | Egil Rüefli | |
| 2.3 | Additions | 02.06.2020 | Egil Rüefli | |
| 2.4 | Additions | 15.06.2020 | Silvan Dux, Egil Rüefli | |
| 2.5 | Additions | 02.07.2020 | Silvan Dux | |
| 2.6 | Additions | 11.11.2020 | Saba Nadeswaran, Egil Rüefli | |
| 3.0 | New version | 17.11.2020 | Egil Rüefli | |
| 3.1 | Additions | 18.11.2020 | Egil Rüefli | |
| 3.1 | Additions | 30.11.2020 | Silvan Dux | |
| 3.2 | Additions | 06.12.2020 | Egil Rüefli | |
| 3.3 | Additions | 21.04.2021 | Egil Rüefli | |
| 3.4 | Additions | 29.03.2022 | Egil Rüefli | |
| 4.0 | Additions | 04.05.2023 | Fabio Pagotto | |
| 4.1 | VLAN61_DEPL added | 13.05.2024 | Egil Rüefli | |

===== Subnet concept =====

Each location receives one /16 network out of the private range 172.16.0.0/12 (172.16.0.0/16 to 172.31.0.0/16), so the second octet identifies the location. Within a location, each VLAN gets the /24 subnet whose third octet equals its VLAN ID, e.g. 172.16.1.0/24 for VLAN 1 and 172.16.2.0/24 for VLAN 2 in Dietikon.

^ Network address range ^ CIDR notation ^ Shortened CIDR notation ^ Number of addresses ^ Number of networks according to network class (historical) ^
| 172.16.0.0 to 172.31.255.255 | 172.16.0.0/12 | 172.16/12 | 2^20 = 1,048,576 | Class B: 16 private networks with 65,536 addresses each; 172.16.0.0/16 to 172.31.0.0/16 |

List of subnets of the Rafisa locations:

^ Location ^ Network address ^
| Dietikon | 172.16.0.0/16 |
| Berne | 172.17.0.0/16 |
| Fribourg | 172.18.0.0/16 |
| Zug | 172.19.0.0/16 |
| Winterthur | 172.20.0.0/16 |
| Vevey | 172.21.0.0/16 |
| Basel | 172.22.0.0/16 |
| Hetzner | 172.30.0.0/16 |

===== Standard VLAN list =====

In the IP address column, 172.[16/17/18/...] stands for the /16 of the respective location.

^ VLAN name ^ Abbreviation ^ VLAN function ^ VID ^ IP address ^ FW interface name ^ DHCP server ^ Colour ^
^ VLAN management ^ ^ ^ 01 ^ ^ ^ ^ | @#FF5F1F: |
| VLAN01 | MGMT | Management | 01 | 172.[16/17/18/...].1.0/24 | VLAN01_MGMT | ✔️ | |
| VLAN02 | VIRTMGMT | Virtualisation management | 02 | 172.[16/17/18/...].2.0/24 | VLAN02_VIRTMGMT | ❌ | |
^ VLAN server ^ ^ ^ 10-19 ^ ^ ^ ^ | @#DC122D: |
| VLAN10 | SRVAUTH | Server authentication | 10 | 172.[16/17/18/...].10.0/24 | VLAN10_SRVAUTH | ❌ | |
| VLAN11 | SRVGLOB | Server global, all locations | 11 | 172.[16/17/18/...].11.0/24 | VLAN11_SRVGLOB | ❌ | |
| VLAN13 | SRVPUB | Server public | 13 | 172.[16/17/18/...].13.0/24 | VLAN13_SRVPUB | ❌ | |
| VLAN14 | SRVAUSB | Server instructors | 14 | 172.[16/17/18/...].14.0/24 | VLAN14_SRVAUSB | ❌ | |
| VLAN15 | SRVLERN | Server learners | 15 | 172.[16/17/18/...].15.0/24 | VLAN15_SRVLERN | ❌ | |
^ VLAN clients ^ ^ ^ 20-29 ^ ^ ^ ^ | @#5CAD3F: |
| VLAN21 | CLAUSB | Clients instructors | 21 | 172.[16/17/18/...].21.0/24 | VLAN21_CLAUSB | ✔️ | |
| VLAN22 | CLLERN | Clients learners | 22 | 172.[16/17/18/...].22.0/24 | VLAN22_CLLERN | ✔️ | |
| VLAN23 | CLGUEST | Clients guest (WLAN) | 23 | 172.[16/17/18/...].23.0/24 | VLAN23_CLGUEST | ✔️ | |
^ VLAN VoIP ^ ^ ^ 30 ^ ^ ^ ^ | @#F2D11D: |
| VLAN30 | VOIP | Telephony | 30 | 172.[16/17/18/...].30.0/24 | VLAN30_VOIP | ✔️ | |
^ VLAN printer ^ ^ ^ 40 ^ ^ ^ ^ | @#014EB0: |
| VLAN40 | LP | Printers | 40 | 172.[16/17/18/...].40.0/24 | VLAN40_LP | ❌ | |
^ VLAN lab ^ ^ ^ 50-59 ^ ^ ^ ^ | @#B366BF: |
| VLAN50 | LAB00 | Laboratory 00 | 50 | 172.[16/17/18/...].50.0/24 | VLAN50_LAB00 | ✔️ | |
| VLAN51 | LAB01 | Laboratory 01 | 51 | 172.[16/17/18/...].51.0/24 | VLAN51_LAB01 | ✔️ | |
| VLAN52 | LAB02 | Laboratory 02 | 52 | 172.[16/17/18/...].52.0/24 | VLAN52_LAB02 | ✔️ | |
| VLAN53 | LAB03 | Laboratory 03 | 53 | 172.[16/17/18/...].53.0/24 | VLAN53_LAB03 | ✔️ | |
| VLAN54 | LAB04 | Laboratory 04 | 54 | 172.[16/17/18/...].54.0/24 | VLAN54_LAB04 | ✔️ | |
^ VLAN special ^ ^ ^ 60-69 ^ ^ ^ ^ ^
| VLAN60 | IOT | Internet of Things devices | 60 | 172.[16/17/18/...].60.0/24 | VLAN60_IOT | ✔️ | |
| VLAN61 | DEPL | Deployment | 61 | 172.[16/17/18/...].61.0/24 | VLAN61_DEPL | ❌ | |
| VLAN62 | SIGN | Digital signage | 62 | 172.[16/17/18/...].62.0/24 | VLAN62_SIGN | ❌ | |
^ VLAN DMZ ^ ^ ^ 70-79 ^ ^ ^ ^ | @#A6A4A3: |
| VLAN70 | MGMTDMZ | DMZ management | 70 | 172.[16/17/18/...].70.0/24 | VLAN70_MGMTDMZ | ❌ | |
| VLAN71 | SRVDMZ | DMZ VMs | 71 | 172.[16/17/18/...].71.0/24 | VLAN71_SRVDMZ | ❌ | |

===== Basic authorisation matrix =====

The matrix is read row by column: the VLAN in the row may initiate connections to the VLAN in the column (✔️) or may not (❌). The reverse direction is not implied; 22_CLLERN may reach 13_SRVPUB, for example, while 13_SRVPUB may not reach 22_CLLERN. The row and column 5x stand for all lab VLANs 50 to 54; WAN denotes the Internet uplink.

^ VLAN ^ 01 ^ 02 ^ 10 ^ 11 ^ 13 ^ 14 ^ 15 ^ 21 ^ 22 ^ 23 ^ 30 ^ 40 ^ 5x ^ 60 ^ 61 ^ 62 ^ 70 ^ 71 ^ WAN ^
| 01_MGMT | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| 02_VIRTMGMT | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 10_SRVAUTH | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 11_SRVGLOB | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 13_SRVPUB | ❌ | ❌ | ✔️ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 14_SRVAUSB | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 15_SRVLERN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 21_CLAUSB | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| 22_CLLERN | ❌ | ❌ | ✔️ | ❌ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 23_CLGUEST | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 30_VOIP | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 40_LP | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 5x_LAB0x | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 60_IOT | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ❌ | ✔️ |
| 61_DEPL | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ❌ | ✔️ |
| 62_SIGN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ❌ | ✔️ |
| 70_MGMTDMZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ✔️ |
| 71_SRVDMZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| WAN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ |
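The subnet concept and the authorisation matrix, taken together, as an added example in Python that is not part of the original concept: it derives each VLAN's /24 from location and VID, answers whether a given flow is allowed by reading the matrix row by column, lists which zones may initiate connections into a zone, and renders the matrix as an nftables forward chain. The location and VLAN tables are copied from this page; the nftables layout, the treatment of WAN as any destination outside 172.16.0.0/12, and the assumption that the matrix applies by zone regardless of location are assumptions of this example, not Rafisa's firewall configuration.

```python
"""Rafisa VLAN concept as code (added example, not part of the original page):
derive each VLAN's /24 from location and VID, evaluate the basic authorisation
matrix per flow and render it as firewall rules. Tables are copied from the
page; the nftables layout and WAN = "outside 172.16.0.0/12" are assumptions."""
import ipaddress

PRIVATE_BLOCK = ipaddress.ip_network("172.16.0.0/12")

# Location -> second octet of its /16 (list of subnets of the Rafisa locations)
LOCATIONS = {"Dietikon": 16, "Berne": 17, "Fribourg": 18, "Zug": 19,
             "Winterthur": 20, "Vevey": 21, "Basel": 22, "Hetzner": 30}

# Matrix row/column name -> VID(s) from the standard VLAN list; 5x covers 50-54
ZONES = {"01_MGMT": [1], "02_VIRTMGMT": [2], "10_SRVAUTH": [10], "11_SRVGLOB": [11],
         "13_SRVPUB": [13], "14_SRVAUSB": [14], "15_SRVLERN": [15], "21_CLAUSB": [21],
         "22_CLLERN": [22], "23_CLGUEST": [23], "30_VOIP": [30], "40_LP": [40],
         "5x_LAB0x": [50, 51, 52, 53, 54], "60_IOT": [60], "61_DEPL": [61],
         "62_SIGN": [62], "70_MGMTDMZ": [70], "71_SRVDMZ": [71]}

# Basic authorisation matrix, read row by column: the row zone may *initiate*
# connections to the listed column zones. The diagonal (a zone to itself) is
# always allowed and handled in allowed(); WAN is the Internet uplink.
MATRIX = {
    "01_MGMT":     set(ZONES) | {"WAN"},
    "02_VIRTMGMT": {"WAN"},
    "10_SRVAUTH":  {"WAN"},
    "11_SRVGLOB":  {"WAN"},
    "13_SRVPUB":   {"10_SRVAUTH", "40_LP", "WAN"},
    "14_SRVAUSB":  {"WAN"},
    "15_SRVLERN":  {"WAN"},
    "21_CLAUSB":   (set(ZONES) - {"01_MGMT"}) | {"WAN"},
    "22_CLLERN":   {"10_SRVAUTH", "13_SRVPUB", "40_LP", "WAN"},
    "23_CLGUEST":  {"WAN"},
    "30_VOIP":     {"WAN"},
    "40_LP":       {"13_SRVPUB", "WAN"},
    "5x_LAB0x":    {"WAN"},
    "60_IOT":      {"WAN"},
    "61_DEPL":     {"WAN"},
    "62_SIGN":     {"WAN"},
    "70_MGMTDMZ":  {"WAN"},
    "71_SRVDMZ":   {"WAN"},
    "WAN":         set(),  # nothing may be initiated from the Internet
}

def zone_subnets(location, zone):
    """The /24s of a zone at a location: 172.<location octet>.<VID>.0/24."""
    nets = [ipaddress.ip_network(f"172.{LOCATIONS[location]}.{vid}.0/24")
            for vid in ZONES[zone]]
    assert all(net.subnet_of(PRIVATE_BLOCK) for net in nets)
    return nets

def locate(ip):
    """(location, zone) of an address; ("WAN", "WAN") outside the private /12;
    None for an address inside the /12 that belongs to no planned VLAN."""
    addr = ipaddress.ip_address(ip)
    if addr not in PRIVATE_BLOCK:
        return ("WAN", "WAN")
    for loc in LOCATIONS:
        for zone in ZONES:
            if any(addr in net for net in zone_subnets(loc, zone)):
                return (loc, zone)
    return None

def allowed(src_ip, dst_ip):
    """May a connection initiated by src_ip reach dst_ip? Assumption: the matrix
    applies by zone regardless of location (the page defines no inter-site
    rules). Addresses that belong to no planned VLAN are denied, not guessed."""
    src, dst = locate(src_ip), locate(dst_ip)
    if src is None or dst is None:
        return False
    return src[1] == dst[1] or dst[1] in MATRIX[src[1]]

def initiators_into(zone):
    """Zones other than itself that may open connections into `zone`; a quick
    attack-surface check (01_MGMT must come back empty)."""
    return sorted(s for s, dsts in MATRIX.items() if zone in dsts and s != zone)

def nft_rules(location):
    """Render the matrix as an nftables forward chain for one location (assumed
    layout, not the page's firewall config): replies to allowed connections pass
    statefully, then one accept per allowed zone pair, everything else dropped."""
    lines = ["chain forward {",
             "  type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]
    for src, dsts in MATRIX.items():
        if src == "WAN":
            continue
        for snet in zone_subnets(location, src):
            for dst in sorted(dsts):
                if dst == "WAN":
                    lines.append(f"  ip saddr {snet} ip daddr != {PRIVATE_BLOCK} accept")
                elif dst != src:
                    for dnet in zone_subnets(location, dst):
                        lines.append(f"  ip saddr {snet} ip daddr {dnet} accept")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(allowed("172.16.22.10", "172.16.10.5"), allowed("172.16.22.10", "172.16.1.1"))
    print(initiators_into("10_SRVAUTH"))
    print(nft_rules("Dietikon"))
```

Run as a script it prints the Dietikon chain. The stateful `established,related` rule at the top is what makes the one-directional matrix work in practice: 22_CLLERN may open a connection to 13_SRVPUB and the replies come back, while 13_SRVPUB still cannot open one towards 22_CLLERN. `locate` returns None for an address inside the /12 that is not a planned VLAN, and `allowed` denies such flows rather than guessing a zone; that case is the one worth alerting on.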