This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
GS108e: Management UI accessible directly from VLAN without going to router (firewall)
I have a configuration of a Router and Netgear switches as shown in the picture below. I have added firewall rules and expect the VLAN-40 configured NOT to access the default/native VLAN (VLAN-1) in which the Switch is getting its IP (VLAN-1). But what I see is that VLAN-40 connected directly to the switch can access the management UI without the firewall rules being applied. I thought this is inter-vlan-routing (VLAN-40 to VLAN-1) and it won't/shouldn't be done by the switch directly. If the machine is not directly connected to the switch then the firewall is applied.
Is that a known feature/bug/behavior of Netgear switches? I cannot let the machines connected to the Switches access the management UI. Is there a way to block this behavior and not make the switches auto-magically-"intelligently" assume the switch management UI should be given direct access?
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
Not a bug, this is part of the simplified design of these Web configurable switches: There is no management VLAN feature, the tiny microcontroller does listen on all the frames, regardless of the VLAN tag.
Some of these switch models allow to limit the IP access to the admin Web UI only.
Note: These are by far not Managed Switches, these are so called Plus switches, simple non-managed cores with very basic Web config options, covered within the Plus And Smart Switches Forum
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
Not a bug, this is part of the simplified design of these Web configurable switches: There is no management VLAN feature, the tiny microcontroller does listen on all the frames, regardless of the VLAN tag.
Some of these switch models allow to limit the IP access to the admin Web UI only.
Note: These are by far not Managed Switches, these are so called Plus switches, simple non-managed cores with very basic Web config options, covered within the Plus And Smart Switches Forum
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
Thanks for the quick reply. These are considered business switches and I find it a bit surprising that there is no easy way to block this access. I find the only way for me is to return this switch and I would appreciate if Netgear makes this clear in the product pages. Anybody configuring VLANs are doing this to isolate the network. If the management UI can be hacked they can just change the configuration and my isolation will be over. I find this a deal breaking limitation of these "plus" switches.
Note: I'm not sure if you work for Netgear and I'm just making my opinion about this situation and not about your answer, which confirms what I assumed
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
Not a Netgear rep at all, just a user.
The VLANs on these switches work as expected - the exception is the lack of a management VLAN (in absence of a managed core [some newer/bigger Pro "E" model switches are built on managed cores and have a true managed core, allowing strict management VLAN isolation, too.
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
Thanks, but I do not see it as an issue with management vlan or management core. The switch could just stop doing inter-vlan routing (VLAN-40 to VLAN-1 in my example) and the issue is solved. Let me configure in my firewall what is allowed or not allowed. At least if Netgear give that option to turn it off (on by default in factory setting) and with a warning to users that this could lock them out of the switch and the only way to again access it is to reset the switch.
Re: GS108e: Management UI accessible directly from VLAN without going to router (firewall)
it's -not- a question of inter-VLAN switching. The point is that the management microcontroller does listen to complete data stream on all VLANs, not only for the Web UI, also for example for other features like the IGMP Multicast sniffing. again: The switches in question have a very low level L2/L3 IP-Stack with the Web UI pulse few more services in place on that named Micro Controller in place.
If you expect bullet-proof management VLAN, look for a Smart managed pro GSxxxTxx/MSxxxTxxx/XSxxxTxxx model instead.
