DLB-AP Management VLAN
From Deliberant wiki
Introduction
This tutorial explains how to create a management VLAN on a DLB-AP device.
A management VLAN restricts management access to the device (via http(s)/ssh) to traffic tagged with a certain VLAN, while still allowing customer traffic to pass through. This adds a layer of protection to the Deliberant device, because customers will not be able to access the device even if they know the IP address.
In this example, we have a bridged access point and want to allow management access only from traffic tagged with VLAN 500. The router that is connected to the DLB-AP will also have a VLAN interface created with VLAN ID 500. This will allow the router to communicate with the DLB-AP device on the management VLAN. The router will also accept untagged traffic (the customer traffic). It will be able to distinguish between management traffic and customer traffic, and handle them appropriately. We want the management VLAN IP settings to reside on 192.168.10.66/24.
We will begin this example with the default settings (bridge mode with 192.168.2.66 as default IP).
Example
1) By default the device is in bridge mode.
2) Change the mode to advanced mode to access the VLAN functionality.
3) Navigate to the VLAN section and create a VLAN interface for each physical interface (in this example the VLAN ID is 500).
4) If successful, you will see the newly created VLAN interfaces in the list.
5) Next, add the new VLAN interfaces to a new bridge. Navigate to the bridge section. You will see that the two new VLAN interfaces are available to add to a bridge. Highlight both, select Create a New Bridge from the drop-down list, and click the Add button.
6) If successful, you will see a new bridge created (in this case br1) with the new VLAN interfaces.
7) Next, configure the IP settings for the new VLAN bridge. Navigate to the Interfaces section. You will see both bridges. Click the Edit button to edit the br1 bridge.
8) Configure the IP settings of the management VLAN bridge interface.
9) Now edit br0 (the customer traffic bridge). We do not want any IP information assigned to this bridge, since we don't want customers to have access. Enter 0.0.0.0 for the IP and 255.255.255.255 for the subnet mask.
10) Now you should see the summary of bridge interfaces, with br1 having IP information and br0 not having IP information.
11) Click the save button to save changes.
12) Click reboot to reboot the device and apply changes.
Once the device comes back up, it will only be accessible from traffic tagged with VLAN ID 500.
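A check to run after the reboot, added here as an example (it is not part of the original wiki page or of Deliberant's tooling): it probes the management services once from a host on VLAN 500 and once from an untagged customer-side host. The ports 22/80/443 and the names `tcp_open` and `audit` are assumptions; the addresses are the ones used in this tutorial.

```python
import socket
import sys

MGMT_IP = "192.168.10.66"   # br1 (management bridge) address from this tutorial
OLD_IP = "192.168.2.66"     # factory-default address that br0 should no longer carry
MGMT_PORTS = {"ssh": 22, "http": 80, "https": 443}  # assumed default service ports


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(vantage, probe=tcp_open):
    """Check management exposure from one vantage point.

    vantage is "management" (a host on VLAN 500 in 192.168.10.0/24) or
    "customer" (a host sending untagged traffic). Returns a list of
    findings; an empty list means the device behaves as intended.
    """
    if vantage not in ("management", "customer"):
        raise ValueError("vantage must be 'management' or 'customer'")
    findings, mgmt_open = [], []
    for name, port in MGMT_PORTS.items():
        # br0 has no IP any more, so the old address must not answer anywhere.
        if probe(OLD_IP, port):
            findings.append(f"{name} still reachable on {OLD_IP}:{port}")
        if probe(MGMT_IP, port):
            mgmt_open.append(name)
            if vantage == "customer":
                findings.append(f"{name} on {MGMT_IP}:{port} reachable without VLAN 500")
    if vantage == "management" and not mgmt_open:
        findings.append(f"no management service answers on {MGMT_IP}; check br1/VLAN 500")
    return findings


if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else "customer")
    print("\n".join(results) or "OK: management access matches the intended lockdown")
    sys.exit(1 if results else 0)
```

Run it with `management` from a host on VLAN 500 and with `customer` from an untagged port. A finding from the customer side can also mean the router is forwarding customer traffic into VLAN 500, which the router's own rules must prevent.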












