Sunday, August 19, 2018

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port

Hello,

Just some background, I am helping set up a Ubiquiti Unifi deployment with multiple APs, switches and a USG. All the Unifi devices will be on a separate management VLAN10 with its own DHCP range (instead of using the default untagged one, VLAN1) and I am also setting up another VLAN20 for all the clients with a separate DHCP range and firewalling the client VLAN20 from accessing the management VLAN10. The wireless AP network will also use the client VLAN20.

The issue I have is that the physical switches and APs will be accessible by the clients and I am worried about unauthorized access to the management VLAN10. On the switch ports where the APs are not connected, I was going to set them (untagged) with the client VLAN20, so this shouldn't allow access to VLAN10. However, for the ports the APs are connected to, if I set them (untagged) with VLAN10 and someone unplugs an AP and then plugs in their computer, they would be on the management VLAN10 network, wouldn't they?

I was thinking of setting two VLANs on this port, as I believe Ubiquiti now allows APs to be assigned to VLANs. So for this port, I would set the native (untagged) VLAN to VLAN20 for the clients and leave the management VLAN10 tagged for the AP to still receive data. This way, if someone unplugs the AP and plugs in their computer, they would be on the VLAN20 network (as that is the untagged data) and not on the management VLAN10 network. I suppose if they had a VLAN-sensing device and knew the VLAN ID of the management network, they could technically see VLAN10; however, this is the only way I can see to try to safeguard physical access to the port.
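As an added illustration (not part of the original post), the following Python model of 802.1Q ingress classification shows why the plan above puts an untagged device on VLAN20 while the tagged-frame caveat still applies. The SwitchPort class, the frame builder and the MAC addresses are hypothetical constructions; it assumes the common switch behaviour of admitting tagged frames only for VIDs configured on the port, which a given switch may not enforce.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame


@dataclass
class SwitchPort:
    """Hypothetical model of one switch port's 802.1Q ingress policy."""
    native_vlan: int                                   # VLAN for untagged frames
    tagged_vlans: frozenset = field(default_factory=frozenset)  # VIDs accepted tagged


def ingress_vlan(port: SwitchPort, frame: bytes):
    """Return the VLAN an ingress frame is placed in, or None if it is dropped.

    Untagged frames land in the native VLAN; tagged frames are admitted only
    when their VID is on the port's tagged list (assumed switch behaviour).
    """
    if len(frame) < 14:                       # runt: no full Ethernet header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return port.native_vlan
    if len(frame) < 18:                       # tag present but truncated
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    vid = tci & 0x0FFF                        # low 12 bits of the TCI carry the VID
    if vid == 0:                              # priority-tagged: treated as untagged
        return port.native_vlan
    return vid if vid in port.tagged_vlans else None


def build_frame(vid=None):
    """Constructed sample frame: dummy locally administered MACs, IPv4 EtherType."""
    hdr = bytes.fromhex("0200000000010200000000a2")  # dst MAC + src MAC (constructed)
    if vid is None:
        return hdr + struct.pack("!H", 0x0800)
    return hdr + struct.pack("!HHH", TPID_8021Q, vid, 0x0800)


# The two port roles described in the post (constructed configuration).
AP_PORT = SwitchPort(native_vlan=20, tagged_vlans=frozenset({10}))  # AP uplink port
CLIENT_PORT = SwitchPort(native_vlan=20)                              # plain client port


def scenario():
    """Where a device plugged into each port ends up, per frame type."""
    return {
        "untagged_on_ap_port": ingress_vlan(AP_PORT, build_frame()),      # 20
        "tagged10_on_ap_port": ingress_vlan(AP_PORT, build_frame(10)),    # 10: the caveat
        "tagged10_on_client_port": ingress_vlan(CLIENT_PORT, build_frame(10)),  # None
    }
```

The first result is the behaviour the plan relies on; the second is the gap the post already notes, and the third shows why the non-AP ports, with no tagged VLANs, do not share it.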

Does anyone see an issue with this (I know it's not perfect)? Is there another way of doing this? Any help would be appreciated.

Thanks!


