pureeofromage
just joined
Topic Author
Posts: 2
Joined: Thu May 06, 2021 12:22 pm

MAC based vlan and guests

Thu May 06, 2021 12:39 pm

Hello, I found the MAC-based VLANs very useful to let users connect everywhere they want. Is it a good practice to implement that, I mean from a security point of view?
What would be the solution to redirect unknown MACs to a specific VLAN? For example VLAN 100 for known MACs and VLAN 200 for unknown MACs (guests)?
Is it possible to have a MAC on multiple VLANs? I'm using CRS3XX to implement that.
Thanks for your contribution!
 
pureeofromage
just joined
Topic Author
Posts: 2
Joined: Thu May 06, 2021 12:22 pm

Re: MAC based vlan and guests

Mon May 10, 2021 7:24 pm

I found the switch rule can help, but what about multiple VLANs for a single MAC?
Is it possible to implement VLAN tunneling this way?

Best regards
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: MAC based vlan and guests

Mon May 10, 2021 7:39 pm

Assuming clients are using untagged frames (or else MAC-based VLANs would not work anyway), they can bi-directionally communicate only inside a single VLAN ... the switch has to tag frames on ingress and mostly doesn't perform any frame analysis apart from the frame headers. This means it doesn't have any information that would allow it to decide between multiple VLAN IDs. And the switch also doesn't replicate frames on ingress (so that it could pass one copy of the frame in each VLAN).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MAC based vlan and guests

Mon May 10, 2021 7:44 pm

MAC addresses are easily spoofed and thus never a good starting point for security.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: MAC based vlan and guests

Mon May 10, 2021 7:47 pm

MAC-based access control is inherently insecure - anyone can easily spoof a MAC and gain access. There are limitations using switch ACLs: only packets with the specified source MAC addresses are placed on the VLANs; packets with any other source MAC address, e.g. multicast, will not be.

Using 802.1X allows ports to be dynamically configured to be placed on certain VLANs - this can still be done using MAC addresses, or more securely using certificates or credentials. I'm not sure why you would want multiple VLANs to be accessible to some devices; it is likely this would only be for some servers, which would likely be trusted with statically configured untagged & tagged membership on the switch ports.
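For reference, a minimal CRS3xx configuration sketch of the scheme the topic author asked about (known MACs steered into VLAN 100, everything else left on the port's guest PVID 200), added here as an illustration and not taken from any post in the thread. The switch name, bridge name, port assignments and MAC addresses are placeholders; the caveats tdw and mkx describe (unlisted or multicast source MACs fall through to the PVID, and a port cannot be in two VLANs bi-directionally) apply unchanged.

```routeros
# Added example, not from the thread. Assumes a CRS3xx with switch "switch1",
# bridge "bridge1", uplink ether1, access ports ether2-ether3. MACs are placeholders.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# pvid=200: a frame whose source MAC matches no switch rule lands in the guest VLAN
add bridge=bridge1 interface=ether2 hw=yes pvid=200
add bridge=bridge1 interface=ether3 hw=yes pvid=200
add bridge=bridge1 interface=ether1 hw=yes
/interface ethernet switch rule
# Known devices: exact source-MAC match (/FF:FF:FF:FF:FF:FF mask) on ingress
# rewrites the VLAN to 100. Only these source MACs match; anything else
# (unknown hosts, multicast sources) stays on pvid 200. A spoofed source MAC
# moves a host from 200 to 100, which is why this is not an access control.
add switch=switch1 ports=ether2,ether3 src-mac-address=AA:BB:CC:00:00:01/FF:FF:FF:FF:FF:FF new-vlan-id=100
add switch=switch1 ports=ether2,ether3 src-mac-address=AA:BB:CC:00:00:02/FF:FF:FF:FF:FF:FF new-vlan-id=100
/interface bridge vlan
# Access ports must be untagged members of both VLANs so each host receives its own
# VLAN untagged; the cost is that broadcast from both VLANs reaches every access port.
add bridge=bridge1 vlan-ids=100 tagged=bridge1,ether1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=200 tagged=bridge1,ether1 untagged=ether2,ether3
/interface bridge
set bridge1 vlan-filtering=yes
```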
