How to Configure Management VLANs for Omada Switches and APs (for SOHO / Home Networking Scenario)

Configuration Guide
Updated 08-05-2024 23:05:16 PM FAQ view icon12676
This Article Applies to: 

Contents

Objective

Requirements

Introduction

Configuration

Verification

Conclusion

Objective

This guide will provide detailed instructions on how to configure separate management VLANs for Omada managed switches and Aps, a client VLAN other than VLAN 1, and isolate them with the clients connected.

Requirements

  • Omada Controller (Software Controller / Hardware Controller / Cloud Based Controller, V5.9 and above)
  • Omada Smart, L2+ and L3 switches
  • Omada AP
  • Omada Gateway

Introduction

When setting up the network, some customers prefer to modify the management VLANs for the controller, gateway, AP, and switch, and then designate a separate VLAN for clients. This approach ensures that different types of devices are managed in different VLANs, and prevents connected clients from accessing the devices, thereby improving network security.

This guide is suitable for configuring a completely new network for a Small Office/Home Office (SOHO) scenario. This means there are no pre-existing configurations, such as management VLANs, and the network scale is simple and typical. If you want to configure a set of professional business networks or already have a set of network configurations and want to integrate the Omada devices into the network, please refer to the How to configure Management VLANs for Omada Switches and APs (for Business scenario).

Usually, the topologies are like the following, connecting the controller directly to the gateway:

As shown in the topology, the final goal is to shutdown VLAN 1 from the network, set VLAN20 for clients usage, all the clients connected will obtain IP address at 192.168.20.x/24, set VLAN 30 for switch management, and the switches will use a management IP at 192.168.30.x/24, VLAN 40 for AP management, and the APs will use a management IP at 192.168.40.x/24, for gateway and controller, their VLAN will still remain default, but change to another VLAN ID, you can also change the IP addresses for them.

Following are the detailed configuration steps based on the example shown in the topologies above.

Configuration

Step 1. Adopt the gateway in default VLAN.

Step 2. Create the VLANs needed.

First, create the client VLAN 20, switch management VLAN 30 and AP management VLAN 40. Go to Settings – Wired Networks – LAN - Networks, click Create New LAN.

Below is the example of switch management VLAN 30, its Purpose should be configured as Interface. In LAN Interfaces, tick all the LAN ports you are using, then configure its IP, subnet and DHCP Server. You can configure the name, VLAN ID, subnet IP as you want. Click Save after finished.

Then create the clients VLAN and AP management VLAN as the same method.

Step 3. Configure the default VLAN.

After that, make a change on the default VLAN, click Edit on Default VLAN, change its VLAN ID and subnet IP to bypass VLAN 1 in the network, here I choose to change it to VLAN 10, 192.168.10.x/24 and enable the DHCP server in this network.

Final result should be like this:

Till now, you have created the VLANs in the network and also the interfaces on the gateway. And the IP address of gateway will be switched to 192.168.10.1. After that, you will need to reboot the hardware controller to trigger the DHCP procedure and obtain IP address from 192.168.10.x/24 so you can readopt the gateway, if you are using software controller, just unplug the PC to obtain the IP address again or set a static IP for your PC. Now the Device page should be like:

Step 4. Adopt all switches and APs.

After adopting the switches and APs, they should all obtain IP address from the default VLAN, which subnet is 192.168.10.x/24.

Step 5. Configure the management VLAN for switches.

Go to Devices, click on the switch to enter its private configuration page, go to Config – VLAN Interface, enable the switch management VLAN Interface, click Apply.

Now the switch management VLAN interface has been enabled on the switch, next, configure the management VLAN of the switch. Click the Edit button of the switch management VLAN.

Tick the Enable box to set this VLAN as the management VLAN. After setting it as management VLAN, you can configure its fallback IP, which means when the device failed to get an IP address via DHCP, it will fallback to this IP address, ensuring the management of this device, here I set it as 192.168.30.10, included in the switch management VLAN. Click Apply to save the configuration.

Shutdown the default VLAN Interface to finish the switching of management VLAN, click Apply to save the configuration.

Wait for a moment to let the configurations hand out to the device, the switch may be readopted during this procedure. You will find that the IP address of the switch has been changed to the new VLAN after finished switching management VLAN.

Step 6. Configure the management VLAN for APs.

Go to Devices, click on the EAP to enter its private configuration page. Go to Config – Services and set Management VLAN as Custom, then choose the corresponding VLAN, click Apply to save the configuration.

Wait for a while, after the configuration is executed, you will find the IP address of AP has been changed.

Step 7. Configure port profiles on switches for the use of clients VLAN.

To ensure all the wired clients obtain IP address from clients VLAN, we need to change the port profile of all the downlink ports on switches which directly connect to end devices to the clients VLAN profile.

Go to Devices, click on the switch to enter its private configuration page, go to Ports, select the downlink ports which connect directly to end devices, then click Edit Selected to batch change their port profiles.

Change the profiles of these ports to the profile which is automatically created after creating the clients VLAN, click Apply to save the configuration.

Step 8. Configure SSID VLAN for wireless clients.

Go to Settings – Wireless Networks – WLAN, click Create New Wireless Network to create a SSID for wireless clients. 

Set a name and password for this SSID, then click to expand the Advanced Settings, set VLAN to Custom, then in Add VLAN, select the clients VLAN we have created, click Apply to save the configuration.

Step 9. Create ACL rule to prevent clients from accessing controller and network devices.

Go to Settings – Network Security – ACL – Gateway ACL, click Create New Rule to create a new ACL rule.

Enter a name as the Description for this rule, for Direction, choose LAN -> LAN, for Policy, choose Deny, then select all the Protocols, for the Source and Destination, set the Type as Network, then choose the clients VLAN as source and all other management VLANs as the destination. Click Create to create this rule which denies clients to access the controller and other network devices.

By setting this ACL rule, when the client devices are connected and obtain IP address from 192.168.20.x/24, they will not be able to access the controller or the switch, enhancing the network security.

Step 10. Set DHCP Option 138 on all DHCP Servers.

DHCP Option 138 is used to inform the clients the IP address of Omada controller when offering IP address during DHCP procedure, although all the devices are successfully adopted and could communicate with the controller now, they may lost connection with Omada controller after a reboot, so the DHCP Option 138 is needed, after configured, the devices could still obtain the IP address of the controller after a reboot, ensuring their stable management.

Go to Settings – Wired Networks – LAN – Networks, click Edit on the interface, scroll down and expand Advanced DHCP Options, input the controller’s IP address in Option 138 column, click Save to apply the configuration.

1

Verification

After this configuration, the gateway, switches and APs are in different management VLANs. 

The wired PC connected on the switch is obtaining IP address from the clients VLAN 192.168.20.x/24 :

The phone connected wirelessly is obtaining IP address from clients VLAN 192.168.20.x/24:

The client cannot access managed network devices:

Conclusion

Till now we have introduced how to set up a new network and use different VLAN networks to manage gateway, switches, APs, then connect clients in a specific VLAN and isolate them with the network devices.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

 

Related FAQs

Looking for More

Is this faq useful?

Your feedback helps improve this site.

Recommend Products

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >