[NEBULA] Management VLAN is send tagged over each port! mayor security issue!

VanWerven
VanWerven Posts: 9  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Nebula

Hello all,

while working with the nebula CC and switches for a couple of months I've noticed something very worrying.

When configuring an port for only 1 specific VLAN, it also sends the management VLAN tagged over this interface. This is an very big issue because this port could be used to give internet access to guests for instance. I've tried accessing the management vlan over the configured port and it is accessible indeed.

We've already tried setting the port type to access and trunk, but the problem persists.

Please see the screenshots below for how it is set up and how it configures the switch.


Accepted Solution

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    25 Answers First Comment Friend Collector Fifth Anniversary
    Answer ✓

    Hello @VanWerven,


    Thanks for post information.

    Your discovery is correct, management VLAN will also be allowed by default. Basically, Nebula was designed to achieve the goal of Plug ang Play mechanism and help users to avoid getting Nebula devices offline on Nebula cloud by misconfiguration and connecting to wrong ports.

    However, we do also receive other users' suggestion about the management VLAN, we had already included it to our road map for enhancement and the estimate release will be next year 2020 of June.


    Please stay tuned.

    Thanks for supporting Nebula.

    Jonas,

    Jonas,

All Replies

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    25 Answers First Comment Friend Collector Fifth Anniversary
    Answer ✓

    Hello @VanWerven,


    Thanks for post information.

    Your discovery is correct, management VLAN will also be allowed by default. Basically, Nebula was designed to achieve the goal of Plug ang Play mechanism and help users to avoid getting Nebula devices offline on Nebula cloud by misconfiguration and connecting to wrong ports.

    However, we do also receive other users' suggestion about the management VLAN, we had already included it to our road map for enhancement and the estimate release will be next year 2020 of June.


    Please stay tuned.

    Thanks for supporting Nebula.

    Jonas,

    Jonas,
  • VanWerven
    VanWerven Posts: 9  Freshman Member
    First Comment Fourth Anniversary

    Hi Jason,

    Thanks for your clear explanation. Is there any way to get this solved sooner or do we have to remove the devices from Nebula to solve this?

    We like the flexibility of the platform but we don't want to make compromises as it comes to security.

    Kind regards,

    Johan de Zwaan

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    25 Answers First Comment Friend Collector Fifth Anniversary

    Hi @VanWerven ,

    There is one option that could achieve the goal, but we don't recommend to use. Due to the configuration will be overwritten by Nebula Cloud again every time there are any changes been made through Nebula Cloud switch ports settings. 

    Solution:

    You may connect to the switch via web GUI then go to:

    Advanced Application => VLAN => VLAN Configuration => Static VLAN Setup then scroll down to choose which VID and to modify the VLAN member.


    Sincerely yours,

    Jonas

    Jonas,
  • VanWerven
    VanWerven Posts: 9  Freshman Member
    First Comment Fourth Anniversary

    Hi Jonas,

    Thanks for your response. we already tried that and found out that it was overwriting our configuration indeed.

    We will look at each device to determine what is needed.

    Kind regards,

    Johan de Zwaan

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    25 Answers First Comment Friend Collector Fifth Anniversary

    Hi @VanWerven ,

    New update, I would like to inform that the schedule of the release has been moved to 2020 January.

    Please stay tuned.

    Happy Holidays and a Happy New Year!! ?

    Jonas,

    Jonas,
  • VanWerven
    VanWerven Posts: 9  Freshman Member
    First Comment Fourth Anniversary

    Hi Jonas, that is great news.

    Thanks for the update.

  • KariS
    KariS Posts: 4  Freshman Member
    First Comment

    Hi everyone, is there still any solution for this problem?

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security

    Hi @KariS and all,

    This feature is now supported on Nebula Control Center! If you'd like to prevent management VLAN traffic from being sent to other switch ports, simply disable the management control settings on the desired ports.

    For more detailed instructions, please refer to this post:

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Nebula Tips & Tricks