VLAN & IP Allocation

Source: Marc Mercer (SRE Lead) — sre-iac repository, Rev 1.0, 2026-02-24

VLAN IDs and IP ranges are identical across both the interim (Juniper) and target (Omada) architectures — only the underlying physical hardware changes.

Design Principles

  • Second octet = VLAN ID ÷ 10 — VLAN 200 → 10.20.0.0/16, VLAN 300 → 10.30.0.0/16, VLAN 610 → 10.61.0.0/16, VLANs 1000–1099 → 10.100.0.0/16. The only exceptions are the management VLAN (100, which uses 192.168.168.0/23) and the homestead network, which carries no Anshin VLAN at all.
  • Each functional network owns a /16 — Day-1 deployment uses a /24 within each /16 (a /29 for the HA sync link, /20 blocks for tenants). Expansion never requires renumbering.
  • Spaced VLAN numbering — IDs at 100-unit intervals leave room for sub-VLANs within each functional range (VLAN 610 sits inside the DMZ range, for example).
  • Three physical switch planes — Network, Storage, and OOB — each carries only the VLANs relevant to its function.
  • Storage is never routed — VLANs 300 and 400 have no path to any router or the internet. Ever.
  • Management is never routed — VLAN 100 has no path to any router or the internet. Ever.

VLAN Allocation Table

| VLAN | Purpose | Allocated Range | Day-1 Subnet | Switch Plane | Routed via Edge? |
|------|---------|-----------------|--------------|--------------|------------------|
| 100 | Management / OOB | 192.168.168.0/23 | See below | OOB | No — completely isolated |
| 200 | OpenStack Control Plane | 10.20.0.0/16 | 10.20.0.0/24 | Network | Internal only (TRUST zone) |
| 300 | Ceph Public | 10.30.0.0/16 | 10.30.0.0/24 | Storage | No — isolated storage fabric |
| 400 | Ceph Cluster | 10.40.0.0/16 | 10.40.0.0/24 | Storage | No — isolated storage fabric |
| 500 | Provider Network | 10.50.0.0/16 | 10.50.0.0/24 | Network | Yes — VM external connectivity |
| 600 | DMZ | 10.60.0.0/16 | 10.60.0.0/24 | Network | Yes — controlled (DMZ zone) |
| 610 | DMZ HA Sync | 10.61.0.0/16 | 10.61.0.0/29 | Network | No — point-to-point only |
| 1000–1099 | Tenant Networks | 10.100.0.0/16 | /20 blocks | Network | Via Neutron virtual router |
| — | Homestead (Lee) | 192.168.125.0/24 | 192.168.125.0/24 | Dedicated port | Internet only (HOMESTEAD zone) |
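The design principles above are the kind of invariant that should be checked mechanically before any subnet is configured. The following is an added example, not code from the sre-iac repository: it transcribes the allocation table into a Python dict and checks the VLAN-to-second-octet rule, that every day-1 subnet sits inside its allocated range, and that no two allocations overlap. The keys used for the tenant range (first VLAN ID) and the homestead network (None), and the day-1 values chosen for VLAN 100 and the tenant range, are assumptions made for the check.

```python
"""Consistency checks for the VLAN / IP allocation table.

Added example, not code from the sre-iac repository: the table above is
transcribed into ALLOCATIONS and the design principles are turned into checks
that can run in CI before a subnet is ever configured.
"""
from ipaddress import IPv4Network, ip_network

# Transcribed from the allocation table. Assumptions for the check: tenant
# VLANs 1000-1099 share one /16 and are keyed by the first ID; the homestead
# network carries no Anshin VLAN tag and is keyed by None; "day-1" for VLAN 100
# is the whole /23 and for the tenant range it is the first /20 block.
ALLOCATIONS = {
    100:  ("Management / OOB",        "192.168.168.0/23", "192.168.168.0/23", "OOB"),
    200:  ("OpenStack Control Plane", "10.20.0.0/16",     "10.20.0.0/24",     "Network"),
    300:  ("Ceph Public",             "10.30.0.0/16",     "10.30.0.0/24",     "Storage"),
    400:  ("Ceph Cluster",            "10.40.0.0/16",     "10.40.0.0/24",     "Storage"),
    500:  ("Provider Network",        "10.50.0.0/16",     "10.50.0.0/24",     "Network"),
    600:  ("DMZ",                     "10.60.0.0/16",     "10.60.0.0/24",     "Network"),
    610:  ("DMZ HA Sync",             "10.61.0.0/16",     "10.61.0.0/29",     "Network"),
    1000: ("Tenant Networks",         "10.100.0.0/16",    "10.100.0.0/20",    "Network"),
    None: ("Homestead (Lee)",         "192.168.125.0/24", "192.168.125.0/24", "Dedicated port"),
}

TEN_SLASH_8 = ip_network("10.0.0.0/8")


def expected_range(vlan: int) -> IPv4Network:
    """Design rule: the second octet is the VLAN ID divided by 10."""
    return ip_network(f"10.{vlan // 10}.0.0/16")


def check_octet_rule(allocs) -> list:
    """Every allocation inside 10.0.0.0/8 must follow the VLAN -> octet rule."""
    problems = []
    for vlan, (name, allocated, _day1, _plane) in allocs.items():
        net = ip_network(allocated)
        if vlan is None or not net.subnet_of(TEN_SLASH_8):
            continue  # management and homestead use 192.168/16 space by design
        if net != expected_range(vlan):
            problems.append(f"VLAN {vlan} ({name}): {net} != {expected_range(vlan)}")
    return problems


def check_day1_within(allocs) -> list:
    """The day-1 subnet must sit inside its allocated range (no renumbering later)."""
    problems = []
    for vlan, (name, allocated, day1, _plane) in allocs.items():
        if not ip_network(day1).subnet_of(ip_network(allocated)):
            problems.append(f"VLAN {vlan} ({name}): day-1 {day1} is outside {allocated}")
    return problems


def check_no_overlap(allocs) -> list:
    """No two allocated ranges may overlap, across all planes and zones."""
    problems = []
    nets = [(vlan, ip_network(alloc)) for vlan, (_n, alloc, _d, _p) in allocs.items()]
    for i, (vlan_a, net_a) in enumerate(nets):
        for vlan_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"VLAN {vlan_a} {net_a} overlaps VLAN {vlan_b} {net_b}")
    return problems


def validate(allocs=ALLOCATIONS) -> list:
    """Return every violation found; an empty list means the table is consistent."""
    return check_octet_rule(allocs) + check_day1_within(allocs) + check_no_overlap(allocs)


if __name__ == "__main__":
    issues = validate()
    print("allocation table OK" if not issues else "\n".join(issues))
```

Run it as a pre-commit or CI step over the same data the IaC uses to render switch and Neutron configuration; a new VLAN that breaks the octet rule or lands inside an existing /16 is then rejected before it reaches a device.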

VLAN Details

VLAN 100 — Management / Out-of-Band

Network: 192.168.168.0/23

| Subnet | Purpose | Devices |
|--------|---------|---------|
| 192.168.168.0/24 | Compute Infrastructure | iLO/IPMI (servers), UPS/APC management |
| 192.168.169.0/24 | Network Infrastructure | Switch management interfaces, router console |

Isolation: Complete. No routing to any other VLAN. No internet access. Reachable only from the physical workstation (via tagged VLAN interface) or physical console. Switch plane: OOB management switch only. Note that the workstation reaches VLAN 100 over an inter-switch trunk from the OOB switch (see the switch plane summary below), so at that one point the isolation rests on switch configuration rather than physical separation: the trunk and the workstation port must carry VLAN 100 tagged to the workstation only, and no other port on the Network switch may be a member of it.


VLAN 200 — OpenStack Control Plane

Network: 10.20.0.0/16 (day-1: 10.20.0.0/24)

Carries:

  • OpenStack API endpoints (Nova, Neutron, Keystone, Glance, Cinder, Heat, Octavia, Designate, Trove, Manila)
  • RabbitMQ message bus (inter-service async communication)
  • MariaDB/Galera cluster replication (OpenStack state database)
  • HAProxy/keepalived (API VIPs and health checks)
  • Kolla-Ansible internal endpoints

Switch plane: Network switch (eno1+eno2 bond). Routing: Internal only — edge firewall has an interface here (TRUST zone) for routing to VLAN 500/600, but does NOT route VLAN 200 to the internet.


VLAN 300 — Ceph Public

Network: 10.30.0.0/16 (day-1: 10.30.0.0/24)

Carries:

  • Client → OSD I/O (VM disk reads/writes via librbd on compute hosts)
  • OpenStack service → Ceph communication (Glance, Cinder)
  • Ceph MON and MGR traffic
  • RadosGW / S3 API traffic
  • Manila / CephFS client mounts

Switch plane: Storage switch (eno3+eno4 bond). Routing: None. Completely isolated — no uplink to any router. One consequence worth stating explicitly: the RadosGW S3 endpoint and CephFS mounts are reachable only from hosts with an interface on VLAN 300 (the four servers), so any consumer outside the storage fabric that needs S3 or CephFS must go through a service that lives on a routed VLAN.


VLAN 400 — Ceph Cluster

Network: 10.40.0.0/16 (day-1: 10.40.0.0/24)

Carries:

  • OSD → OSD replication (RF=2, every write replicates to a second OSD)
  • Recovery traffic (re-replication after OSD/drive/server failure)
  • Rebalancing traffic (data redistribution when OSDs are added/removed)
  • Scrubbing (periodic data integrity verification between replicas)
  • OSD heartbeats (liveness detection between all OSD pairs)

Switch plane: Storage switch (same physical switch as VLAN 300, separate VLAN). Routing: None.

Why separate from VLAN 300?

Recovery and rebalancing generate extreme bandwidth. If shared with client I/O, VM disk performance would collapse during maintenance events. Putting replication on its own VLAN and IP range keeps the two traffic classes distinguishable for monitoring and QoS, and because client and replication flows then use different IP pairs, a layer3+4 LACP hash can place them on different members of the storage bond so they run in parallel. That only holds if the hash actually looks at IP and port: with the Linux bonding default of xmit_hash_policy=layer2, every flow between two hosts shares the same bond MAC pair regardless of VLAN and lands on a single link. Set layer3+4 on the hosts and the matching hash on the switch LAG, and remember that LACP distributes per flow, so a single large recovery stream is still bounded by one link's bandwidth.
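To make the hashing point concrete, here is an added illustration (not code from the sre-iac repository) that models the two bonding hash policies in simplified form. The arithmetic is constructed for the demonstration, not the kernel's byte-exact hash, and the host names, MACs, addresses and ports are invented sample data; the point it shows is real: one bond MAC per host means layer2 hashing cannot tell VLAN 300 traffic from VLAN 400 traffic.

```python
"""Why VLAN separation alone does not spread Ceph traffic across the bond.

Added illustration, not code from the sre-iac repository. It models the two
common Linux bonding xmit_hash_policy values in simplified form (constructed
arithmetic, not the kernel's exact hash): layer2 hashes the MAC pair, layer3+4
hashes the IP pair and TCP ports. A host's bond has a single MAC shared by its
VLAN 300 and VLAN 400 sub-interfaces, so to layer2 every flow between two hosts
looks the same.
"""
from ipaddress import ip_address

N_LINKS = 2  # eno3+eno4 LACP bond on the storage plane

# Constructed sample: last byte of each host's bond MAC (shared across VLANs).
HOST_MAC = {"osd-01": 0x10, "osd-02": 0x20}

# Constructed flows between the same two hosts:
# (src_host, src_ip, sport, dst_host, dst_ip, dport)
# client I/O on VLAN 300 and replication on VLAN 400, varying ephemeral ports.
FLOWS = [
    ("osd-01", "10.30.0.11", 45000, "osd-02", "10.30.0.12", 6800),  # client -> OSD
    ("osd-01", "10.30.0.11", 45001, "osd-02", "10.30.0.12", 6800),  # client -> OSD
    ("osd-01", "10.40.0.11", 52000, "osd-02", "10.40.0.12", 6801),  # OSD -> OSD replication
    ("osd-01", "10.40.0.11", 52003, "osd-02", "10.40.0.12", 6801),  # OSD -> OSD replication
]


def layer2_link(flow) -> int:
    """xmit_hash_policy=layer2 (the Linux default): only the MAC pair matters."""
    src_host, _sip, _sport, dst_host, _dip, _dport = flow
    return (HOST_MAC[src_host] ^ HOST_MAC[dst_host]) % N_LINKS


def layer3_4_link(flow) -> int:
    """xmit_hash_policy=layer3+4: IP pair and port pair feed the hash."""
    _src_host, sip, sport, _dst_host, dip, dport = flow
    h = (int(ip_address(sip)) ^ int(ip_address(dip))) ^ (sport ^ dport)
    return h % N_LINKS


def links_used(policy, flows=FLOWS) -> list:
    """Which bond members a set of flows ends up on under a given policy."""
    return sorted({policy(f) for f in flows})


if __name__ == "__main__":
    print("layer2   :", links_used(layer2_link))    # one link carries everything
    print("layer3+4 :", links_used(layer3_4_link))  # both links in use
```

On the servers this means `xmit_hash_policy=layer3+4` as a bonding module option (in netplan, `transmit-hash-policy: layer3+4` under the bond's `parameters:`), and an IP/port-based load-balancing hash on the switch's LAG, which decides the switch-to-host direction independently. Even with both set, LACP balances per flow, so a single long replication stream never exceeds one member link.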


VLAN 500 — Provider Network

Network: 10.50.0.0/16 (day-1: 10.50.0.0/24)

Carries:

  • Neutron external gateway (virtual router external leg)
  • Floating IP traffic (public-reachable VM addresses)
  • SNAT for private subnet VMs (outbound internet access)
  • Octavia load balancer VIPs
  • VM metadata service routing (169.254.169.254)

Switch plane: Network switch (eno1+eno2 bond). Routing: Yes — bridge between virtual and physical. Edge firewall routes between VLAN 500 and WAN. Inbound public traffic arrives at DMZ first (VLAN 600), gets proxied by OPNsense, then enters VLAN 500 to reach backend VMs.


VLAN 600 — DMZ

Network: 10.60.0.0/16 (day-1: 10.60.0.0/24)

Carries:

  • Inbound traffic from edge firewall after IDS/IDP inspection
  • OPNsense HA pair (reverse proxy / load balancer)
  • CARP/VRRP virtual IP for OPNsense failover
  • SSL termination, WAF rules, rate limiting
  • Proxied traffic outbound to VLAN 500 backends

Interim: OPNsense as VMs on OpenStack. Target: 2× Beelink SER7 bare-metal OPNsense, 2.5G uplink to ER7412-M2. Routing: Controlled — edge routes UNTRUST→DMZ (TCP 80/443 only) and DMZ→TRUST (proxied traffic). DMZ cannot reach storage, management, or tenant networks.


VLAN 610 — DMZ HA Sync

Network: 10.61.0.0/29 (day-1)

Point-to-point between the two OPNsense nodes for CARP/pfsync state synchronization and heartbeat. No other devices. No routing. pfsync messages are neither authenticated nor encrypted, so this dedicated, unrouted link is the only thing protecting firewall state from being read or injected; nothing else may ever be patched into VLAN 610, and the CARP VIP that clients actually use stays on VLAN 600.


VLANs 1000–1099 — Tenant Networks

Network: 10.100.0.0/16

Neutron allocates VLANs dynamically from this range. ML2 plugin: network_vlan_ranges = physnet1:1000:1099.

Subnet layout (matches AWS VPC /20 patterns):

| Subnet Type | CIDR Blocks | AWS Equivalent |
|-------------|-------------|----------------|
| Public | 10.100.0.0/20, 10.100.16.0/20, 10.100.32.0/20 | Public subnets |
| Private | 10.100.48.0/20, 10.100.64.0/20, 10.100.80.0/20 | Private subnets |
| Database | 10.100.96.0/20, 10.100.112.0/20, 10.100.128.0/20 | Database subnets |
| ElastiCache | 10.100.144.0/20, 10.100.160.0/20, 10.100.176.0/20 | Cache subnets |
| Intra | 10.100.192.0/20, 10.100.208.0/20, 10.100.224.0/20 | Intra subnets |
| Reserved | 10.100.240.0/20 | Future use |

Each /20 provides ~4,094 usable IPs. Three blocks per type for multi-AZ parity with AWS (single physical AZ, but addressing pattern is identical).


Homestead — Lee Network

Network: 192.168.125.0/24

Bryan's home network. Completely separate from Anshin infrastructure. Dedicated physical port on edge firewall. Internet access only. Access to Anshin services via WireGuard tunnel only β€” management VLAN (100) is NOT exposed over WireGuard.


Edge Firewall Security Zones

| Zone | VLANs | Policy |
|------|-------|--------|
| UNTRUST | WAN /32 | Inbound: only to DMZ (TCP 80/443). Outbound: SNAT for TRUST, DMZ and HOMESTEAD (MGMT and STORAGE have no internet path). |
| DMZ | 600 | Inbound from UNTRUST (HTTP/S only). Outbound to TRUST (proxied to VLAN 500). No access to storage, mgmt, or tenant. |
| TRUST | 200, 500, 1000–1099 | Outbound to internet via SNAT. Inbound from DMZ (proxied). Inter-VLAN routing between 200/500/1000+ as needed. |
| HOMESTEAD | 192.168.125.0/24 | Internet only. No routing to TRUST, DMZ, or any other zone. |
| MGMT | 100 | Management traffic only — no routing to TRUST, DMZ, HOMESTEAD, or internet. |
| STORAGE | 300, 400 | Not on the edge firewall at all. Completely isolated on storage switch. |
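The zone table is a policy that can be tested, not just read. Below is an added example of policy-as-code, not configuration from the sre-iac repository or any firewall vendor's rule syntax: the zones and permitted zone-to-zone flows are encoded as data, `is_allowed()` answers the question the table answers by hand, and `isolation_violations()` re-checks the "never routed" promises for management and storage and the internet-only rule for HOMESTEAD. The sample addresses are constructed; zones, prefixes and ports are taken from the table. Two modelling assumptions: TRUST-to-TRUST inter-VLAN traffic is treated as allowed because the table says "as needed", and VLAN 610 is given a pseudo-zone so that its prefix cannot be mistaken for the WAN.

```python
"""Policy-as-code for the edge firewall zone table.

Added example, not configuration from the sre-iac repository or any vendor's
rule syntax. ZONE_NETS maps prefixes to zones, RULES lists the permitted
zone-to-zone flows, and everything not listed is denied.
"""
from ipaddress import ip_address, ip_network

ZONE_NETS = {
    "TRUST":     ["10.20.0.0/16", "10.50.0.0/16", "10.100.0.0/16"],
    "DMZ":       ["10.60.0.0/16"],
    "HOMESTEAD": ["192.168.125.0/24"],
    "MGMT":      ["192.168.168.0/23"],
    "STORAGE":   ["10.30.0.0/16", "10.40.0.0/16"],  # no edge interface at all
    "UNROUTED":  ["10.61.0.0/16"],                  # VLAN 610 pfsync link, no edge interface (assumed pseudo-zone)
}

# (src zone, dst zone, allowed dst prefixes or None for the whole zone,
#  allowed (proto, port) pairs or None for any port)
RULES = [
    ("UNTRUST",   "DMZ",     None,             {("tcp", 80), ("tcp", 443)}),
    ("DMZ",       "TRUST",   ["10.50.0.0/16"], None),  # proxied traffic to VLAN 500 backends only
    ("TRUST",     "TRUST",   None,             None),  # inter-VLAN 200/500/1000+ "as needed" (assumption)
    ("TRUST",     "UNTRUST", None,             None),  # SNAT to the internet
    ("DMZ",       "UNTRUST", None,             None),  # SNAT to the internet
    ("HOMESTEAD", "UNTRUST", None,             None),  # internet only
]
# Not listed, therefore denied: TRUST -> DMZ, anything -> MGMT/STORAGE/UNROUTED, HOMESTEAD -> anything internal.


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal prefixes is the WAN."""
    addr = ip_address(ip)
    for zone, prefixes in ZONE_NETS.items():
        if any(addr in ip_network(p) for p in prefixes):
            return zone
    return "UNTRUST"


def is_allowed(src_ip: str, dst_ip: str, proto: str = "tcp", dport: int = 443) -> bool:
    """Default deny; a flow passes only if one RULES entry matches every field."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, prefixes, ports in RULES:
        if (rule_src, rule_dst) != (src, dst):
            continue
        if prefixes and not any(ip_address(dst_ip) in ip_network(p) for p in prefixes):
            continue
        if ports and (proto, dport) not in ports:
            continue
        return True
    return False


# Constructed representative address per zone, used to probe the policy.
SAMPLE_IP = {
    "UNTRUST": "203.0.113.10", "DMZ": "10.60.0.10", "TRUST": "10.50.0.10",
    "HOMESTEAD": "192.168.125.10", "MGMT": "192.168.168.10", "STORAGE": "10.30.0.10",
}


def isolation_violations() -> list:
    """The document's hard promises: nobody reaches MGMT or STORAGE through the
    edge, and HOMESTEAD reaches nothing but the internet."""
    bad = []
    for src, sip in SAMPLE_IP.items():
        for dst in ("MGMT", "STORAGE"):
            if src != dst and is_allowed(sip, SAMPLE_IP[dst], "tcp", 22):
                bad.append(f"{src} -> {dst} reachable")
    for dst, dip in SAMPLE_IP.items():
        if dst not in ("HOMESTEAD", "UNTRUST") and is_allowed(SAMPLE_IP["HOMESTEAD"], dip):
            bad.append(f"HOMESTEAD -> {dst} reachable")
    return bad


if __name__ == "__main__":
    print(is_allowed("203.0.113.10", "10.60.0.10", "tcp", 443))  # WAN -> DMZ HTTPS
    print(is_allowed("10.60.0.10", "10.20.0.10", "tcp", 5000))   # DMZ -> control plane
    print(isolation_violations())
```

The same flow list doubles as an acceptance test for the real edge: run each tuple as a probe (for example with a TCP connect from a host in the source zone) and compare the observed result against `is_allowed()`; any disagreement is either a firewall misconfiguration or a gap in this document.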

Physical Switch Plane Summary

Network Switch

Interim: EX2200-24T (ex2200t-01) / Target: SX3008-01 (10G) + SG3428-01 (1G)

Carries VLANs: 200, 500, 600, 610, 1000–1099

Connected: All 4 servers (eno1+eno2 LACP), edge firewall uplink, workstation (LACP), QNAP NAS, OPNsense VMs (interim) or SER7 via router (target).

Storage Switch

Interim: EX2200-24T (ex2200t-02) / Target: SX3008-02 (10G) + SG3428-02 (1G)

Carries VLANs: 300, 400 — and nothing else. No uplink. No router. Isolated.

Connected: All 4 servers (eno3+eno4 LACP). Nothing else.

OOB Management Switch

Interim: EX2200-24P (ex2200p-01) / Target: EX2200 (ex2200-01, repurposed)

Carries VLANs: 100 only.

Connected: Server iLO ports (×4), UPS management ports (×4), switch management interfaces, workstation (tagged VLAN 100 via inter-switch trunk), Omada controller (target, PoE powered).


Document Control

| Rev | Date | Author | Description |
|-----|------|--------|-------------|
| 1.0 | 2026-02-24 | Marc Mercer | Initial release |