This guide applies to:
T1500G-8T v2 or above, T1500G-10PS v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-18TS v2 or above, T1600G-28TS v3 or above, T1600G-28PS v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1700X-16TS v3 or above, T1700G-28TQ v3 or above, T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-52TS v3 or above.
VLANs are generally divided by port. This is a common way of division, but it is not suitable for networks that require frequent topology changes. With the popularity of mobile office working, a terminal device may access the network via different ports at different times. For example, a terminal device that accessed the switch via port 1 last time may connect via port 2 this time. If port 1 and port 2 belong to different VLANs, the user has to re-configure the switch to access the original VLAN. Using MAC VLAN frees the user from this problem. It divides VLANs based on the MAC addresses of terminal devices, so terminal devices always belong to their MAC VLANs even when their access ports change.
The figure below shows a common application scenario of MAC VLAN.
Figure 1-1 Common Application Scenario of MAC VLAN
Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in. To meet this requirement, simply bind the MAC addresses of the laptops to the corresponding VLANs respectively. In this way, the MAC address determines the VLAN each laptop joins. Each laptop can access only the server in the VLAN it joins.
2 MAC VLAN Configuration
To complete MAC VLAN configuration, follow these steps:
1) Configure 802.1Q VLAN.
2) Bind the MAC address to the VLAN.
3) Enable MAC VLAN for the port.
Configuration Guidelines
When a port in a MAC VLAN receives an untagged data packet, the switch first checks whether the source MAC address of the data packet has been bound to a MAC VLAN. If yes, the switch inserts the corresponding tag into the data packet and forwards it within that VLAN. If no, the switch continues to match the data packet against the matching rules of other VLANs (such as the protocol VLAN). If there is a match, the switch forwards the data packet accordingly. Otherwise, the switch processes the data packet according to the processing rule of the 802.1Q VLAN. When the port receives a tagged data packet, the switch directly processes the data packet according to the processing rule of the 802.1Q VLAN.
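The lookup order in the guidelines above, as an added Python simulation that is not TP-Link code: an untagged frame is matched against the MAC VLAN bindings (only on ports where MAC VLAN is enabled), then against other VLAN rules (a protocol VLAN table stands in for them here), and finally falls back to the port's PVID, while a tagged frame goes straight to 802.1Q handling. The MAC bindings are the ones from the configuration example later on this page; the port names, PVIDs, and the assumption that the port must be a member of the bound VLAN are mine.

```python
"""MAC VLAN ingress classification (added example, not TP-Link code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int                        # VLAN used by the 802.1Q rule for untagged frames
    members: Set[int]                # VLANs the port is a member of (tagged or untagged)
    mac_vlan_enabled: bool = False   # "Port Enable"; disabled by default on all ports


@dataclass
class MacVlanSwitch:
    ports: Dict[str, Port]
    mac_bindings: Dict[str, int] = field(default_factory=dict)    # MAC -> VLAN ID
    protocol_rules: Dict[int, int] = field(default_factory=dict)  # EtherType -> VLAN ID

    def bind_mac(self, mac: str, vlan: int, description: str = "") -> None:
        """mac-vlan mac-address <mac> vlan <id> [description <descript>]."""
        mac = mac.lower()
        if len(description) > 8:
            raise ValueError("description is limited to 8 characters")
        if mac in self.mac_bindings:
            raise ValueError("one MAC address can be bound to only one VLAN")
        self.mac_bindings[mac] = vlan

    def classify(self, port_name: str, src_mac: str, ethertype: int,
                 tag: Optional[int] = None) -> Tuple[Optional[int], str]:
        """Return (VLAN ID or None if dropped, rule that decided) for an ingress frame."""
        port = self.ports[port_name]
        if tag is not None:
            # Tagged frame: handled directly by the 802.1Q rule. Assumption: a tag for a
            # VLAN the port is not a member of is dropped (ingress filtering).
            return (tag, "802.1q-tag") if tag in port.members else (None, "drop")
        # Untagged frame: MAC VLAN is consulted first, but only where it is enabled.
        vlan = self.mac_bindings.get(src_mac.lower())
        if port.mac_vlan_enabled and vlan is not None:
            # Assumption: the port must be a member of the bound VLAN to insert its tag
            # and forward within it; the page's example adds the access port to both VLANs.
            if vlan in port.members:
                return vlan, "mac-vlan"
        # No MAC VLAN match: other VLAN matching rules (protocol VLAN stands in for them).
        vlan = self.protocol_rules.get(ethertype)
        if vlan is not None and vlan in port.members:
            return vlan, "protocol-vlan"
        # Otherwise the 802.1Q processing rule applies: the port's PVID.
        return port.pvid, "pvid"


def build_example_switch() -> MacVlanSwitch:
    """Switch 1 of the configuration example: Gi1/0/1 is the meeting-room port (MAC VLAN
    enabled, untagged in VLANs 10 and 20); Gi1/0/2 is the tagged uplink. Port names,
    PVID and membership of VLAN 1 are assumptions."""
    sw = MacVlanSwitch(ports={
        "Gi1/0/1": Port(pvid=1, members={1, 10, 20}, mac_vlan_enabled=True),
        "Gi1/0/2": Port(pvid=1, members={1, 10, 20}),
    })
    sw.bind_mac("00:19:56:8A:4C:71", 10, "PCA")   # Laptop A -> VLAN 10
    sw.bind_mac("00:19:56:82:3B:70", 20, "PCB")   # Laptop B -> VLAN 20
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    for port, mac in [("Gi1/0/1", "00:19:56:8A:4C:71"), ("Gi1/0/1", "00:19:56:82:3B:70"),
                      ("Gi1/0/1", "00:19:56:00:00:01"), ("Gi1/0/2", "00:19:56:8A:4C:71")]:
        print(port, mac, sw.classify(port, mac, 0x0800))
```

Note that the classification keys only on the unauthenticated source MAC, so a host whose MAC appears on an unexpected port is worth alerting on rather than silently admitting.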
2.1 Using the GUI
2.1.1 Configuring 802.1Q VLAN
Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN.
2.1.2 Binding the MAC Address to the VLAN
Figure 2-1 Creating MAC VLAN
Follow these steps to bind the MAC address to the 802.1Q VLAN:
1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN.
MAC Address | Enter the MAC address of the device in the format of 00-00-00-00-00-01. |
Description | Give a MAC address description for identification with up to 8 characters. |
VLAN ID/Name | Enter the ID number or name of the 802.1Q VLAN that will be bound to the MAC VLAN. |
2) Click Create.
| Note: One MAC address can be bound to only one VLAN. |
2.1.3 Enabling MAC VLAN for the Port
By default, MAC VLAN is disabled on all ports. You need to enable MAC VLAN for your desired ports manually.
Choose the menu L2 FEATURES > VLAN > MAC VLAN to load the following page.
Figure 2-2 Enabling MAC VLAN for the Port
In the Port Enable section, select the desired ports to enable MAC VLAN, and click Apply.
| Note: The member port of a LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configuration of the port can take effect only after it leaves the LAG. |
2.2 Using the CLI
2.2.1 Configuring 802.1Q VLAN
2.2.2 Binding the MAC Address to the VLAN
Follow these steps to bind the MAC address to the VLAN:
Step 1 | configure Enter global configuration mode. |
Step 2 | mac-vlan mac-address mac-addr vlan vlan-id [description descript] Bind the MAC address to the VLAN. mac-addr: Specify the MAC address of the device in the format of xx:xx:xx:xx:xx:xx. vlan-id: Enter the ID number of the 802.1Q VLAN that will be bound to the MAC VLAN. descript: Specify the MAC address description for identification, with up to 8 characters. |
Step 3 | show mac-vlan { all | mac-address mac-addr | vlan vlan-id } Verify the configuration of MAC VLAN. mac-addr: Specify the MAC address whose binding is to be displayed. vlan-id: Specify the VLAN whose MAC VLAN bindings are to be displayed. |
Step 4 | end Return to privileged EXEC mode. |
Step 5 | copy running-config startup-config Save the settings in the configuration file. |
The following example shows how to bind the MAC address 00:19:56:8A:4C:71 to VLAN 10, with the address description as Dept.A.
Switch#configure
Switch(config)#mac-vlan mac-address 00:19:56:8a:4c:71 vlan 10 description Dept.A
Switch(config)#show mac-vlan vlan 10
MAC-Addr Name VLAN-ID
-------------- ----------- ------------
00:19:56:8A:4C:71 Dept.A 10
Switch(config)#end
Switch#copy running-config startup-config
2.2.3 Enabling MAC VLAN for the Port
Follow these steps to enable MAC VLAN for the port:
Step 1 | configure Enter global configuration mode. |
Step 2 | interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list} Enter interface configuration mode. |
Step 3 | mac-vlan Enable MAC VLAN for the port. |
Step 4 | show mac-vlan interface Verify the configuration of MAC VLAN on each interface. |
Step 5 | end Return to privileged EXEC mode. |
Step 6 | copy running-config startup-config Save the settings in the configuration file. |
The following example shows how to enable MAC VLAN for port 1/0/1.
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#mac-vlan
Switch(config-if)#show mac-vlan interface
Port STATUS
------- -----------
Gi1/0/1 Enable
Gi1/0/2 Disable
Switch(config-if)#end
Switch#copy running-config startup-config
3 Configuration Example
3.1 Network Requirements
Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in. The figure below shows the network topology.
Figure 3-1 Network Topology
3.2 Configuration Scheme
You can configure MAC VLAN to meet this requirement. On Switch 1 and Switch 2, bind the MAC addresses of the laptops to the corresponding VLANs respectively. In this way, each laptop can access only the server in the VLAN it joins, no matter which meeting room the laptops are being used in. The overview of the configuration is as follows:
1) Create VLAN 10 and VLAN 20 on each of the three switches and add the ports to the VLANs based on the network topology. For the ports connecting the laptops, set the egress rule as Untagged; for the ports connecting to the other switches, set the egress rule as Tagged.
2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports.
Demonstrated with the T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.
3.3 Using the GUI
Configurations for Switch 1 and Switch 2
The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.
Figure 3-2 Creating VLAN 10
Figure 3-3 Creating VLAN 20
Figure 3-4 Creating MAC VLAN
4) Choose the menu L2 FEATURES > VLAN > MAC VLAN to load the following page. In the Port Enable section select port 1/0/1 and click Apply to enable MAC VLAN.
Figure 3-5 Enabling MAC VLAN for the Port
Configurations for Switch 3
Figure 3-6 Creating VLAN 10
2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create.
Figure 3-7 Creating VLAN 20
3.4 Using the CLI
The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
1) Create VLAN 10 for Department A and create VLAN 20 for Department B.
Switch_1#configure
Switch_1(config)#vlan 10
Switch_1(config-vlan)#name deptA
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 20
Switch_1(config-vlan)#name deptB
Switch_1(config-vlan)#exit
2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1.
Switch_1(config)#interface gigabitEthernet 1/0/2
Switch_1(config-if)#switchport general allowed vlan 10,20 tagged
Switch_1(config-if)#exit
Switch_1(config)#interface gigabitEthernet 1/0/1
Switch_1(config-if)#switchport general allowed vlan 10,20 untagged
Switch_1(config-if)#mac-vlan
Switch_1(config-if)#exit
3) Bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.
Switch_1(config)#mac-vlan mac-address 00:19:56:8A:4C:71 vlan 10 description PCA
Switch_1(config)#mac-vlan mac-address 00:19:56:82:3B:70 vlan 20 description PCB
Switch_1(config)#end
Switch_1#copy running-config startup-config
Configurations for Switch 3
1) Create VLAN 10 for Department A and create VLAN 20 for Department B.
Switch_3#configure
Switch_3(config)#vlan 10
Switch_3(config-vlan)#name deptA
Switch_3(config-vlan)#exit
Switch_3(config)#vlan 20
Switch_3(config-vlan)#name deptB
Switch_3(config-vlan)#exit
2) Add tagged ports 1/0/2 and 1/0/3 to both VLAN 10 and VLAN 20.
Switch_3(config)#interface gigabitEthernet 1/0/2
Switch_3(config-if)#switchport general allowed vlan 10,20 tagged
Switch_3(config-if)#exit
Switch_3(config)#interface gigabitEthernet 1/0/3
Switch_3(config-if)#switchport general allowed vlan 10,20 tagged
Switch_3(config-if)#exit
3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20.
Switch_3(config)#interface gigabitEthernet 1/0/4
Switch_3(config-if)#switchport general allowed vlan 10 untagged
Switch_3(config-if)#exit
Switch_3(config)#interface gigabitEthernet 1/0/5
Switch_3(config-if)#switchport general allowed vlan 20 untagged
Switch_3(config-if)#end
Switch_3#copy running-config startup-config
Verify the Configurations
Switch_1#show mac-vlan all
MAC-Addr              Name              VLAN-ID
--------------------- ----------------- ----------
00:19:56:8A:4C:71     PCA               10
00:19:56:82:3B:70     PCB               20

Switch_2#show mac-vlan all
MAC Address           Description           VLAN
--------------------- --------------------- -----------

Switch_3#show vlan
VLAN     Name            Status        Ports
-------- --------------- ------------- -------------------------------------
1        System-VLAN     active        Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4,
                                       Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
10       DeptA           active        Gi1/0/2, Gi1/0/3, Gi1/0/4
20       DeptB           active        Gi1/0/2, Gi1/0/3, Gi1/0/5
4 Appendix: Default Parameters
Default settings of MAC VLAN are listed in the following table.
Table 4-1 Default Settings of MAC VLAN
Parameter | Default Setting |
MAC Address | None |
Description | None |
VLAN ID | None |
Port Enable | Disabled |
Table Of Contents Configuring Dynamic VLAN Membership Understanding VMPS VMPS Server Overview Security Modes for VMPS Server Open mode Secure mode Multiple mode Fall-back VLAN Illegal VMPS client requests Understanding VMPS clients Dynamic VLAN Membership Overview Default VMPS Client Configuration Configuring a Switch as a VMPS Client Configuring the IP Address of the VMPS Server Configuring Dynamic Access Ports on a VMPS Client Reconfirming VLAN Memberships Configuring Reconfirmation Interval Configuring the Retry Interval Administering and Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership Dynamic Port VLAN Membership Configuration Example VMPS Database Configuration File Example Configuring Dynamic VLAN Membership This chapter describes how to configure dynamic port VLAN membership by using the VLAN Membership Policy Server (VMPS). This chapter includes the following major sections: • Understanding VMPS • Understanding VMPS clients Note For complete syntax and usage information for the switch commands used in this chapter, refer to the C atalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Understanding VMPS The following subsections describe what a VMPS server does and how it operates. The following topics are included: • VMPS Server Overview • Security Modes for VMPS Server • Fall-back VLAN • Illegal VMPS client requests VMPS Server Overview A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. When the host moves from a port on one switch in the network to a port on another switch in the network, that switch dynamically assigns the new port to the proper VLAN for that host. A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. 
It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP. For VMPS functionality, you need to use a Catalyst 4500 series switch (or Catalyst 6500 series switch) running Catalyst operating system (OS) software. VMPS uses a UDP port to listen to VQP requests from clients, so, it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping. In response to a request, the VMPS takes one of the following actions: • If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows: – If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response. – If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an " access-denied" response. – If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a "port-shutdown" response. • If the VLAN in the database does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an " access-denied" (open), a "fallback VLAN name" (open with fallback VLAN configured), a " port-shutdown" (secure) , or a " new VLAN name" (multiple) response, depending on the secure mode setting of the VMPS. If the switch receives an " access-denied" response from the VMPS, the switch continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP. 
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an "access-denied" or " port-shutdown" response. For more information on a Catalyst 6500 series switch VMPS running Catalyst operating system software, refer to the "Configuring Dynamic Port VLAN Membership with VMPS" chapter at the URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm Security Modes for VMPS Server VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends on the mode in which the VMPS is configured: • Open mode • Secure mode • Multiple mode Open mode If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group: • If the VLAN is allowed on the port, the VLAN name is returned to the client. • If the VLAN is not allowed on the port, the host receives an "access denied" response. • If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is configured, VMPS sends the fallback VLAN name to the client. • If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is not configured, the host receives an "access denied" response. Secure mode If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group: • If the VLAN is allowed on the port, the VLAN name is returned to the client. • If the VLAN is not allowed on the port, the port is shut down. • If a VLAN in the database does not match the current VLAN on the port, the port is shutdown, even if a fallback VLAN name is configured. Multiple mode Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state. 
Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN. If multiple hosts connected to a dynamic port belong to different VLANs, the VLAN matching the MAC address in the last request is returned to the client, provided that multiple mode is configured on the VMPS server. Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the Cisco network management tool URT (User Registration Tool) supports open mode only. Fall-back VLAN You can configure a fallback VLAN name on a VMPS server. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN name and the MAC address does not exist in the database, the VMPS sends an " access-denied" response. If the VMPS is in secure mode, it sends a " port-shutdown" response, whether or not a fallback VLAN has been configured on the server. Illegal VMPS client requests Two examples of illegal VMPS client requests are as follows: • When a MAC-address mapping is not present in the VMPS database and "no fall back" VLAN is configured on the VMPS. • When a port is already assigned a VLAN (and the VMPS mode is not "multiple") but a second VMPS client request is received on the VMPS for a different MAC-address. Understanding VMPS clients The following subsections describe how to configure a switch as a VMPS client and configure its ports for dynamic VLAN membership. The following topics are included: • Dynamic VLAN Membership Overview • Default VMPS Client Configuration • Configuring a Switch as a VMPS Client • Administering and Monitoring the VMPS • Troubleshooting Dynamic Port VLAN Membership Dynamic VLAN Membership Overview When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port. 
The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port. A dynamic port can belong to one VLAN only. When the link becomes active, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS as part of the VQP request, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS security mode setting). See the "Understanding VMPS" section for a complete description of possible VMPS responses. Multiple hosts (MAC addresses) can be active on a dynamic port if all are in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state and does not belong to a VLAN. Any hosts that come online through the port are checked again with the VMPS before the port is assigned to a VLAN. For this behavior to work, the client device must be able to reach the VMPS. A VMPS client sends VQP requests as UDP packets, trying a certain number of times before giving up. For details on how to set the retry interval, refer to section "Configuring the Retry Interval" on page 8 . The VMPS client also periodically reconfirms the VLAN membership. For details on how to set the reconfirm frequency, refer to section "Administering and Monitoring the VMPS" on page 8 . A maximum of 50 hosts are supported on a given port at any given time. Once this maximum is exceeded, the port is shut down, irrespective of the operating mode of the VMPS server. Note The VMPS shuts down a dynamic port if more than 50 hosts are active on that port. Default VMPS Client Configuration Table 11-1 shows the default VMPS and dynamic port configuration on client switches. 
Table 11-1 Default VMPS Client and Dynamic Port Configuration Feature Default Configuration VMPS domain server None VMPS reconfirm interval 60 minutes VMPS server retry count 3 Dynamic ports None configured Configuring a Switch as a VMPS Client This section contains the following topics: • Configuring the IP Address of the VMPS Server • Configuring Dynamic Access Ports on a VMPS Client • Reconfirming VLAN Memberships • Configuring Reconfirmation Interval • Reconfirming VLAN Memberships Configuring the IP Address of the VMPS Server To configure a Catalyst 4500 series switch as a VMPS client, you must enter the IP address or hostname of the switch acting as the VMPS. To define the primary and secondary VMPS on a Catalyst 4500 series switch, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# vmps server { ipaddress | hostname } primary Specifies the IP address or hostname of the switch acting as the primary VMPS server. Step 3 Switch(config)# vmps server { ipaddress | hostname } Specifies the IP address or hostname of the switch acting as a secondary VMPS server. Step 4 Switch(config)# end Returns to privileged EXEC mode. Step 5 Switch# show vmps Verifies the VMPS server entry. This example shows how to define the primary and secondary VMPS devices: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# vmps server 172.20.128.179 primary Switch(config)# vmps server 172.20.128.178 Switch(config)# end Note You can configure up to four VMPS servers using this CLI on the VMPS client. 
Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.179 (primary, current) 172.20.128.178 Reconfirmation status --------------------- VMPS Action: No Dynamic Port Configuring Dynamic Access Ports on a VMPS Client To configure a dynamic access port on a VMPS client switch, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# interface interface Enters interface configuration mode and specifies the port to be configured. Step 3 Switch(config -if )# switchport mode access Sets the port to access mode. Step 4 Switch(config -if )# switchport access vlan dynamic Configures the port as eligible for dynamic VLAN access. Step 5 Switch(config-if)# end Returns to privileged EXEC mode. Step 6 Switch# show interface interface switchport Verifies the entry. This example shows how to configure a dynamic access port and then verify the entry: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface fa1/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan dynamic Switch(config-if)# end Switch# show interface fa1/1 switchport Name: Fa0/1 Switchport: Enabled Administrative mode: dynamic auto Operational Mode: dynamic access Administrative Trunking Encapsulation: isl Operational Trunking Encapsulation: isl Negotiation of Trunking: Disabled Access Mode VLAN: 0 ((Inactive)) Trunking Native Mode VLAN: 1 (default) Trunking VLANs Enabled: NONE Pruning VLANs Enabled: NONE Voice Ports If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN. 
Consequently, an access port configured for connecting an IP phone can have separate VLANs for the following: • Data traffic to and from the PC that is connected to the switch through the access port of the IP phone (access VLAN) • Voice traffic to and from the IP phone (voice VLAN) Reconfirming VLAN Memberships To confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS, perform this task: Command Purpose Step 1 Switch# vmps reconfirm Reconfirms dynamic port VLAN membership. Step 2 Switch# show vmps Verifies the dynamic VLAN reconfirmation status. Configuring Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes the VMPS client waits before reconfirming the VLAN-to-MAC-address assignments. To configure the reconfirmation interval, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# vmps reconfirm minutes Specifies the number of minutes between reconfirmations of the dynamic VLAN membership. Step 3 Switch(config)# end Returns to privileged EXEC mode. Step 4 Switch# show vmps Verifies the dynamic VLAN reconfirmation status. This example shows how to change the reconfirmation interval to 60 minutes and verify the change: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# vmps reconfirm 60 Switch(config)# end Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 10 VMPS domain server: 172.20.130.50 (primary, current) Reconfirmation status --------------------- VMPS Action: No Host Configuring the Retry Interval You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server. 
To set the retry interval, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# vmps retry count Specifies the retry count for the VPQ queries. Default is 3. Range is from 1 to 10. Step 3 Switch(config)# end Returns to privileged EXEC mode. Step 4 Switch# show vmps Verifies the retry count. This example shows how to change the retry count to 5 and to verify the change: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# vmps retry 5 Switch(config)# end Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 5 VMPS domain server: 172.20.130.50 (primary, current) Reconfirmation status --------------------- VMPS Action: No Host Administering and Monitoring the VMPS You can display the following information about the VMPS with the show vmps command: VQP Version The version of VQP used to communicate with the VMPS. The switch queries the VMPS using VQP Version 1. Reconfirm Interval The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments. Server Retry Count The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS. VMPS domain server The IP address of the configured VLAN membership policy servers. The switch currently sends queries to the one marked "current." The one marked "primary" is the primary server. VMPS Action The result of the most-recent reconfirmation attempt. This action can occur automatically when the reconfirmation interval expired, or you can force it by entering the vmps reconfirm command or its CVSM or SNMP equivalent. 
The following example shows how to display VMPS information:

    Switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:   1
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server:

    Reconfirmation status
    ---------------------
    VMPS Action:        other

The following example shows how to display VMPS statistics:

    Switch# show vmps statistics
    VMPS Client Statistics
    ----------------------
    VQP Queries:               0
    VQP Responses:             0
    VMPS Changes:              0
    VQP Shutdowns:             0
    VQP Denied:                0
    VQP Wrong Domain:          0
    VQP Wrong Version:         0
    VQP Insufficient Resource: 0

Note: Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference for details on VMPS statistics.

Troubleshooting Dynamic Port VLAN Membership

VMPS errdisables a dynamic port under the following conditions:
• The VMPS is in secure mode, and it will not allow the host to connect to the port. The VMPS errdisables the port to prevent the host from connecting to the network.
• More than 50 active hosts reside on a dynamic port.

For information on how to display the status of interfaces in error-disabled state, refer to Chapter 5, "Checking Port Status and Connectivity". To recover an errdisabled port, use the errdisable recovery cause vmps global configuration command.

Dynamic Port VLAN Membership Configuration Example

Figure 11-1 shows a network with VMPS servers and VMPS client switches with dynamic ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 4000 family Switch 1 (running CatOS) is the primary VMPS server.
• The Catalyst 6000 family Switch 3 (running CatOS) and the URT are secondary VMPS servers.
• End stations are connected to these clients:
  – Catalyst 4500 series XL Switch 2 (running Catalyst IOS)
  – Catalyst 4500 series XL Switch 9 (running Catalyst IOS)
• The database configuration file is called Bldg-G.db and is stored on the TFTP server with the IP address 172.20.22.7.

Figure 11-1 Dynamic Port VLAN Membership Configuration

In the following procedure, the Catalyst 4000 and Catalyst 6000 series switches (running CatOS) are the VMPS servers. Use this procedure to configure the Catalyst 4500 series switch clients in the network:

Step 1 Configure the VMPS server addresses on Switch 2, the client switch.
a. Starting from privileged EXEC mode, enter global configuration mode:
    switch# configure terminal
b. Enter the primary VMPS server IP address:
    switch(config)# vmps server 172.20.26.150 primary
c. Enter the secondary VMPS server IP addresses:
    switch(config)# vmps server 172.20.26.152
d. To verify your entry of the VMPS IP addresses, return to privileged EXEC mode:
    switch(config)# exit
e. Display VMPS information configured for the switch:
    switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:   1
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server: 172.20.26.152
                        172.20.26.150 (primary, current)

Step 2 Configure port Fa0/1 on Switch 2 as a dynamic port.
a. Return to global configuration mode:
    switch# configure terminal
b. Enter interface configuration mode:
    switch(config)# interface fa2/1
c. Configure the VLAN membership mode for static-access ports:
    switch(config-if)# switchport mode access
d. Assign the port dynamic VLAN membership:
    switch(config-if)# switchport access vlan dynamic
e. Return to privileged EXEC mode:
    switch(config-if)# exit
    switch#

Step 3 Connect End Station 2 on port Fa2/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1. Switch 1 responds with the VLAN ID for port Fa2/1. Because spanning-tree PortFast mode is enabled by default on dynamic ports, port Fa2/1 connects immediately and begins forwarding.

Step 4 Set the VMPS reconfirmation period to 60 minutes. The reconfirmation period is the number of minutes the switch waits before reconfirming the VLAN to MAC address assignments.
    switch# config terminal
    switch(config)# vmps reconfirm 60

Step 5 Confirm the entry from privileged EXEC mode:
    switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:   1
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server:

    Reconfirmation status
    ---------------------
    VMPS Action:        No Dynamic Port

Step 6 Repeat Steps 1 and 2 to configure the VMPS server addresses, and assign dynamic ports on each VMPS client switch.

VMPS Database Configuration File Example

This example shows a sample VMPS database configuration file as it appears on a VMPS server. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch that functions as the VMPS server.

    !vmps domain <domain-name>
    ! The VMPS domain must be defined.
    !vmps mode { open | secure }
    ! The default mode is open.
    !vmps fallback <vlan-name>
    !vmps no-domain-req { allow | deny }
    !
    ! The default value is allow.
    vmps domain WBU
    vmps mode open
    vmps fallback default
    vmps no-domain-req deny
    !
    !
    !MAC Addresses
    !
    vmps-mac-addrs
    !
    ! address <addr> vlan-name <vlan_name>
    !
    address 0012.2233.4455 vlan-name hardware
    address 0000.6509.a080 vlan-name hardware
    address aabb.ccdd.eeff vlan-name Green
    address 1223.5678.9abc vlan-name ExecStaff
    address fedc.ba98.7654 vlan-name --NONE--
    address fedc.ba23.1245 vlan-name Purple
    !
    !Port Groups
    !
    !vmps-port-group <group-name>
    ! device <device-id> { port <port-name> | all-ports }
    !
    vmps-port-group WiringCloset1
     device 198.92.30.32 port Fa1/3
     device 172.20.26.141 port Fa1/4
    vmps-port-group "Executive Row"
     device 198.4.254.222 port es5%Fa0/1
     device 198.4.254.222 port es5%Fa0/2
     device 198.4.254.223 all-ports
    !
    !VLAN groups
    !
    !vmps-vlan-group <group-name>
    ! vlan-name <vlan-name>
    !
    vmps-vlan-group Engineering
     vlan-name hardware
     vlan-name software
    !
    !VLAN port Policies
    !
    !vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
    ! { port-group <group-name> | device <device-id> port <port-name> }
    !
    vmps-port-policies vlan-group Engineering
     port-group WiringCloset1
    vmps-port-policies vlan-name Green
     device 198.92.30.32 port Fa0/9
    vmps-port-policies vlan-name Purple
     device 198.4.254.22 port Fa0/10
     port-group "Executive Row"
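As an added example (written for this page, not Cisco code), the following Python parses a database file in the format shown above and models the server's answer to a VQP query, so a file can be checked offline before it is copied to the TFTP server. The decision rules are a simplified model of the documented behaviour and are an assumption: the fallback VLAN is applied only in open mode, and a `--NONE--` entry or a port-policy violation is answered with deny in open mode and shutdown in secure mode. The `parse_vmps_db` and `lookup` names are this example's own.

```python
# Added example, not Cisco code: parse a VMPS database file (format shown above)
# and model the server's VQP answer. The decision rules are a simplified model.
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample: the page's Bldg-G.db content with comment lines removed.
SAMPLE_DB = """\
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
vmps-port-group WiringCloset1
 device 198.92.30.32 port Fa1/3
 device 172.20.26.141 port Fa1/4
vmps-port-group "Executive Row"
 device 198.4.254.222 port es5%Fa0/1
 device 198.4.254.223 all-ports
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port Fa0/9
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port Fa0/10
 port-group "Executive Row"
"""

@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"
    fallback: Optional[str] = None
    no_domain_req: str = "allow"
    mac_to_vlan: Dict[str, str] = field(default_factory=dict)
    port_groups: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)  # (device, port); port "*" = all-ports
    vlan_groups: Dict[str, Set[str]] = field(default_factory=dict)
    port_policies: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)  # VLAN -> ports where permitted

def normalize_mac(mac: str) -> str:
    """Accept 0012.2233.4455, 00:12:22:33:44:55 or 00-12-22-33-44-55; return the dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"

def parse_vmps_db(text: str) -> VmpsDatabase:
    db, section, name, policy_vlans = VmpsDatabase(), None, "", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' starts a comment line
            continue
        tok = shlex.split(line)               # keeps "Executive Row" as one token
        kw = tok[0]
        if kw == "vmps" and len(tok) == 3 and tok[1] in ("domain", "mode", "fallback", "no-domain-req"):
            setattr(db, tok[1].replace("-", "_"), tok[2])
        elif kw == "vmps-mac-addrs":
            section = "macs"
        elif kw == "address" and section == "macs" and len(tok) == 4 and tok[2] == "vlan-name":
            db.mac_to_vlan[normalize_mac(tok[1])] = tok[3]
        elif kw in ("vmps-port-group", "vmps-vlan-group"):
            section, name = kw[5:], tok[1]    # "port-group" or "vlan-group"
            (db.port_groups if section == "port-group" else db.vlan_groups).setdefault(name, set())
        elif kw == "vmps-port-policies" and tok[1] in ("vlan-name", "vlan-group"):
            section = "policy"
            policy_vlans = {tok[2]} if tok[1] == "vlan-name" else set(db.vlan_groups[tok[2]])
            for v in policy_vlans:
                db.port_policies.setdefault(v, set())
        elif kw == "device" and section in ("port-group", "policy"):
            member = (tok[1], "*") if tok[2] == "all-ports" else (tok[1], tok[3])
            targets = [db.port_groups[name]] if section == "port-group" else [db.port_policies[v] for v in policy_vlans]
            for target in targets:
                target.add(member)
        elif kw == "vlan-name" and section == "vlan-group":
            db.vlan_groups[name].add(tok[1])
        elif kw == "port-group" and section == "policy":
            for v in policy_vlans:
                db.port_policies[v] |= db.port_groups[tok[1]]  # KeyError if the group is used before it is defined
        else:
            raise ValueError(f"unrecognised or misplaced line: {line!r}")
    return db

def lookup(db: VmpsDatabase, mac: str, device: str, port: str, client_domain: Optional[str] = None):
    """Model the answer to a VQP query: ("assign", vlan), ("deny", None) or ("shutdown", None)."""
    refuse = ("shutdown", None) if db.mode == "secure" else ("deny", None)
    if (client_domain is None and db.no_domain_req == "deny") or client_domain not in (None, db.domain):
        return ("deny", None)                 # missing or wrong VMPS domain in the query
    vlan = db.mac_to_vlan.get(normalize_mac(mac))
    if vlan is None:                          # unknown host: fallback VLAN only in open mode (assumption)
        return ("assign", db.fallback) if db.mode == "open" and db.fallback else refuse
    if vlan == "--NONE--":                    # host explicitly barred from the network
        return refuse
    allowed = db.port_policies.get(vlan)
    if allowed is not None and (device, port) not in allowed and (device, "*") not in allowed:
        return refuse                         # VLAN not permitted on this device/port
    return ("assign", vlan)
```

Running `parse_vmps_db` over the file raises on a line it cannot place, which catches the common mistakes (a port policy referring to a group that is defined later, a malformed MAC) before the server loads the file.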
Configuring dynamic MAC-based VLAN assignment

Configuration restrictions and guidelines

When you configure dynamic MAC-based VLAN assignment, follow these restrictions and guidelines:
As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
When dynamic MAC-based VLAN assignment is enabled on a port, the configuration of disabling of MAC address learning does not take effect.
For successful dynamic MAC-based VLAN assignment, use static VLANs when you create MAC-to-VLAN entries.
As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state. The port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic voice VLAN assignment mode on a port. They can have a negative impact on each other.
To configure dynamic MAC-based VLAN assignment:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | | N/A |
2. Create a MAC-to-VLAN entry. | | By default, no MAC-to-VLAN entries exist. |
3. Enter interface view. | | N/A |
4. Set the port link type to hybrid. | | By default, all ports are access ports. |
5. Enable the MAC-based VLAN feature. | | By default, MAC-based VLAN is disabled. |
6. Enable dynamic MAC-based VLAN assignment. | | By default, dynamic MAC-based VLAN assignment is disabled. The VLAN assignment for a port is triggered only when the source MAC address of its receiving packet exactly matches the MAC address in a MAC-to-VLAN entry. |
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially. | vlan precedence mac-vlan | By default, the system assigns VLANs based on the MAC address preferentially when both the MAC-based VLAN and IP subnet-based VLAN are configured on a port. |
8. (Optional.) Disable the port from forwarding packets that fail the exact MAC address match in its PVID. | | By default, when a port receives packets whose source MAC addresses fail the exact match, the port forwards them in its PVID. |
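As an added example (written for this page, not HPE code), the following Python models the decisions the table and guidelines above describe for a hybrid port: tagged frames are classified by port membership only, an untagged frame whose source MAC exactly matches an entry makes the port join that VLAN when the VLAN is static, `vlan precedence` picks whether the MAC or the IP-subnet match is tried first, and an unmatched frame is forwarded in the PVID unless PVID forwarding is forbidden. The `HybridPort`, `Switch` and `classify` names and the sample MACs and subnets are this example's own; what happens to a matched frame whose VLAN is not static is treated here as "no usable match", which is an assumption.

```python
# Added example, not HPE code: a model of the dynamic MAC-based VLAN assignment
# rules above (exact MAC match, static-VLAN requirement, MAC/IP-subnet precedence,
# PVID fallback or PVID-forbidden drop). Names are this example's own.
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

def normalize_mac(mac: str) -> str:
    """Return the H-H-H form (e.g. 0012-2233-4455) whatever delimiter the input used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[:4]}-{digits[4:8]}-{digits[8:]}"

@dataclass
class HybridPort:
    name: str
    pvid: int
    mac_vlan_enabled: bool = True     # step 5: MAC-based VLAN feature on the port
    dynamic_assignment: bool = True   # step 6: port may join a matched VLAN on its own
    mac_precedence: bool = True       # step 7 default: MAC-based VLAN beats IP-subnet VLAN
    pvid_forbidden: bool = False      # step 8: drop unmatched frames instead of using PVID
    untagged_vlans: Set[int] = field(default_factory=set)
    tagged_vlans: Set[int] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.untagged_vlans.add(self.pvid)  # the PVID is always an untagged member VLAN

@dataclass
class Switch:
    static_vlans: Set[int]            # only these can be assigned dynamically
    mac_to_vlan: Dict[str, int]       # MAC-to-VLAN entries, matched exactly
    subnet_to_vlan: Dict[str, int]    # IP-subnet-based VLAN entries, CIDR -> VLAN

def classify(sw: Switch, port: HybridPort, src_mac: str,
             src_ip: Optional[str] = None, tag_vid: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Decide the VLAN for one received frame; (None, reason) means it is dropped."""
    if tag_vid is not None:
        # Tagged frames are classified by port-based membership only; no MAC lookup.
        if tag_vid in port.tagged_vlans | port.untagged_vlans:
            return tag_vid, "tagged: port-based VLAN"
        return None, "tagged: VLAN not permitted on port"
    candidates: List[Tuple[str, int]] = []
    if port.mac_vlan_enabled:
        vlan = sw.mac_to_vlan.get(normalize_mac(src_mac))
        if vlan is not None:
            candidates.append(("mac", vlan))
    if src_ip is not None:
        for cidr, vlan in sw.subnet_to_vlan.items():
            if ip_address(src_ip) in ip_network(cidr):
                candidates.append(("subnet", vlan))
                break
    if not port.mac_precedence:
        candidates.reverse()            # 'vlan precedence' decides which match is tried first
    for kind, vlan in candidates:
        if vlan in port.untagged_vlans:
            return vlan, f"{kind} match: port already in VLAN"
        if kind == "mac" and port.dynamic_assignment and vlan in sw.static_vlans:
            port.untagged_vlans.add(vlan)   # the port is dynamically assigned to the VLAN
            return vlan, "mac match: port dynamically assigned"
        # Matched VLAN is not static, or the port may not join it: treated here as no
        # usable match (this model's assumption; confirm against the vendor documentation).
    if port.pvid_forbidden:
        return None, "no exact match: PVID forwarding forbidden, dropped"
    return port.pvid, "no exact match: forwarded in PVID"
```

The `pvid_forbidden` branch is the one worth noting from a segmentation standpoint: with the default setting, any device whose MAC is not in the table still gets a path onto the PVID VLAN, so the PVID on such ports should be a VLAN you are content to treat as untrusted.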
© Copyright 2017 Hewlett Packard Enterprise Development LP
I'd like to know how to assign someone's client device to a different VLAN based on the MAC address of that device. What kind of hardware/software would make this solution possible (if possible at all)? Would it be possible to achieve the same using RADIUS authorization credentials instead of MAC addresses?
The reason why I'm asking this is because I'd like to migrate my company's internal network structure to something divided into separate subnets, isolating specific departments from each other, and providing separated, intranet isolated, guest accessible internet access. Would the method above be a right solution for this?
I am on the 1st phase of implementing a similar solution. 802.1x it's been for a while now and although it's grown up and globally supported it's vulnerable when meeting local OS network stack. I have deployed it several times on small and medium networks and usually it works for 90% of the workstations, maybe 95%. There is always an old Windows install that simply turns off your day.
Based on that I am working with FreeRadius . It requires broader knowledge except basic networking, but it doesn't interact in any way with the workstations, it's transparent for the user.
You can also try FreeNAC which is similar still it's been discontinued for some time now.
I'm looking for any documentation or tutorial on how to configure dynamic MAC-based VLAN assignment on the OpenWrt router.
Precondition:
Goal details:
Any suggestion (the simplest way) how to start using MAC based authentication for the scenarios defined above on the OpenWrt v.21.0x or higher with DSA framework?
I do not think this is how VLANs actually work (they work on a per port basis not on a per-host basis independent of how you identify hosts)... so you want some special sauce here... if the end device is not using VLAN tags itself you require an untagged port, now if one of your guest MACs (hopefully your guests do not know how to spoof MAC addresses or have MAC randomization activated) shows up you will need to figure out the port they are switch/LAN they are connecting over, and then add/move that port to the guest VLAN (which might be empty). However if the switch port is connected to another switch and you see both guest and non-guest MACs on the same port you need to figure out how you want to deal with it.
The more traditional approach is to statically assign one or more switch ports to the guest VLAN and only connect guest devices to those ports, and for WiFi you need to create a dedicated guest SSID and bridge it to the guest VLAN as well.
Honestly? Not at all, MACs are easily changed so they are no reliable identifiers for strict security isolation (however if your adversaries are not all that sophisticated MAC based isolation might be enough of a stumbling block to be worth your while).
BTW. I would not maintain two sets of MACs (because what to do with MACs in neither list) but would auto assign everything to guest and only elevate select devices to the lan if the MAC is in your allowlist...
Radius config can be used. Known MAC addresses get a defined VLAN (private tunnel group id) and everything without a match a default VLAN. VoIP phones, printers and other dumb stuff without proper 802.1x support get their VLAN this way in enterprise LAN networks.
Edit: typos
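As an added example for the RADIUS approach this post describes (my own code, not FreeRADIUS's and not the poster's), the following Python normalises the MAC formats a NAS may send, resolves a MAC-authentication request to the RFC 3580 reply attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that carry the VLAN, and emits FreeRADIUS users-file style entries for a known-device list with a guest default, following the "everything to guest, elevate known devices" policy suggested earlier in the thread. The allowlist, VLAN numbers and the users-file layout are assumptions to check against your server's version.

```python
# Added example, not FreeRADIUS code and not any poster's code: MAC-based VLAN
# assignment decisions for MAC authentication, where username and password both
# carry the client MAC. Reply attribute names are from RFC 3580; the users-file
# layout is an assumption to verify against your FreeRADIUS version.
import re
from typing import Dict, Optional

def normalize_mac(mac: str) -> str:
    """Lower-case hex with no delimiters, the form used as username/password in this thread."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

# Constructed allowlist: known devices that are lifted out of the guest VLAN.
KNOWN_DEVICES = {"00:11:22:33:44:55": 10, "66-77-88-99-AA-BB": 20}
GUEST_VLAN = 99

def vlan_reply(vid: int) -> Dict[str, str]:
    """Reply attributes that make an 802.1Q-aware NAS put the port in VLAN `vid`."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vid)}

def authorize(user_name: str, user_password: str, calling_station_id: str,
              allowlist: Dict[str, int] = KNOWN_DEVICES, guest: int = GUEST_VLAN) -> Optional[Dict[str, str]]:
    """Return reply attributes for Access-Accept, or None for Access-Reject.
    The three identity fields must agree: a request whose User-Name differs from the
    MAC the NAS itself reported (Calling-Station-Id) is rejected rather than trusted."""
    try:
        name, password, seen = (normalize_mac(x) for x in (user_name, user_password, calling_station_id))
    except ValueError:
        return None
    if not (name == password == seen):
        return None
    table = {normalize_mac(m): v for m, v in allowlist.items()}
    return vlan_reply(table.get(name, guest))   # unknown devices land in the guest VLAN

def render_users_file(allowlist: Dict[str, int] = KNOWN_DEVICES, guest: int = GUEST_VLAN) -> str:
    """Emit FreeRADIUS users-style entries (layout assumed): one per known MAC,
    plus a DEFAULT entry that places everything else in the guest VLAN."""
    def entry(key: str, check: str, vid: int) -> str:
        attrs = vlan_reply(vid)
        reply = ",\n\t".join(f'{k} = "{v}"' if k == "Tunnel-Private-Group-Id" else f"{k} = {v}"
                             for k, v in attrs.items())
        return f"{key}\t{check}\n\t{reply}\n"
    entries = [entry(normalize_mac(m), f'Cleartext-Password := "{normalize_mac(m)}"', v)
               for m, v in allowlist.items()]
    entries.append(entry("DEFAULT", "Auth-Type := Accept", guest))
    return "\n".join(entries)
```

The consistency check in `authorize` is cheap and worth keeping: it rejects requests whose identity fields disagree, which would otherwise show up only as unexplained VLAN placements in the accounting log.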
yes, exactly. I would like to know if OpenWrt architecture theoretically allows config when multiple clients on a single switch port to receive different untagged VLAN assignments. If yes, then we can proceed with this.
Yes, but it is more for flexibility. The idea is not related to security (although some minimum level of security is added here), but rather to flexible connection. All the requirements in the description are simplified, and there can be many more VLANs, and I just need to allow clients to use any free untagged LAN ports in the specific public room, and any LAN-connected laptop should be auto-assigned to the appropriate VLAN customer group based on the MAC.
I find your goal interesting and would like to see a proof of concept for wired 802.1x on OpenWrt too. Atm I have not the time to dig deeper into it but I found at least this somehow useful to get a rough idea: https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-40/Layer-1-and-Switch-Ports/802.1X-Interfaces/ Please keep us updated on your progress! Atm I only have MAC address based VLAN assignment on wifi with traditional PSK/wpa2 without wpa2-enterprise. But would like to get it for wired clients too. For the same reason: I'm lazy and want to just plug in a cable and at home I have no high security requirements ^^
Not sure if my level of experience with OpenWrt would allow me to configure it by my own from scratch.
I am currently just trying to get confirmation if this is even possible for OpenWrt. That's why I've started here with a question, because there is a lot of info that can be googled for this "solution" for other projects or brands, but unfortunately nothing for OpenWrt I've found.
This looks promising: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend_configuring-and-managing-networking The last point 20.6. Configuring hostapd as an authenticator in a wired network
I guess yes and no... your switchport by itself will not be able to differentiate between different untagged packet sources, however you should be able to configure the switch such that all packets are passed to the kernel isolated and the kernel should be able to do what ever it likes based on whatever criterion. However that will create high traffic on the CPU-2-switch port, since now every packet between machines on the LAN needs to traverse the CPU port twice...
I still wonder what kind of flexibility you are looking for here, how many devices (wired and wireless) are you expecting in your network?
I respectfully argue, the default OpenWrt works out of the box by simply plugging devices in. Not saying your use-case is not justified, but it does not appear the most lazy/hands-off approach.
As OpenWrt nowadays runs on switches too with 10, 16, 24, .. ports you simply would not reconfigure ports every time you plug in a device. Especially based on the fact that you can not configure ports like on an enterprise switch. You need to restart half the network stack which affects all connected devices. If however it's possible to configure individual ports on DSA easily please tell me, I will be more than happy to have an open ear. If I get my dsg1210 debricked soon I will try to configure hostapd with the Red Hat document because it looks really simple (as I mentioned I have the hostapd and freeradius setup already in place to put unknown wifi clients in a default guest VLAN).
This is the promise of DSA individual ports can just be configured using the normal kernel tools for interfaces, in fact to make a switch a switch, you need to create a bridge over all its ports...
You have seen the note that hostapd will not do any interface configuration for you, so expect some shell scripting to get the required 'magic' performed.
Sweet! However I am simply minded enough that offering a guest and a non-guest SSID and configuring each device to select the desired one (for IoT devices that means never ever entering the password for the non-guest SSID). But I am only wrangling a small number of devices in a generally friendly setting, so I assume I am simply too naive/daft to see what a radius based approach can offer.
© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.
Maine Basan
A VLAN (Virtual Local Area Network) is a logical grouping of devices that are all connected to the same network regardless of physical location. VLANs are an essential component of contemporary networking, allowing network traffic to be segmented and managed.
VLANs enable logical partitioning inside a single switch, resulting in multiple virtual local area networks where physical switch segmentation is not a possibility. These partitions enable the division of a large network into smaller, more manageable broadcast domains, thereby improving network security, efficiency, and flexibility. In this comprehensive guide, we will look at how VLANs function, when to use them, the benefits and drawbacks they provide, and the types of VLANs.
How do VLANs work?
VLANs are assigned unique numbers, which enable network administrators to arrange and separate network traffic. A VLAN number is a label or tag that is applied to certain packets in order to determine their VLAN classification. The valid VLAN number range is typically 1 to 4094, providing adequate flexibility to build many VLANs within a network configuration.
VLAN numbers are assigned to switch ports to associate VLAN membership with network devices. The switch then permits data to be transmitted across ports that are part of the same VLAN. Network administrators can regulate the flow of traffic within the network by establishing VLAN membership for particular ports. By giving the right VLAN number to each port on a VLAN switch, ports may be identified as belonging to a certain VLAN. VLAN tagging, which adds a tiny header to Ethernet frames, is used by switches to identify the VLAN to which the frame belongs. This tagging guarantees that traffic is channeled correctly inside the VLAN and does not leak to other VLANs.
Since practically all networks include more than one switch, VLANs provide a means to transport traffic between them. After assigning VLAN numbers to switch ports, the switch ensures that data destined for devices in the same VLAN is transferred correctly. When two or more ports on the same switch are assigned the same VLAN number, the switch permits communication between those ports while isolating traffic from other ports. This segmentation improves network security, performance, and administration capabilities.
Because most networks are bigger than a single switch, it is necessary to facilitate communication across VLANs on various switches. A simple way to accomplish this is to configure particular ports on each switch to be part of a common VLAN and to make physical connections (usually through cables) between these designated ports. Switches enable inter-VLAN traffic to flow by connecting these ports, allowing communication between devices in different VLANs.
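As an added example (written for this guide, not the article's own code), the following Python builds an Ethernet frame with and without the small 802.1Q tag the article refers to, parses one back, and applies the ingress rule a switch port uses: a tagged frame keeps the VID from its tag, while an untagged frame (or a priority-tagged one with VID 0) is placed in the port's PVID. The `build_frame`, `parse_frame` and `ingress_vlan` names and the sample addresses are this example's own.

```python
# Added example, not from the article: build and parse IEEE 802.1Q-tagged Ethernet
# frames to show where the VLAN number lives and how a port classifies a frame.
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100          # EtherType value announcing a VLAN tag in the next 2 bytes
VID_MIN, VID_MAX = 1, 4094   # 0 = priority-tagged (no VLAN), 4095 = reserved

def is_valid_vid(vid: int) -> bool:
    return VID_MIN <= vid <= VID_MAX

def mac_to_bytes(mac: str) -> bytes:
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)

def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; with `vid` set, a 4-byte 802.1Q tag (TPID + TCI) is inserted
    between the source MAC and the EtherType. TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vid is not None:
        if not is_valid_vid(vid) or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("VID must be 1-4094, PCP 0-7, DEI 0 or 1")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into addresses, optional tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info: Dict[str, object] = {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12]),
                               "vid": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        info["pcp"], info["dei"], info["vid"] = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info

def ingress_vlan(frame: bytes, pvid: int) -> int:
    """VLAN a port assigns at ingress: the tag's VID when present and non-zero,
    otherwise the port's PVID (untagged and priority-tagged frames alike)."""
    vid = parse_frame(frame)["vid"]
    return vid if vid else pvid
```

The PVID fallback is the part to keep in mind when reviewing a switch configuration: every untagged frame on a port lands in that port's PVID VLAN, so the PVID on ports facing untrusted devices determines which VLAN those devices reach without any tag at all.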
VLANs provide several advantages in network management, performance enhancement, and security. They offer the flexibility and control required in enterprise network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. VLANs are particularly useful in situations such as:
VLANs enable enterprises to improve network efficiency, scalability, and security while also simplifying network administration, increasing security, and boosting overall performance. Here are some of the advantages of using VLANs.
While VLANs provide substantial benefits in network management and security, it is critical to understand their potential downsides. Understanding these drawbacks allows network managers to handle them proactively and guarantee a successful VLAN implementation that meets their unique organizational needs.
There are several types of VLANs commonly used in networking.
VLANs are a powerful network strategy that enables efficient traffic control, better security, and optimal network performance. These are critical functions in modern network environments, allowing network traffic to be segregated and controlled. By assigning VLAN numbers to switch ports, network administrators may create logical network segments and regulate data flow inside and between VLANs.
VLANs provide the flexibility and control required in contemporary network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. Understanding the functions and advantages of VLAN types helps administrators to create efficient network configurations tailored to their organization’s needs.
I'm running Openwrt 22.03 on a mini pc with the following config:
eth0 - LAN connected to a 8 port gigabit switch
eth1 - WAN connected to 1gbps internet
eth2 - AP (Asus AC87u in AP mode)
eth2 has both IoT devices (fridge, dishwasher, smart lightbulbs etc), laptops, Firestick, TVs etc.
I want to enable time scheduling on the kids devices which are all connected to the AP on eth2, so want them in their own vlan. I was thinking if I could associate a device to a vlan by MAC address.
Is this possible with my current setup?
To do that, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries, and enable the MAC-based VLAN feature and dynamic MAC-based VLAN assignment on the port. Dynamic MAC-based VLAN assignment uses the following workflows. When the port receives a frame, the port first determines whether the frame is tagged.
The MAC-based VLAN feature allows incoming untagged packets to be assigned to a VLAN and thus classify traffic based on the source MAC address of the packet. You define a MAC to VLAN mapping by configuring an entry in the MAC to VLAN table. An entry is specified using a source MAC address and the appropriate VLAN ID.
The 802.1x protocol is used for network access control. For devices like printers, cameras, etc. we will use mac-authentication as a fallback. We will also use dynamic VLAN assignment for the connected ports. Our radius server will be Microsoft NPS. You can activate this role on the Windows server:
It is recommended that MAC address-based VLAN assignment should be configured on the hybrid interface. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }. On access and trunk interfaces, MAC address-based VLAN assignment can be used only when the MAC address-based VLAN is the same as the PVID.
Example for Configuring MAC Address-based VLAN Assignment
Step 1. configure: Enter global configuration mode. Step 2. mac-vlan mac-address mac-addr vlan vlan-id [description descript]: Bind the MAC address to the VLAN. mac-addr: Specify the MAC address of the device in the format xx:xx:xx:xx:xx:xx. vlan-id: Enter the ID number of the 802.1Q VLAN that will be bound to the MAC VLAN.
The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments. Server Retry Count . The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS. VMPS domain server . The IP address of the configured VLAN membership policy ...
In MAC address-based VLAN assignment mode, you do not need to reconfigure VLANs for users when their physical locations change. This improves network access security and flexibility. In MAC address-based VLAN assignment mode, only untagged packets are processed. For tagged packets, only interface-based VLAN assignment mode is used.
In dynamic MAC-based VLAN assignment, the port that receives a packet with an unknown source MAC address can be successfully assigned to the matched VLAN only when the matched VLAN is a static VLAN. With MSTP enabled, if a port is blocked in the MST instance (MSTI) of the target MAC-based VLAN, the port drops the received packets, instead of ...
By default, dynamic MAC-based VLAN assignment is disabled. The VLAN assignment for a port is triggered only when the source MAC address of its receiving packet exactly matches the MAC address in a MAC-to-VLAN entry. 7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially. vlan precedence mac-vlan
MAC-based VLANs. MAC-Based VLANs (MBVs) allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port. Clients receive their untagged VLAN assignment from the RADIUS server. This feature adheres to the requirement that if ...
The assignment of VLANs are (from lowest to highest precedence): 1. The default VLAN is the VLAN configured for the WLAN (see Virtual AP Profiles ). 2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type).
Now when I connect these two laptops to the network, one lands on the 400 VLAN and gets a 4.x address, and the other lands on the 500 VLAN and gets a 5.x address. These assignments can be changed as easily as group membership. I believe this will be a pretty robust solution for us moving forward.
What I'd like to end up with is a solution where a client computer tries to connect to the network, gets authenticated via 802.1x, RADIUS, or plain MAC and is then assigned to a VLAN of my choice. So that it can be either separated from, or provided with access to our intranet. Sound doable? Specific product recommendations are going to be off ...
The MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet (MAC address, IP address, or layer-2 protocol). Overview. When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that VLAN value to include the VLAN tag.
Known Mac addresses gets defined vlan (private tunnel group id) and everything without a match a default vlan. Void phones, printer and other dump stuff without proper 802.1x support get their vlan this way in enterprise lan networks. ... Atm I only have Mac addresses based vlan assignment on wifi with traditional PSK/wpa2 without wpa2 ...
Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces) VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame.
Apparently the mac address is sent to radius in several TLV's, for instance "Calling-Station-Id" and "User-Name". It's also in the "User-Password" TLV. I made a very simple entry in the radius server where username = password = mac address (without delimiter), assign vlan tag id and works!
If you create more VLANs than there are available MAC addresses, multiple VLANs are assigned the same MAC address. global - All VLANs are assigned the same MAC address. vmw-compat - Specific to VE systems, only one interface is allowed per VLAN, and the VLAN will use the MAC address of its corresponding interface. No trunks may be attached to ...
I would like to achieve the following: If a known host (identified by MAC address) is connected to any switch within the company network, the corresponding port should be configured automatically (assigned to a specific VLAN). At the same time, the host should automatically be assigned a defined IP address. If the host is unknown, it should end ...
MAC-based VLAN: This type of VLAN is ideal when network administrators require granular control over device placement. A MAC-based VLAN uses the MAC address of a device to identify it as a member ...
The other way would be using APVLANs. Your AP radio needs to support this function and a FreeRADIUS server setup to use MAC based authentication, then attach WiFi users to a given VLAN based on login (more work). I'd prefer to do the former, that way you know for sure which devices are theirs without fluffing MAC addresses.
1. The Network Override feature is used to assign a device to a VLAN that is already used as the Primary (Native) Network of the switch port it is connected to. The UniFi device will be unreachable because VLAN 20 is also configured as the Primary (Native) VLAN on the switch port to which the device is directly connected. 2.
This second rule will match all other devices , and assigned a policy that is mac based , so you can authenticate 20 different pc, ip phones, printers etc and based on user/mac or user name, the radius will send the configured vlan on its rules or policy. I did this for everything all ports on the switch are configured equally.
Although a UniFi Gateway or UniFi Cloud Gateway is recommended for the most integrated experience, it is possible to bridge networks/VLANs from a third-party gateway so that they can be assigned to UniFi Access Points (APs) and switch ports. Configure your network's subnet, VLAN ID, DNS, and DHCP server on your third-party gateway. In UniFi, navigate to Settings > Networks to create a new ...