Management VLAN doesn't seem to do anything
I have set up an M5300 switch with four VLANs: 1, 16, 32, and 72, using VLAN 72 as the Management VLAN. VLAN 72 is assigned to port 48. Ports 1-47 are assigned to VLANs 1, 16 and 32.
The issue I am having is that I can still access the web interface from any of the VLANs. It seems to me that the point of the Management VLAN is to restrict who can access the web interface. Is there some setting that I am missing that will lock down the web interface to just the Management VLAN, or is this functioning as intended?
Thanks in advance.
Re: Management VLAN doesn't seem to do anything
Hi xes
Welcome to the community.
If you have enabled routing in your M5300 managed switch with IP interfaces on your VLANs, then your Layer 2 boundaries are gone due to inter-VLAN routing. ACLs should be used to protect the Management VLAN in that case. ACLs can be bound to VLANs directly for quick implementation, inbound or outbound depending on your requirements.
Without routing enabled, in a pure Layer 2 configuration, you are right: the Management VLAN should be isolated from other VLANs. Now, if VLAN 72 is still present as PVID on ports 1-47, it would be normal that everyone can access the CPU.
Please let us know your configuration better, and maybe copy and paste your VLAN configuration and port membership from your running config file here. It will certainly help other members as well.
Regards,
Re: Management VLAN doesn't seem to do anything
Thanks for the quick reply! I found that disabling routing has the desired effect!
For switches that do require routing, what I would want to do is disable access to the web interface (ports 80 and 443) and telnet and ssh (ports 23 and 22) on all VLANs except the Management VLAN.
For example, let's say I configure the switch with these VLAN IPs (clients on each of these VLANs will use these IPs as their default gateway):
- VLAN 1 - 192.168.1.1
- VLAN 2 - 192.168.2.1
- VLAN 3 - 192.168.3.1
- VLAN 4 - 192.168.4.1
Now VLAN 4 is the Management VLAN, so I want to allow access to ports 22, 23, 80, and 443 on 192.168.4.1 but DENY access to those ports on 192.168.1.1, 192.168.2.1, and 192.168.3.1. Moreover, I want to prevent clients on VLANs 1-3 from being able to directly access 192.168.4.1. How can I do this with ACLs?
Thanks!
Re: Management VLAN doesn't seem to do anything
Hi xes
Welcome to our community!
In your scenario, I suggest it is better to meet your requirement via Access Control.
Below is the configuration guide:
In the switch GUI, go to 'Security-->Access-->Access Control'
1. Create a new Access Profile, but do not activate the profile yet (remember, do not activate it, otherwise you will not be able to access the switch again!)
2. Add Access Rules according to your requirement
For example: permit 192.168.1.1/24 access to the switch via HTTP/HTTPS/Telnet/SSH
3. Activate the Access Profile
And you will find that only 192.168.1.1/24 can access the switch via HTTP/HTTPS/Telnet/SSH; other IP segments cannot access the switch.
Hope that it helps !
Eric_z
NETGEAR Employee
Re: Management VLAN doesn't seem to do anything
This looks like exactly what I am looking for. If I create one or more permit rules, like in your example, does that automatically then deny all traffic not matching those rules?
Re: Management VLAN doesn't seem to do anything
Hi xes,
Yes, sure, you are right. It has one default rule that will deny all.
Look forward to receiving your good news.
Regards,
Ericz
NETGEAR Employee
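The access-profile behaviour described in the two replies above (ordered permit rules, an implicit deny-all default, and the lock-out you get by activating a profile before any rule exists), modelled as an added Python example that is not from this thread or from NETGEAR. The class and function names, and the choice of 192.168.4.0/24 (the poster's VLAN 4) as the only permitted management subnet, are assumptions for illustration.

```python
import ipaddress

# Management services the thread wants to restrict: SSH, Telnet, HTTP, HTTPS.
MGMT_PORTS = {22, 23, 80, 443}


class AccessProfile:
    """Model of the switch's management Access Profile (assumed, for illustration)."""

    def __init__(self):
        self.rules = []      # ordered permit rules: (source network, allowed ports)
        self.active = False  # an inactive profile does not filter anything

    def permit(self, cidr, ports=MGMT_PORTS):
        # strict=False accepts a host-style entry such as 192.168.1.1/24, as
        # written in the thread, and treats it as the 192.168.1.0/24 network.
        self.rules.append((ipaddress.ip_network(cidr, strict=False), set(ports)))

    def activate(self):
        self.active = True

    def allows(self, src_ip, dst_port):
        """First matching permit rule wins; otherwise the default rule denies."""
        if not self.active:
            return True  # profile not applied: management reachable from anywhere
        if dst_port not in MGMT_PORTS:
            return True  # the profile only governs the switch's management services
        src = ipaddress.ip_address(src_ip)
        for net, ports in self.rules:
            if src in net and dst_port in ports:
                return True
        return False  # implicit default rule: deny all


def build_thread_profile():
    """Profile for the poster's plan: only VLAN 4 (192.168.4.0/24) may manage the switch."""
    profile = AccessProfile()
    profile.permit("192.168.4.0/24")
    profile.activate()
    return profile


def would_lock_out(profile, admin_ip, port=443):
    """True if this profile would cut off the admin's own management session."""
    return not profile.allows(admin_ip, port)
```

Checking `would_lock_out` against your own address before activating reproduces Eric_z's warning: an activated profile with no permit rules denies everyone, including the session that activated it.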
Re: Management VLAN doesn't seem to do anything
Great, thanks for the clarification!