I have a number of ready-to-use network appliances like routers, print servers, L2/L3 network switches, IP PBXs, access points and many others.
These devices are usually managed through a web portal by accessing port 80 (HTTP), which asks for a user name and password.
With so many devices to manage, I usually keep the default user name and password without changing them, in case I might forget them in future. However, this habit is risky and makes it easy for someone to change the configuration.
Is there a way to leave the default username/password as is but prevent other local network users from making changes to the configuration?
Can VLAN segmentation help by grouping all those devices in one VLAN? But doing so seems to prevent workstations on other VLANs from accessing the services of those devices.
Or maybe a firewall + VLAN may help?
Separation by VLANs may work if you make the VLAN accessible only from a special port on the switch. Without routing from/to the "Management VLAN" it should be accessible only through the one port you specify. But it limits the locations from which you can access the management systems. You could also make the VLAN available from a WiFi access point. You must also use a firewall to keep out potentially harmful traffic. Many devices also allow setting IPs or IP ranges that may use the management interface.
However, I strongly recommend NOT keeping default usernames/passwords. If you find them hard to remember, use a password safe and protect it using a master password. Best of all, additionally add 2FA (two-factor authentication).
Many enterprise products offer enterprise management features, and those typically include the option to replace local management accounts with centralised authentication in the form of LDAP, RADIUS or even AD.
Then, after the initial configuration, you can log in with your normal admin account credentials, benefit from your established password strength and expiration policies etc., and joiners and leavers are managed by adding/removing them from certain groups.
Restricting access to management interfaces by placing them in a separate management network segment is also good practice.
With appliances like network printers that may seem difficult, but you can set up a print server that bridges the network segment your workstations can access and the printer network segment, to prevent your users from connecting directly to printers.
Actual network devices like routers, switches and WiFi APs will often support VLAN tags, and you can bind their admin interfaces to a specific management VLAN separate from the VLAN(s) used for other purposes.
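Both answers above come down to the same control: put the admin interfaces on a management segment and let only one admin host (the "special port" in the first answer) reach them, while workstations reach printers only through a print server (the second answer). The following is an added example, not from either answer or from any vendor product: it models that policy as an ordered rule table with a default deny, evaluates sample flows against it so you can see which paths stay open and which close, and renders the same rules as nftables syntax. All subnets and hosts (10.99.0.0/24, 10.10.0.5, 10.20.0.10 and so on) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One stateless allow/drop rule; an empty dports set means any TCP port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset
    action: str

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed addressing plan (assumption, not taken from the page):
MGMT_VLAN    = ipaddress.ip_network("10.99.0.0/24")   # appliance admin interfaces
ADMIN_HOST   = ipaddress.ip_network("10.10.0.5/32")   # the one "special port" workstation
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/24")   # ordinary user VLAN
PRINT_SERVER = ipaddress.ip_network("10.20.0.10/32")  # bridges users to printers
PRINTERS     = ipaddress.ip_network("10.20.0.0/24")   # printer segment

# Ordered policy: first match wins, last rule is the explicit default deny.
POLICY = [
    # Only the admin host may reach the web/SSH admin ports on the management VLAN.
    Rule(ADMIN_HOST, MGMT_VLAN, frozenset({22, 80, 443}), "accept"),
    # Users submit jobs to the print server (IPP 631), never to printers directly.
    Rule(WORKSTATIONS, PRINT_SERVER, frozenset({631}), "accept"),
    # The print server alone talks to the printers (IPP 631, raw 9100).
    Rule(PRINT_SERVER, PRINTERS, frozenset({631, 9100}), "accept"),
    Rule(ANY, ANY, frozenset(), "drop"),
]

def evaluate(policy, src, dst, dport):
    """Return the action of the first rule matching a TCP flow src -> dst:dport."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (not rule.dports or dport in rule.dports):
            return rule.action
    return "drop"  # implicit default deny if no catch-all rule is present

def who_can_reach(policy, dst, dport, candidates):
    """List the candidate sources the policy allows to reach dst:dport (an audit helper)."""
    return [c for c in candidates if evaluate(policy, c, dst, dport) == "accept"]

def to_nft(policy, chain="forward"):
    """Render the rule table as an nftables inet filter chain with a drop policy."""
    lines = ["table inet filter {", f"    chain {chain} {{",
             f"        type filter hook {chain} priority 0; policy drop;",
             "        ct state established,related accept"]
    for r in policy:
        if r.src == ANY and r.dst == ANY and not r.dports:
            continue  # covered by the chain policy
        ports = ", ".join(str(p) for p in sorted(r.dports))
        lines.append(f"        ip saddr {r.src} ip daddr {r.dst} tcp dport {{ {ports} }} {r.action}")
    lines += ["    }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    hosts = ["10.10.0.5", "10.10.0.7", "10.20.0.10", "10.20.0.3"]
    print("can reach switch admin UI:", who_can_reach(POLICY, "10.99.0.1", 80, hosts))
    print("can reach printer raw port:", who_can_reach(POLICY, "10.20.0.3", 9100, hosts))
    print(to_nft(POLICY))
```

Running the block shows that only 10.10.0.5 reaches the admin UI on the management VLAN and only the print server reaches printer port 9100; everything else falls through to the drop policy. The rendered nftables chain also accepts established/related traffic so replies to allowed connections are not dropped by the stateless rules.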