lindend
just joined
Topic Author
Posts: 19
Joined: Thu Jan 08, 2015 4:24 am

Tag MAC address with VLAN ID

Thu Jan 08, 2015 4:36 am

I need to associate a MAC address with a specific VLAN ID.

My config is a bridge (with DHCP server) where some Unifi access points connect along with a variety of devices that plug into a switch (the switch can forward VLAN tags but can't tag ports). There are three VLANs associated with this bridge and this bridge spans multiple ethernet ports (each VLAN has its own DHCP server too).

The Unifi APs are working smoothly with the VLANs but I need to force a couple of MAC addresses that are wired to the switch and not through the Unifi to be associated with the VLAN and not the bridge. I tried making the IP address associated with the MAC address static and using an address from the VLAN pool. Problem is, the device almost always ignores this and pulls a DHCP address from the bridge rather than using the statically allocated address from the VLAN DHCP pool.

Looking at the docs and winbox, a switch rule should solve my problem and let me force the destination VLAN id, but these rules don't work on the RB2011 series.

If in fact switch rules don't work on this model of router, is there a way to tag packets from a specific MAC address(es) with a VLAN id?
 
marklodge
Member Candidate
Posts: 250
Joined: Sun Jun 21, 2009 6:15 pm

Re: Tag MAC address with VLAN ID

Fri Aug 24, 2018 1:10 am

I would like to know the same:
is there a way to tag packets from a specific MAC address(es) with a VLAN id?
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Tag MAC address with VLAN ID

Fri Aug 24, 2018 9:27 am

I think you need a static DHCP lease more than a MAC bound to a VLAN.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Tag MAC address with VLAN ID

Fri Aug 24, 2018 12:02 pm

For MAC-based VLANs, you will need a CRS3xx.

If the switch can forward VLAN frames, you will have to tag the frames on the client device. If you can't tag on the client device, make the uplink port on the RB2011 from the switch an "Access Port" member of the VLAN, then all ports on the switch should be part of the VLAN and DHCP should work fine.

Maybe change the current switch to a Mikrotik switch, then you can create port-based VLANs where wired clients are connected; it does not need to be a CRS3xx.

Then again, it might be too much of a "zoo diverse" solution, and @sindy might have a better one :-)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tag MAC address with VLAN ID

Fri Aug 24, 2018 1:22 pm

> I tried making the IP address associated with the MAC address static and using an address from the VLAN pool.

This shows a total lack of understanding of how it really works. The DHCP server is attached to an L3 interface, so it serves only requests coming via that L3 interface. It may be able to assign an address which doesn't belong to any of the subnets associated with that L3 interface, but it won't work anyway as the packets coming from the assignee of that IP address will still be coming to the L3 interface to which the original DHCP request came. An exception would be devices which can receive a VLAN ID as a DHCP option (like some VoIP phones do) - such devices can then send the frames tagged with that VID and if the rest of the infrastructure can handle tagged frames, they get to the proper L3 interface via the VLAN.

> Looking at the docs and winbox, a switch rule should solve my problem and let me force the destination VLAN id, but these rules don't work on the RB2011 series.
> If in fact switch rules don't work on this model of router, is there a way to tag packets from a specific MAC address(es) with a VLAN id?

On 2011, switch rules with very few actions work only on the ports served by the 8327 switch chip, but that doesn't help in your case as this chip doesn't support assignment of new-vlan-id. And in /interface bridge nat, no action supports change or assignment of VLAN ID.

If you have several devices which send access mode frames (no VLAN tags) and you only need to put some of them in one IP subnet and some in another, this can be done without VLANs; several subnets may share the same L2 environment. However, it seems that you need devices connected in trunk mode (sending and receiving tagged frames) to share the same IP subnet with some devices in access mode connected to the same port of the Mikrotik (via the switch), and there is no way to do that unless you make use of some side effects.

The side effects which you could use are:
  • most Windows network drivers remove VLAN tags, so if they receive a frame tagged with any VLAN ID, they handle it as if it was tagless
  • the 8227 chip can be configured to add a tag with a VID of the default VLAN to tagless packets on ingress but not strip it selectively on egress

So connecting the switch to one of 2011's ports ether6 to ether10 and configuring that port this way using /interface ethernet switch port settings could be an ugly way to achieve your goal provided that it is enough that those devices talk to Mikrotik's L3 interface in that VLAN.

But if the tagged devices with the access devices should talk to each other directly at L2, it won't work even this way as the dumb switch will forward the frames between those devices directly so the frames will never reach the 2011 to get twisted the way you need.
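
A small model of the behaviour described in the reply above, added here as an example and not part of any post in this thread: the DHCP server that answers is chosen by the L3 interface the frame arrives on (802.1Q tag or port default VID), never by the client's MAC. The interface names, addresses and MAC are constructed sample values, and the lease table is a simplification of a real DHCP server.

```python
import struct

TPID_8021Q = 0x8100
MAC = "02:00:00:00:00:01"            # constructed, locally administered
VLAN_IFACES = {20: "vlan20"}         # assumed: one VLAN interface on the bridge
SERVERS = {                          # assumed: one DHCP server per L3 interface
    "bridge": {"pool": "192.168.88.100", "static": {}},
    "vlan20": {"pool": "10.0.20.100", "static": {MAC: "10.0.20.5"}},
}

def build_frame(src_mac, vid=None):
    """Constructed broadcast Ethernet II frame, optionally 802.1Q tagged."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return b"\xff" * 6 + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

def parse_frame(frame):
    """Return (src_mac, vlan_id or None) from the Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF         # low 12 bits of the TCI are the VID

def ingress_interface(frame, default_vid=None):
    """L3 interface the frame reaches; default_vid models a switch port
    that adds its default VLAN tag to untagged frames on ingress."""
    _, vid = parse_frame(frame)
    if vid is None:
        vid = default_vid
    if vid is None:
        return "bridge"              # still untagged: lands on the bridge itself
    return VLAN_IFACES.get(vid)      # None: no L3 interface for this VID

def dhcp_offer(frame, default_vid=None):
    """(interface, address) offered, or None if no server hears the request."""
    server = SERVERS.get(ingress_interface(frame, default_vid))
    if server is None:
        return None
    src, _ = parse_frame(frame)
    iface = ingress_interface(frame, default_vid)
    return iface, server["static"].get(src, server["pool"])

if __name__ == "__main__":
    print(dhcp_offer(build_frame(MAC)))                  # untagged client
    print(dhcp_offer(build_frame(MAC, vid=20)))          # client tags itself
    print(dhcp_offer(build_frame(MAC), default_vid=20))  # port default VID
```
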
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Tag MAC address with VLAN ID

Fri Aug 24, 2018 1:33 pm

See what I mean, sindy will be able to tell you what colour / color the vlan tag was when it passed through the switch / bridge at a specific date and time. :-)

Amazing amount of knowledge there
