We divide our network into 2 vLANs:
- Managed (1) - Hosts where only the admins have root access
- Unmanaged (2) - Hosts where any other user has root access
In our managed vLAN, we have a few other subnets for things like k8s, but our main one is
For convenience when writing firewall rules, we further divide this into 3 prefixes:
- 192.168.0.0-63 - Core services, on hosts only admins can log into
- 192.168.0.64-127 - Auxiliary services, on hosts only admins can log into
- 192.168.0.128-255 - User-accessible machines
Note that whichever prefix an address falls in, it is still part of the same subnet (/24); the prefixes are only a convenience for writing rules.
We put these on a separate vLAN to prevent IP/ARP spoofing attacks and other LAN-level attacks that become possible once a user has root on a host.
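The three address ranges above fall exactly on CIDR boundaries (/26, /26, /25), which is what makes them usable as firewall prefixes. The following is an added example, not part of the original note: it checks that the prefixes partition the managed /24, applies an assumed ingress policy for the unmanaged vLAN (a source must belong to the vLAN it arrives on, and unmanaged hosts may not reach the admin-only tiers), and renders that policy as nftables rules. The unmanaged subnet (192.168.2.0/24) and the interface name (vlan2) are assumptions, since the note does not give them.

```python
import ipaddress
from typing import Optional

# The managed /24 and its three address tiers from the note. The ranges
# fall on CIDR boundaries, so firewall rules can name them as prefixes.
MANAGED_NET = ipaddress.ip_network("192.168.0.0/24")
TIERS = {
    "core": ipaddress.ip_network("192.168.0.0/26"),    # .0   - .63
    "aux":  ipaddress.ip_network("192.168.0.64/26"),   # .64  - .127
    "user": ipaddress.ip_network("192.168.0.128/25"),  # .128 - .255
}
# Assumption: the note does not state the unmanaged vLAN's subnet.
UNMANAGED_NET = ipaddress.ip_network("192.168.2.0/24")
VLAN_NETS = {1: MANAGED_NET, 2: UNMANAGED_NET}  # vLAN id -> subnet

def tiers_partition_subnet() -> bool:
    """True if the three tier prefixes exactly cover the managed /24."""
    return list(ipaddress.collapse_addresses(TIERS.values())) == [MANAGED_NET]

def tier_of(addr: str) -> Optional[str]:
    """Name of the tier an address belongs to, or None if outside the /24."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), None)

def ingress_verdict(vlan: int, src: str, dst: str) -> str:
    """Verdict for an IP packet arriving on `vlan`. Assumed policy:
    1. the source must belong to the arriving vLAN's subnet (anti-spoofing);
    2. unmanaged hosts (vLAN 2) may not reach the admin-only tiers."""
    if vlan not in VLAN_NETS:
        return "drop: unknown vlan"
    if ipaddress.ip_address(src) not in VLAN_NETS[vlan]:
        return "drop: spoofed source"
    if vlan == 2 and tier_of(dst) in ("core", "aux"):
        return "drop: unmanaged host to admin-only tier"
    return "accept"

def nft_rules(ifname: str = "vlan2") -> list:
    """Render rules 1 and 2 as nftables rules on the unmanaged vLAN's
    interface (the interface name is an assumption)."""
    admin_only = ", ".join(str(TIERS[t]) for t in ("core", "aux"))
    return [
        f'iifname "{ifname}" ip saddr != {UNMANAGED_NET} drop',
        f'iifname "{ifname}" ip daddr {{ {admin_only} }} drop',
    ]

if __name__ == "__main__":
    print("prefixes cover /24:", tiers_partition_subnet())
    for pkt in [(2, "192.168.2.10", "192.168.0.200"),   # accept
                (2, "192.168.0.5", "192.168.0.200"),    # spoofed source
                (2, "192.168.2.10", "192.168.0.70")]:   # admin-only tier
        print(pkt, "->", ingress_verdict(*pkt))
    print("\n".join(nft_rules()))
```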