Network Structure

We divide our network into 2 vLANs:

  • Managed (1) - Hosts where only the admins have root access
  • Unmanaged (2) - Hosts where any other user has root access.

Managed

In our managed vLAN, we have a few other subnets for things like k8s, but our main one is 192.168.0.0/24.

For convenience when writing firewall rules, we further divide this into 3 prefixes:

Note that no matter the prefix, the subnet is still the same (/24).

Unmanaged

We put these on a separate vLAN to prevent IP/ARP spoofing and other LAN attacks that are possible with root access.

Any unmanaged host must use the unmanaged subnet, and must go through the router's port on that vLAN in order to access anything outside that vLAN. This is so we can monitor/firewall traffic.
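
As an added example (not part of this wiki's own configuration), the following Python check runs over observations taken on the router's vLAN ports and flags the spoofing cases this separation is meant to contain. Only 192.168.0.0/24 and the vLAN numbers come from this page; the unmanaged subnet 198.51.100.0/24 is a placeholder, and the `audit` function and sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MANAGED_MAIN = ipaddress.ip_network("192.168.0.0/24")  # main managed subnet (from this page)
# Placeholder: this page does not state the unmanaged subnet.
UNMANAGED_SUBNET = ipaddress.ip_network("198.51.100.0/24")
UNMANAGED_VLAN = 2

def audit(observations):
    """observations: iterable of (vlan_id, src_mac, src_ip) seen on the router's vLAN ports.

    Returns a list of (reason, vlan_id, src_mac, src_ip) findings.
    vLAN 1 sources are not range-checked because the managed vLAN
    carries other subnets that this page does not list.
    """
    findings = []
    macs_by_ip = defaultdict(set)
    for vlan, mac, ip_text in observations:
        ip = ipaddress.ip_address(ip_text)
        mac = mac.lower()
        if vlan == UNMANAGED_VLAN:
            if ip in MANAGED_MAIN:
                # A root user on an unmanaged host claiming a managed address.
                findings.append(("managed-address-on-unmanaged-vlan", vlan, mac, ip_text))
            elif ip not in UNMANAGED_SUBNET:
                findings.append(("source-outside-unmanaged-subnet", vlan, mac, ip_text))
        # One IP answered for by two MACs on the same vLAN is the usual
        # ARP spoofing signature (address reassignment can also cause it).
        seen = macs_by_ip[(vlan, ip)]
        seen.add(mac)
        if len(seen) == 2:
            findings.append(("ip-claimed-by-second-mac", vlan, mac, ip_text))
    return findings

# Constructed sample observations (not real traffic).
SAMPLE = [
    (1, "02:00:00:00:00:0a", "192.168.0.10"),
    (2, "02:00:00:00:01:01", "198.51.100.21"),
    (2, "02:00:00:00:01:02", "192.168.0.10"),   # managed address on vLAN 2
    (2, "02:00:00:00:01:03", "10.9.9.9"),       # outside the unmanaged subnet
    (2, "02:00:00:00:01:04", "198.51.100.21"),  # second MAC for the same IP
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```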

hosts/network.txt · Last modified: 2023/08/24 14:52 by tcmal