As the management interface is the device access vector, whether you manage the device directly or not, it typically has one or more open ports. Just because a device has an open or closed port doesn't mean it's vulnerable to exploit, but it does add risk. It's just standard industry best practice to change management ports from VLAN 1, have a management VLAN where device management lives, shut down all unused ports, and on and on.
Pretend for a moment an Instant On device has a local vulnerability (known or unknown), with everything living on VLAN 1. An attacker who just phished their way into an office building can now see all these APs, switches, and anything else, and can fire away if they wish. Had the devices lived on a management VLAN, which naturally users wouldn't have access to, these devices would probably still be considered "safe" from attack.
I realize the Instant On is being targeted at a non-technical business owner crowd who will set-it-and-forget-it, but in the real world, technical folks will be configuring and installing a lot of this stuff for businesses where VLANs and firewall rules are an essential part of compartmentalizing traffic and limiting the attack surface... at least it should be standard operating procedure to do so.
------------------------------
T Cannon
------------------------------
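To make the reachability argument in the post above concrete, here is an added example (not from the thread or from Aruba) that models a flat VLAN 1 network beside a segmented one and lists which management-plane devices a compromised user host can reach. The host names, VLAN ids and the inter-VLAN allow list are a constructed inventory; the model assumes hosts in the same VLAN can always reach each other and that cross-VLAN traffic needs an explicit allow rule.

```python
from dataclasses import dataclass, field

@dataclass
class Network:
    # host name -> VLAN id (constructed inventory, not a real site)
    vlan_of: dict
    # (src_vlan, dst_vlan) pairs the router/firewall permits; same-VLAN is implicit
    allowed_routes: set = field(default_factory=set)

    def reachable_from(self, host: str) -> set:
        """Hosts reachable from `host` at layer 2/3 under this model."""
        src = self.vlan_of[host]
        return {h for h, v in self.vlan_of.items()
                if h != host and (v == src or (src, v) in self.allowed_routes)}

    def on_default_vlan(self, devices) -> list:
        """Audit helper: managed devices still left on VLAN 1."""
        return sorted(d for d in devices if self.vlan_of.get(d) == 1)

def management_exposure(net: Network, attacker_host: str, mgmt_devices) -> list:
    """Management-plane devices visible to a compromised user host."""
    return sorted(set(mgmt_devices) & net.reachable_from(attacker_host))

MGMT_DEVICES = ["ap-1", "ap-2", "switch-1"]

# Everything on VLAN 1: APs, switch, users and printers share one broadcast domain.
FLAT = Network(vlan_of={
    "phished-laptop": 1, "printer": 1, "ap-1": 1, "ap-2": 1, "switch-1": 1,
})

# Users on VLAN 10, printers on VLAN 20, device management on VLAN 99.
# Only user -> printer traffic is allowed across VLANs; nothing routes to 99.
SEGMENTED = Network(
    vlan_of={"phished-laptop": 10, "printer": 20, "ap-1": 99, "ap-2": 99, "switch-1": 99},
    allowed_routes={(10, 20)},
)

if __name__ == "__main__":
    for name, net in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "exposed:", management_exposure(net, "phished-laptop", MGMT_DEVICES),
              "still on VLAN 1:", net.on_default_vlan(MGMT_DEVICES))
```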
Original Message:
Sent: 07-04-2021 07:19 PM
From: Pierre Lorier
Subject: Uplink/Management VLAN
I disagree, the management interface is to manage devices that have an exposed interface, with access to http/snmp/ssh/capwap etc. But the Instant On does not have anything of the sort. It phones home, picks up the configuration from the cloud and it's done. What should a management VLAN add, there's nothing to interface with!
------------------------------
Pierre Lorier
------------------------------
Original Message:
Sent: 06-25-2021 08:18 AM
From: T Cannon
Subject: Uplink/Management VLAN
This is absolutely the correct answer.
------------------------------
T Cannon
Original Message:
Sent: 12-11-2019 01:04 PM
From: Anthony Laatz
Subject: Uplink/Management VLAN
This seems like something that Aruba should be doing. With all the cyber threats and security issues on any network, Aruba should be thinking about security first, no matter the 'grade' of their product.