Management VLAN is still using default VLAN
2024-07-01 17:28:18

Hello,

I have some trouble with the "Management VLAN" feature. I have an Omada router, switch and EAP.

According to the following thread https://www.tp-link.com/de/support/faq/2814/ I tried to set up the management VLAN.

Controller, switch and EAP are in the management VLAN.

With the discovery tool I was also able to move the router somehow into the management VLAN, but the router is still using an IP address of the default VLAN 1.

Is that correct? My expectation was that the router would also use an IP address of the management VLAN interface, as is the case for the controller, switch and EAP.

Management VLAN uses the following IP subnet: 192.168.90.0/24

Router still uses the following IP subnet: 192.168.0.0/24
The switch communicates with the connected EAP via the tagged management VLAN. Here I can use a native VLAN other than VLAN 1 (the default VLAN). Communication takes place via the tagged management VLAN on the port. If I set the management VLAN as the native VLAN here, the communication fails and the controller reports a heartbeat failure.

From switch to router it looks as if VLAN 1 (default VLAN) is still required for the communication between the controller (connected via the switch) and the router, because the router is still using VLAN 1 as the native VLAN for its ports. Here I have to add the management VLAN as a tagged VLAN to the trunk port.

When I try to block the communication from the other VLANs to the management VLAN, the controller is no longer able to communicate with the router and I get a heartbeat failure for the router. It looks as if the communication still happens via VLAN 1 (default VLAN).

Then I tried to change the PVID of the router ports to the management VLAN. This worked when I set the PVID of the uplink port from the switch to the router to the management VLAN.
But I think using the management VLAN as the native VLAN is also not best practice from a security point of view.

For me it's now not completely clear what the correct configuration is here, or if I did something wrong.
I have not understood so far why Omada still needs another VLAN for the communication and does not use the management VLAN completely for that purpose.
From my point of view it's somehow inconsistent that the switch and router require another VLAN for their internal communication.

Can someone help me and explain to me how to use it in the correct/intended way, please?

Greetings
Michael

#1
Re:Management VLAN is still using default VLAN
2024-07-01 19:09:40

@Mikka19

I've never seen settings for this; on the router, VLAN 1 is untagged and it can't be changed.

You can change the PVID on a router port, but VLAN 1 is still there like a ghost in the background. You can't create a port profile on the router like you can on a switch, PVID only.
#2
Re:Management VLAN is still using default VLAN
2024-07-02 00:46:13 - last edited 2024-07-02 00:47:32

Hi @Mikka19

The router does not support the management VLAN. It always uses the default LAN IP to communicate with the controller.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#3
Re:Management VLAN is still using default VLAN
2024-07-04 15:52:11 - last edited 2024-07-04 16:45:53

Hi @Fae

But why is it then possible to change the PVID on each router port?

And on the switch port to which the router is connected I can also set the related VLAN as PVID to make sure that the controller can also communicate with the router.

But the router always gets an IP address assigned from the default VLAN (VLAN 1).

Then I don't understand the use case of changing the PVID of the router ports and using the management VLAN, because then I can directly use the default VLAN (VLAN 1) as a kind of management VLAN.

#4
Re:Management VLAN is still using default VLAN
2024-07-05 00:11:59

Hi @Mikka19

Here is what I know:

In the very beginning, the router did not support changing the PVID on the LAN ports. Then some people gave feedback that they wanted to connect an unmanaged switch to the port but have that switch in a specified VLAN, so we added this feature.

No matter what the port PVID is, the router only uses its default LAN to communicate with the controller, even if it requires routing.

You can send a feature request on Requests & Suggestions.

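Worked example, added here and not part of any post in this thread or of Omada's own software: a toy 802.1Q port model in Python that traces which VLAN a frame is classified into when it crosses a link. It uses the setup described in the thread (default VLAN 1 = 192.168.0.0/24, management VLAN 90 = 192.168.90.0/24, controller in VLAN 90 on the switch side) and Fae's statement that the router always talks to the controller from its default LAN. The port profiles for the router LAN port, the switch uplink and the EAP, and the assumption that an EAP with management VLAN 90 expects its management traffic tagged, are assumptions chosen to match the behaviour the posts describe, not documented Omada behaviour. It shows why, with VLAN 1 native on the router link, the router's frames land in VLAN 1 while the controller's frames reach the router in VLAN 90 (so the heartbeat depends on routing between the two, which is why blocking inter-VLAN traffic to the management VLAN breaks it), why setting the switch uplink PVID to 90 puts the router's untagged frames into the management VLAN, why making 90 native on the EAP port breaks the EAP heartbeat, and the caveat that with the management VLAN as native VLAN any untagged frame on that link is classified into it.

```python
"""Toy 802.1Q port model used to trace which VLAN a frame lands in.

Added example, not Omada code. Port profiles below are constructed from the
thread: default VLAN 1 (192.168.0.0/24), management VLAN 90 (192.168.90.0/24),
controller in VLAN 90 behind the switch, router LAN port <-> switch uplink.
"""
from dataclasses import dataclass
from typing import Optional, Union

DEFAULT_VLAN = 1
MGMT_VLAN = 90
DROP = "drop"


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                        # native VLAN: untagged frames in/out use it
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

    def egress(self, vid: int) -> Union[None, int, str]:
        """A frame in VLAN `vid` leaves as: None = untagged, int = tagged, DROP."""
        if vid == self.pvid:
            return None
        if vid in self.tagged:
            return vid
        return DROP

    def ingress(self, tag: Optional[int]) -> Union[int, str]:
        """Classify an arriving frame: untagged -> PVID, tagged -> VID if allowed."""
        if tag is None:
            return self.pvid
        if tag in self.tagged:
            return tag
        return DROP


def trace(vid: int, hops) -> Union[int, str]:
    """Carry a frame starting in VLAN `vid` across (egress_port, ingress_port) pairs."""
    for out_port, in_port in hops:
        tag = out_port.egress(vid)
        if tag == DROP:
            return DROP
        vid = in_port.ingress(tag)
        if vid == DROP:
            return DROP
    return vid


# --- Constructed port profiles (assumptions, not pulled from a real config) ---
# Router LAN port: VLAN 1 untagged, management VLAN tagged.
router_lan = Port("router-lan", pvid=DEFAULT_VLAN, tagged=frozenset({MGMT_VLAN}))
# Switch uplink to the router, first attempt in the thread: native 1, 90 tagged.
uplink_native1 = Port("sw-uplink", pvid=DEFAULT_VLAN, tagged=frozenset({MGMT_VLAN}))
# Same uplink after its PVID was changed to the management VLAN.
uplink_native90 = Port("sw-uplink", pvid=MGMT_VLAN, tagged=frozenset({DEFAULT_VLAN}))
# EAP with management VLAN 90: assumed to expect management traffic tagged 90,
# with untagged frames falling into the default VLAN (matches the heartbeat
# failure reported when 90 is made native on the switch side).
eap = Port("eap", pvid=DEFAULT_VLAN, tagged=frozenset({MGMT_VLAN}))
sw_eap_tagged = Port("sw-eap", pvid=DEFAULT_VLAN, tagged=frozenset({MGMT_VLAN}))
sw_eap_native90 = Port("sw-eap", pvid=MGMT_VLAN)


def router_heartbeat_vlan(uplink: Port) -> Union[int, str]:
    """VLAN the router's default-LAN (VLAN 1) frames land in on the switch."""
    return trace(DEFAULT_VLAN, [(router_lan, uplink)])


def controller_to_router_vlan(uplink: Port) -> Union[int, str]:
    """VLAN the controller's VLAN-90 frames land in on the router."""
    return trace(MGMT_VLAN, [(uplink, router_lan)])


def eap_mgmt_vlan(switch_port: Port) -> Union[int, str]:
    """VLAN the controller's VLAN-90 frames land in on the EAP."""
    return trace(MGMT_VLAN, [(switch_port, eap)])


def untagged_lands_in_mgmt(port: Port) -> bool:
    """Caveat: with the management VLAN as native VLAN, any untagged frame
    injected on that link is classified straight into the management VLAN."""
    return port.ingress(None) == MGMT_VLAN


if __name__ == "__main__":
    print("router frames, uplink native 1  :", router_heartbeat_vlan(uplink_native1))    # 1
    print("controller frames, native 1     :", controller_to_router_vlan(uplink_native1)) # 90
    print("router frames, uplink native 90 :", router_heartbeat_vlan(uplink_native90))   # 90
    print("EAP mgmt, 90 tagged             :", eap_mgmt_vlan(sw_eap_tagged))             # 90
    print("EAP mgmt, 90 native             :", eap_mgmt_vlan(sw_eap_native90))           # 1
    print("untagged -> mgmt on native-90   :", untagged_lands_in_mgmt(uplink_native90))  # True
```

With VLAN 1 native on both ends, the two directions of the controller/router exchange sit in different VLANs (router frames in 1, controller frames in 90), so only routing inside the router joins them; an ACL that blocks traffic into the management VLAN therefore breaks the heartbeat. Changing the switch uplink PVID to 90 makes the router's untagged frames land in 90, but it also makes that link accept any untagged frame into the management VLAN, which is the security concern raised in the thread.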
#5