VLAN Design
VLAN Overview

| VLAN ID | Name | Subnet | Gateway | MTU | Purpose |
|---|---|---|---|---|---|
| 1 | zrh-default-v1 | 10.1.1.0/24 | 10.1.1.1 | 1500 | UniFi Devices |
| 10 | zrh-mgmt-v10 | 10.10.10.0/24 | 10.10.10.1 | 1500 | Management |
| 20 | zrh-san-v20 | 10.20.20.0/24 | - | 9000 | Storage (isolated) |
| 30 | zrh-srv-v30 | 10.30.30.0/24 | 10.30.30.1 | 9000 | Servers |
| 40 | zrh-clt-v40 | 10.40.40.0/22 | 10.40.40.1 | 1500 | Clients |
| 50 | zrh-dmz-v50 | 10.50.50.0/28 | 10.50.50.1 | 1500 | DMZ |
| 60 | zrh-vpn-v60 | 10.60.60.0/24 | 10.60.60.1 | 1280 | VPN |
UniFi Network Configuration

VLAN 1 - Default (zrh-default-v1)

| Setting | Value |
|---|---|
| Name | zrh-default-v1 |
| Router | fw-edge-zrh-01 |
| Zone | Internal |
| VLAN ID | 1 |
| Gateway/Subnet | 10.1.1.1/24 |
| DHCP Mode | DHCP Server |
| DHCP Range | 10.1.1.100 - 10.1.1.254 |
| Allow Internet Access | Yes |

VLAN 10 - Management (zrh-mgmt-v10)

| Setting | Value |
|---|---|
| Name | zrh-mgmt-v10 |
| Router | fw-edge-zrh-01 |
| Zone | Internal |
| VLAN ID | 10 |
| Gateway/Subnet | 10.10.10.1/24 |
| DHCP Mode | None |
| Domain Name | corp.microsoftlab.ch |
| Allow Internet Access | Yes |
| IGMP Snooping | Off |

VLAN 20 - Storage (zrh-san-v20)

| Setting | Value |
|---|---|
| Name | zrh-san-v20 |
| Network Type | VLAN Only (no router!) |
| VLAN ID | 20 |
| MTU | 9000 |

Important: VLAN 20 has no gateway; it is an isolated storage network.

VLAN 30 - Servers (zrh-srv-v30)

| Setting | Value |
|---|---|
| Name | zrh-srv-v30 |
| Router | fw-edge-zrh-01 |
| Zone | Internal |
| VLAN ID | 30 |
| Gateway/Subnet | 10.30.30.1/24 |
| DHCP Mode | None (DHCP on srv-dc-zrh-01) |
| Domain Name | corp.microsoftlab.ch |
| MTU | 9000 |
| Allow Internet Access | No (blocked by firewall) |

VLAN 40 - Clients (zrh-clt-v40)

| Setting | Value |
|---|---|
| Name | zrh-clt-v40 |
| Router | fw-edge-zrh-01 |
| Zone | Internal |
| VLAN ID | 40 |
| Gateway/Subnet | 10.40.40.1/22 |
| DHCP Mode | None (DHCP on srv-dc-zrh-01) |
| Domain Name | corp.microsoftlab.ch |
| Allow Internet Access | Yes |

VLAN 50 - DMZ (zrh-dmz-v50)

| Setting | Value |
|---|---|
| Name | zrh-dmz-v50 |
| Router | fw-edge-zrh-01 |
| Zone | DMZ |
| VLAN ID | 50 |
| Gateway/Subnet | 10.50.50.1/28 |
| DHCP Mode | None |
| Allow Internet Access | Yes (restricted) |

VLAN 60 - VPN (zrh-vpn-v60)

| Setting | Value |
|---|---|
| Name | zrh-vpn-v60 |
| Router | fw-edge-zrh-01 |
| Zone | Internal |
| VLAN ID | 60 |
| Gateway/Subnet | 10.60.60.1/24 |
| DHCP Mode | None (WireGuard assigns IPs) |
| Allow Internet Access | Yes |

Inter-VLAN Routing
All routing is handled by fw-edge-zrh-01 (UniFi Enterprise Fortress Gateway).
Routing Matrix

| From \ To | MGMT | SAN | SRV | CLT | DMZ | VPN |
|---|---|---|---|---|---|---|
| MGMT | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| SAN | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ |
| SRV | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ |
| CLT | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ |
| DMZ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ |
| VPN | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ |
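The VLAN table and the routing matrix above are easy to misread by hand, and the matrix is not symmetric (MGMT may reach DMZ, DMZ may not reach MGMT), so it only works as written if the gateway tracks connection state. The following is an added example, not code from the page or from UniFi: it encodes the table and matrix as data, resolves a source and destination address to their VLANs with the standard library `ipaddress` module, and reports whether the design permits that flow. It also audits the matrix for one-way pairs and for routed pairs whose MTUs differ. It assumes a row in the matrix means "may initiate a connection to" (consistent with the asymmetric MGMT/DMZ entry), leaves VLAN 1 out because the matrix does not cover it, and the addresses in the demo are constructed.

```python
"""Added example (not part of the original design page): the VLAN table and the
routing matrix as data, plus a flow check and two audits over them.
Assumption: a matrix row is the source VLAN and a 1 means "may initiate to"."""
import ipaddress

# VLAN table from the page: id -> (matrix name, subnet, gateway, MTU).
# VLAN 1 (zrh-default-v1) is omitted because the routing matrix has no row for it.
VLANS = {
    10: ("MGMT", "10.10.10.0/24", "10.10.10.1", 1500),
    20: ("SAN",  "10.20.20.0/24", None,         9000),   # no gateway: isolated
    30: ("SRV",  "10.30.30.0/24", "10.30.30.1", 9000),
    40: ("CLT",  "10.40.40.0/22", "10.40.40.1", 1500),
    50: ("DMZ",  "10.50.50.0/28", "10.50.50.1", 1500),
    60: ("VPN",  "10.60.60.0/24", "10.60.60.1", 1280),
}

# Routing matrix from the page, row = source, column order = ZONES, 1 = permitted.
ZONES = ["MGMT", "SAN", "SRV", "CLT", "DMZ", "VPN"]
MATRIX = {
    "MGMT": [1, 0, 1, 1, 1, 1],
    "SAN":  [0, 1, 0, 0, 0, 0],
    "SRV":  [1, 0, 1, 1, 0, 1],
    "CLT":  [1, 0, 1, 1, 0, 1],
    "DMZ":  [0, 0, 0, 0, 1, 0],
    "VPN":  [1, 0, 1, 1, 0, 1],
}


def allowed(src_zone, dst_zone):
    """True if the matrix permits src_zone to initiate traffic to dst_zone."""
    return bool(MATRIX[src_zone][ZONES.index(dst_zone)])


def zone_of(ip):
    """Map an address to its matrix name, or None if it is in no listed VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, subnet, _gw, _mtu in VLANS.values():
        if addr in ipaddress.ip_network(subnet):
            return name
    return None


def flow_permitted(src_ip, dst_ip):
    """Return (permitted, reason) for a flow between two addresses.
    A source VLAN with no gateway can never reach another VLAN, whatever the
    matrix says: nothing routes on its behalf."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address not in any defined VLAN"
    if src == dst:
        return True, "same VLAN, switched, not routed"
    src_gw = next(gw for name, _s, gw, _m in VLANS.values() if name == src)
    if src_gw is None:
        return False, f"{src} has no gateway"
    if allowed(src, dst):
        return True, f"{src} -> {dst} permitted by routing matrix"
    return False, f"{src} -> {dst} denied by routing matrix"


def asymmetric_pairs():
    """Pairs permitted in one direction only, returned as (initiator, target).
    Replies for these flows exist only because the gateway keeps connection
    state; a stateless ACL built from the matrix would break them."""
    out = []
    for a in ZONES:
        for b in ZONES:
            if a < b and allowed(a, b) != allowed(b, a):
                out.append((a, b) if allowed(a, b) else (b, a))
    return out


def mtu_mismatches():
    """Routed pairs whose VLANs carry different MTUs; large frames crossing
    them depend on the gateway fragmenting or on path MTU discovery working."""
    mtu = {name: m for name, _s, _gw, m in VLANS.values()}
    out = []
    for a in ZONES:
        for b in ZONES:
            if a < b and (allowed(a, b) or allowed(b, a)) and mtu[a] != mtu[b]:
                out.append((a, b, mtu[a], mtu[b]))
    return out


if __name__ == "__main__":
    # Constructed sample addresses, one per VLAN of interest.
    for s, d in [("10.40.41.7", "10.30.30.5"), ("10.50.50.3", "10.30.30.5"),
                 ("10.20.20.5", "10.30.30.5")]:
        print(s, "->", d, flow_permitted(s, d))
    print("one-way pairs:", asymmetric_pairs())
    print("MTU mismatches:", mtu_mismatches())
```

The audits are the part worth running after every change to the matrix: a new one-way entry is a new dependency on stateful inspection at fw-edge-zrh-01, and any routed pair that spans the 9000-byte server and storage side and a 1500- or 1280-byte side is where unexplained stalls on large transfers usually come from.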