[NEBULA] Management VLAN is sent tagged over each port! Major security issue!

VanWerven Posts: 9
edited April 2021 in Nebula

Hello all,

While working with the Nebula CC and switches for a couple of months, I've noticed something very worrying.

When configuring a port for only 1 specific VLAN, it also sends the management VLAN tagged over this interface. This is a very big issue because this port could be used to give internet access to guests, for instance. I've tried accessing the management VLAN over the configured port and it is indeed accessible.

We've already tried setting the port type to access and trunk, but the problem persists.

Please see the screenshots below for how it is set up and how it configures the switch.
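
One way to verify from a packet capture whether a port is carrying the management VLAN tagged, as the post above describes (an added example, not part of the original thread and not Zyxel code). The VIDs 20 and 100 and the sample frames are constructed assumptions; the thread does not state the actual VLAN IDs.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def vlan_ids(frame: bytes) -> list:
    """Return the VIDs of every VLAN tag in an Ethernet frame, outermost first."""
    vids, offset = [], 12  # tags start after the destination and source MACs
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP/DEI are masked off
        offset += 4
    return vids

def audit_port(frames, allowed_vids, mgmt_vid):
    """Count what a capture taken on one switch port says about its VLAN membership."""
    report = {"untagged": 0, "mgmt_tagged": 0, "unexpected": set(), "truncated": 0}
    for frame in frames:
        if len(frame) < 14:  # too short to hold MACs plus an EtherType
            report["truncated"] += 1
            continue
        vids = vlan_ids(frame)
        if not vids:
            report["untagged"] += 1
        if mgmt_vid in vids and mgmt_vid not in allowed_vids:
            report["mgmt_tagged"] += 1
        report["unexpected"] |= {v for v in vids if v not in allowed_vids and v != mgmt_vid}
    return report

def make_frame(tags, ethertype=0x0800):
    """Build a constructed test frame; tags is a list of (tpid, tci) pairs."""
    macs = b"\xff" * 6 + bytes.fromhex("020000000001")
    body = b"".join(struct.pack("!HH", tpid, tci) for tpid, tci in tags)
    return macs + body + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample capture; VIDs 20 (guest) and 100 (management) are assumptions.
GUEST_VID, MGMT_VID = 20, 100
SAMPLE = [
    make_frame([]),                                   # untagged guest traffic
    make_frame([(0x8100, (5 << 13) | GUEST_VID)]),    # guest VID with priority bits set
    make_frame([(0x8100, MGMT_VID)]),                 # management VLAN tagged on this port
    make_frame([(0x88A8, 300), (0x8100, MGMT_VID)]),  # management VID inside a QinQ tag
    b"\x00" * 10,                                     # truncated frame
]

if __name__ == "__main__":
    print(audit_port(SAMPLE, allowed_vids={GUEST_VID}, mgmt_vid=MGMT_VID))
```

When the capture is taken on a host NIC, VLAN tag offload can strip the tag before the capture sees it, so check that setting before trusting a clean result.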


Accepted Solution

  • Zyxel_Jonas Posts: 313  Zyxel Employee
    Answer ✓

    Hello @VanWerven,


    Thanks for posting this information.

    Your discovery is correct: the management VLAN will also be allowed by default. Basically, Nebula was designed to achieve a Plug and Play mechanism and to help users avoid getting Nebula devices offline on Nebula cloud through misconfiguration and connecting to the wrong ports.

    However, we have also received other users' suggestions about the management VLAN. We have already included it in our roadmap for enhancement, and the estimated release will be next year, in June 2020.


    Please stay tuned.

    Thanks for supporting Nebula.

    Jonas,

All Replies

  • Hi Jason,

    Thanks for your clear explanation. Is there any way to get this solved sooner or do we have to remove the devices from Nebula to solve this?

    We like the flexibility of the platform, but we don't want to make compromises when it comes to security.

    Kind regards,

    Johan de Zwaan

  • Zyxel_Jonas Posts: 313  Zyxel Employee

    Hi @VanWerven ,

    There is one option that could achieve the goal, but we don't recommend using it, because the configuration will be overwritten by Nebula Cloud again every time any changes are made through the Nebula Cloud switch port settings.

    Solution:

    You may connect to the switch via the web GUI, then go to:

    Advanced Application => VLAN => VLAN Configuration => Static VLAN Setup, then scroll down to choose the VID and modify the VLAN member.


    Sincerely yours,

    Jonas
  • Hi Jonas,

    Thanks for your response. We already tried that and found out that it was indeed overwriting our configuration.

    We will look at each device to determine what is needed.

    Kind regards,

    Johan de Zwaan

  • Zyxel_Jonas Posts: 313  Zyxel Employee

    Hi @VanWerven ,

    New update: I would like to inform you that the release schedule has been moved to January 2020.

    Please stay tuned.

    Happy Holidays and a Happy New Year!!

    Jonas,
  • Hi Jonas, that is great news.

    Thanks for the update.
