How to configure Management VLANs for Omada Switches and APs (for SOHO scenario)
Contents
This article will introduce how to configure separate management VLANs for Omada managed switches and APs and a client VLAN other than VLAN 1 and isolate them with the clients connected.
- Omada Controller (Software Controller / Hardware Controller / Cloud Based Controller, V5.9 and above)
- Omada Smart, L2+ and L3 switches
- Omada AP
- Omada Gateway
When configuring the network, many customers would like to change the management VLANs for the controller, gateway, AP and switch, then set another VLAN for clients, in this way, different kinds of devices are managed in different VLANs, and the clients connected won’t be able to access the devices, enhancing the network security.
This guide suits the configuration for a completely new network for SOHO scenario usage which means you don’t have any configurations like management VLANs before, and also the network scale is simple and typical. If you want to configure a set of professional business network or already have a set of network configuration and want to integrate the Omada devices into the network, please refer to the How to configure Management VLANs for Omada Switches and APs (for Business scenario).
Usually, the topologies are like the following, connecting the controller directly on gateway:
As shown in the topology, the final goal is to shutdown VLAN 1 from the network, set VLAN20 for clients usage, all the clients connected will obtain IP address at 192.168.20.x/24, set VLAN 30 for switch management, and the switches will use a management IP at 192.168.30.x/24, VLAN 40 for AP management, and the APs will use a management IP at 192.168.40.x/24, for gateway and controller, their VLAN will still remain default, but change to another VLAN ID, you can also change the IP addresses for them.
Following are the detailed configuration steps based on the example shown in the topologies above.
Step 1. Adopt the gateway in default VLAN.
Step 2. Create the VLANs needed.
First, create the client VLAN 20, switch management VLAN 30 and AP management VLAN 40. Go to Settings – Wired Networks – LAN - Networks, click Create New LAN.
Below is the example of switch management VLAN 30, its Purpose should be configured as Interface. In LAN Interfaces, tick all the LAN ports you are using, then configure its IP, subnet and DHCP Server. You can configure the name, VLAN ID, subnet IP as you want. Click Save after finished.
Then create the clients VLAN and AP management VLAN as the same method.
Step 3. Configure the default VLAN.
After that, make a change on the default VLAN, click Edit on Default VLAN, change its VLAN ID and subnet IP to bypass VLAN 1 in the network, here I choose to change it to VLAN 10, 192.168.10.x/24 and enable the DHCP server in this network.
Final result should be like this:
Till now, you have created the VLANs in the network and also the interfaces on the gateway. And the IP address of gateway will be switched to 192.168.10.1. After that, you will need to reboot the hardware controller to trigger the DHCP procedure and obtain IP address from 192.168.10.x/24 so you can readopt the gateway, if you are using software controller, just unplug the PC to obtain the IP address again or set a static IP for your PC. Now the Device page should be like:
Step 4. Adopt all switches and APs.
After adopting the switches and APs, they should all obtain IP address from the default VLAN, which subnet is 192.168.10.x/24.
Step 5. Configure the management VLAN for switches.
Go to Devices, click on the switch to enter its private configuration page, go to Config – VLAN Interface, enable the switch management VLAN Interface, click Apply.
Now the switch management VLAN interface has been enabled on the switch, next, configure the management VLAN of the switch. Click the Edit button of the switch management VLAN.
Tick the Enable box to set this VLAN as the management VLAN. After setting it as management VLAN, you can configure its fallback IP, which means when the device failed to get an IP address via DHCP, it will fallback to this IP address, ensuring the management of this device, here I set it as 192.168.30.10, included in the switch management VLAN. Click Apply to save the configuration.
Shutdown the default VLAN Interface to finish the switching of management VLAN, click Apply to save the configuration.
Wait for a moment to let the configurations hand out to the device, the switch may be readopted during this procedure. You will find that the IP address of the switch has been changed to the new VLAN after finished switching management VLAN.
Step 6. Configure the management VLAN for APs.
Go to Devices, click on the EAP to enter its private configuration page. Go to Config – Services and set Management VLAN as Custom, then choose the corresponding VLAN, click Apply to save the configuration.
Wait for a while, after the configuration is executed, you will find the IP address of AP has been changed.
Step 7. Configure port profiles on switches for the use of clients VLAN.
To ensure all the wired clients obtain IP address from clients VLAN, we need to change the port profile of all the downlink ports on switches which directly connect to end devices to the clients VLAN profile.
Go to Devices, click on the switch to enter its private configuration page, go to Ports, select the downlink ports which connect directly to end devices, then click Edit Selected to batch change their port profiles.
Change the profiles of these ports to the profile which is automatically created after creating the clients VLAN, click Apply to save the configuration.
Step 8. Configure SSID VLAN for wireless clients.
Go to Settings – Wireless Networks – WLAN, click Create New Wireless Network to create a SSID for wireless clients.
Set a name and password for this SSID, then click to expand the Advanced Settings, set VLAN to Custom, then in Add VLAN, select the clients VLAN we have created, click Apply to save the configuration.
Step 9. Create ACL rule to prevent clients from accessing controller and network devices.
Go to Settings – Network Security – ACL – Gateway ACL, click Create New Rule to create a new ACL rule.
Enter a name as the Description for this rule, for Direction, choose LAN -> LAN, for Policy, choose Deny, then select all the Protocols, for the Source and Destination, set the Type as Network, then choose the clients VLAN as source and all other management VLANs as the destination. Click Create to create this rule which denies clients to access the controller and other network devices.
By setting this ACL rule, when the client devices are connected and obtain IP address from 192.168.20.x/24, they will not be able to access the controller or the switch, enhancing the network security.
Step 10. Set DHCP Option 138 on all DHCP Servers.
DHCP Option 138 is used to inform the clients the IP address of Omada controller when offering IP address during DHCP procedure, although all the devices are successfully adopted and could communicate with the controller now, they may lost connection with Omada controller after a reboot, so the DHCP Option 138 is needed, after configured, the devices could still obtain the IP address of the controller after a reboot, ensuring their stable management.
Go to Settings – Wired Networks – LAN – Networks, click Edit on the interface, scroll down and expand Advanced DHCP Options, input the controller’s IP address in Option 138 column, click Save to apply the configuration.
|
After this configuration, the gateway, switches and APs are in different management VLANs.
The wired PC connected on the switch is obtaining IP address from the clients VLAN 192.168.20.x/24 :
The phone connected wirelessly is obtaining IP address from clients VLAN 192.168.20.x/24:
The client cannot access managed network devices:
Till now we have introduced how to set up a new network and use different VLAN networks to manage gateway, switches, APs, then connect clients in a specific VLAN and isolate them with the network devices.
Get to know more details of each function and configuration please go to Download Center to download the manual of your product.
Is this faq useful?
Your feedback helps improve this site.