VLANs: Why You Need Them and How They Work (Part 3)

Management VLANs: IT Room Case Study
Before we delve in, have you read the previous posts (Part 1 and Part 2) in this series? Click over to these links if you’d like to catch up.

VLANs: Why You Need Them and How They Work (Part 1)
VLANs: Why You Need Them and How They Work (Part 2)

What is a Management VLAN, and Should I Use It?

Just as your operations and your visitors are put on two (or more) VLANs to separate the network traffic, it is a best practice to put the web and CLI* management interfaces of your network equipment (router, switches, and access points) on a separate management VLAN. This way, ordinary users cannot reach your hardware's management interfaces, let alone attack them.

By default, all networking devices ship with the management VLAN set to 1, and all managed and smart switches ship with every port set to PVID 1 (untagged VLAN 1). If your staff and visitors are on separate VLANs, the original LAN is isolated from both and can act as yet another VLAN; this one is usually designated VLAN 1.

Can I Get Myself Into Trouble Using VLANs?

Here are some issues that may arise, and how to troubleshoot:

  • Device is on the wrong VLAN: This happens when traffic is sent to the wrong VLAN as it enters the network. Fortunately, this is fairly easy to catch, especially if your client device is configured for DHCP. One look at the IP address on the client device will indicate whether it has a DHCP address on the correct subnet. For static clients, an arping or nmap on the wrong VLAN will reveal the presence of the client. To get your device back on the correct VLAN, make sure your SSID settings and PVID/untagged VLAN switch settings are correct.
  • Data traffic doesn’t flow: This results when traffic is sent to the wrong VLAN as it enters the network, or when switch ports are not properly and explicitly configured to pass traffic on that VLAN. Remember that all ports on a switch** should be trunk ports, configured for all tagged VLANs used in the network, including management VLANs. To prevent this issue, remember to configure ports connected to client devices or network appliances for the correct PVID/untagged VLAN for the client.
  • Device loses access to network configuration: This is usually the result of a mismatch between the VLAN of the PC used to configure the network devices and the management VLAN set on the device. Management VLANs should generally be configured last (after everything else), because once you set a network device to use a management VLAN, you lose access to the device until the port your PC is plugged into is on that same VLAN.*** To keep your connection, make sure the port the PC uses is configured for the management VLAN used by the device.

I advise designating one port on each network switch as a management port, configured with PVID/untagged VLAN set to the management VLAN.
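The lockout in footnote *** and the trunk rules above can be checked before a configuration is pushed. The following is an added example, not code from the original post: a small Python pre-flight check over a constructed switch port plan, using the footnote's management VLAN 4000 and assumed staff/visitor VLANs 10 and 20.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                            # PVID / untagged VLAN on this port
    tagged: set = field(default_factory=set)  # tagged VLANs carried on this port
    trunk: bool = False                  # uplink to router, another switch, or an AP

def carries(port: Port, vlan: int) -> bool:
    """True if frames for `vlan` can pass this port, tagged or untagged."""
    return port.pvid == vlan or vlan in port.tagged

def check_switch(ports, mgmt_vlan, used_vlans):
    """Return a list of problems; an empty list means the plan is safe to apply."""
    needed = set(used_vlans) | {mgmt_vlan}
    problems = []
    # The footnote's lockout case: management VLAN carried on no port at all.
    if not any(carries(p, mgmt_vlan) for p in ports):
        problems.append(f"management VLAN {mgmt_vlan} is carried on no port: "
                        "applying this locks you out of the switch")
    # No access port dedicated to management means nowhere to plug in the admin PC.
    if not any(p.pvid == mgmt_vlan and not p.trunk for p in ports):
        problems.append(f"no access port has PVID {mgmt_vlan} for a management PC")
    for p in ports:
        if p.trunk:   # trunks must carry every VLAN in use, management included
            missing = sorted(v for v in needed if not carries(p, v))
            if missing:
                problems.append(f"trunk {p.name} does not carry VLANs {missing}")
        elif p.pvid not in needed:
            problems.append(f"access port {p.name} has PVID {p.pvid}, not a VLAN in use")
    return problems

USED = {10, 20}   # constructed values: 10 = staff, 20 = visitors
MGMT = 4000       # management VLAN from the footnote example
# Plan A: management VLAN set, but no port carries it (the footnote's lockout).
PLAN_A = [
    Port("1", pvid=1, tagged={10, 20}, trunk=True),       # uplink to router
    Port("2", pvid=1, tagged={10, 20}, trunk=True),       # uplink to access point
    Port("3", pvid=10),                                   # staff desk
    Port("4", pvid=20),                                   # lobby kiosk
]
# Plan B: trunks carry 4000 tagged; port 8 is the untagged management port.
PLAN_B = [
    Port("1", pvid=1, tagged={10, 20, 4000}, trunk=True),
    Port("2", pvid=1, tagged={10, 20, 4000}, trunk=True),
    Port("3", pvid=10),
    Port("4", pvid=20),
    Port("8", pvid=4000),                                 # dedicated management port
]
```

Running `check_switch(PLAN_A, MGMT, USED)` reports the lockout, the missing management access port, and both trunks lacking VLAN 4000; Plan B returns no problems.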

VLANs are a powerful tool, and should be an integral part of all of your Wi-Fi network designs.

Editor’s Note: This post was originally published in June 2015 and has been updated.

*Command Line Interface
**Defined here as ports connected to either the router, backhaul to other switches, or access points.
***Example: If you have a switch configured to management VLAN 4000, but none of the switch ports are configured for tagged or untagged access on VLAN 4000, you are cut off from the switch and have no way to access the configuration, short of a serial interface or a hard reset.