Management VLAN

[Alpha 007]

I am experimenting with segregating my LAN into VLANs. I have two RT-AC68U running merlin – one used as gateway and one as access point. In addition, I have a couple of servers and managed switches that supports VLAN. My RT-AC68U gateway is routing between the VLANs

One of the goals is to move management access to devices to a separate VLAN where the only way into that VLAN is by physically connecting to a management port on a switch or by using VPN. To achieve this I would like management access (HTTP, SNMP, etc) to the router to only be allowed from the management VLAN.

Suggestions on how to achieve this?

 

[coxhaus]

The easiest way I can think of doing that is with a layer 3 switch. Connect the router to a VLAN defined on the layer 3 switch with an IP network address which corresponds to the LAN IP network address on the ASUS router. I would use the default VLAN defined to the same network. Add all the network equipment to the same VLAN. Then use another VLAN or VLANs of course with a second IP network address to connect the workstations and devices too. I do this right now. I have 3 separate wireless WAPs using the same multiple SSIDs and only one of the SSIDs are defined to the management VLAN.

 

[Alpha 007]

I was hoping to avoid having to buy additional hardware – thus having the router being the layer 3 switch.

I was kind of hoping that by manipulation of the iptables in the router, I could ensure that only some bridges (vlans) would be forwarded to the various processes running in the router (e.g. HTTP and SNMP access should only be allowed on the management VLAN, DHCP should be allowed on the every LAN).