The CWX network uses a structured VLAN architecture to separate production systems, client devices, management appliances, and development environments.
VLANs are implemented on all CWX datacenter-grade sites, with clearly defined routing, firewalling, and access controls.
Segmentation is designed around:
- Security (prevent lateral movement)
- Performance (control broadcast domains)
- Access control & policy enforcement
- Scalability (multipurpose /21 and /23 networks)
- Consistency across all CWX sites
A VLAN (Virtual Local Area Network) allows multiple isolated networks to exist on the same physical switching infrastructure.
Key benefits:
- Isolation between devices and services
- Cleaner network hierarchy
- Reduced broadcast traffic
- Ability to apply firewall rules per segment
- Easier extension of networks across multiple switches
Switch port types:
- Access Port: One VLAN only (endpoint devices, servers, sensors)
- Trunk Port: Multiple VLANs tagged (switch-to-switch, switch-to-router, hypervisors)
Inter-VLAN routing is performed by:
- MikroTik router
- VyOS router
- Firewall appliances
Policies control which VLANs can communicate.
CWX VLAN usage ensures:
- Production workloads separated from clients
- IoT & sensors isolated for security
- Management interfaces unreachable from users
- Development/testing environments isolated
- Simplified firewalling and monitoring
LOK3 — VUKOMEREC (Main Datacenter)
LOK3 is a core CWX datacenter with multiple servers, IoT systems, environmental sensors, and critical security infrastructure.
It uses four VLANs, each with a specific role.
Subnet: 10.232.50.0/23
Purpose:
- WiFi clients
- General workstations
- Mobile devices
- IoT devices (TVs, printers, home automation where applicable)
Access Control:
- NO access to VLAN200
- Can reach internet
- Can reach selected services via firewall rules (DNS, DHCP, routing gateway)
- Lowest trust zone in the datacenter
Subnet: 172.16.0.0/21
Purpose:
- Cameras (IP CCTV)
- Sensors (temperature, humidity, power, UPS communication)
- Alarm systems
- Environmental monitoring
- Power distribution network
- iLO / iDRAC / IPMI interfaces
- Local BMC / OOB management
- Networking out-of-band management
Access Control:
- No internet access
- Only accessible from VLAN200 (Production Admin VLAN)
- Firewall-fenced as a management and security zone
- Zero-trust posture towards non-admin networks (no implicit access)
Subnet: 10.130.100.0/24
Purpose:
- Ceph storage backend
- Cluster replication
- Heartbeat and OSD traffic
Characteristics:
- Layer-2 ONLY (no routing)
- MTU 9000 Jumbo Frames
- Dedicated 10/25/40G links depending on node
- Critical for performance of Proxmox/Ceph
Access:
- Not reachable from any other VLAN
- No internet
- Only storage nodes participate
Subnet: 10.237.120.0/21
Purpose:
- All production virtual machines
- All physical servers
- Storage nodes
- Proxmox clusters
- Databases
- Monitoring stack
- PKI, DNS, DHCP, SSO
- All core CWX backend services
Access Control:
- Can access all other VLANs
- Not reachable from VLAN10
- Can reach VLAN600 test environment
- Primary high-trust administrative and workload segment
Subnet: 192.168.84.0/23
Purpose:
- Development virtual machines
- Kubernetes test clusters
- Sandbox servers
- Application testing
- Experimental services
Access Control:
- Only permitted to reach VLAN200
- No access to VLAN10 or VLAN30
- Internet access allowed depending on firewall policy
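The LOK3 access matrix above expressed as policy-as-code, added here as an example and not CWX's own tooling: the subnets are the ones documented above, while the zone labels, the rule format and the candidate rules are assumptions. `audit_rules` flags any accept rule that would open a zone-to-zone flow the matrix denies, which is the check to run before pushing a ruleset to the MikroTik/VyOS routers.

```python
from ipaddress import ip_network

# Subnets as documented for LOK3; the zone labels are this example's own.
ZONES = {
    "clients":    ip_network("10.232.50.0/23"),
    "management": ip_network("172.16.0.0/21"),
    "storage":    ip_network("10.130.100.0/24"),
    "production": ip_network("10.237.120.0/21"),
    "dev":        ip_network("192.168.84.0/23"),
}
# Routed zone-to-zone flows the page permits; any pair not listed is denied. Storage is
# layer-2 only (no gateway), and the clients' DNS/DHCP exceptions are gateway services.
ALLOWED = {
    "production": {"clients", "management", "dev"},
    "dev": {"production"},
    "clients": set(),
    "management": set(),
    "storage": set(),
}

def zone_of(addr: str):
    """Zone whose documented subnet contains `addr` (host or prefix), else None."""
    net = ip_network(addr, strict=False)
    return next((z for z, s in ZONES.items() if net.subnet_of(s)), None)

def is_allowed(src: str, dst: str) -> bool:
    """Is a routed flow from src to dst permitted by the access matrix?"""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False                     # unknown address space: default deny
    if sz == dz:
        return True                      # intra-VLAN traffic is switched, not firewalled
    return dz in ALLOWED[sz]

def audit_rules(rules: list) -> list:
    """Return one finding per accept rule that opens a flow the matrix denies."""
    return [f'{r["comment"]}: {zone_of(r["src"])} -> {zone_of(r["dst"])} not permitted'
            for r in rules
            if r["action"] == "accept" and not is_allowed(r["src"], r["dst"])]

# Constructed candidate ruleset to audit (not CWX's real firewall configuration).
CANDIDATE_RULES = [
    {"action": "accept", "src": "10.237.120.0/21", "dst": "172.16.0.0/21", "comment": "prod->mgmt"},
    {"action": "accept", "src": "192.168.84.0/23", "dst": "10.237.120.0/21", "comment": "dev->prod"},
    {"action": "accept", "src": "10.232.50.0/23", "dst": "172.16.0.0/21", "comment": "clients->mgmt"},
    {"action": "accept", "src": "10.237.120.0/21", "dst": "10.130.100.0/24", "comment": "prod->storage"},
]
```

Running `audit_rules(CANDIDATE_RULES)` reports the clients->mgmt and prod->storage rules as violations; the other two match the documented matrix.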
Subnet: 10.10.1.0/24
Purpose: Router, switch, hypervisor and iLO/IPMI management interfaces
Access: Only from trusted networks
Subnet: 10.10.2.0/24
Purpose: All local virtual machines
Access: Routed to core via WireGuard
Subnet: 10.10.3.0/24
Purpose: Primary household WiFi
Access: Internet only; no access to VLAN10/11/14/15/16
Subnet: 10.10.4.0/24
Purpose: Guest devices
Access: Internet only; complete isolation from LAN
Subnet: 10.10.5.0/24
Purpose: Public-facing services, reverse proxies, LOK2 entry points
Access: Highly restricted, isolated from LAN
Subnet: 10.10.6.0/24
Purpose: Testing VMs with internet access
Access: Can reach the internet; no access to production networks
Subnet: L2 only, no gateway
Purpose:
- Pure L2 experiments
- Non-routed test environments
Access:
VLAN10:
- Cannot reach production
- Cannot reach management
- Only essential outbound allowed
- No internet
- No inbound from clients
- Limited access from VLAN200 only
- Full administrative network
- Hosts all core services
- Reaches all VLANs for control
- Can reach prod APIs only
- No lateral movement
CWX VLAN segmentation:
- Secures traffic between client, production, and management zones
- Prevents lateral movement
- Organizes workloads
- Supports both production and development clusters
- Scales cleanly across all CWX datacenters
This VLAN architecture forms the foundation of secure and maintainable CWX infrastructure.