Sat Sep 30, 2023 8:54 pm
It's easy to do - done it myself. I generally leave the management pretty unrestricted until I have a switch completely set up and then save a backup to the PC before restricting access. That way if I mess it up and lock myself out, there is a backup from just before I locked myself out. Generally restricting ports is not a problem (as long as you really know where you are accessing the switch - more on that later). Restricting IPs or VLANs can be more dangerous.
The more on what port goes like this. My family room has a CSS326 that has my family room desktop PC plugged in on port 12 (untagged on VLAN 201). The family room CSS326 is connected via a VLAN trunk to another CSS326 in my data cabinet which is where my RB4011 router is located. The switches have a dedicated management LAN (VLAN 99) with their own series of IP addresses. So if I connect to the family room switch management from my family room PC, even though the computer is connected to the switch on port 12, the connection to the switch is actually: Family room PC --untagged VLAN 201--> Family room switch port 12 --> tagged VLAN 201 on port 1 --> VLAN trunk (tagged VLAN 201) --> Garage switch port 1 --> Garage switch port 2 --untagged VLAN 201--> RB4011 port 6 (untagged VLAN 201) --> Router port 5 (tagged VLAN 99) --tagged VLAN 99 on trunk--> Garage switch port 10 --> Garage switch port 1 (tagged VLAN 99) --tagged VLAN 99 on trunk--> Family room switch port 1. So I really am accessing the family room switch on port 1 even though I am plugged into port 12.
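
The path traced in the post above can be worked out mechanically before a port restriction is applied. This is an added example, not part of the original post: it models the described links in Python and computes which port of a switch a management session really arrives on. The device labels (`pc`, `family`, `garage`, `router`) and the assumption that the router is the only inter-VLAN hop are mine.

```python
from collections import deque

# Constructed model of the topology described in the post.
# Each link: (device_a, port_a, device_b, port_b, VLANs carried on the link).
LINKS = [
    ("pc", 0, "family", 12, {201}),         # desktop on an untagged VLAN 201 port
    ("family", 1, "garage", 1, {201, 99}),  # VLAN trunk between the two switches
    ("garage", 2, "router", 6, {201}),      # user VLAN up to the router
    ("garage", 10, "router", 5, {99}),      # management VLAN from the router
]
ROUTER = "router"  # assumed to be the only device routing between VLANs


def l2_path(src, dst, vlan, links=LINKS):
    """Breadth-first search inside one VLAN.

    Returns the hops as (device, ingress_port) pairs, or None if dst is
    not reachable from src on that VLAN.
    """
    queue, seen = deque([(src, [])]), {src}
    while queue:
        dev, path = queue.popleft()
        if dev == dst:
            return path
        for a, pa, b, pb, vlans in links:
            if vlan not in vlans:
                continue
            # A link can be crossed in either direction.
            for here, there, there_port in ((a, b, pb), (b, a, pa)):
                if here == dev and there not in seen:
                    seen.add(there)
                    queue.append((there, path + [(there, there_port)]))
    return None


def mgmt_ingress_port(host, host_vlan, switch, mgmt_vlan, links=LINKS):
    """Port on `switch` where the host's management session actually arrives."""
    if host_vlan == mgmt_vlan:
        path = l2_path(host, switch, mgmt_vlan, links)
    else:
        # Host reaches the router in its own VLAN, then the router
        # forwards to the switch over the management VLAN.
        if l2_path(host, ROUTER, host_vlan, links) is None:
            return None
        path = l2_path(ROUTER, switch, mgmt_vlan, links)
    return path[-1][1] if path else None
```

For the family room PC this returns port 1 rather than port 12, so port 1 is the one that has to stay in the allowed list for management access.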