Almost. That is the right approach but you can’t leave the untagged interface without an IP set. I tend to treat the untagged LAN as the management VLAN. If it was me I would:
- Change the untagged LAN IP to something well away from enterprise norms, i.e. 172.16.254.1/30, and disable DHCP
- Create a new VLAN with VID 254 and set to 192.168.254.1/24
Then, because I don’t allow local management of devices as a general rule, I would go and remove the management VLAN from the trunk on all LAN ports and disable web UI access from all other VLANs apart from the management VLAN.
What’s the right way to do this on the Peplink Balance without losing connectivity, given the configuration shown?
In your configuration there, the Balance has its own WAN connection so it will be accessible and manageable via InControl2 even if you make a mess of the LAN config.
InControl2, its API and the local Peplink Device API are the best ways to bulk manage and script Peplink device configuration.
eg: