
Re: I want to move my Default/Native Vlan 1 for Security

AP514
Tutor

I want to move my Default/Native Vlan 1 for Security

Title says it all......

I want to move my Default/Native Vlan 1 to another Vlan. Say Vlan 83..example.

I am having trouble figuring it out......

Thanks in advance

AP514

Model: GS728TPPv2|24-Port Gigabit Ethernet PoE+ Smart Managed Pro Switch with 4 SFP Ports (380W)
Message 1 of 6

Accepted Solutions
DaneA
NETGEAR Employee Retired


@AP514,

I suggest the steps below:

1. Create VLAN 83 then select all ports as members of the VLAN 83. The port members should be set as untagged with a PVID of 83.

2. By default, all ports belong to VLAN 1 set as untagged. Remove all port members from VLAN 1.

3. Go to System > Management > IP Configuration. Specify VLAN 83 as the Management VLAN.

Regards,

DaneA

NETGEAR Community Team


Message 2 of 6

All Replies
AP514
Tutor


Humm..I did all that you suggested already..But they were not in MGT VLAN but on Vlan listed as something else. And not UNTAGGED(tagged)..Will give that a try.

Maybe I have the tagging confused.....More reading needed I guess.

Side Note:

I guess if MGT Vlan is going to have all the ports. I really do not need another VLAN (NATIVE) listed ?

 

 

 

Thanks for the info..great community here.

 

AP514

Message 3 of 6
schumaku
Guru


Scratch the term of a "native" VLAN - there is no such thing.

On a flat switch configuration, internally there is the VLAN 1 used (resp. pre-configured) - as long as it's used Untagged (each port is by default configured to VLAN 1 untagged, PVID 1), it never becomes visible outside of the switch. Similarly, the Management VLAN is pre-configured to VLAN 1.

 

If using the switch in a flat network, it does not matter if this is 1, 83, 4001 ... or whatever. If you want to reach the management on that very same VLAN, the management VLAN must be set to that very same VLAN ID.

Explain to us what concerns you have regarding security. To me, the idea to move it tastes like security by obscurity at most (if any).

Of course, you could consider using a dedicated VLAN for the management of all your network devices. This requires a lot more infrastructure (router, DHCP server, potentially an additional SSID mapping to the management VLAN in the wireless APs if you desire wireless access).

Message 4 of 6
AP514
Tutor


Looking to do something like this.(attached).To keep my Cams from AUTO Phoning Home.......

The Blue Iris-PC has the software to run my Cams. But it also needs to be able to get to the net for time stamps on Cams and VPN for viewing Cams on my Phone when away...

I would also like to have only 1 Port as the Access for my MGT. Vlan to a PC.  Say port 24

 

 

On a Side Note..I can use the Fiber Cable as a Trunk even though just 1 Vlan on it ATM  ? or would LAG be better ?

(Maybe for another Post)

Message 5 of 6
schumaku
Guru


What you are looking for is not changing the default VLAN ... much more you intend to create a second VLAN for the cameras. To make this happen, you need some additional infrastructure to operate the camera VLAN (DHCP server, a router [a real one, not a NAT router as the consumer stuff usually are] to connect from the amber home VLAN to the camera VLAN). The Smart Managed Pro switches don't offer a DHCP server, however you could run the routing between the two IP subnets there - but some ACL might be required.

 

Comes into my mind that it might be possible to put up some ACLs* on the camera ports (and in case the garage switch isn't VLAN capable) the link/trunk port blocking the Internet access for the cameras, or block the camera IPs on the router** - and keep everything on one VLAN.

* Put up some ACLs on the port, e.g. if the LAN is on the common 192.168.1.0/24 (255.255.255.255) 
Src: IP Address 192.168.1.0 0.0.0.255
Dst: IP Address 192.168.1.0 0.0.0.255
...rest should be hit by the default hidden deny ACL.

** Another possibility is - permitting the cameras have static IPs or reserved DHCP - to deny the Internet access for these addresses on your router.

 

For the connection to the garage switch (permitting there are SFP (Gigabit SFP) on both ends), you can deploy SFP-Fiber modules together with the appropriate matching fiber. The requirement for a LAG (or not) depends on the bandwidth required to operate the x cameras on the other switch.

Last, AFAIK Netgear does not support asymmetric VLANs (it's not part of the 802.1Q standard, and can lead to several issues), so the surveillance PC interface can't be run as an [U]ntagged connection for both VLANs. Not sure if the PC and/or the camera software allows running the camera network on a trunked interface - that would be required if using the same physical link. Easier would be a second Ethernet interface to connect into the camera VLAN/subnet, and the existing one for home VLAN/subnet. Worth checking out your surveillance software btw if such a set-up is possible, there might be a DHCP server available to drive the camera network.

I fear the solution marked isn't the final design.

Message 6 of 6
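The ACL sketched in the last reply (one permit rule with wildcard masks, everything else falling to the implicit deny) can be checked against sample traffic before it is put on a camera port. The following is an added example, not code from any poster or from NETGEAR; the camera, PC and Internet addresses are constructed, and it models only first-match rule evaluation, not the switch's own packet processing.

```python
import ipaddress

def ip(s):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Wildcard (inverse) mask: 1-bits are "don't care", 0-bits must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# The single permit rule from the post: LAN source to LAN destination.
# Format: (action, src base, src wildcard, dst base, dst wildcard)
ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]

def evaluate(acl, src, dst):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"

# Constructed sample traffic (addresses are assumptions, not from the thread).
SAMPLES = [
    ("camera -> Blue Iris PC",     "192.168.1.50", "192.168.1.10"),
    ("camera -> Internet host",    "192.168.1.50", "203.0.113.7"),
    ("camera -> subnet broadcast", "192.168.1.50", "192.168.1.255"),
    ("DHCP discover",              "0.0.0.0",      "255.255.255.255"),
]

def run_samples():
    """Return {label: verdict} for every constructed sample packet."""
    return {label: evaluate(ACL, s, d) for label, s, d in SAMPLES}

if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:6}  {label}")
```

In this model the DHCP discover (source 0.0.0.0, destination 255.255.255.255) does not match the permit rule, so cameras that obtain their address by DHCP may need an additional permit entry, while cameras with static addresses are unaffected.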