-NOC runs 2 core switches (one in each room), carrying a bunch of VLANs:
-- 33 is the management VLAN (192.168.33.0/24);
-- 127 is the LAN (192.168.127.0/24);
-- 255 (`0xFF`) is our Funkfeuer VLAN.
+NOC operates a number of networks, available as tagged VLANs on the core
+switches (one in each half of the hackerspace). These networks are:
+
+| name | VLAN id | RFC1918 | Extra subnets | Comment |
+|----------|---------|---------|------------------|--------------------------------------|
+| mgmt | 32 | y | -- | Management network |
+| iot | 33 | y | -- | IoT devices, room infrastructure |
+| svc | 34 | y | -- | Services LAN, see below |
+| pub | 36 | n | 89.106.211.64/27 | Publicly-available services |
+| [HAMNET] | 44 | n | 44.0.0.0/8 | Amateur Radio Digital Communications |
+| guests | 127 | y | -- | Exposed through the “realraum” SSIDs |
+| members | 128 | y | 89.106.211.32/27 | Accessed with per-member credentials |
+| `0xFF` | 255 | n | -- | Funkfeuer VLAN |
+
+[HAMNET]: https://wiki.oevsv.at/index.php/Kategorie:Digitaler_Backbone
+
+
+### `svc` -- Services LAN
+
+This network is intended for services that aren't directly exposed to users
+(be they humans or machines); this includes services exposed through a frontend
+(like realraum web services) and services only meant to be consumed by another
+service (like a database server).
+
+
+### `pub` -- Publicly-available services
+
+This network is intended for services that can be consumed by non-NOC systems,
+including our HTTP(S) frontend -- `entrance`, `mqtt`, ...
+
+Services in this network can restrict availability, for instance by only
+allowing clients connecting from our LANs, or by requiring authentication.
+
+No RFC 1918 subnet is used on this network, only `89.106.211.64/27`.