@Hansontech Can anyone explain why the gateway isn't on the management VLAN?  For security shouldn't all devices be managed on the management VLAN.  If the gateway remains on the main LAN then isn't that an issue as any devices on the main LAN can then technically access the gateway?  I'm guessing as the gateway is the main routing point it has to exist on the main LAN in order to route traffic.  So I assume the rule is keep everything off the main LAN except for devices you know need access to the main LAN?

Sorry if this is obvious.

@Virgo Thanks for the reply but it doesn't address exactly what I was getting at.  I already have a management VLAN setup and working.  What I was asking was whether the gateway itself can be on the management VLAN.  However after some research it's obvious why this can't be.  There is confusion, certainly on my part, between the default VLAN, Native VLAN and the rest of the network.  The gateway has to exist in all VLANs in order to provide routing capability as far as I understand it.  The default VLAN (VLAN1) is always present and cannot be deleted.  However the Native VLAN, which on initial configuration is VLAN1 named LAN, can be changed and the security advice is to change it.  The gateway will always occupy the native VLAN, again from my understanding.  You then need to create ACL rules to ensure that clients cannot connect to the router interface.  I've now configured this and all VLANs are now isolated from each other and there's a deny rule on access to the gateway from any VLAN except the native VLAN.

I could have the above all wrong but everything seems to work at the minute and achieves what I need.