Netgear should post KB entry on these kind of questions.
Like (almost, with a few exceptions only) all Plus GSxxxxE[n][n] switches, there is no managed core, and no management VLAN, never was. Management access is indeed possible from any VLAN, _and_ on untagged connections only, and in case there is IP access configured only for that specific IP (again on any untagged) connection configured to any VLAN. Tagged connections ie. over a trunk don't allow any management access when I have it right (or one could consider this as a bug).
Be informed that the GS308E does NOT support Management VLAN since it is a Smart Managed Plus Switch. It is by design.
Smart Managed Plus Switch Models gives user the flexibility to configure certain static layer 2 settings in order to improve network efficiency and performance. The configurable features are Port Mirroring, VLAN, QoS, Rate Limit, and Broadcast Storm Filtering.
If ever you want to implement a Management VLAN to your network, I suggest you either of the following switch models below. Click the links to learn more:
You can always deploy as many GS308E in a network with trunked connections as you desire, keep the management on the untagged network on the trunk, while operate as many tagged VLANs as the system specs allow. The same applies to all Netgear Plus Managed Network Switches
Anything else does come from pure educational, university, or other theoretical studies. A tagged network on a trunk is neither more secure or private than an untagged network. For many deployments and customers, the plus switches are an absolute reasonable product.
If you have concerns that untrained or bad players can connect whatever system to what makes up your network "backhaul" giving physical access to any VLAN in the trunk, you need to work on the physical security.
@Retired_Member wrote:
we bought a lot of them without knowing about this.
All the documentation is readily available. If a need for a tagged exclusive management VLAN is a requirement (for whatever reason or interoperability eg. with an existing network). before buying large number of devices, set-up a test environment on a smaller amount of devices would be a common advise.
You acquired and probably already deployed web configurable unmanaged core switches at the per-port cost of an unmanaged switch, expect business class features. For just a few bucks more for the switch, Netgear offers the Smart Managed Switches and the Smart Cloud Managed Switches with management VLAN implementation as per your books.
@Retired_Member wrote:
Where can I report this?
This is not a missing feature, this is a serious security flaw and needs to be reported - where can I do this?
Of course it's a missing feature. Netgear does know about the limitations, so do the community members here. What do you expect now?
You still owe us the effective security flaw you are so keen for reporting. There are a few possible ones which can be "designed" by the unaware admin or network engineer over-spanning the scope of this simple design, e.g. by implementing multi VLAN networks, especially when other networks are exposed as untagged access ports. However, this isn't what these switches are intended for.
Some monkeys don't like fact and truth .... typical style: Asking questions, talking about vulnerabilities, and not answering questions - just bail out. Hey, it's my personal private time and bandwidth I'm spending here.
