The following article guides you on how to configure your Nebula devices when the Management VLAN is not the default untagged traffic from the LAN interface of the gateway.
1. What is a management VLAN?
A management VLAN is a common practice used by network administrators to prevent end-users from reaching key network devices in the infrastructure. It adds an extra layer of protection to the administrative network. Each network device is configured with a dedicated VLAN ID, while end-users enter the network from a different VLAN. In the case of Nebula devices, however, a misconfiguration may cut your remote devices off from the Internet. If a Nebula device retains a configuration that prevents it from reaching Nebula CC, the only way to recover management of that device may be a factory reset. This guide explains how to properly set a dedicated management VLAN ID (not VLAN 1) for your Nebula devices in a new site, while avoiding the conditions that could cause your devices to lose access to Nebula CC.
2. Fall-back Mechanism
Nebula Switches and Access Points have a mechanism that prevents them from losing Internet access because of management changes made in Nebula CC. When a change to the device's IP address or management VLAN would cause loss of Internet access, the device reverts to its old configuration. This is usually indicated by a "Bad IP assignment configuration" message on the device page.
The key to successfully configuring a new management IP address or VLAN is to ensure that both the old and the new settings can reach the Internet. Only after Nebula CC has verified that the changes made on the device do not cause loss of Internet access should you start scaling back, removing VLANs or IP interfaces on your switches and gateways.
3. Setting up a VLAN Interface on the NSG/USG FLEX
Add and Save a VLAN100 Interface
NSG series:
Site-wide > Configure > Security Gateway > Interfaces addressing > Interface [+Add]
USG FLEX series:
Site-wide > Configure > Firewall > Interface > LAN Interface [+Add]
This creates a tagged VLAN with the selected VID on the respective Port Group (USG and NSG show a similar configuration).
Please note that the LAN1 and LAN2 ports always remain untagged members of VLAN1 with the PVID set to 1; these settings cannot be changed.
4. Setting the Management VLAN of the Switch:
Site-wide > Configure > Switch > Switch ports
Edit ports 1 and 28, as these are the uplink ports of the switch itself and of the AP (as shown in the above picture), and include the needed VLANs in the Allowed VLANs field:
VLAN 10: Private Network, VLAN 20: Guest Network, VLAN 100: Management Network.
Next, configure and save the switch's LAN IP:
Site-wide > Devices > Switches > Select Switch > Edit LAN IP.
Note the importance of having the correct VLAN defined. This VLAN can be defined on a per-device basis or set globally under
Site-wide > Configure > Switch > Switch Settings > Management VLAN
Once the LAN settings are saved, we can confirm the LAN IP address of the switch (Nebula CC may take a few minutes to display the updated LAN IP):
Site-wide > Devices > Switches
5. Setting the Management VLAN of the Access Point
Configure and save the management LAN IP:
Site-wide > Devices > Access points > Select AP > Edit LAN IP
Note: setting the Management VLAN as tagged limits the AP to forwarding tagged traffic only, so the SSIDs should use VLAN interfaces and no untagged LAN traffic.
That should be enough for your devices to obtain an IP address from a management VLAN different from the untagged traffic of the LAN interface.
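As an added illustration (not Zyxel's code), the following pre-flight check models the rule from section 2 and the trunk/interface settings from sections 3 and 4: a management VLAN is only usable if every uplink hop carries it and the gateway terminates it, and a change is only safe while both the old and the new VLAN still reach the Internet. Port numbers, VLAN IDs and the data model are constructed from this article, not read from Nebula CC.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SwitchPort:
    """One uplink port: pvid is its untagged VLAN, allowed are the tagged VLANs it carries."""
    number: int
    pvid: int = 1
    allowed: set[int] = field(default_factory=set)

@dataclass
class Gateway:
    """NSG/USG FLEX model: LAN1/LAN2 are fixed untagged members of VLAN1 (PVID 1);
    vlan_interfaces are the tagged VLAN interfaces added under Interfaces addressing."""
    untagged_vlan: int = 1
    vlan_interfaces: set[int] = field(default_factory=set)

def vlan_reaches_internet(vlan: int, uplinks: list[SwitchPort], gw: Gateway) -> bool:
    """True when `vlan` is carried on every uplink hop and terminates on a gateway interface."""
    carried = all(vlan == p.pvid or vlan in p.allowed for p in uplinks)
    terminated = vlan == gw.untagged_vlan or vlan in gw.vlan_interfaces
    return carried and terminated

def change_is_safe(old_vlan: int, new_vlan: int, uplinks: list[SwitchPort], gw: Gateway) -> bool:
    """Nebula keeps the change only if the device stays reachable; both paths must be valid
    until the new management VLAN is verified, so the fall-back can still succeed."""
    return vlan_reaches_internet(old_vlan, uplinks, gw) and vlan_reaches_internet(new_vlan, uplinks, gw)

def blocking_hops(vlan: int, uplinks: list[SwitchPort], gw: Gateway) -> list[str]:
    """Lists where `vlan` is dropped, so the admin knows what to fix before saving the LAN IP."""
    problems = [f"port {p.number} does not carry VLAN {vlan}"
                for p in uplinks if vlan != p.pvid and vlan not in p.allowed]
    if vlan != gw.untagged_vlan and vlan not in gw.vlan_interfaces:
        problems.append(f"gateway has no interface for VLAN {vlan}")
    return problems

def walkthrough() -> tuple[bool, bool]:
    """Constructed scenario: VLAN 10 private, 20 guest, 100 management; uplinks on
    switch ports 1 (to the gateway) and 28 (to the AP). Port 28 is not yet edited."""
    gw = Gateway(vlan_interfaces={10, 20, 100})
    port1 = SwitchPort(1, allowed={10, 20, 100})
    port28 = SwitchPort(28, allowed={10, 20})
    before = change_is_safe(1, 100, [port1, port28], gw)   # False: port 28 drops VLAN 100
    port28.allowed.add(100)                                # step 4: add VLAN 100 to Allowed VLANs
    after = change_is_safe(1, 100, [port1, port28], gw)    # True: safe to save the new LAN IP
    return before, after
```

Run `walkthrough()` or `blocking_hops(100, ...)` against your own port and interface lists before saving a new management VLAN; an empty problem list for both the old and the new VLAN is the condition section 2 asks for.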
Also interesting:
Do you want to have a look directly at one of our test devices? Have a look at our virtual lab:
Virtual Lab - VPN Nebula to non Nebula device
KB-00269