proxmox/docs/04-configuration/UDM_PRO_VLAN_PLAN_COMPLETE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro VLAN Plan - 100% Complete! 🎉
**Last Updated:** 2026-01-14

**Status:** **ALL 19 VLANs CONFIGURED**

---
## 🎉 Achievement Unlocked: Complete VLAN Plan
**All VLANs from the Network Architecture plan are now configured on the UDM Pro!**

---
## Complete VLAN Configuration (19 Networks)
### Core Networks
| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 1 | Default | 192.168.0.0/24 | ✅ Configured |
| 11 | MGMT-LAN | 192.168.11.0/24 | ✅ Configured |
### Besu Networks
| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 110 | BESU-VAL | 10.110.0.0/24 | ✅ Configured |
| 111 | BESU-SEN | 10.111.0.0/24 | ✅ Configured |
| 112 | BESU-RPC | 10.112.0.0/24 | ✅ Configured |
### Service VLANs
| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 120 | BLOCKSCOUT | 10.120.0.0/24 | ✅ Configured |
| 121 | CACTI | 10.121.0.0/24 | ✅ Configured |
| 130 | CCIP-OPS | 10.130.0.0/24 | ✅ Configured |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | ✅ Configured |
| 133 | CCIP-EXEC | 10.133.0.0/24 | ✅ Configured |
| 134 | CCIP-RMN | 10.134.0.0/24 | ✅ Configured |
| 140 | FABRIC | 10.140.0.0/24 | ✅ Configured |
| 141 | FIREFLY | 10.141.0.0/24 | ✅ Configured |
| 150 | INDY | 10.150.0.0/24 | ✅ Configured |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | ✅ Configured |
### Sovereign Tenant VLANs
| VLAN ID | Name | Subnet | Status | Note |
|--------:|------|--------|--------|------|
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | ✅ Configured | |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | ✅ Configured | |
| 202 | PHX-SOV-DBIS | 10.202.0.0/24 | ✅ Configured | ⚠️ Shows /24, plan had /20 |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | ✅ Configured | |

**Total:** **19/19 Networks (100%)**

---
## Configuration Verification Checklist
### ✅ Network Configuration
- [x] All 19 VLANs created
- [x] Subnets match plan (except PHX-SOV-DBIS - verify /24 vs /20)
- [x] DHCP Server enabled on all VLANs
- [x] All VLANs show "UDM Pro" as router
### ⏳ Settings Verification (Next Steps)
- [ ] **Network Isolation:** Verify "Isolate Network" is **UNCHECKED** for all VLANs
- [ ] **Zone Assignment:** Verify all VLANs are in "Internal" zone
- [ ] **Zone Matrix:** Verify Internal → Internal = "Allow All"
- [ ] **Gateway IPs:** Verify gateway IPs match plan (e.g., 10.110.0.1 for BESU-VAL)
- [ ] **DHCP Ranges:** Verify DHCP ranges are configured appropriately
### ⏳ Testing & Utilization
- [ ] **Inter-VLAN Routing:** Test routing between VLANs
- [ ] **Firewall Rules:** Configure inter-VLAN firewall rules
- [ ] **VM/Container Assignment:** Assign VMs/containers to VLANs
- [ ] **Connectivity Testing:** Test connectivity from each VLAN
---
## Critical Settings to Verify
### 1. Network Isolation (CRITICAL)
**For each VLAN:**
1. Navigate: Settings → Networks → [VLAN Name]
2. Scroll to "Network" section
3. Ensure **"Isolate Network"** is **UNCHECKED**
4. Save if changed

**Why:** Network Isolation blocks inter-VLAN routing, so it must be disabled for the VLANs to communicate.
### 2. Zone Matrix (CRITICAL)
1. Navigate: Policy Engine → Zone Matrix
2. Find: **Internal → Internal**
3. Verify it says **"Allow All"**
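4. If not, click and change to "Allow All"

**Why:** The Zone Matrix controls inter-zone communication. Setting Internal → Internal to "Allow All" enables inter-VLAN routing. With every VLAN in the Internal zone, this also lets the sovereign tenant VLANs reach each other until the inter-VLAN firewall rules are configured.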
### 3. Zone Assignment
**For each VLAN:**
1. Navigate: Settings → Networks → [VLAN Name]
2. Verify: **Zone = "Internal"**
3. All VLANs should be in Internal zone
---
## Next Steps for VLAN Utilization
### Immediate (Today)
1. **✅ Verify Network Isolation**
   - Check all 19 VLANs
   - Ensure "Isolate Network" is unchecked
2. **✅ Verify Zone Matrix**
   - Policy Engine → Zone Matrix
   - Internal → Internal = Allow All
3. **✅ Verify PHX-SOV-DBIS Subnet**
   - Currently shows `/24` (10.202.0.0/24)
   - Plan had `/20` (10.202.0.0/20)
   - Verify if `/24` is intentional or needs update
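
The subnet check in step 3, as an added example that is not part of the original plan: it uses Python's `ipaddress` module to compare the planned and configured subnets from the tables on this page, list the planned ranges that a narrower mask leaves off the VLAN, and confirm that no two VLANs overlap. The function names are illustrative, and `gateway()` assumes every gateway is the first host address, as in the 10.110.0.1 example.

```python
import ipaddress
from itertools import combinations

# Configured subnets, copied from the tables on this page (VLAN ID -> name, CIDR).
CONFIGURED = {
    1: ("Default", "192.168.0.0/24"), 11: ("MGMT-LAN", "192.168.11.0/24"),
    110: ("BESU-VAL", "10.110.0.0/24"), 111: ("BESU-SEN", "10.111.0.0/24"),
    112: ("BESU-RPC", "10.112.0.0/24"), 120: ("BLOCKSCOUT", "10.120.0.0/24"),
    121: ("CACTI", "10.121.0.0/24"), 130: ("CCIP-OPS", "10.130.0.0/24"),
    132: ("CCIP-COMMIT", "10.132.0.0/24"), 133: ("CCIP-EXEC", "10.133.0.0/24"),
    134: ("CCIP-RMN", "10.134.0.0/24"), 140: ("FABRIC", "10.140.0.0/24"),
    141: ("FIREFLY", "10.141.0.0/24"), 150: ("INDY", "10.150.0.0/24"),
    160: ("SANKOFA-SVC", "10.160.0.0/22"), 200: ("PHX-SOV-SMOM", "10.200.0.0/20"),
    201: ("PHX-SOV-ICCC", "10.201.0.0/20"), 202: ("PHX-SOV-DBIS", "10.202.0.0/24"),
    203: ("PHX-SOV-AR", "10.203.0.0/20"),
}
# Planned subnets: identical except VLAN 202, which the plan had as /20.
PLANNED = {**CONFIGURED, 202: ("PHX-SOV-DBIS", "10.202.0.0/20")}

def net(cidr):
    return ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set

def gateway(cidr):
    """First usable address; assumes the convention of the 10.110.0.1 example."""
    return str(next(net(cidr).hosts()))

def overlaps(table):
    """VLAN ID pairs whose subnets overlap (ambiguous routes and firewall matches)."""
    return [(a, b) for a, b in combinations(sorted(table), 2)
            if net(table[a][1]).overlaps(net(table[b][1]))]

def drift(planned, configured):
    """Per-VLAN plan/config mismatches, with the planned ranges left uncovered."""
    out = {}
    for vid, (_, want) in planned.items():
        have = net(configured[vid][1])
        if have != net(want):
            missing = (sorted(net(want).address_exclude(have))
                       if have.subnet_of(net(want)) else [net(want)])
            out[vid] = {"planned": want, "configured": str(have),
                        "uncovered": [str(n) for n in missing]}
    return out

if __name__ == "__main__":
    print("overlaps:", overlaps(CONFIGURED) or "none")
    for vid, d in drift(PLANNED, CONFIGURED).items():
        print(f"VLAN {vid}: planned {d['planned']}, configured {d['configured']}; "
              f"not on the VLAN: {', '.join(d['uncovered'])}")
```

For VLAN 202 the uncovered ranges are 10.202.1.0/24 through 10.202.8.0/21, so an address assignment or firewall rule written against the planned /20 can refer to addresses that are not on the VLAN as configured.
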
### Short-term (This Week)
1. **Test Inter-VLAN Routing**
   ```bash
   # From VLAN 11, test routing to other VLANs
   ping -c 3 10.110.0.1 # BESU-VAL
   ping -c 3 10.111.0.1 # BESU-SEN
   ping -c 3 10.120.0.1 # BLOCKSCOUT
   # etc.
   ```
2. **Configure Firewall Rules**
   - Management → Service VLANs
   - Service VLANs → Management
   - Sovereign tenant isolation
3. **Assign VMs/Containers to VLANs**
   - Via Proxmox Web UI or CLI
   - Test connectivity
### Long-term (This Month)
1. **Migrate Services to VLANs**
   - Move VMs/containers to appropriate VLANs
   - Update service configurations
2. **Document VLAN Assignments**
   - Document which services are on which VLANs
   - Update architecture documentation
3. **Monitor and Optimize**
   - Monitor inter-VLAN traffic
   - Optimize firewall rules
   - Adjust as needed
---
## VLAN Utilization Guide
### Assigning VMs/Containers to VLANs
**Via Proxmox Web UI:**
1. Go to: Datacenter → [Host] → VMs/Containers → [VM/Container ID]
2. Click: Hardware → Network Device
3. Edit: Bridge = `vmbr0`, VLAN Tag = [VLAN ID]
4. Save

**Via CLI:**
```bash
# For containers
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=<VLAN_ID>
# For VMs
qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
```
### Example VLAN Assignments
**Besu Validators:**
- VLAN: 110 (BESU-VAL)
- Subnet: 10.110.0.0/24

**Besu Sentries:**
- VLAN: 111 (BESU-SEN)
- Subnet: 10.111.0.0/24

**Besu RPC:**
- VLAN: 112 (BESU-RPC)
- Subnet: 10.112.0.0/24

**Blockscout:**
- VLAN: 120 (BLOCKSCOUT)
- Subnet: 10.120.0.0/24

**FireFly:**
- VLAN: 141 (FIREFLY)
- Subnet: 10.141.0.0/24

**Sovereign Tenants:**
- VLANs: 200-203
- Subnets: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/24, 10.203.0.0/20
---
## Testing Inter-VLAN Routing
### Test 1: Gateway Connectivity
```bash
# From VLAN 11, test routing to other VLAN gateways
# -c 3 makes each ping stop after three probes so the next command runs
ping -c 3 10.110.0.1 # BESU-VAL
ping -c 3 10.111.0.1 # BESU-SEN
ping -c 3 10.112.0.1 # BESU-RPC
ping -c 3 10.120.0.1 # BLOCKSCOUT
# etc.
```
### Test 2: VM/Container Connectivity
```bash
# After assigning VMs/containers to VLANs
# Test connectivity between VLANs
ping -c 3 <VM_IP_ON_VLAN_110> # From VLAN 11
ping -c 3 <VM_IP_ON_VLAN_120> # From VLAN 11
# etc.
```
### Test 3: Firewall Rules
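```bash
# Test firewall rules
# Should allow: Management → Service VLANs (SSH, monitoring)
nc -z -v -w 3 <VM_IP_ON_VLAN_120> 22   # From VLAN 11: expect the connection to succeed
# Should block: Sovereign tenants → Each other
ping -c 3 -W 2 <VM_IP_ON_VLAN_201>     # From a host on VLAN 200: expect 100% packet loss
```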
---
## Summary
**Status:** **100% COMPLETE**

**Achievement:**
- ✅ All 19 VLANs configured
- ✅ Complete VLAN plan implemented
- ✅ Ready for VLAN utilization

**Next Steps:**
1. Verify Network Isolation settings
2. Verify Zone Matrix configuration
3. Test inter-VLAN routing
4. Configure firewall rules
5. Assign VMs/containers to VLANs

**VLAN Plan Utilization:** **READY TO PROCEED**
