[NEBULA] Management VLAN is sent tagged over each port! Major security issue!
Hello all,
While working with the Nebula CC and switches for a couple of months, I've noticed something very worrying.
When configuring a port for only 1 specific VLAN, it also sends the management VLAN tagged over this interface. This is a very big issue because this port could be used to give internet access to guests, for instance. I've tried accessing the management VLAN over the configured port and it is indeed accessible.
We've already tried setting the port type to access and trunk, but the problem persists.
Please see the screenshots below for how it is set up and how it configures the switch.
Accepted Solution
-
Hello @VanWerven,
Thanks for posting the information.
Your discovery is correct: the management VLAN will also be allowed by default. Basically, Nebula was designed to achieve the goal of a Plug and Play mechanism and to help users avoid getting Nebula devices offline on Nebula cloud through misconfiguration and connecting to the wrong ports.
However, we have also received other users' suggestions about the management VLAN. We have already included it in our road map for enhancement, and the estimated release will be next year, June 2020.
Please stay tuned.
Thanks for supporting Nebula.
Jonas,
Jonas,1
All Replies
Hi Jason,
Thanks for your clear explanation. Is there any way to get this solved sooner or do we have to remove the devices from Nebula to solve this?
We like the flexibility of the platform but we don't want to make compromises when it comes to security.
Kind regards,
Johan de Zwaan
0 -
Hi @VanWerven ,
There is one option that could achieve the goal, but we don't recommend using it, because the configuration will be overwritten by Nebula Cloud again every time any changes are made through the Nebula Cloud switch port settings.
Solution:
You may connect to the switch via web GUI then go to:
Advanced Application => VLAN => VLAN Configuration => Static VLAN Setup then scroll down to choose which VID and to modify the VLAN member.
Sincerely yours,
Jonas
Jonas,0 -
Hi Jonas,
Thanks for your response. We already tried that and found out that it was indeed overwriting our configuration.
We will look at each device to determine what is needed.
Kind regards,
Johan de Zwaan
0 -
Hi @VanWerven ,
New update: I would like to inform you that the schedule of the release has been moved to January 2020.
Please stay tuned.
Happy Holidays and a Happy New Year!!
Jonas,
Jonas,0 -
Hi Jonas, that is great news.
Thanks for the update.
0 -
Hi everyone, is there still any solution for this problem?
0 -
Hi @KariS and all,
This feature is now supported on Nebula Control Center! If you'd like to prevent management VLAN traffic from being sent to other switch ports, simply disable the management control settings on the desired ports.
For more detailed instructions, please refer to this post:
Kay
0
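Added example, not part of the original thread and not Zyxel code: a way to confirm from captured frames whether a port still carries the management VLAN tagged, for instance after disabling the management control setting described above. It parses the 802.1Q tag of each Ethernet frame and counts tagged frames whose VLAN ID is outside the port's intended set; the VLAN IDs (20 for guests, 99 for management) and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag (QinQ)

def vlan_ids(frame):
    """Return the VLAN IDs of every VLAN tag in an Ethernet frame, outermost first."""
    vids, offset = [], 12  # skip destination and source MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break  # reached the real EtherType, no more tags
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VID
        offset += 4
    return vids

def unexpected_vlans(frames, allowed):
    """Count tagged frames whose outer VID is not in the port's intended VLAN set."""
    seen = Counter()
    for frame in frames:
        vids = vlan_ids(frame)
        # VID 0 is a priority tag only (no VLAN membership), so it is not a leak.
        if vids and vids[0] != 0 and vids[0] not in allowed:
            seen[vids[0]] += 1
    return seen

def build_frame(vid=None, pcp=0):
    """Constructed sample frame: broadcast, ARP EtherType, optional 802.1Q tag."""
    macs = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", 0x8100, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0806) + b"\x00" * 46

# Constructed values: replace with the site's own VLAN IDs and frames
# captured on the port being checked.
GUEST_VLAN, MGMT_VLAN = 20, 99
SAMPLE = [
    build_frame(),                  # untagged
    build_frame(GUEST_VLAN),        # expected guest traffic
    build_frame(0, pcp=5),          # priority-tagged, VID 0
    build_frame(MGMT_VLAN, pcp=6),  # management VLAN visible on the port
    build_frame(MGMT_VLAN),
]

if __name__ == "__main__":
    for vid, count in unexpected_vlans(SAMPLE, {GUEST_VLAN}).items():
        print(f"VLAN {vid}: {count} tagged frame(s) seen but not intended on this port")
```

An empty result on a real capture only shows that no such frames were seen during the capture window, so capture long enough to include the switch's periodic management traffic.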