Management VLAN doesn't seem to do anything

Hi xes

Welcome to the community.

If you have enable routing in your M5300 Managed switch with IP interfaces on your VLANs, then your Layer 2 boundaries are gone due to inter-VLAN routing. ACLs should be used to protect Management VLAN in that case. ACLs can be binded to VLANs directly for quick implementation for inbound or outbound depending on your requirements.

Without routing enabled, then in pure Layer 2 configuration, you are right Management VLAN should be isolated from other VLANs. Now, if VLAN 72 still present as PVID on ports 1-47 it would be normal everyone can access CPU.

Please let us know your configuration better, and maybe copy and paste your VLAN configuration and port membership from on your running config file here. It will certainly help other members as well.

Regards,

Thanks for the quick reply! I found that disabling routing has the desired effect!

For switches that do require routing, what I would want to do is disable access to the web interface (ports 80 and 443) and telnet and ssh (ports 23 and 22) on all VLANs except the Management VLAN.

For example, let's say I configure the switch with these VLAN IPs (clients on each of these VLANs will use these IPs as their default gateway):

• VLAN 1 - 192.168.1.1
• VLAN 2 - 192.168.2.1
• VLAN 3 - 192.168.3.1
• VLAN 4 - 192.168.4.1

Now VLAN 4 is the Management VLAN, so I want to allow access to ports 22, 23, 80, and 443 on 192.168.4.1 but DENY access to those ports on 192.168.1.1, 192.168.2.1, and 192.168.3.1. Moreover, I want to prevent clients on VLANs 1-3 from being able to directly access 192.168.4.1. How can I do this with ACLs?

Thanks!

This looks like exactly what I am looking for. If I create one or more permit rules, like in your example, does that automatically then deny all traffic not matching those rules?

Great, thanks for the clarification!