How to configure Management VLANs for Omada Switches and APs (for Business scenario)
Contents
This article sets up separate management VLANs for switches and APs, and keeps the default VLAN (with its VLAN ID and subnet changed) for clients that are isolated from the management VLANs. It also describes how to add new devices to a network that is already in operation.
- Omada Controller (Software Controller / Hardware Controller / Cloud-Based Controller, V5.9 or above)
- Omada Smart, L2+ and L3 Switches
- Omada APs
- Omada Gateways
When setting up a network, many users change the management VLAN of the controller, gateway, APs and switches, then configure other VLANs for clients. This places the different types of devices in different management VLANs, so that connected clients cannot access the network devices, which improves the security of the network.
This article applies to business environments and also covers how to integrate new devices into a running network. For a small-site or home-scale network, please refer to How to configure Management VLANs for Omada Switches and APs (for Home scenario).
The typical topology is as follows: a core switch handles all Layer 3 forwarding and runs the DHCP servers, while the gateway only handles the traffic that flows to and from the core switch:
As the topology shows, the final goal is to stop using VLAN 1 in the network. VLAN 20 is for clients, and all clients will obtain IP addresses from 192.168.20.x/24. VLAN 30 is for switch management, with switch management IPs in 192.168.30.x/24. VLAN 40 is for AP management, with AP management IPs in 192.168.40.x/24. The router, core switch and controller keep the default configuration, but its VLAN ID is changed, and you may also change their IP addresses.
The detailed configuration steps, based on the topology above, are as follows.
Step 1. Connect the hardware controller to the core switch and connect the management PC to the hardware controller, then adopt the core switch. Since no DHCP server has been configured yet, the core switch and the hardware controller are using their fallback IP addresses: 192.168.0.1 for the core switch and 192.168.0.253 for the hardware controller. Set your PC to a static IP address in 192.168.0.x/24 so that you can access the hardware controller and adopt the switch.
Step 2. Create the required VLANs.
First, create the clients VLAN 20, the switch management VLAN 30 and the AP management VLAN 40. Go to Settings – Wired Networks – LAN – Networks and click Create New LAN.
Below is the example for the clients VLAN 20. Purpose should be set to VLAN and applied only to Switches.
Then create the switch and AP management VLANs in the same way.
The final result should look like this:
Step 3. Enable the interfaces on the core switch.
Go to Devices, click the core switch to enter its configuration page, go to Config – VLAN Interface, enable all the interfaces, then click Apply to save.
As shown in the topology below, we will use MGMT, 192.168.50.x/24, as the management VLAN of the core switch; the controller and the management PC will also be in this subnet. We need to set the profile of the port that connects to the controller to "Core MGMT", the profile that was automatically created for this VLAN; once applied, that switch port will only be included in the Core MGMT VLAN. Then set Core MGMT as the management VLAN of the core switch.
Step 4. Configure the port profile on the core switch port that will connect to the controller.
Go to Devices, click the switch to enter its configuration page, go to Ports and click Edit on another port that you want to connect the controller to (not the port the controller is currently connected to). After the management VLAN of the core switch has been changed, we will move the controller to this port. In this example, we change the port profile of port 3.
Set Profile to "Core MGMT", then click Apply.
Step 5. Change the management VLAN of the core switch.
Go to Devices, click the core switch to enter its configuration page, go to Config – VLAN Interface and click Edit on the VLAN that we want to set as the management VLAN.
Tick the Enable box to set this VLAN as the management VLAN. Then set IP Address Mode to Static and configure a static IP address, 192.168.50.1 in this example, and set DHCP Mode to None. Click Apply to save the configuration.
Step 6. Change the IP addresses of the controller and the management PC.
The IP address of the core switch will now move to 192.168.50.x/24, so we need to give the controller and the management PC static IP addresses in the same subnet in order to keep managing the devices.
Set a static IP address on the hardware controller as follows:
Go to Global View – Settings – Controller Settings, set Network Settings to Static, then set the IP address, 192.168.50.100 in this example.
After setting the IP address of the hardware controller, the IP address of the management PC also needs to be changed. Then enter the IP address of the hardware controller to access the controller GUI again.
Step 7. Connect the controller to the port with the correct port profile.
In the previous steps we changed the profile of the new switch port to "Core MGMT". After changing the IP addresses of the controller and the management PC, we need to plug the controller into that port to restore the connection between the controller and the core switch. Once this is done, the core switch should be re-adopted by the controller.
Step 8. Configure the default VLAN interface.
Go to Settings – Wired Networks – LAN – Networks and click Edit on the Default VLAN.
Change its VLAN ID and subnet to avoid using VLAN 1 in the network; in this example it is changed to VLAN 10. For Gateway/Subnet, use the 192.168.10.x/24 subnet; in this example it is set to 192.168.10.2, which is the IP address of the gateway. This makes it easier to adopt an Omada gateway on the controller later; if you do not have an Omada gateway, you can also enter your gateway's IP address here. Finally, disable DHCP Server.
The final result should look like this:
Step 9. Configure the interfaces and DHCP servers on the core switch.
Next, we need to configure the interface and DHCP server for the other 4 VLANs. Go to Devices, click the switch to enter its configuration page, go to Config – VLAN Interface and click the Edit button of each VLAN to enter its configuration page.
For each VLAN interface, first configure a static IP address on the core switch: set IP Address Mode to Static and set a static IP address for the interface. Then set DHCP Mode to DHCP Server and configure the address pool. Note that the gateway should be set to the core switch, because Layer 3 forwarding is done by the core switch.
For example, in SW MGMT VLAN 30, the interface IP address of the core switch is set to 192.168.30.1, the pool is 192.168.30.1/24, and both DNS and Default Gateway are 192.168.30.1. DHCP Option 138 is used to tell devices the controller's IP address during the DHCP procedure; it is needed because the devices in the network are not all in the same VLAN, so they rely on DHCP Option 138 to find the controller and be adopted. In this example the controller's IP address is 192.168.50.10. Click Apply to save the configuration.
Configure the Clients, SW MGMT and AP MGMT VLANs as described above.
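To make the Option 138 part of step 9 concrete, the following added example (not Omada code, written for this article) builds the DHCP option area that the core switch's DHCP server on SW MGMT VLAN 30 would hand out and parses it the way an adopting device would, extracting the controller address. It assumes the RFC 5417 format for option 138 (a list of 4-byte IPv4 addresses) and uses the controller address 192.168.50.100 from step 6; the option blob itself is constructed sample data.

```python
import ipaddress

# DHCP option codes used below. 138 is "CAPWAP Access Controller addresses"
# (RFC 5417), which Omada devices use to discover the controller.
OPTION_SUBNET_MASK = 1
OPTION_ROUTER = 3
OPTION_DNS = 6
OPTION_CAPWAP_AC_V4 = 138
OPTION_PAD = 0
OPTION_END = 255


def tlv(code, payload):
    """Encode one DHCP option as code, length, value."""
    if len(payload) > 255:
        raise ValueError("DHCP option payload too long for a single TLV")
    return bytes([code, len(payload)]) + payload


def build_option_138(controller_ips):
    """Option 138 carries one or more controller IPv4 addresses, 4 bytes each."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    return tlv(OPTION_CAPWAP_AC_V4, payload)


def sample_offer_options():
    """Constructed option area for a lease on SW MGMT VLAN 30, mirroring the
    values of step 9 (mask /24, router and DNS 192.168.30.1, controller
    192.168.50.100). This is sample data, not a captured packet."""
    return (
        tlv(OPTION_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed)
        + tlv(OPTION_ROUTER, ipaddress.IPv4Address("192.168.30.1").packed)
        + tlv(OPTION_DNS, ipaddress.IPv4Address("192.168.30.1").packed)
        + build_option_138(["192.168.50.100"])
        + bytes([OPTION_END])
    )


def parse_options(blob):
    """Walk the option area (code, length, value) into a dict, honouring
    pad and end markers and refusing truncated TLVs."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


def controller_addresses(options):
    """Controller IPs advertised in option 138; an empty list means the
    device will have to fall back to another discovery method."""
    raw = options.get(OPTION_CAPWAP_AC_V4, b"")
    if len(raw) % 4 != 0:
        raise ValueError("option 138 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


if __name__ == "__main__":
    opts = parse_options(sample_offer_options())
    print("router:", ipaddress.IPv4Address(opts[OPTION_ROUTER]))
    print("controller(s) from option 138:", controller_addresses(opts))
```

If a switch or AP in a management VLAN stays in the pending state, checking that the lease it received actually carries option 138 with the controller's current address is the first thing to verify, since step 6 moved the controller into a subnet the devices cannot reach by Layer 2 discovery.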
Step 10. Adopt all the switches and APs.
After the switches and APs are adopted, they should all obtain IP addresses from the Default VLAN, subnet 192.168.10.x/24.
Step 11. Configure the management VLAN for switches.
Go to Devices, click the switch to enter its configuration page, go to Config – VLAN Interface, enable the switch management VLAN interface and click Apply.
Now that the switch management VLAN interface is enabled on the switch, configure the switch management VLAN. Click the Edit button of the switch management VLAN.
Tick the Enable box to set this VLAN as the management VLAN. After setting it as the management VLAN, you can configure its fallback IP: when the device fails to get an IP address via DHCP, it falls back to this IP address so that it remains manageable. Here I set it to 192.168.30.10, within the switch management VLAN. Click Apply to save the configuration.
Shut down the default VLAN interface to finish switching the management VLAN, then click Apply to save the configuration.
Wait a moment for the configuration to be pushed to the device; the switch may be re-adopted during this procedure. After the management VLAN switch has finished, you will see that the IP address of the switch has changed to the new VLAN.
Step 12. Configure the management VLAN for APs.
Go to Devices, click the EAP to enter its configuration page. Go to Config – Services, set Management VLAN to Custom, then choose the corresponding VLAN and click Apply to save the configuration.
Wait a while; after the configuration has been applied, you will see that the IP address of the AP has changed.
Step 13. Configure port profiles on switches for the clients VLAN.
To ensure that all wired clients obtain IP addresses from the clients VLAN, we need to change the port profile of every switch downlink port that connects directly to an end device to the clients VLAN profile.
Go to Devices, click the switch to enter its configuration page, go to Ports, select the downlink ports that connect directly to end devices, then click Edit Selected to batch-change their port profiles.
Change the profiles of these ports to the profile that was automatically created with the clients VLAN, then click Apply to save the configuration.
Step 14. Configure SSID VLAN for wireless clients.
Go to Settings – Wireless Networks – WLAN and click Create New Wireless Network to create an SSID for wireless clients.
Set a name and password for this SSID, then expand the Advanced Settings, set VLAN to Custom, and in Add VLAN select the clients VLAN we created. Click Apply to save the configuration.
Step 15. Create IP groups and ACL rule to prevent clients from accessing controller and network devices.
Currently these VLANs exist on the controller as Layer 2 VLANs with VLAN interfaces enabled on the core switch, so they are not included in Networks; we therefore need to create IP groups first in order to build ACL rules based on them.
Go to Settings – Profiles – Groups, click Create New Group.
We need to create an IP group for each subnet. In this example there are four subnets: Default, Clients, SW MGMT and AP MGMT. Enter the name, select Type as IP Group, and for IP Subnet enter the network address of the subnet; for example, the Default group's IP Subnet is 192.168.10.1/24. Click Apply to save the configuration.
Final result should be like this:
Go to Settings – Network Security – ACL – Switch ACL and click Create New Rule to create a new ACL rule.
Enter a name as the Description for this rule. For Policy, choose Deny, then select all the Protocols. For Source and Destination, set Type to IP Group, choose the clients group as the source and all the management groups as the destination, and apply this rule on all ports. Click Create to create this rule, which denies clients access to the controller and the other network devices.
With this ACL rule in place, client devices that connect and obtain an IP address from 192.168.20.x/24 will not be able to access the controller or the switches, which enhances network security.
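Before relying on the rule from step 15, it is worth checking what it actually covers. The following added example (written for this article, not Omada code) models the IP groups and the single deny rule with an implicit permit for unmatched flows (an assumption about the switch ACL's default behaviour), evaluates some constructed sample flows, and reports which management subnets a client could still reach. It goes slightly beyond the page by adding a fifth group, Core MGMT (192.168.50.0/24, the subnet that holds the controller); that group is an assumption and is labelled as such in the code.

```python
import ipaddress

# IP groups as created in step 15 (subnets as listed on the page), plus one
# assumed group for the core switch management subnet that holds the controller.
IP_GROUPS = {
    "Default": ["192.168.10.1/24"],
    "Clients": ["192.168.20.0/24"],
    "SW MGMT": ["192.168.30.0/24"],
    "AP MGMT": ["192.168.40.0/24"],
    "Core MGMT": ["192.168.50.0/24"],   # assumption: not among the page's four groups
}

MANAGEMENT_GROUPS = ["Default", "SW MGMT", "AP MGMT", "Core MGMT"]


def group_networks(name):
    # strict=False accepts a host-style entry such as 192.168.10.1/24, as on the page.
    return [ipaddress.ip_network(s, strict=False) for s in IP_GROUPS[name]]


def in_group(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group_networks(name))


# The deny rule from step 15: Policy Deny, all protocols, source Clients,
# destination all management groups, applied on all ports.
DENY_RULE = {"policy": "deny", "source": ["Clients"], "destination": MANAGEMENT_GROUPS}


def evaluate(rules, src, dst):
    """First matching rule wins. A flow no rule matches is permitted
    (assumption: implicit permit, which is what a single deny rule implies)."""
    for rule in rules:
        src_hit = any(in_group(src, g) for g in rule["source"])
        dst_hit = any(in_group(dst, g) for g in rule["destination"])
        if src_hit and dst_hit:
            return rule["policy"]
    return "permit"


def reachable_management_groups(rules, client_ip):
    """Management groups a client can still reach under the given rules,
    probed with the first host address of each group. An empty list is the
    result you want after creating the rule."""
    reachable = []
    for group in MANAGEMENT_GROUPS:
        probe = str(next(group_networks(group)[0].hosts()))
        if evaluate(rules, client_ip, probe) == "permit":
            reachable.append(group)
    return reachable


if __name__ == "__main__":
    # Constructed sample flows: a wired client in VLAN 20 and a switch in VLAN 30.
    for src, dst in [("192.168.20.5", "192.168.30.1"),      # client -> switch
                     ("192.168.20.5", "192.168.50.100"),    # client -> controller
                     ("192.168.20.5", "8.8.8.8"),           # client -> Internet
                     ("192.168.30.10", "192.168.50.100")]:  # switch -> controller
        print(f"{src} -> {dst}: {evaluate([DENY_RULE], src, dst)}")
    print("still reachable from a client:", reachable_management_groups([DENY_RULE], "192.168.20.5"))
```

The `reachable_management_groups` check is the useful part: run it against the rule as it is actually configured and every management subnet that still appears in the result needs to be added to the rule's destination groups.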
Step 16. Adopt the Gateway on Omada Controller (In case you have Omada Gateway).
If you have an Omada gateway, you can also adopt it on the Omada controller for easier management. However, we have already changed the default VLAN ID to 10, while the gateway has its DHCP server enabled by default and sets itself to 192.168.0.1; this would cause the adoption to fail, so some pre-configuration on the gateway is needed before adopting it on the Omada controller.
Enter the WebUI of the gateway by accessing 192.168.0.1, set a username and password for it, then go to Network – LAN – LAN, click Edit on the default network.
Change this network to VLAN 10 and its address to the 192.168.10.x/24 subnet; for example, here I change it to 192.168.10.2. Also, since the DHCP server is enabled on the core switch, disable the DHCP server on the gateway by unticking the Enable box of Status. Click OK to save the configuration.
After changing its IP address, you will also need to change your PC’s IP address to the 192.168.10.x/24 subnet to access the WebUI of gateway again.
Go to System Tools – Controller Settings, enter the controller's IP address, 192.168.50.100, in Controller Inform URL and click Save.
After configuring the controller IP address, a static route is also needed for the gateway to reach the controller. Go to Transmission – Routing – Static Route and click Add to create a new static route.
Fill in Destination IP with the controller's IP address, 192.168.50.100 in this example, and set Next Hop to the default VLAN interface IP address of the core switch, 192.168.10.1; for Interface, select LAN. Click OK to create it.
After the pre-configuration, connect the gateway to a core switch port whose port profile is set to "All". You will see the gateway pending with IP address 192.168.10.2 in the device list; adopt it with the username and password you set.
Step 17. Configure static routes on the core switch.
Whether or not you have an Omada gateway, it is necessary to set static routes on the core switch that forward all Internet traffic to the gateway, because all Layer 3 forwarding is done by the core switch and the default gateway of each network is the core switch.
Go to Devices, click on the switch to enter its private configuration page. In Config > Static Route, click Add to add a new static route.
Tick to change the Status to Enable. Since this route handles all Internet traffic, set Destination IP/Subnet to 0.0.0.0 and Next Hop to the gateway at 192.168.10.2. Other traffic is matched by more specific routes before this default route, so just enter 1 for Distance. Click Apply to save the configuration.
Result should be like this:
After setting the static route on the core switch, we also need to set reverse static routes on the gateway to make sure that all traffic from the Internet is forwarded to the core switch. On the core switch we set the destination to 0.0.0.0/0 and the next hop to 192.168.10.2, so on the gateway we need the reverse. As the subnets in this network are 192.168.10.x/24, 192.168.20.x/24, 192.168.30.x/24, 192.168.40.x/24 and 192.168.50.x/24, we need 5 static routes, each with next hop 192.168.10.1, which is the default VLAN interface of the core switch.
If you don't use an Omada gateway, just set these static routes on your gateway; if you have an Omada gateway and have already adopted it, please follow step 15 to set the static routes on the gateway.
Step 18. Configure static routes on the gateway (In case you have Omada gateway).
Go to Settings > Transmission > Routing > Static Route and click Create New Route.
The static route for 192.168.50.0/24 was already configured during the pre-configuration of the gateway, so only four more static routes are needed here. For these four static routes, set Destination IP/Subnet to 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24 respectively, set Route Type to Next Hop and Next Hop to 192.168.10.1. Click Create to create each static route.
Final result should be like:
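Steps 17 and 18 together build a pair of routing tables that must be mirror images: the core switch's default route points at the gateway, and the gateway's static routes point every internal subnet back at the core switch. The following added example (written for this article, not Omada code) models both tables with longest-prefix matching and checks for subnets whose return path is missing, which is the usual cause of "Internet works from VLAN 10 but not from the other VLANs". The tables are constructed from the addresses in the article; the gateway's WAN default route is represented by the placeholder next hop "wan", which is an assumption.

```python
import ipaddress

CORE_SWITCH_LAN_IP = "192.168.10.1"   # default VLAN interface of the core switch (step 17)
GATEWAY_LAN_IP = "192.168.10.2"       # gateway LAN address (step 16)


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries. The next hop
    "connected" marks a directly attached subnet; None means no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Core switch: five VLAN interfaces (connected) plus the default route of step 17.
CORE_SWITCH = [
    ("192.168.10.0/24", "connected"),
    ("192.168.20.0/24", "connected"),
    ("192.168.30.0/24", "connected"),
    ("192.168.40.0/24", "connected"),
    ("192.168.50.0/24", "connected"),
    ("0.0.0.0/0", GATEWAY_LAN_IP),
]

# Gateway: its LAN is connected, the reverse routes of steps 16 and 18 point at the
# core switch, and the WAN default route is shown as the placeholder "wan" (assumption).
GATEWAY = [
    ("192.168.10.0/24", "connected"),
    ("192.168.20.0/24", CORE_SWITCH_LAN_IP),
    ("192.168.30.0/24", CORE_SWITCH_LAN_IP),
    ("192.168.40.0/24", CORE_SWITCH_LAN_IP),
    ("192.168.50.0/24", CORE_SWITCH_LAN_IP),
    ("0.0.0.0/0", "wan"),
]


def missing_reverse_routes(core, gateway, core_lan_ip):
    """Subnets attached to the core switch whose return traffic the gateway
    would not send back to the core switch. Each one listed needs a static
    route on the gateway with next hop core_lan_ip."""
    missing = []
    for prefix, next_hop in core:
        if next_hop != "connected":
            continue
        probe = str(next(ipaddress.ip_network(prefix).hosts()))
        if lookup(gateway, probe) not in ("connected", core_lan_ip):
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    # Constructed sample flow: a client in VLAN 20 reaching the Internet and back.
    print("core switch forwards 8.8.8.8 via", lookup(CORE_SWITCH, "8.8.8.8"))
    print("gateway returns 192.168.20.5 via", lookup(GATEWAY, "192.168.20.5"))
    print("subnets without a reverse route:", missing_reverse_routes(CORE_SWITCH, GATEWAY, CORE_SWITCH_LAN_IP))
```

Without the reverse route, the gateway would match a client's reply packet against its own default route and send it out the WAN instead of back to the core switch; `missing_reverse_routes` flags exactly those subnets, so it is a quick way to double-check step 18 against the VLAN interfaces enabled in step 9.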
Step 19. Adding more switches and APs to the network. (Optional)
To add more switches and APs to the network, just connect them to a switch port whose profile is set to "All"; they will obtain IP addresses from the default VLAN 192.168.10.x/24. After they are adopted, change their management VLAN as in the previous steps.
After this configuration, the gateway, switches and APs are in different management VLANs.
The wired PC connected to the switch obtains an IP address from the clients VLAN 192.168.20.x/24:
The phone connected wirelessly obtains an IP address from the clients VLAN 192.168.20.x/24:
The client cannot access managed network devices:
So far we have described how to set up a large-scale network that uses different VLANs to manage the gateway, core switch, other switches and APs, then connects clients in a dedicated VLAN and isolates them from the network devices. Adding more devices to the running network and integrating gateways from Omada or other vendors was also covered.
To learn more about each function and configuration, go to the Download Center and download the manual for your product.