networking - Using VLANs/subnetting to separate management from services?

07
2014-07
  • YouAreTheHat

    Background: I recently purchased a server and a managed switch for my home in the hopes of getting more experience and some fun toys to play with. The devices and appliances I either have or plan to have cover a broad spectrum: router, DD-WRT AP, Dell switch, OpenLDAP server, FreeRADIUS server, OpenVPN gateway, home PCs, gaming consoles, etc. I intend to segment my network with VLANs and associated subnets (e.g., VID10 is populated by devices on 192.168.10.0/24). The idea is to secure the more sensitive appliances by forcing traffic through my router/FW.

    Setup: After thinking and planning for some time, I have tentatively decided on 4 VLANs: one for the WAN connection, one for servers, one for home/personal devices, and one for management. In theory, the home VLAN will have limited access to the servers, and the management VLAN will be totally isolated for security.

    Question: Since I want to restrict access to management interfaces, but some appliances have to be accessible to other devices, is it possible/wise to have only management (SSH, HTTP, RDP) available on one VLAN/IP and only services (LDAP, DHCP, RADIUS, VPN) available on other? Is this a thing that is done? Does it gain me the security I think it does, or hurt me in some way?

  • Answers
  • Frank Thomas

    Yes, this kind of segmentation of logical services is performed in industrial and ultra-secure networks, though rarely in small scale deployments like a SOHO network. VLANs are not by nature a security barrier in and of themselves. Large scale networks need to break up their broadcast domain into much smaller segments, for efficiency purposes, but to do so, you used to need to make that change in hardware, which often cost more. VLANs are an attempt to allow flexible broadcast domains to be crafted in soft/firmware rather than purely via wiring.

    You do gain some security related advantages from segregating the management vlan

    • It is not exposed to Layer 2 attacks occurring on other vlans (though switch behavior exploits like an ARP flood would likely expose all vlans, unless the manufacturer has a mitigation in place).
    • You can firewall the vlan such that only local stations can access the management services, and exact that control from the router itself, in addition to the server firewalls.
    • The management vlan will carry a lot less traffic and would be a good place to deploy an IDPS or other monitoring tools without clumsy port mirroring.

    There is some significant cost however, both in hardware and in management time.

    • All your servers would need multiple nics and cabling (or really high end nics with vlan features), so you can bind the client services on one and the management services on the other.
    • You do need a pretty strong router to not notice some detrimental lag on your services.
    • Your DNS and IP administration becomes 4 times more involved, and there will be some firewall administration and routing management required.
    • Some services will require special configuration to be visible to all hosts, and avahi/zeroconf stuff may not quite work right.

    In your hypothetical network, every host's connection to a LAN service would have to be routed onto the services network, and back again. While the router's hardware is switched, routing is a much more involved process than simple layer 2 switching, and is partially software-based. Having a router in the middle of core LAN functionality can be disruptive, in terms of performance, protocol support, and service visibility, so a cheap SOHO router probably isn't a good choice for that role.

    So, in summary, yes, large enterprises and ultra-secure systems like banking or SCADA networks do segment their services/ops from their management, and it does provide some benefits. The costs however may outweigh the benefits in a small scale deployment. It all depends on how much time and money you want to spend.
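An added example, not from the question or the answer above: a small Python model of the inter-VLAN firewall policy that the answer describes, with a check for new flows and a renderer that emits the equivalent nftables forward-chain rules for the router. The subnets, the server's two addresses and the port list are assumptions; the WAN VLAN is left out.

```python
import ipaddress

# Constructed plan (assumed addresses): each VLAN maps to one /24.
VLANS = {
    "mgmt":    ipaddress.ip_network("192.168.10.0/24"),
    "servers": ipaddress.ip_network("192.168.20.0/24"),
    "home":    ipaddress.ip_network("192.168.30.0/24"),
}

# Client-facing services exposed on a server's services-VLAN address.
# Management protocols (SSH, HTTP, RDP) are bound only to the server's
# management-VLAN address, so they never appear in an inter-VLAN rule.
SERVICE_PORTS = {("tcp", 389), ("tcp", 636), ("udp", 67),
                 ("udp", 1812), ("udp", 1813), ("udp", 1194)}

# Allow-list of (src VLAN, dst VLAN) -> permitted (proto, port) for NEW flows.
# No pair targets "mgmt", so management interfaces are reachable only
# from stations that already sit on the management VLAN.
POLICY = {
    ("home", "servers"): SERVICE_PORTS,
    ("mgmt", "servers"): SERVICE_PORTS,
}

def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None

def allowed(src_ip, dst_ip, proto, port):
    """Decide whether the router forwards a new flow; default deny."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown subnet: drop
    if src == dst:
        return True           # same VLAN: switched at layer 2, never routed
    return (proto, port) in POLICY.get((src, dst), set())

def nft_forward_rules():
    """Render POLICY as nftables forward-chain rules (return traffic first)."""
    lines = ["ct state established,related accept"]
    for (src, dst), ports in sorted(POLICY.items()):
        for proto, port in sorted(ports):
            lines.append(f"ip saddr {VLANS[src]} ip daddr {VLANS[dst]} "
                         f"{proto} dport {port} ct state new accept")
    lines.append("drop")
    return lines
```

Paste the rendered lines into the router's `chain forward` (with a default drop policy) and the same table drives both the model and the running ruleset.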


  • Related Question

    networking - Can I use VLAN for this scenario?
  • Eric Herlitz

    I'm a bit of a noob when it comes to networking so try to bear with me!

    I have a scenario where I have servers and computers at two different locations, one of the locations requires that two different networks are available. It's a form of DMZ.

    The setup is made by the following parts.

    Router X

    • Comes from my ISP and is managed by them
    • It has five ports with separate IPs, marked as 10.10.0.x in my schema

    Router Y

    • Is an internal router I use to get an internal class C network

    What I would like to do is to get rid of the red cable and have both my 192.168.100.0 network and the 10.10.0.x network through one cable if it's possible. The best scenario for me would be some sort of tunneling (possibly vlan?) using this kind of switches http://www.netgear.com/business/products/switches/prosafe-plus-switches/gs105e.aspx.

    My network (network diagram image)

    Any advice is appreciated!

    Thanks

