VLAN by MAC on CCR2004?

Hi,

I’m doing port-based VLAN at the moment.
This is pretty work-intensive - e.g. SIP devices that have to be put in their own VLAN may only be plugged into network ports with a “voip” VLAN.
Question: can RouterOS on CCR2004 do VLAN assignment based on the MAC address of a device?
(like DHCP can do it with static leases and IP addresses)
If yes, how can this be made possible?

Thanks for any help!
Sascha

I think this can help

https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#MAC_Based_VLAN

That page covers CRS3xx series switches, which makes me wonder …

TL;DR - only if CCR2004 model has 88E6191X switch chip; models with 98PX1012 don’t support VLAN

This forum post is highly relevant:
CCR2004-1G-12S+2XS - Hardware switching features
http://forum.mikrotik.com/t/ccr2004-1g-12s-2xs-hardware-switching-features/158691/1

That topic points to this page:
Switch Chip Features
https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features

Unfortunately, it has a Marvell-98PX1012 switch chip.
Is it possible to make VLAN by MAC done using CPU?

I don’t think the bridge firewall rules have the necessary functionality.

Using MAC addresses to control access is very dated and easily spoofed, there are more modern approaches it may be worth considering. e.g. 802.1X, LLDP voice VLAN or vendor specific DHCP options.

Okay, that’s a point.
What’s the best approach when using RouterOS? (which one is supported best / maintained easily?)

Certainly the DHCP option method works with Yealink phones - they initially make a DHCP request untagged, then release the address provided and make a second DHCP request tagged on the VLAN specified in the options from the first DHCP reply.

At the time (prior to RouterOS V6.48) there was no support for LLDP-MED network policy VLAN; this is probably the most straightforward method.

The DHCP vendor-class-id matcher was replaced with a generic matcher as of RouterOS 7.4 so any implementations on older versions will require some rework when their RouterOS is upgraded.

802.1X requires support by every edge switch port, and a RADIUS server with a database of MAC addresses, user credentials or certificates; the new RouterOS 7 user manager may be sufficient for some setups rather than a separate RADIUS server.

LLDP-MED, DHCP vendor and 802.1X MAC authorisation can all still be spoofed by non-telephony client devices having a VLAN tag set manually to gain access to the telephony network or faking DHCP requests / MAC address; you will have to assess if this is a real issue or not for your use case.

Full 802.1X with user credentials or certificates is secure but involves management of the client database and provisioning new devices with credentials or certificates.
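As an added illustration of the DHCP-option method described in the reply above (example configuration, not posted by anyone in this thread), this is how the two-phase exchange could be served from RouterOS 7.4+ using the generic matcher that replaced the vendor-class-id matcher. Assumptions: the voice VLAN is 20, the data-side DHCP server is named "dhcp-data", the phone identifies itself with "yealink" in DHCP option 60, and it reads its VLAN ID from DHCP option 132 as Yealink documents; the option code, value encoding and matcher syntax should be checked against your phone's manual and your RouterOS version.

```routeros
# Phase 1: the untagged request on the data network gets the voice VLAN ID
# handed back in option 132 (value encoding assumed to be an ASCII string).
/ip dhcp-server option
add name=voice-vlan-id code=132 value="'20'"

# Group the option so it can be attached to a matcher rather than to the
# whole server (other untagged clients must not receive option 132).
/ip dhcp-server option sets
add name=voice-phones options=voice-vlan-id

# Hand the option set only to clients whose option 60 (vendor class)
# contains "yealink"; matching-type is assumed to support substring.
/ip dhcp-server matcher
add name=yealink-untagged server=dhcp-data code=60 value="yealink" \
    matching-type=substring option-set=voice-phones

# Phase 2: after the phone releases the data lease and re-requests on
# VLAN 20, a plain DHCP server on the voice VLAN interface answers it.
/interface vlan
add name=vlan20-voice vlan-id=20 interface=bridge
/ip address
add address=10.20.0.1/24 interface=vlan20-voice
/ip pool
add name=voice-pool ranges=10.20.0.10-10.20.0.250
/ip dhcp-server
add name=dhcp-voice interface=vlan20-voice address-pool=voice-pool
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1
```

The DHCP leases list on both servers will show the same phone first on dhcp-data and then on dhcp-voice, which is a quick way to confirm the phase-1 option was actually delivered and acted on.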

Usually when you use VoIP phones in a company, you will have several of them, they will use PoE, etc.
In that case it is easiest to buy a suitable switch that supports LLDP, configure the voice VLAN on it, and connect the switch to the 2004 using a trunk port.
This kind of “enterprise” functionality is a bit behind on MikroTik equipment, that is why I would never buy one of their switches for a corporate setting.

I’d like to say a late thanks for all answers.
Since the topic is much more complicated than I thought, it has been postponed.
Thanks anyway.