Nebula [AP/Switch] - Configure a non-default Management VLAN

The following article guides you on how to configure your Nebula devices when the Management VLAN is not the default untagged traffic from the LAN interface of the gateway.

 

1. What is a management VLAN?

2. Fall-back Mechanism

3. Setting up a VLAN Interface on the NSG/USG FLEX

4. Setting the Management VLAN of the Switch

5. Setting the Management VLAN of the Access Point

 

 

1. What is a management VLAN?

A management VLAN is a common practice among network administrators that prevents end users from accessing key network devices in the network infrastructure. This adds an extra layer of protection within your administrative network. It is done by configuring each network device with a unique VLAN ID, while making sure end users enter the network from a different VLAN. However, in the case of Nebula devices, misconfigurations may cut your remote devices off from the Internet. If your Nebula devices retain a configuration that prohibits them from reaching Nebula CC, then the only way to recover device management may be to factory reset them. This guide details how to properly set a unique management VLAN ID (not VLAN 1) for your Nebula devices in a new site, while avoiding conditions that may cause your devices to lose access to Nebula CC.

 


2. Fall-back Mechanism

Nebula Switches and Access Points have a mechanism that prevents them from losing Internet access due to management changes made in Nebula CC. When a change to the Nebula device's IP address or management VLAN causes loss of Internet access, the device reverts to its old configuration. This is often indicated by a "Bad IP assignment configuration" message on the device page.

 


The key to successfully configuring a new management IP address or VLAN is to ensure that both the old and the new settings can reach the Internet. Only after Nebula CC has verified that the changes made on the device do not cause loss of Internet access can you start scaling back by removing VLANs or IP interfaces on your switches and gateways.


3. Setting up a VLAN Interface on the NSG/USG FLEX

Add and Save a VLAN100 Interface

NSG series:

Site-wide > Configure > Security Gateway > Interfaces addressing > Interface [+Add]

USG FLEX series:

Site-wide > Configure > Firewall > Interface > LAN Interface [+Add]



This will create a tagged VLAN set to the selected VID on the respective Port Group (both USG and NSG show a similar configuration).

 


Please note that the LAN1 and LAN2 ports always remain untagged members of VLAN1 with the PVID set to 1. These settings cannot be changed.

 

4. Setting the Management VLAN of the Switch:

 

Site-wide > Configure > Switch > Switch ports 

Edit ports 1 and 28, as these are our uplink ports for the switch itself and the AP (as shown in the above picture), and include the needed VLANs in the Allowed VLANs field:

 


*VLAN 10: Private Network, VLAN 20: Guest Network, VLAN 100: Management Network.

 

Next, configure and save the switch's LAN IP:

Site-wide > Devices > Switches > Select Switch > Edit LAN IP.

 


Note the importance of having the correct VLAN defined. This VLAN can be defined on a per-device basis or set globally under:

Site-wide > Configure > Switch > Switch Settings > Management VLAN

 

Once the LAN settings are saved, we can confirm the LAN IP address of the switch (Nebula CC may take a few minutes to display the updated LAN IP):

Site-wide > Devices > Switches

 


5. Setting the Management VLAN of the Access Point

Configure and save the management LAN IP:

Site-wide > Devices > Access points > Select AP > Edit LAN IP

 


Note: setting up the Management VLAN as tagged will limit the AP to forwarding only tagged traffic. The SSIDs should therefore use only VLAN interfaces and no untagged LAN traffic.

 

That should be enough for your devices to get an IP address from a management VLAN that is different from the untagged traffic on the LAN interface.
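An offline pre-change check for the procedure above, added here as an example (it is not Zyxel's code and does not call Nebula CC). The plan dictionary, its field names and the sample values are assumptions that you transcribe by hand from the Nebula CC pages; it also assumes the untagged VLAN 1 is listed in each uplink's Allowed VLANs.

```python
# Added example: verifies that BOTH the old and the new management VLAN have a
# path to the gateway before the change is saved, so the fall-back mechanism
# is not triggered. All names and data below are hypothetical.

def parse_vlans(spec):
    """Expand an Allowed VLANs string such as "1,10,20,100" or "1-4094" into a set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def check_mgmt_vlan_change(plan):
    """Return a list of problems; an empty list means old and new VLAN both have a path."""
    problems = []
    # LAN1/LAN2 are always untagged members of VLAN 1 on the gateway (per the article).
    gateway_vlans = set(plan["gateway_vlan_interfaces"]) | {1}
    for vid in (plan["old_mgmt_vlan"], plan["new_mgmt_vlan"]):
        if vid not in gateway_vlans:
            problems.append(f"gateway has no interface for VLAN {vid}")
        for port, spec in plan["uplink_allowed_vlans"].items():
            if vid not in parse_vlans(spec):
                problems.append(f"switch port {port} does not allow VLAN {vid}")
    return problems

# Constructed sample matching the article: VLAN 100 interface on the gateway,
# uplink ports 1 and 28 carrying VLANs 1, 10, 20 and 100.
GOOD_PLAN = {
    "old_mgmt_vlan": 1,
    "new_mgmt_vlan": 100,
    "gateway_vlan_interfaces": [100],
    "uplink_allowed_vlans": {1: "1,10,20,100", 28: "1,10,20,100"},
}
# Constructed failure case: the AP uplink (port 28) was trimmed too early.
BAD_PLAN = dict(GOOD_PLAN, uplink_allowed_vlans={1: "1,10,20,100", 28: "10,20"})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_mgmt_vlan_change(plan) or "OK")
```

Run it again with the old VLAN removed from the plan only after Nebula CC shows the devices online on the new management VLAN.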

 

 


KB-00269
