My MS120 switch has an IP of xx.xx.99.242 and a gateway of xx.xx.99.254. My management VLAN is 99. The VLAN is also set as 99 -- I'm assuming that makes 99 my native VLAN, i.e. all untagged traffic will be on 99?
Sorry -- I've revised this question as the original post was not well written.
My MS120 switch has an IP of xx.xx.99.242 and a gateway of xx.xx.99.254. My management VLAN is 99. The VLAN is also set as 99 -- I'm assuming that makes 99 my native VLAN? Does that mean traffic from ports that are tagged 30 and 60 is still traveling on VLAN 99? VLANs 30 and 60 are configured on an L3 device upstream with gateways xx.xx.30.254 and xx.xx.60.254 configured on the VLANs, and allowed on the MS120.
I just want management traffic on VLAN 99 and all other traffic on VLANs as per the tag on the ports.
I have been able to set up our test networks so that:
all network devices are on VLAN 11 - the management VLAN
nothing uses VLAN1
uplink ports only pass explicit VLANs (no defaults, nothing untagged)
Sometimes the software insists on a VLAN value being entered; if that is the case, I use VLAN 101 (what other number would one pick?). VLAN 101 does not exist.
Because I saw something from a VLAN that should not be on a specific uplink, I was able to point out a security issue to the engineering team, and fingerprint a couple of organisations with reputations for this sort of thing.
For several reasons, this being one of them, I have since split the network in two, with anything that does not need to be on the core secure network split off ahead of the MX. Devices that still need to communicate mostly manage to do so using HDMI (avoid USB like the plague), and Chromecast/Bonjour is in the process of being nailed down so that a secure device can control the Chromecast host.
As a lot of what we do involves Industrial/Transportation IoT devices, we are very aware of odd stuff flying around. Just as many of the banks split themselves into two (Bad Bank and Good Bank) after the last financial crisis, so has our network.
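As an added example (not written by either poster), here is a small Python model of how a trunk or uplink port assigns 802.1Q frames to VLANs: untagged frames land on the port's native VLAN, tagged frames carry their own VID (so traffic tagged 30 is on VLAN 30, not 99), and anything outside the allowed list is flagged. It also shows why pointing the native VLAN at a non-existent ID such as 101 and leaving it out of the allowed list makes "nothing untagged" enforceable. The frames, MAC addresses and port policies are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks a VLAN-tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(vid=None, ethertype=ETHERTYPE_IPV4):
    """Construct a minimal Ethernet frame (sample data, not captured traffic).
    MACs are all-zero placeholders; the payload is 46 bytes of padding."""
    macs = bytes(6) + bytes(6)  # destination, source
    if vid is None:
        return macs + struct.pack("!H", ethertype) + bytes(46)
    tci = vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
    return macs + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + bytes(46)


def parse_frame(frame):
    """Return (vlan_id, inner_ethertype); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner  # VID is the low 12 bits of the TCI
    return None, ethertype


def classify(frame, native_vlan, allowed):
    """Apply a trunk port's policy to one ingress frame.
    Untagged frames are placed on native_vlan; tagged frames keep their VID.
    Returns (vlan, accepted), where accepted is False if the VLAN is not allowed."""
    vid, _ = parse_frame(frame)
    vlan = native_vlan if vid is None else vid
    return vlan, vlan in allowed


def audit(frames, native_vlan, allowed):
    """Return the VLAN IDs of frames the port policy would not permit.
    With a non-existent native VLAN kept out of `allowed`, every untagged
    frame shows up here, which is the 'nothing untagged' uplink rule."""
    return [vlan for vlan, ok in
            (classify(f, native_vlan, allowed) for f in frames) if not ok]
```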