# D-058: full plane renumber -- clean fabric-grouped /22 scheme (2026-06-29)

**Status:** DECIDED (operator). Supersedes the D-057 minimal-delta placement of
provider-vip at 10.12.24.0/22, and resolves R4 (oob). grep-before-assign: D-058 free
(max prior D-057; D-054/055/056 are DOCFIX).

**What:** renumber the v1 plane scheme so CIDRs are contiguous /22 blocks grouped by
fabric and ordered to match the layer model, instead of the historical scatter. This
is a cloud-wide re-IP, intentionally larger than D-057, accepted by the operator for
Roosevelt addressing fidelity. It is executed as a teardown/redeploy (no in-place
re-CIDR), so there is no transient subnet overlap.

## The map (authoritative)

| Plane           | old           | NEW           | gateway (was -> now)        |
|-----------------|---------------|---------------|-----------------------------|
| provider-public | 10.12.4.0/22  | 10.12.4.0/22  | 10.12.4.1 (unchanged)       |
| provider-vip    | 10.12.24.0/22 | 10.12.8.0/22  | 10.12.24.1 -> 10.12.8.1     |
| metal-admin     | 10.12.8.0/22  | 10.12.12.0/22 | 10.12.8.1  -> 10.12.12.1    |
| metal-internal  | 10.12.12.0/22 | 10.12.16.0/22 | none (L2 east-west)         |
| data-tenant     | 10.12.16.0/22 | 10.12.20.0/22 | none (isolated L2)          |
| storage         | 10.12.32.0/22 | 10.12.32.0/22 | none (unchanged)            |
| replication     | 10.12.36.0/22 | 10.12.36.0/22 | none (unchanged)            |
| oob             | 10.12.64.0/22 | 10.12.60.0/22 | 10.12.64.1 -> 10.12.60.1    |

Rotate rule (collision-safe): 8->12, 12->16, 16->20, 24->8, 64->60; 4/32/36 fixed.
VLAN IDs unchanged (metal-internal VID 103, provider-vip VID 104). VIP triple becomes
provider-vip .8.5x / metal-admin .12.5x / metal-internal .16.5x (octets 50-60).
Host statics (.40-.43) follow each plane. metal-admin PXE-DHCP band -> 10.12.12.9-.11.

## JUMPHOST ORDERING TRAP (must respect on the host)

The jumphost owns three gateways that move. provider-vip's NEW gateway 10.12.8.1
is metal-admin's OLD address. So on the jumphost, in this order:
  1. move virbr2 (metal-admin) 10.12.8.1 -> 10.12.12.1
  2. move virbr7 (oob)        10.12.64.1 -> 10.12.60.1
  3. THEN add virbr1.104 (provider-vip) = 10.12.8.1   <-- only after step 1 frees .8.1
Adding virbr1.104=.8.1 while virbr2 still holds .8.1 is a same-subnet collision. In a
clean rebuild the bridges are reconfigured as a set, but the free-then-claim order
still applies. (Step 3 is the jumphost-provider-vip-gateway.md runbook.)

## APEX / NetBox note (IaC discipline)

NetBox is the apex; this renumber's authoritative home is NetBox. BUT the committed
netbox/ipv4-prefixes-import.py is itself stale (pre-D-052: only Metal/Provider/LBaaS-mgmt,
provider VLAN VID 240, API VIPs at .224-.254 -- none of the 6-plane D-052/053 model). It
must FIRST be brought current to D-052/053, THEN carry the D-058 scheme, before it can be
the source of truth. Until that reconciliation, scripts/lib-net.sh is the working contract
and already carries D-058. Do NOT hand-edit downstream MAAS for these values once NetBox
is current -- regenerate.

## DONE in this pack (renumbered + re-validated: both suites ALL PASS, d057-check PASS)

scripts/lib-net.sh (PLANE_CIDRS, PLANE_NAME, PLANE_GW, DATA_PLANE_CIDRS,
METAL_INTERNAL_CIDR, PROVIDER_VIP_CIDR, VIP_PREFIX_* triple),
scripts/carve-host-interfaces.sh, scripts/provider-vip-standup.sh,
scripts/d057-bundle-check.py, bundle.yaml (11 VIP triples), both test suites +
fixtures, provider-vip-maas-standup.md, jumphost-provider-vip-gateway.md, README.

## COMMITTED-FOUNDATION CASCADE (still on the OLD scheme -- next sweep)

Apply the same rotate (8->12, 12->16, 16->20, 24->8, 64->60; 4/32/36 fixed). These are
in the committed repo, not this pack, and several are prose runbooks -- sweep with care,
NetBox-anchored:
  - netbox/ipv4-prefixes-import.py   (APEX -- de-stale to D-052/053 first, then D-058)
  - netbox/README.md
  - scripts/phase-00-maas-carve.sh   (METAL_CIDR default 10.12.8 -> 10.12.12; ranges)
  - scripts/lib-hosts.sh             (VIRSH_POWER_ADDRESS 10.12.64.1 -> 10.12.60.1)
  - scripts/review-bundle.py         (stale pre-D-052 already -- R2; fold in with that)
  - runbooks/phase-00-teardown-maas-reset.md, phase-01-bundle-deploy.md,
    phase-03-core-verify.md, phase-04-network-carve.md, phase-05-octavia-enablement.md,
    phase-08-workload-cluster-acceptance.md, appendix-A-troubleshooting.md
  - docs/maas-as-built-reference.md, docs/design-decisions.md (append D-058),
    docs/v1-redeploy-changelog.md, docs/netbox-vip-queue.md
  - tests/phase-00-carve/run-tests.sh, tests/phase-04/make_fixtures.py
  - jumphost underlay: virbr2 -> 10.12.12.1, virbr7 -> 10.12.60.1 (see ordering trap)
  - host-nginx :81 upstream: Horizon -> 10.12.8.58