MAC based vlan and guests

Hello, I found the MAC-based VLANs very useful to let users connect everywhere they want. Is it a good practice to implement that, I mean from a security point of view?
What would be the solution to redirect unknown MACs to a specific VLAN? For example VLAN 100 for known MACs and VLAN 200 for unknown MACs (guests)?
Is it possible to have a MAC on multiple VLANs? I’m using CRS3XX to implement that.
Thanks for your contribution!

I found the switch rule can help, but what about multiple VLANs for a single MAC?
Is it possible to implement VLAN tunneling this way?

Best regards
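For readers who want to see what the "switch rule" approach looks like in practice, here is an added example configuration (not from the thread or from MikroTik's documentation) for a CRS3xx running bridge VLAN filtering. It puts one known source MAC into VLAN 100 via a switch rule and lets every other untagged frame on the same port fall back to the port's PVID, VLAN 200. The interface names, the MAC address, the VLAN IDs and the uplink port are all assumed values chosen for illustration.

```routeros
# Added example, not the thread's own configuration.
# Assumed: ether2 is the client access port, sfp-sfpplus1 is the trunk to
# the router/firewall, 00:11:22:33:44:55 is a constructed "known" MAC.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# untagged frames from ether2 default to VLAN 200 (guest) unless a rule rewrites them
add bridge=bridge1 interface=ether2 pvid=200
# uplink carries both VLANs tagged
add bridge=bridge1 interface=sfp-sfpplus1

/interface bridge vlan
# ether2 must be an untagged member of both VLANs so return traffic leaves untagged
add bridge=bridge1 vlan-ids=100 tagged=sfp-sfpplus1 untagged=ether2
add bridge=bridge1 vlan-ids=200 tagged=sfp-sfpplus1 untagged=ether2

/interface ethernet switch rule
# known device: rewrite its ingress VLAN to 100; the match is on source MAC only
add switch=switch1 ports=ether2 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF new-vlan-id=100

/interface bridge
# enable filtering last, once ports, VLAN table and rules are in place
set bridge1 vlan-filtering=yes
```

Two caveats follow directly from the replies below: the rule matches only the source MAC, so a frame can land in exactly one VLAN per rule and anything without a matching source MAC (including multicast) stays in the PVID VLAN; and because the decision rests on a MAC address alone, a device presenting that address gets VLAN 100 regardless of who it is, which is why the replies point to 802.1X with certificates or credentials for dynamic VLAN assignment where the separation matters.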

Assuming clients are using untagged frames (or else MAC-based VLANs would not work anyway), they can directly communicate bi-directionally only inside a single VLAN … the switch has to tag frames on ingress and mostly doesn’t perform any frame analysis apart from frame headers. Which means it doesn’t have any information that would allow it to decide between multiple VLAN IDs. And the switch also doesn’t duplicate frames on ingress (so that it could pass one copy of the frame in each VLAN).

MAC addresses are easily spoofed and thus never a good starting point from a security point of view.

MAC-based access control is inherently insecure - anyone can easily spoof a MAC and gain access. There are limitations using switch ACLs, only packets with the specified source MAC addresses are placed on the VLANs - packets with any other source MAC addresses, e.g. multicast, will not.

Using 802.1x allows ports to be dynamically configured to be placed on certain VLANs - this can still be done using MAC addresses, or more securely using certificates or credentials. I’m not sure why you would want multiple VLANs to be accessible to some devices, it is likely this would only be for some servers which would likely be trusted with statically configured untagged & tagged membership on the switch ports.