Configuring MAC-based VLAN


Overview

Traditional VLAN assignment is based on the switch port on which the traffic is received. MAC-based VLAN instead assigns the VLAN based on the source MAC address of untagged traffic rather than the port.

Configure MAC-based VLAN when users need both security and mobility. MAC-based VLAN associates MAC addresses with VLANs: VLAN membership is determined by the source MAC address of the packet, and the VLAN tag is added to the packet before it is sent. VLANs do not need to be reassigned when a user's physical location changes, which improves the security and access flexibility of end users.

You define a MAC to VLAN mapping by configuring an entry in the MAC to VLAN table. An entry is specified using a source MAC address and the appropriate VLAN ID. The MAC to VLAN configurations are shared across all ports of the device (i.e., there is a system-wide table that has MAC address to VLAN ID mappings).

MAC-based VLAN only handles untagged packets. Tagged packets are processed the same way as port-based VLAN.

When an untagged packet is received by the interface, the interface will look up the MAC to VLAN table entry based on the source MAC address of the packet.

  • If an entry is found, the corresponding VLAN ID is assigned to the packet, and the priority value in the VLAN tag is set to 0 (zero).
  • If no entries are found, the untagged packet will be forwarded in the native VLAN of the

For tagged packets, if the VLAN ID carried by the packet is in the list of VLANs allowed to be transmitted through the port, the packet is allowed to pass, otherwise the packet is dropped.
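
The lookup described above, modelled on raw Ethernet headers as an added example (not Pica8 code or output). The names `classify` and `build_frame`, the constructed frames, and native VLAN 1 are assumptions; the MAC to VLAN entries come from this page's configuration example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def classify(frame, mac_map, native_vlan, allowed_vlans):
    """Return (rule, vlan_id, priority), or None when the frame is dropped."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF                      # low 12 bits of the TCI
        # Tagged: port-based handling, the MAC to VLAN table is not consulted.
        return ("tagged", vid, None) if vid in allowed_vlans else None
    if src in mac_map:
        return ("mac-map", mac_map[src], 0)     # priority in the added tag is 0
    return ("native", native_vlan, None)        # no entry: native VLAN

def build_frame(src, vid=None):
    """Constructed frame: broadcast destination, IPv4 EtherType, zero payload."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", 0x0800) + bytes(46)

# Entries from the page's example; keys are lower-case, colon-separated.
MAC_MAP = {"00:22:22:22:22:20": 200, "00:33:33:33:33:20": 300}

if __name__ == "__main__":
    for f in (build_frame("00:22:22:22:22:20"), build_frame("00:aa:bb:cc:dd:ee"),
              build_frame("00:22:22:22:22:20", vid=300)):
        # native VLAN 1 and the allowed list {200} are assumed port settings
        print(classify(f, MAC_MAP, native_vlan=1, allowed_vlans={200}))
```

An unlisted source address is not dropped; it lands in the native VLAN, so what that VLAN can reach decides what an unknown device can reach.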

NOTES:

  • The same MAC address can be bound to no more than one VLAN.
  • The number of MAC-VLAN entries supported by the whole switch varies between switch platforms; for details, see the following attached file.

Maximum Number of MAC VLAN Mapping on Different Platforms.xlsx

  • To enable the MAC-based VLAN function, add the port to the VLAN to which the MAC address is bound. Remember to configure the port mode to trunk if more than one VLAN is transported across this port.
  • MAC-based VLAN will not work if 802.1X, voice VLAN or VXLAN is enabled on the same port.
  • QinQ will not work if MAC-based VLAN is enabled.
  • MAC-based VLAN can work with private VLAN.

Configuring MAC-based VLAN

Step 1            Create VLAN and add port to the VLAN.

  set vlans vlan-id <vlan-id>

  set interface gigabit-ethernet <interface-name> family ethernet-switching vlan members <vlan-id>

 Step 2            (Optional) Configure the port mode to trunk.

  set interface gigabit-ethernet <interface-name> family ethernet-switching port-mode <port-mode>

 Step 3            Configure MAC address and VLAN mapping entry.

  set mac-map mac-address <mac-address> vlan <vlan-id>

 Step 4            View the configuration information of MAC-based VLAN.

  run show mac-map [mac-address <mac-address>]

Example for Configuring MAC-based VLAN

Networking Requirements

Figure 1. MAC-based VLAN Configuration Example

In a company network, the network administrator divides the employees of different departments into different VLANs. In order to improve the information security in the department, only the PCs belonging to the department are allowed to access the network of the department.

As shown in Figure 1, PC1 (00:22:22:22:22:20), PC2 (00:33:33:33:33:20) and PC3 (00:44:44:44:44:20) are PCs of employees in different departments. It is required that these PCs can only access their respective department networks. If they are replaced by other PCs, they cannot access the network.

You can configure MAC-based VLAN to bind the MAC addresses of PCs in different departments to different VLANs to achieve this requirement.

Procedure

 Step 1            Create the VLANs, set the port mode to trunk and add the ports to the VLANs.

admin@SwitchA# set vlans vlan-id 200
admin@SwitchA# set vlans vlan-id 300
admin@SwitchA# set vlans vlan-id 400
admin@SwitchA# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@SwitchA# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching vlan members 200
admin@SwitchA# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode trunk
admin@SwitchA# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching vlan members 300
admin@SwitchA# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode trunk
admin@SwitchA# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching vlan members 400
admin@SwitchA# set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode trunk
admin@SwitchA# set interface gigabit-ethernet te-1/1/1 family ethernet-switching vlan members 200,300,400

 Step 2            Configure MAC address and VLAN mapping entry.

admin@SwitchA# set mac-map mac-address 00:22:22:22:22:20 vlan 200
admin@SwitchA# set mac-map mac-address 00:33:33:33:33:20 vlan 300
admin@SwitchA# set mac-map mac-address 00:44:44:44:44:20 vlan 400

 Step 3            Commit the configurations.

admin@SwitchA# commit

 Step 4            View the configuration information of MAC-based VLAN.

admin@SwitchA# run show mac-map
Total entries: 4096
MAC                 VLAN
00:22:22:22:22:20   200
00:33:33:33:33:20   300
00:44:44:44:44:20   400
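
A pre-commit check of the constraints in the notes and procedure above (one VLAN per MAC, VLAN created, a member port exists, trunk mode when a port carries more than one VLAN), as an added example that is not part of PicOS or the original page. The function name `lint`, its messages and the `SAMPLE` input are assumptions; `SAMPLE` is constructed with deliberate mistakes.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
IF_RE = re.compile(r"set interface gigabit-ethernet (\S+) family "
                   r"ethernet-switching (vlan members|port-mode) (\S+)")
SAMPLE = """\
set vlans vlan-id 200
set vlans vlan-id 300
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching vlan members 200
set interface gigabit-ethernet te-1/1/1 family ethernet-switching vlan members 200,300
set mac-map mac-address 00:22:22:22:22:20 vlan 200
set mac-map mac-address 00:22:22:22:22:20 vlan 300
set mac-map mac-address 00:44:44:44:44:44:20 vlan 400
"""  # constructed input with deliberate mistakes

def lint(config):
    """Return a list of problems found in PicOS-style set commands."""
    vlans, members, mode = set(), defaultdict(set), {}
    bindings, problems = defaultdict(set), []
    for raw in config.splitlines():
        line = raw.split("# ", 1)[-1].strip()   # drop a CLI prompt if present
        if m := re.fullmatch(r"set vlans vlan-id (\d+)", line):
            vlans.add(int(m[1]))
        elif m := IF_RE.fullmatch(line):
            if m[2] == "port-mode":
                mode[m[1]] = m[3]
            else:                               # comma-separated list, as on the page
                members[m[1]].update(int(v) for v in m[3].split(","))
        elif m := re.fullmatch(r"set mac-map mac-address (\S+) vlan (\d+)", line):
            if not MAC_RE.fullmatch(m[1].lower()):
                problems.append(f"{m[1]}: not a 6-octet MAC address")
            bindings[m[1].lower()].add(int(m[2]))
    for mac, vids in sorted(bindings.items()):
        if len(vids) > 1:
            problems.append(f"{mac}: bound to more than one VLAN {sorted(vids)}")
        for vid in sorted(vids):
            if vid not in vlans:
                problems.append(f"{mac}: VLAN {vid} has not been created")
            if not any(vid in v for v in members.values()):
                problems.append(f"{mac}: no port is a member of VLAN {vid}")
    for port, vids in sorted(members.items()):
        if len(vids) > 1 and mode.get(port) != "trunk":
            problems.append(f"{port}: {len(vids)} VLANs but port mode is not trunk")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```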





Copyright © 2024 Pica8 Inc. All Rights Reserved.