xes
Nov 18, 2016 Aspirant
Management VLAN doesn't seem to do anything
I have set up a M5300 switch with four VLANs. 1, 16, 32, and 72 using VLAN 72 as the Management VLAN. VLAN 72 is assigned to port 48. Ports 1-47 are assigned to VLANs 1,16 and 32. The issue I am ...
xes
Nov 22, 2016 Aspirant
Thanks for the quick reply! I found that disabling routing has the desired effect!
For switches that do require routing, what I would want to do is disable access to the web interface (ports 80 and 443) and telnet and ssh (ports 23 and 22) on all VLANs except the Management VLAN.
For example, let's say I configure the switch with these VLAN IPs (clients on each of these VLANs will use these IPs as their default gateway):
- VLAN 1 - 192.168.1.1
- VLAN 2 - 192.168.2.1
- VLAN 3 - 192.168.3.1
- VLAN 4 - 192.168.4.1
Now VLAN 4 is the Management VLAN, so I want to allow access to ports 22, 23, 80, and 443 on 192.168.4.1 but DENY access to those ports on 192.168.1.1, 192.168.2.1, and 192.168.3.1. Moreover, I want to prevent clients on VLANs 1-3 from being able to directly access 192.168.4.1. How can I do this with ACLs?
Thanks!
- Retired_Member Nov 22, 2016
Hi xes
Welcome to our community!
In your scenario, I suggest it's better to reach your requirement via Access Control.
Below is the configuration guide:
In the switch GUI, go to 'Security-->Access-->Access Control'
1. Create a new Access Profile, but do not activate the profile (remember, do not activate it, otherwise you will not be able to access the switch again!)
2. Add an Access Rule according to your requirement
For example: permit 192.168.1.1/24 access to Switch via HTTP/HTTPS/Telnet/SSH
3. Activate Access Profile
And you will find that only 192.168.1.1/24 can access the Switch via HTTP/HTTPS/Telnet/SSH; other IP segments cannot access the Switch.
Hope that helps!
Eric_z
NETGEAR Employee
- xes Nov 29, 2016 Aspirant
This looks like exactly what I am looking for. If I create one or more permit rules, like in your example, does that automatically then deny all traffic not matching those rules?
- Retired_Member Nov 29, 2016
Hi xes,
Yes, sure, you are right. It has one default rule that will deny all.
Look forward to receiving your good news.
Regards,
Ericz
NETGEAR Employee
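Added example, not part of the thread and not NETGEAR code: a small Python model of the behaviour described in the replies above (permit rules followed by a default deny-all), used to check before activating a profile that the admin workstation would still be permitted. The rule format, function names, sample client addresses and first-match ordering are assumptions; the subnets come from the question.

```python
import ipaddress

MGMT_SERVICES = frozenset({"http", "https", "telnet", "ssh"})

# Constructed profile using the addressing from the question: only the
# Management VLAN subnet (VLAN 4, 192.168.4.0/24) gets a permit rule.
PROFILE = [
    {"action": "permit", "source": "192.168.4.0/24", "services": MGMT_SERVICES},
]

def evaluate(profile, client_ip, service):
    """Return 'permit' or 'deny'; first matching rule wins (assumed ordering)."""
    addr = ipaddress.ip_address(client_ip)
    for rule in profile:
        # strict=False accepts host-style notation such as 192.168.1.1/24,
        # as written in the reply, and treats it as the 192.168.1.0/24 subnet.
        net = ipaddress.ip_network(rule["source"], strict=False)
        if addr in net and service in rule["services"]:
            return rule["action"]
    return "deny"  # the default deny-all rule confirmed in the thread

def lockout_check(profile, admin_ip, needed=("https", "ssh")):
    """Services the admin workstation would lose if the profile were activated."""
    return [s for s in needed if evaluate(profile, admin_ip, s) != "permit"]

def audit(profile, clients):
    """Map each constructed client IP to the management services it can reach."""
    return {ip: sorted(s for s in MGMT_SERVICES if evaluate(profile, ip, s) == "permit")
            for ip in clients}

if __name__ == "__main__":
    # Constructed sample clients, one per VLAN from the question.
    clients = ["192.168.1.10", "192.168.2.10", "192.168.3.10", "192.168.4.10"]
    for ip, services in audit(PROFILE, clients).items():
        print(ip, "->", services or "no management access")
    print("admin 192.168.4.10 would lose:", lockout_check(PROFILE, "192.168.4.10"))
    print("admin 192.168.2.10 would lose:", lockout_check(PROFILE, "192.168.2.10"))
```

The model covers source-address filtering only, as in the reply's example; a non-empty result from `lockout_check` for the workstation you are configuring from means activating the profile would cut off that session.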