Siju
Jun 14, 2022 (Aspirant)
GS108e: Management UI accessible directly from VLAN without going to router (firewall)
I have a configuration of a Router and Netgear switches as shown in the picture below. I have added firewall rules and expect the VLAN-40 configured NOT to access the default/native VLAN (VLAN-1) in which the Switch is getting its IP (VLAN-1). But what I see is that VLAN-40 connected directly to the switch can access the management UI without the firewall rules being applied. I thought this is inter-vlan-routing (VLAN-40 to VLAN-1) and it won't/shouldn't be done by the switch directly. If the machine is not directly connected to the switch then the firewall is applied.
Is that a known feature/bug/behavior of Netgear switches? I cannot let the machines connected to the Switches access the management UI. Is there a way to block this behavior and not make the switches auto-magically-"intelligently" assume the switch management UI should be given direct access?
Not a bug, this is part of the simplified design of these Web configurable switches: There is no management VLAN feature, the tiny microcontroller does listen on all the frames, regardless of the VLAN tag.
Some of these switch models allow you to limit the IP access to the admin Web UI only.
Note: These are by far not Managed Switches, these are so-called Plus switches, simple non-managed cores with very basic Web config options, covered within the Plus And Smart Switches Forum.
5 Replies
- Siju (Aspirant)
Thanks for the quick reply. These are considered business switches and I find it a bit surprising that there is no easy way to block this access. I find the only way for me is to return this switch and I would appreciate it if Netgear makes this clear in the product pages. Anybody configuring VLANs is doing this to isolate the network. If the management UI can be hacked they can just change the configuration and my isolation will be over. I find this a deal-breaking limitation of these "plus" switches.
Note: I'm not sure if you work for Netgear and I'm just making my opinion about this situation and not about your answer, which confirms what I assumed.
Not a Netgear rep at all, just a user.
The VLANs on these switches work as expected - the exception is the lack of a management VLAN (in the absence of a managed core) [some newer/bigger Pro "E" model switches are built on managed cores and have a true managed core, allowing strict management VLAN isolation, too].