How useful is a Management VLAN if all clients are out of the default/native LAN?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-04-16 00:30:05 - last edited 2024-04-16 00:34:22
Model: OC200  
Hardware Version: V2
Firmware Version: 2.14.4 Build 20240304 Rel.54311

After a failed attempt at moving all devices into a Management VLAN (a while back), I was up for giving it another try.

I reread some of the docs, browsed the forums about this matter.

Beyond the effort that it will take now, I'm a bit worried going forward about some of the things I just found out (in particular difficulties adopting new devices).

It's actually a bit nuts that having an ER605 (that needs a special step to be told where the controller is) makes things more difficult than having a 3rd party router... 

 

So I did a quick cost/benefit analysis and I'm now wondering if I should bother with that VLAN.

The main (if not only) benefit of the management VLAN seems to be proper isolation from random clients on the network.

But I have no clients in the native network because they are all in a few VLANs.

 

I did a quick test in a test VLAN (couple switch ACLs to allow members of the VLAN to access the VLAN's GW, one switch rule to deny access to the native VLAN).

I have at least DHCP, Internet DNS, Web.

I also tested SSH into the test VLAN (it took one more rule if the client is in LAN).

 

Am I missing something?

 

[Edit] FWIW, as an added benefit, having all Omada devices in the native VLAN makes things effectively simpler.

I should have no issues onboarding new devices. I don't have to worry as much about GW<->Controller discovery/comms.

#1
Re:How useful is a Management VLAN if all clients are out of the default/native LAN?
2024-04-17 09:45:51

 

EricPerl wrote

After a failed attempt at moving all devices into a Management VLAN (a while back), I was up for giving it another try.

I reread some of the docs, browsed the forums about this matter.

Beyond the effort that it will take now, I'm a bit worried going forward about some of the things I just found out (in particular difficulties adopting new devices).

It's actually a bit nuts that having an ER605 (that needs a special step to be told where the controller is) makes things more difficult than having a 3rd party router... 

 

So I did a quick cost/benefit analysis and I'm now wondering if I should bother with that VLAN.

The main (if not only) benefit of the management VLAN seems to be proper isolation from random clients on the network.

But I have no clients in the native network because they are all in a few VLANs.

 

I did a quick test in a test VLAN (couple switch ACLs to allow members of the VLAN to access the VLAN's GW, one switch rule to deny access to the native VLAN).

I have at least DHCP, Internet DNS, Web.

I also tested SSH into the test VLAN (it took one more rule if the client is in LAN).

 

Am I missing something?

 

[Edit] FWIW, as an added benefit, having all Omada devices in the native VLAN makes things effectively simpler.

I should have no issues onboarding new devices. I don't have to worry as much about GW<->Controller discovery/comms.

Hi @EricPerl 

The management VLAN improves network security, performance, and manageability by providing a dedicated, isolated environment for managing network devices and infrastructure.

 

For the normal VLAN interface, you need to configure the ACL for the certain VLANs to isolate the devices from different VLANs.

Best Regards!
#2
Re:How useful is a Management VLAN if all clients are out of the default/native LAN?
2024-04-17 20:31:21

Hi again @Hank21,

 

Maybe I'm going to summarize this differently. It doesn't look like I got my point across.

 

Typical Management VLAN:

Once set up, the gateway stays in the native VLAN, all other Omada devices end up in the management VLAN, other clients are either in the native VLAN or other VLANs (but not management, obviously).

 

Alternative VLAN proposal for similar isolation:

All Omada devices stay with the gateway in the native VLAN, all other clients are in other VLANs. No wireless in the native VLAN.

 

In both cases, I assume the existence of ACLs to truly isolate the VLAN where most of the Omada devices reside from other VLANs.

Obviously, the wireless clients are following the same boundaries.

 

Excerpt from the documentation:

It seems both options achieve that goal.

 

It's not immediately clear to me why option #2 would be inferior to option #1.

I'd argue that option #2 makes adoption of future devices easier, so if they are equivalent security wise, my choice is clear.

 

The Management VLAN FAQ (2814), besides being obsolete (batch config no longer allows VLAN config in my experience), doesn't mention anything around port tagging/untagging which could be another area where options could differ. Maybe...

 

So again, am I missing something?

 

#3
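The test described in the opening post (permit VLAN members to their VLAN gateway, deny everything else internal) and the two layouts compared here differ only in where the Omada devices sit, so one ACL model can check both. The following is an added example, not Omada code and not either poster's configuration; the VLAN ids, subnets, the 192.168.0.0/16 "internal" deny, the permit-by-default fallback, and the source-port-22 return rule are all assumptions made for the example.

```python
# Added example: a first-match model of stateless switch ACLs, used to
# compare "Omada devices in a management VLAN" with "Omada devices in the
# native VLAN". Topology, addresses and rule semantics are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: IPNet
    dst: IPNet
    proto: Optional[str] = None   # None matches any protocol
    sport: Optional[int] = None   # None matches any source port
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr)


def evaluate(rules: List[Rule], flow: Flow, default: str = "permit") -> str:
    """First matching rule wins. Switch ACLs are stateless, so every packet,
    replies included, is judged on its own. Traffic matching no rule falls
    through to `default` (permit-by-default is assumed here)."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in (None, flow.proto)
                and r.sport in (None, flow.sport)
                and r.dport in (None, flow.dport)):
            return r.action
    return default


# Constructed topology: client VLAN 10 is 192.168.10.0/24 and its gateway
# interface is 192.168.10.1; the native LAN is 192.168.0.0/24; a management
# VLAN, if used, is 192.168.100.0/24. "Internal" covers all of 192.168/16.
CLIENTS = net("192.168.10.0/24")
NATIVE = net("192.168.0.0/24")
INTERNAL = net("192.168.0.0/16")
GW_VLAN_IF = net("192.168.10.1/32")

# The same three rules serve both layouts: permits to the VLAN's own gateway
# first, then a deny covering every internal subnet (native, management, others).
ISOLATION_RULES = [
    Rule("permit", CLIENTS, GW_VLAN_IF, "udp", dport=67),   # DHCP renew (unicast)
    Rule("permit", CLIENTS, GW_VLAN_IF, "udp", dport=53),   # DNS via the gateway
    Rule("deny", CLIENTS, INTERNAL),                        # everything else internal
]

# Option 1: gateway in native, switches/APs in the management VLAN.
OPTION1_INFRA = ["192.168.0.1", "192.168.100.2", "192.168.100.3"]
# Option 2 (this thread's alternative): gateway and all Omada devices in native.
OPTION2_INFRA = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]


def infra_reachable(rules: List[Rule], infra: List[str],
                    client: str = "192.168.10.20") -> List[str]:
    """Infrastructure addresses a VLAN 10 client could reach on tcp/443."""
    return [ip for ip in infra
            if evaluate(rules, Flow(client, ip, "tcp", 51000, 443)) == "permit"]


def client_services_ok(rules: List[Rule], client: str = "192.168.10.20") -> bool:
    """DHCP and DNS to the VLAN gateway plus Internet web must stay permitted."""
    checks = [Flow(client, "192.168.10.1", "udp", 68, 67),
              Flow(client, "192.168.10.1", "udp", 51001, 53),
              Flow(client, "203.0.113.10", "tcp", 51002, 443)]   # constructed
    return all(evaluate(rules, f) == "permit" for f in checks)


def ssh_reply_allowed(rules: List[Rule], client: str = "192.168.10.20",
                      admin: str = "192.168.0.50") -> bool:
    """Reply half of an SSH session opened from the native LAN into VLAN 10.
    The stateless deny-to-internal rule drops it unless a return permit exists."""
    return evaluate(rules, Flow(client, admin, "tcp", 22, 52000)) == "permit"


# One reading of "it took one more rule": a return permit for source port 22,
# placed ahead of the deny. This is an assumption, not the poster's rule.
SSH_RETURN = Rule("permit", CLIENTS, NATIVE, "tcp", sport=22)
RULES_WITH_SSH = [SSH_RETURN] + ISOLATION_RULES

if __name__ == "__main__":
    for name, infra in (("option 1", OPTION1_INFRA), ("option 2", OPTION2_INFRA)):
        print(name, "infra reachable:", infra_reachable(ISOLATION_RULES, infra),
              "services ok:", client_services_ok(ISOLATION_RULES))
    print("ssh reply without return rule:", ssh_reply_allowed(ISOLATION_RULES))
    print("ssh reply with return rule:", ssh_reply_allowed(RULES_WITH_SSH))
```

With the deny written against all internal subnets, neither layout leaves an Omada device reachable from the client VLAN, and the gateway permits have to sit before the deny or DHCP renewals and DNS break. The source-port return permit is the cost of stateless switch ACLs: it admits any VLAN 10 packet that happens to carry source port 22, so where the gateway can see the traffic a stateful gateway rule is the tighter way to allow the SSH session.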
Re:How useful is a Management VLAN if all clients are out of the default/native LAN?
2024-04-22 05:32:37 - last edited 2024-04-22 05:33:31

@EricPerl

 

Short answer: no, you are not missing anything. Using the management VLAN sucks; it's poorly supported and, as you have already noticed, actually makes the management of the network much more complicated.

 

I use the default LAN of 192.168.0.0/24 as my Management network. All clients are on other VLANs.

 

This simple setup means that any piece of the infrastructure (routers, switches, access points) can be replaced simply by taking it out of the box and plugging it in.

 

If your network is configured ANY other way, e.g. you change the native subnet to something else, or use the Management or any other VLAN configuration for the infrastructure equipment, then this will NOT work and you will have to perform a number of manual steps in order to get the network running, which totally defeats the object of having a fully managed SDN in the first place.

#4
Re:How useful is a Management VLAN if all clients are out of the default/native LAN?
2024-04-22 19:24:36

Hi @Tescophil,

 

It appears I've ended up with something close if not identical to your configuration.

I had created the management VLAN already, in prep for another attempt. I guess I'll get rid of it...

#5