How to configure Management VLANs for Omada Switches and APs (for Business scenario)

Knowledgebase
Configuration Guide
Controller
Vlan
ACL
07-17-2024
75

Contents

Objective

Requirements

Introduction

Configuration

Verification

Conclusion

Objective

This article will configure separate management VLAN for switches and APs, and keep the default VLAN (changing its VLAN ID and subnet IP) for clients which is isolated from the management VLANs. The method of adding devices into a running network is also introduced.

Requirements

  • Omada Controller (Software Controller / Hardware Controller / Cloud Based Controller, V5.9 and above)
  • Omada Smart, L2+ and L3 switches
  • Omada AP
  • Omada Gateway

Introduction

When configuring the network, many customers would like to change the management VLANs for the controller, gateway, AP and switch, then set another VLAN for clients, in this way, different kinds of devices are managed in different VLANs, and the clients connected won’t be able to access the devices, enhancing the network security.

This guide suits the configuration for a for a business setup, adding the method for integrating new devices into the running network. For a simple and small-scale home network setup, please refer to How to configure Management VLANs for Omada Switches and APs (for SOHO scenario).

Usually, the topologies are like the following, use the core switch to handle all Layer 3 forwarding and configure the DHCP server on core switch, the gateway will only be responsible for handling Internet traffic towards core switch:

As shown in the topology, the final goal is to shutdown VLAN 1 from the network, set VLAN20 for clients usage, all the clients connected will obtain IP address at 192.168.20.x/24, set VLAN 30 for switch management, and the switches will use a management IP at 192.168.30.x/24, VLAN 40 for AP management, and the APs will use a management IP at 192.168.40.x/24, for router, core switch and controller, their VLAN will still remain default, but change to another VLAN ID, you can also change the IP addresses for them.

Following are the detailed configuration steps based on the example shown in the topologies above.

Configuration

Step 1. Connect the hardware controller on core switch and connect the management PC on the hardware controller, then adopt the core switch, currently the DHCP server is not yet configured, so the core switch and the hardware controller are using the fallback IP address, which are 192.168.0.1 for core switch and 192.168.0.253 for hardware controller, configure your PC’s static IP address in the 192.168.0.x/24 subnet to access the hardware controller and proceed the adoption.

Step 2. Create the VLANs needed.

First, create the client VLAN 20, switch management VLAN 30 and AP management VLAN 40. Go to Settings – Wired Networks – LAN - Networks, click Create New LAN.

Below is the example of Clients VLAN 20, its Purpose should be configured as VLAN and applied on Switches Only.

Then create the switch and AP management VLANs as the same method.

Final result should be like this:

Step 3. Enable the interfaces on the core switch.

Go to Devices, click on the core switch to enter its private configuration page, go to Config – VLAN Interface, enable all the interfaces, click Apply to save.

As shown in the topology, we will use core MGMT, 192.168.50.x/24 as the management VLAN of core switch, the IP address of controller and management PC will also be in this network. So what we need to do is set the port profile of the port connecting to the controller as “Core MGMT”, which is the profile automatically created for this VLAN, after enabled, this switch port will be only included in Core MGMT VLAN. Then set Core MGMT as the management VLAN of core switch.

Step 4. Configure the port profile on the core switch port connecting to controller.

Go to Devices, click on the switch to enter its private configuration page, go to Ports, click Edit on another port you want to connect the controller to (different from the port which the controller is connected now), we will switch the controller to this port after changing the management VLAN of core switch, in this example, I choose to move the controller to port 3, so I will change the port profile of port 3.

Select the Profile as “Core MGMT”, then click Apply.

Step 5. Change the management VLAN of the core switch.

Go to Devices, click on the core switch to enter its private configuration page, go to Config – VLAN Interface, click Edit on the management VLAN we are about to set.

Tick the Enable box to set this VLAN as the management VLAN. After setting it as management VLAN, set the IP Address Mode as Static, then set a static IP address for it, in this example I set it as 192.168.50.1, for DHCP Mode, set it as None. Click Apply to save the configuration.

Step 6. Change the IP address of controller and management PC.

Now, the IP address of core switch will be switched to 192.168.50.x/24, so we need to configure the static IP address of controller and management PC to the same subnet to continue managing the devices.

The way to configure static IP address on hardware controller is:

Go to Global View – Settings – Controller Settings, set the Network Settings as Static, then configure the IP address, in this example, it’s 192.168.50.100.

After configured the IP address of the hardware controller, the management PC’s IP address also needs to be changed. After configuring the IP address of the management PC, enter the new IP address of the hardware controller to enter the controller GUI again.

Step 7. Plug the controller to the port with correct port profile.

In the previous steps, we have changed the port profile of a new switch port to “Core MGMT”, now after changing the IP address of controller and management PC, we need to plug the controller on that port to ensure the communication between controller and core switch. After this step, the core switch should be readopted successfully on the controller.

Step 8. Configure the default VLAN interface.

Go to Settings – Wired Networks – LAN – Networks, click Edit on Default VLAN.

Change its VLAN ID and subnet IP to bypass VLAN 1 in the network, in this example it changed to VLAN 10, for the Gateway/Subnet, set it to 192.168.10.x/24, in this example, I set it as 192.168.10.2, which is the IP address of the gateway, this will help adopting the Omada gateway in the controller later, if you don’t have an Omada gateway, you can also enter the gateway’s IP address here. Finally, disable the DHCP server.

Final result should be like this:

Step 9. Configure the rest interfaces and DHCP servers on Core Switch.

Next, we need to configure the interfaces and the DHCP server for the other four VLANs. Go to Devices, click on the switch to enter its private configuration page, go to Config – VLAN Interface, click the Edit button on each VLAN to enter the configuration page.

For each VLAN interface, we need to configure a static IP address for it on the core switch first. Set the IP Address Mode as Static and set a static IP address for this interface. Set the DHCP Mode as DHCP Server and set the address pool, please beware that the gateway should be set as this core switch because the Layer 3 forwarding is done by it.

For example, in SW MGMT VLAN 30, I will configure the IP address of core switch interface as 192.168.30.1, the pool is 192.168.30.1/24, DNS and Default Gateway are both 192.168.30.1. DHCP Option 138 is used to inform the devices the IP address of the controller during the DHCP procedure, this is needed to be configured because finally all the network devices will not be in the same VLAN, they need DHCP Option 138 to find the controller and get adopted. In this example, the controller’s IP address is 192.168.50.100. Click Apply to save the configuration.

Finish the configuration of Clients, Default, SW MGMT and AP MGMT VLANs as introduced.

Step 10. Adopt all switches and APs.

After adopting the switches and APs, they should all obtain IP address from the default VLAN, which subnet is 192.168.10.x/24.

Step 11. Configure the management VLAN for switches.

Go to Devices, click on the switch to enter its private configuration page, go to Config – VLAN Interface, enable the switch management VLAN Interface, click Apply.

Now the switch management VLAN interface has been enabled on the switch, next, configure the management VLAN of the switch. Click the Edit button of the switch management VLAN.

Tick the Enable box to set this VLAN as the management VLAN. After setting it as management VLAN, you can configure its fallback IP, which means when the device failed to get an IP address via DHCP, it will fallback to this IP address, ensuring the management of this device, here I set it as 192.168.30.10, included in the switch management VLAN. Click Apply to save the configuration.

Shutdown the default VLAN Interface to finish the switching of management VLAN, click Apply to save the configuration.

Wait for a moment to let the configurations hand out to the device, the switch may be readopted during this procedure. You will find that the IP address of the switch has been changed to the new VLAN after finished switching management VLAN.

Step 12. Configure the management VLAN for APs.

Go to Devices, click on the EAP to enter its private configuration page. Go to Config – Services and set Management VLAN as Custom, then choose the corresponding VLAN, click Apply to save the configuration.

Wait for a while, after the configuration is executed, you will find the IP address of AP has been changed.

Step 13. Configure port profiles on switches for the use of clients VLAN.

To ensure all the wired clients obtain IP address from clients VLAN, we need to change the port profile of all the downlink ports on switches which directly connect to end devices to the clients VLAN profile.

Go to Devices, click on the switch to enter its private configuration page, go to Ports, select the downlink ports which connect directly to end devices, then click Edit Selected to batch change their port profiles.

Change the profiles of these ports to the profile which is automatically created after creating the clients VLAN, click Apply to save the configuration.

Step 14. Configure SSID VLAN for wireless clients.

Go to Settings – Wireless Networks – WLAN, click Create New Wireless Network to create a SSID for wireless clients.

Set a name and password for this SSID, then click to expand the Advanced Settings, set VLAN to Custom, then in Add VLAN, select the clients VLAN we have created, click Apply to save the configuration.

Step 15. Create IP groups and ACL rule to prevent clients from accessing controller and network devices.

Currently on controller, these VLANs are created as Layer 2 VLAN and then enabled VLAN interfaces on the core switch, so they are not included in the networks, we need to create IP groups first in order to create ACL rules based on them.

Go to Settings – Profiles – Groups, click Create New Group.

We need to create an IP group for each subnet, in this example, there are four subnets, Default, Clients, SW MGMT and AP MGMT, enter the name, select Type as IP Group, for IP Subnet, enter the network address of each subnet. For example, the Default group’s IP Subnet is 192.168.10.1/24. Click Apply to save the configuration.

Final result should be like this:

Go to Settings – Network Security – ACL – Switch ACL, click Create New Rule to create a new ACL rule.

Enter a name as the Description for this rule, for Policy, choose Deny, then select all the Protocols, for the Source and Destination, set the Type as IP Group, then choose the clients group as source and all other management groups as the destination, apply this rule on all ports. Click Create to create this rule which denies clients to access the controller and other network devices.

By setting this ACL rule, when the client devices are connected and obtain IP address from 192.168.20.x/24, they will not be able to access the controller or the switch, enhancing the network security.

Step 16. Adopt the Gateway on Omada Controller (In case you have Omada Gateway).

If you have Omada gateway, then you can also adopt it on the Omada controller for better management. But here we have already switched the default VLAN ID to 10, while the gateway will have DHCP server enabled by default and set itself as 192.168.0.1, this will cause the gateway failed to be adopted, so we need to make some pre-configuration on the gateway before adopting on the Omada controller.

Enter the WebUI of the gateway by accessing 192.168.0.1, set a username and password for it, then go to Network – LAN – LAN, click Edit on the default network.

Change this network to VLAN 10, and address to 192.168.10.x/24, for example, here I change it to 192.168.10.2. Also, we have enabled DHCP server on the core switch, so on the gateway, we disable the DHCP server by unticking the Enable box of Status. Click OK to save the configuration.

After changing its IP address, you will also need to change your PC’s IP address to the 192.168.10.x/24 subnet to access the WebUI of gateway again.

Go to System Tools – Controller Settings, in Controller Inform URL, enter the controller’s IP address: 192.168.50.100, click Save.

After configured the controller IP address, a static route is also needed for the gateway to find controller. Go to Transmission – Routing – Static Route, click Add to create a new static route.

Fill the Destination IP with the controller’s IP address, which is 192.168.50.100 in this example, and configure the Next Hop as the default VLAN interface IP address of core switch, which is 192.168.10.1, for Interface, select LAN. Click OK to create.

After the pre-configuration, connect the gateway to a port on the core switch which port profile is set as “All”, and you will see the gateway pending with IP address 192.168.10.2 in the device list, adopt it with the username and password you have set.

Step 17. Configure static routes on the core switch.

No matter you have Omada gateway or not, it’s necessary to set static routes on core switch and forward all the Internet traffic to the gateway, because all the layer 3 forwarding is done by the core switch, and the default gateway for each network is set as the core switch.

Go to Devices, click on the switch to enter its private configuration page. In Config > Static Route, click Add to add a new static route.

Tick to change the Status to Enable. Since we are dealing with all Internet traffic, you can set the Destination IP/Subnet to 0.0.0.0 and the Next Hop to the gateway at 192.168.10.2. For other traffic, more accurate default routes will be matched first, so just enter 1 for Distance, click Apply to save the configuration.

Result should be like this:

After setting static route on the core switch, we also need to set a reverse static route on the gateway to make sure all the traffic from Internet are forwarded to the core switch. On the core switch, we set the destination as 0.0.0.0/0 and next hop as 192.168.10.2, so on the gateway, we need to set a reverse one. As the subnets in this network are 192.168.10.x/24, 192.168.20.x/24, 192.168.30.x/24, 192.168.40.x/24 and 192.168.50.x/24, we need 5 static routes, and the next hop as 192.168.10.1 which is the default VLAN interface of the core switch.

If you don’t use Omada gateway, just set these static routes on your gateway, if you have Omada gateway and already adopted it, please follow step 15 to set static route on the gateway.

Step 18. Configure static routes on the gateway (In case you have Omada gateway).

Go to Settings>Transmission>Routing>Static Route, click Create New Route.

Here the static route for 192.168.50.0/24 has been configured in pre-configuration of the gateway, so we just need to configure four more static routes here. For the four static routes, the Destination IP/Subnet should be configure as 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24, set the Route Type as Next Hop and Next Hop as 192.168.10.1. Click Create to create a static route.

Final result should be like:

Step 19. Adding more switches and APs to the network. (Optional)

To add more switches and APs to the network, just connect them to the switch port which profile is set as “All”, and they could be successfully obtain IP address from the default VLAN 192.168.10.x/24. After adopted, change their management VLAN the same as previous steps.

Verification

After this configuration, the gateway, switches and APs are in different management VLANs.

The wired PC connected on the switch is obtaining IP address from the clients VLAN 192.168.20.x/24 :

The phone connected wirelessly is obtaining IP address from clients VLAN 192.168.20.x/24:

The client cannot access managed network devices:

Conclusion

Till now we have introduced how to set up a large scale network and use different VLAN networks to manage gateway, core switches, other switches and APs, then connect clients in a specific VLAN and isolate them with the network devices. The method of adding more devices in the running network and integrating gateways from Omada or other vendor is also introduced.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Please Rate this Document

Related Documents