
Re: Remove Second DHCP Management IP

yakamoneye19
Aspirant

Remove Second DHCP Management IP

Hello Everyone,

we have multiple Netgear switches (3300, 5300, 4300... - current firmware) and on most of them we have the same behavior.

Let's say we have two networks. One is the main office network 192.168.1.0/24 - the second is the management network 192.168.10.0/24. The management network runs as VLAN 10 on the switches, the office network runs on the "default" VLAN 1 on the Netgear devices.

Now we define an IP address in the management network (no DHCP there) for the management interface of the switch. We configure the VLAN, set the IP address, and can connect. But as soon as we connect the switch to both networks, we get a secondary IP address in the office network (we have a DHCP server here). I don't want these addresses to exist, partly because they are unnecessarily using DHCP leases, and also because I don't want the switches to be available in the office network.

How can I tell my switch not to enable VLAN 1 as an additional management interface?

Thanks for your help,

Tobias

Message 1 of 7
schumaku
Guru

Re: Remove Second DHCP Management IP

The Netgear managed switches provide management ACLs on the in-band of course - the management for the switch can be either OOB, or Management VLAN on the in-band, or a specific hardware interface (port) on the in-band too. For the last two, ACLs can be put in place.

The VLAN subnet IP address is required for features different from the switch management, being monitoring, troubleshooting, routing, ... as such it's not a pure management address. The beauty of managed switches is in the fact that much more is under the admin control than on the average Web Managed Smart switches.

Message 2 of 7
yakamoneye19
Aspirant

Re: Remove Second DHCP Management IP

I am not sure if I understand your reply - I am looking for a way to prevent my Netgear Switches from creating a second management IP via DHCP on connected VLAN 1 after I created a fixed IP on another VLAN.

Message 3 of 7
schumaku
Guru

Re: Remove Second DHCP Management IP

 
Message 4 of 7
schumaku
Guru

Re: Remove Second DHCP Management IP

Again, this isn't a secondary management IP as you know from some junky consumer router designs. Technically, these switches have by default an IP address on the OOB and in-band networks. If you don't want the management capabilities, you need to put ACLs in place (by network, by port).

As a rule of thumb - considering the full config is accessible - I would guess it should be possible to disable it completely if you have no other dependency (L3 routing, DHCP, ...).

Message 5 of 7
yakamoneye19
Aspirant

Re: Remove Second DHCP Management IP

So there is no easy way to prevent the switch from being accessible from the network running on VLAN 1? I have to say I really do not understand this design choice, and I do not like it. Even if we block management access to this IP, we still have 1 address blocked in the DHCP range per switch, and from a security perspective, the most secure way to protect a system is to remove it from the main network. I understand that this is not possible in an easy way - from a security perspective a really stupid and dangerous setting in my opinion.

Message 6 of 7
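The two posts above both worry about switches silently taking DHCP leases on the office VLAN. An audit a defender can run on the DHCP server side, added here as an example that is not from the thread or from Netgear: parse an ISC dhcpd.leases file and list active leases in 192.168.1.0/24 that belong to MAC addresses recorded on the management VLAN. The lease text, the switch MACs and the hostnames are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd.leases syntax; MACs are locally administered placeholders.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  hardware ethernet 02:00:00:aa:bb:01;
  client-hostname "M4300-core";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 02:00:00:cc:dd:02;
  client-hostname "laptop";
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet 02:00:00:aa:bb:03;
}
lease 192.168.1.52 {
  binding state free;
  hardware ethernet 02:00:00:aa:bb:03;
}
"""
# Switch MACs taken from the management-VLAN inventory (placeholders).
SWITCH_MACS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:03"}
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Map ip -> {mac, state, host}. dhcpd appends to the file, so a later
    entry for the same IP supersedes an earlier one (e.g. active -> free)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        def field(pattern):
            m = re.search(pattern, body)
            return m.group(1) if m else ""
        leases[ip] = {"mac": field(r"hardware ethernet ([0-9A-Fa-f:]+);").lower(),
                      "state": field(r"binding state (\w+);"),
                      "host": field(r'client-hostname "([^"]*)";')}
    return leases

def switch_leases_in_office(text, switch_macs=SWITCH_MACS, office=OFFICE_NET):
    """Sorted IPs of active leases held by known switch MACs in the office subnet."""
    return sorted(ip for ip, l in parse_leases(text).items()
                  if l["state"] == "active" and l["mac"] in switch_macs
                  and ipaddress.ip_address(ip) in office)
```

Any IP this returns is a switch that the office network can reach and a lease the pool is losing; until the in-band DHCP client is disabled, those are the addresses the management ACLs should cover.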
schumaku
Guru

Re: Remove Second DHCP Management IP

Don't know, have no such environment to play with.

@LaurentMa please.

Message 7 of 7