Network Reference

Complete network reference for the Domus Digitalis infrastructure. Pairs with the infrastructure radial diagram in Vault Enterprise Hardening Roadmap.

1. Architecture Overview

[Figure: Infrastructure Overview]

2. Network Segments

2.1. Dedicated Interfaces (Not VLANs)

| VyOS IF | Name | Subnet | Purpose |
|---------|------|--------|---------|
| eth1 | MGMT | 10.50.1.0/24 | Management - servers, switches, infrastructure |
| eth0 | WAN | 192.168.1.0/24 | ISP uplink (DHCP from ISP router) |

MGMT is a dedicated interface on VyOS, NOT a VLAN. This provides Layer 2 isolation without 802.1Q tagging overhead. The VyOS HA pair uses VRRP with the VIP at 10.50.1.1.

2.2. VLAN Allocation

Infrastructure VLANs (servers/services):

| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 100 | INFRA | 10.50.1.0/24 | Network hardware, hypervisors, k3s nodes |
| 110 | SECURITY | 10.50.110.0/24 | Crown jewels: Vault, ISE, secrets |
| 120 | SERVICES | 10.50.120.0/24 | General VMs: Keycloak, Gitea, FreeIPA, BIND |

Client VLANs (endpoints only):

| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 10 | DATA | 10.50.10.0/24 | Corporate wired/wireless devices |
| 20 | VOICE | 10.50.20.0/24 | VoIP phones (QoS) |
| 30 | GUEST | 10.50.30.0/24 | Guest portal (internet only) |
| 40 | IOT | 10.50.40.0/24 | IoT devices, limited access |
| 999 | CRITICAL_AUTH | — | 802.1X failure quarantine (no gateway) |

2.3. VyOS Interface Mapping

| Interface | Description | IP Address | Type |
|-----------|-------------|------------|------|
| eth0 | WAN | 192.168.1.x (DHCP) | Dedicated |
| eth1 | MGMT | 10.50.1.2/10.50.1.3 (VRRP VIP: 10.50.1.1) | Dedicated |
| eth1.10 | DATA_VLAN | 10.50.10.1 | VLAN 10 |
| eth1.20 | VOICE_VLAN | 10.50.20.1 | VLAN 20 |
| eth1.30 | GUEST_VLAN | 10.50.30.1 | VLAN 30 |
| eth1.40 | RESEARCH_VLAN | 10.50.40.1 | VLAN 40 |

VyOS HA pair (vyos-01 at 10.50.1.2, vyos-02 at 10.50.1.3) provides VRRP failover with VIP at 10.50.1.1.

3. IP Range Allocation (MGMT: 10.50.1.0/24)

| IP Range | Purpose | Status |
|----------|---------|--------|
| 10.50.1.1-3 | Gateway (VyOS HA) | Allocated (.1=VIP, .2=vyos-02, .3=vyos-01) |
| 10.50.1.10-19 | Network Devices (Switches) | Allocated (3560CX, C9300) |
| 10.50.1.20-29 | Identity Services (ISE HA) | Allocated (ise-01, ise-02) |
| 10.50.1.30-39 | iPSK Manager (HA) | Allocated (ipsk-mgr-01/02) |
| 10.50.1.40-49 | Wireless (WLC, APs) | Allocated (9800-CL-WLC) |
| 10.50.1.50-59 | Domain Controllers (AD DS) | Allocated (home-dc01/02) |
| 10.50.1.60-69 | PKI & Secrets (Vault HA) | Allocated (vault-01/02/03) |
| 10.50.1.70-79 | Storage & Git | Allocated (NAS, Gitea, MinIO) |
| 10.50.1.80-89 | IdP/SSO (Keycloak) | Allocated (keycloak-01/02) |
| 10.50.1.90-99 | DNS (BIND) | Allocated (bind-01/02) |
| 10.50.1.100-109 | LDAP/Directory (FreeIPA) | Allocated (ipa-01/02) |
| 10.50.1.110-111 | Hypervisors | Allocated (kvm-01=.110, kvm-02=.111) |
| 10.50.1.112-119 | Reserved for Expansion | Available |
| 10.50.1.120-125 | k3s Cluster Nodes | Allocated (3 masters + 3 workers) |
| 10.50.1.128-143 | Cilium BGP LB Pool | Allocated (10.50.1.128/28) |
| 10.50.1.144-149 | Reserved for Growth | Available |
| 10.50.1.150-159 | EVE-NG Lab Infrastructure | Allocated (.150=eve-ng-01 on kvm-01) |
| 10.50.1.160-199 | Reserved for Growth | Available |
| 10.50.1.200-201 | IPMI/OOB Management | Allocated (ipmi-01/02) |

Load balancing is handled by Traefik (k3s ingress); no dedicated LB IPs are needed.

4. Current Allocations

4.1. Gateway & Core (.1-9)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.1 | vyos (VIP) | VyOS HA firewall/router (VRRP VIP) |
| 10.50.1.2 | vyos-01 | VyOS HA primary node |
| 10.50.1.3 | vyos-02 | VyOS HA secondary node |

4.2. Network Devices (.10-19)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.10 | 3560cx-01 | Cisco 3560-CX access switch (802.1X) |
| 10.50.1.11 | 9300-01 | Cisco Catalyst 9300 distribution (TrustSec SGT) |

4.3. Identity Services (.20-29)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.20 | ise-01 | ISE PAN/MnT/PSN primary |
| 10.50.1.21 | ise-02 | ISE PSN/MnT secondary (HA) |

4.4. iPSK Manager (.30-39)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.30 | ipsk-mgr-01 | iPSK self-service portal primary |
| 10.50.1.31 | ipsk-mgr-02 | iPSK secondary (MySQL replication) |

4.5. Wireless (.40-49)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.40 | wlc-01 | Cisco C9800-CL Wireless Controller |

4.6. Domain Controllers (.50-59)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.50 | home-dc01 | Windows Server 2025 Core (AD DS primary) |
| 10.50.1.51 | home-dc02 | Windows Server 2025 Core (AD DS replica) |

4.7. PKI & Secrets (.60-69)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.60 | vault-01 | Vault HA Leader + DOMUS-ROOT-CA + DOMUS-ISSUING-CA |
| 10.50.1.61 | vault-02 | Vault HA Standby (Raft follower) |
| 10.50.1.62 | vault-03 | Vault HA Standby (Raft follower) |

4.8. Storage & Git (.70-79)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.70 | nas-01 | Synology DS1621+ (NFS, iSCSI, Docker) |
| 10.50.1.71 | nas-02 | Synology backup NAS (rsync target) |
| 10.50.1.72 | gitea-01 | Gitea Git server (Docker on nas-01) |
| 10.50.1.73 | minio-01 | MinIO S3-compatible object storage (planned) |

4.9. IdP/SSO (.80-89)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.80 | keycloak-01 | Keycloak IdP (SAML 2.0, OIDC) |
| 10.50.1.81 | keycloak-02 | Keycloak secondary (planned) |

4.10. DNS Services (.90-99)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.90 | bind-01 | BIND9 authoritative DNS primary |
| 10.50.1.91 | bind-02 | BIND9 DNS secondary (zone transfer) |
| 10.50.1.99 | kvm-01 | Supermicro KVM hypervisor (Host A) |

4.11. LDAP/Directory (.100-109)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.100 | ipa-01 | FreeIPA primary (LDAP, Kerberos) |
| 10.50.1.101 | ipa-02 | FreeIPA replica (planned) |

4.12. Available (.110-119)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.110-119 | unassigned | Available for future services |

4.13. k3s Cluster (.120-129)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.120 | k3s-master-01 | k3s control plane (Rocky 9, Cilium CNI) - Active |
| 10.50.1.121 | k3s-master-02 | k3s control plane (planned - Host B) |
| 10.50.1.122 | k3s-master-03 | k3s control plane (planned - HA quorum) |
| 10.50.1.123-125 | k3s-worker-* | k3s worker nodes (planned) |

4.14. MetalLB LoadBalancer Pool (.130-140)

| IP | Service | Purpose |
|----|---------|---------|
| 10.50.1.130 | traefik-lb | Traefik Ingress VIP (HTTP/HTTPS) |
| 10.50.1.131 | available | MetalLB pool |
| 10.50.1.132 | available | MetalLB pool |
| 10.50.1.133-140 | available | MetalLB pool (reserved) |

Monitoring services (Prometheus, Grafana, AlertManager) run on k3s and are accessed via Traefik Ingress at 10.50.1.130:443. No dedicated IPs needed.

4.15. IPMI/OOB (.200+)

| IP | Hostname | Purpose |
|----|----------|---------|
| 10.50.1.200 | ipmi-01 | Supermicro BMC (Host A) |
| 10.50.1.201 | ipmi-02 | Supermicro BMC (Host B - planned) |

5. Service Ports

5.1. Authentication & Identity

| Port | Protocol | Service |
|------|----------|---------|
| 88 | TCP/UDP | Kerberos KDC (AD, FreeIPA) |
| 389 | TCP | LDAP (AD, FreeIPA) |
| 636 | TCP | LDAPS (secure LDAP) |
| 3268 | TCP | AD Global Catalog |
| 3269 | TCP | AD Global Catalog (SSL) |
| 1812 | UDP | RADIUS Authentication (ISE) |
| 1813 | UDP | RADIUS Accounting (ISE) |
| 49 | TCP | TACACS+ (ISE) |

5.2. Network Services

| Port | Protocol | Service |
|------|----------|---------|
| 53 | TCP/UDP | DNS (BIND, VyOS) |
| 67 | UDP | DHCP Server |
| 68 | UDP | DHCP Client |
| 123 | UDP | NTP |
| 22 | TCP | SSH |
| 443 | TCP | HTTPS (Web UIs) |

5.3. PKI & Secrets

| Port | Protocol | Service |
|------|----------|---------|
| 8200 | TCP | Vault API (HTTPS) |
| 8201 | TCP | Vault Cluster (Raft) |

5.4. Infrastructure Services

| Port | Protocol | Service |
|------|----------|---------|
| 5432 | TCP | PostgreSQL (Keycloak DB) |
| 3306 | TCP | MySQL (iPSK Manager) |
| 9090 | TCP | Prometheus metrics |
| 3000 | TCP | Grafana web UI |
| 9000 | TCP | MinIO API |
| 9001 | TCP | MinIO Console |
| 2049 | TCP/UDP | NFS (Synology) |
| 3260 | TCP | iSCSI (Synology) |

5.5. Wireless & ISE

| Port | Protocol | Service |
|------|----------|---------|
| 5246 | UDP | CAPWAP Control (WLC) |
| 5247 | UDP | CAPWAP Data (WLC) |
| 8443 | TCP | ISE Admin (HTTPS) |
| 8905 | TCP | ISE Posture/CPP |
| 9060 | TCP | ISE ERS API |

6. DNS Zones

6.1. Internal Zones (BIND)

| Zone | Purpose |
|------|---------|
| inside.domusdigitalis.dev | Internal services (A records for servers) |
| 1.50.10.in-addr.arpa | Reverse DNS for 10.50.1.0/24 |

6.2. External Zones (Cloudflare)

| Zone | Purpose |
|------|---------|
| domusdigitalis.dev | Public DNS (guest portal, docs) |
| docs.domusdigitalis.dev | Antora documentation (Cloudflare Pages) |
| guest.domusdigitalis.dev | ISE guest portal (Let’s Encrypt cert) |

7. Naming Convention

| Type | Pattern | Example |
|------|---------|---------|
| Internal services | <service>-<##>.inside.domusdigitalis.dev | ise-01.inside.domusdigitalis.dev |
| HA pairs | <service>-01 (primary), <service>-02 (secondary) | vault-01, vault-02 |
| Kubernetes | k3s-<role>-<##> | k3s-master-01, k3s-worker-01 |
| External portals | <service>.domusdigitalis.dev | guest.domusdigitalis.dev |
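A plan like the one in sections 3, 4 and 6 drifts unless something checks it. The script below is an added example, not part of the Domus Digitalis documentation: it transcribes the MGMT range table and a handful of host assignments from this page as constructed input, verifies that every range stays inside 10.50.1.0/24 and that no two ranges overlap, lists the unallocated gaps, reports which range a given host actually lands in, and emits A and PTR records for inside.domusdigitalis.dev and 1.50.10.in-addr.arpa following the naming convention in section 7. Function names (`parse_range`, `check_plan`, `range_for`, `zone_records`) and the output format are this example's own choices.

```python
"""IPAM sanity check and BIND record generation for the MGMT plan.

Added example; RANGES and HOSTS are transcribed from this page's tables.
"""
import ipaddress
import re

MGMT = ipaddress.ip_network("10.50.1.0/24")
INTERNAL_ZONE = "inside.domusdigitalis.dev"

# (range as written in the plan, purpose) - transcribed from section 3.
RANGES = [
    ("10.50.1.1-3", "Gateway (VyOS HA)"),
    ("10.50.1.10-19", "Network Devices (Switches)"),
    ("10.50.1.20-29", "Identity Services (ISE HA)"),
    ("10.50.1.30-39", "iPSK Manager (HA)"),
    ("10.50.1.40-49", "Wireless (WLC, APs)"),
    ("10.50.1.50-59", "Domain Controllers (AD DS)"),
    ("10.50.1.60-69", "PKI & Secrets (Vault HA)"),
    ("10.50.1.70-79", "Storage & Git"),
    ("10.50.1.80-89", "IdP/SSO (Keycloak)"),
    ("10.50.1.90-99", "DNS (BIND)"),
    ("10.50.1.100-109", "LDAP/Directory (FreeIPA)"),
    ("10.50.1.110-111", "Hypervisors"),
    ("10.50.1.112-119", "Reserved for Expansion"),
    ("10.50.1.120-125", "k3s Cluster Nodes"),
    ("10.50.1.128/28", "Cilium BGP LB Pool"),
    ("10.50.1.144-149", "Reserved for Growth"),
    ("10.50.1.150-159", "EVE-NG Lab Infrastructure"),
    ("10.50.1.160-199", "Reserved for Growth"),
    ("10.50.1.200-201", "IPMI/OOB Management"),
]

# (hostname, IP) - a subset of section 4, transcribed as written there.
HOSTS = [
    ("vyos-01", "10.50.1.2"),
    ("ise-01", "10.50.1.20"),
    ("vault-01", "10.50.1.60"),
    ("bind-01", "10.50.1.90"),
    ("kvm-01", "10.50.1.99"),
    ("k3s-master-01", "10.50.1.120"),
    ("ipmi-01", "10.50.1.200"),
]


def parse_range(spec):
    """Turn '10.50.1.10-19' or '10.50.1.128/28' into (first, last) addresses."""
    if "/" in spec:
        net = ipaddress.ip_network(spec)
        return net[0], net[-1]
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", spec)
    if not m:
        raise ValueError(f"unrecognised range: {spec}")
    prefix, lo, hi = m.groups()
    first, last = ipaddress.ip_address(prefix + lo), ipaddress.ip_address(prefix + hi)
    if last < first:
        raise ValueError(f"range runs backwards: {spec}")
    return first, last


def check_plan(ranges=RANGES, subnet=MGMT):
    """Return (problems, unallocated): out-of-subnet/overlap messages and
    the (first, last) host-address gaps that no range claims."""
    problems, spans = [], []
    for spec, purpose in ranges:
        first, last = parse_range(spec)
        if first not in subnet or last not in subnet:
            problems.append(f"{spec} ({purpose}) leaves {subnet}")
        spans.append((first, last, spec))
    spans.sort()
    for (_, b1, s1), (a2, _, s2) in zip(spans, spans[1:]):
        if a2 <= b1:  # next range starts before the previous one ends
            problems.append(f"{s1} overlaps {s2}")
    unallocated, cursor = [], subnet[1]  # subnet[0] is the network address
    for first, last, _ in spans:
        if first > cursor:
            unallocated.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= subnet[-2]:  # subnet[-1] is the broadcast address
        unallocated.append((cursor, subnet[-2]))
    return problems, unallocated


def range_for(ip, ranges=RANGES):
    """Purpose of the range an address falls in, or None if unallocated."""
    addr = ipaddress.ip_address(ip)
    for spec, purpose in ranges:
        first, last = parse_range(spec)
        if first <= addr <= last:
            return purpose
    return None


def zone_records(hosts=HOSTS, zone=INTERNAL_ZONE):
    """(A records, PTR records) in the <service>-<##>.<zone> convention."""
    a_records = [f"{h}.{zone}. IN A {ip}" for h, ip in hosts]
    ptr_records = [f"{ipaddress.ip_address(ip).reverse_pointer}. IN PTR {h}.{zone}."
                   for h, ip in hosts]
    return a_records, ptr_records


if __name__ == "__main__":
    problems, gaps = check_plan()
    print("problems:", problems or "none")
    for first, last in gaps:
        print(f"unallocated: {first}-{last}")
    for h, ip in HOSTS:
        print(f"{h:14} {ip:14} -> {range_for(ip)}")
    for line in zone_records()[1]:
        print(line)
```

Run as-is, it reports no overlaps, three unallocated gaps (.4-.9, .126-.127, .202-.254), and shows each transcribed host against the range its address falls in; feed it a revised RANGES list before committing a change to the plan and the overlap check catches a range that was widened into its neighbour. Authoritative BIND zones should be generated from one source like this rather than hand-edited, so forward and reverse records cannot disagree.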

8. Hypervisor Allocation

For detailed network discovery (interfaces, bridges, storage pools), see KVM Network Discovery.

8.1. Host A (KVM-01) - Production

| VM | vCPU | RAM | Role |
|----|------|-----|------|
| vyos-01 | 4 (pinned 0-3) | 4GB | VyOS HA Master (VRRP + Zone Firewall + BGP) |
| home-dc01 | 2 (pinned 4-5) | 4GB | AD DS / GPO / Kerberos |
| ise-01 | 4 (pinned 6-9) | 16GB | ISE 3.4 RADIUS/NAC |
| 9800-CL-WLC | 4 (pinned 10-13) | 16GB | Wireless Controller |
| vault-01 | 1 | 1GB | Vault PKI + SSH CA |
| k3s-master-01 | 4 | 8GB | Kubernetes (Cilium CNI) |
| ipsk-manager | 2 | 4GB | iPSK Self-Service Portal |
| keycloak-01 | 2 | 4GB | SAML/OIDC IdP |
| bind-01 | 2 | 2GB | Authoritative DNS |
| ipa-01 | 2 | 4GB | FreeIPA (Linux auth) |

Total: 27 vCPU, 63GB RAM. Host has 6C/12T and 128GB RAM.

8.2. Host B (KVM-02) - Planned DR

| VM | vCPU | RAM | Purpose |
|----|------|-----|---------|
| ise-02 ✓ | 4 | 12GB | ISE 3.5 (temp primary) - DEPLOYED |
| ipsk-mgr-02 | 2 | 4GB | iPSK Self-Service Portal HA |
| vault-02 ✓ | 2 | 4GB | Vault HA (Raft follower) - DEPLOYED |
| vault-03 ✓ | 2 | 4GB | Vault HA (Raft follower) - DEPLOYED |
| home-dc02 | 2 | 4GB | AD DS Secondary |
| bind-02 ✓ | 1 | 2GB | DNS Secondary (AXFR slave) - DEPLOYED |
| ipa-02 | 2 | 4GB | FreeIPA Replica (LDAP HA) |
| vyos-02 ✓ | 2 | 2GB | VyOS Router HA (VRRP backup) - DEPLOYED |
| k3s-master-02 | 4 | 8GB | k3s HA control plane |
| k3s-master-03 | 4 | 8GB | k3s HA control plane |
| k3s-worker-01 | 4 | 8GB | k3s workloads |
| k3s-worker-02 | 4 | 8GB | k3s workloads |
| k3s-worker-03 | 4 | 8GB | k3s workloads |
| 9800-WLC-02 ✓ | 4 | 16GB | WLC HA Standby (SSO) - DEPLOYED |