Don’t refactor your network unless you have no other choice. I didn’t, so I had to endure this bit of pain. After several weeks of experimentation I finally decided on the subnet scheme I wanted. I need the additional complexity of multiple VLANs to make my network resemble an office network.
I chose a design with 4 VLANs:
- End user (desktop computer, VoIP phones, and other devices)
- DevOps (development and operations)
- Production (production servers)
- User Acceptance (simulation of the production network)
I use the well-known router-on-a-stick design pattern to route between these subnets and from them to the Internet. Sophos UTM 9 serves as my router, and it works very well. This design lets me control access among the VLANs. For example, I now block access to the DevOps VLAN from the end user VLAN, and access to Production is allowed only for designated services such as DNS, NTP, LDAP, etc.
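As an added example (not code from the post), here is a small Python model of the inter-VLAN policy just described, with constructed subnet addresses, so a rule set can be checked against sample flows and for shadowed rules before it is entered into the router. The DevOps-to-Production allow rule is an assumption; the post does not state it.

```python
from ipaddress import ip_address, ip_network
# VLAN subnets are constructed for this example; the post gives none.
VLANS = {
    "end_user":   ip_network("10.10.10.0/24"),
    "devops":     ip_network("10.10.20.0/24"),
    "production": ip_network("10.10.30.0/24"),
    "uat":        ip_network("10.10.40.0/24"),
}

# (src, dst, proto, port, action), evaluated top to bottom, first match wins;
# a flow that matches no rule is denied. The DevOps-to-Production rule is an
# assumption, the rest is the policy described in the post.
RULES = [
    ("end_user", "devops",     "any", None, "deny"),
    ("end_user", "production", "udp", 53,   "allow"),   # DNS
    ("end_user", "production", "tcp", 53,   "allow"),
    ("end_user", "production", "udp", 123,  "allow"),   # NTP
    ("end_user", "production", "tcp", 389,  "allow"),   # LDAP
    ("end_user", "production", "tcp", 636,  "allow"),   # LDAPS
    ("end_user", "production", "any", None, "deny"),
    ("devops",   "production", "any", None, "allow"),   # assumption
    ("any",      "internet",   "any", None, "allow"),
]

def vlan_of(addr):
    """Name of the VLAN an address sits in, or 'internet' if none."""
    ip = ip_address(addr)
    return next((n for n, net in VLANS.items() if ip in net), "internet")

def _covers(rule, src, dst, proto, port):
    r_src, r_dst, r_proto, r_port, _ = rule
    return (r_src in ("any", src) and r_dst in ("any", dst)
            and r_proto in ("any", proto)
            and (r_port is None or r_port == port))

def decide(src_ip, dst_ip, proto, port, rules=RULES):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for rule in rules:
        if _covers(rule, src, dst, proto, port):
            return rule[4]
    return "deny"  # implicit default deny

def shadowed_rules(rules=RULES):
    """Indexes of rules an earlier rule already covers, so they never match."""
    out = []
    for i, (src, dst, proto, port, _) in enumerate(rules):
        if any(_covers(r, src, dst, proto, port) for r in rules[:i]):
            out.append(i)
    return out
```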
I still haven’t worked out how best to design the user acceptance subnet. I want it to closely mirror the production subnet so I can test changes there. The challenge is that I want its hosts to have the same host names as the ones in the production subnet. That way I only need to pass Ansible a different inventory file and it will run the same configuration it does for production. This is, of course, a problem for DNS, since the same host names would have to resolve to different addresses in each subnet.
I think I will isolate this subnet and add a VM router, probably with NAT, to connect it with the DevOps subnet and the Internet. I have to be able to move the Ansible and serverspec code from the DevOps subnet to the user acceptance one, so I need a network path.