SaS (Topic Author)

VLAN by MAC on CCR2004?

Fri Jan 27, 2023 7:00 pm

Hi,

I'm doing port-based VLAN at the moment.
This is pretty work-intensive - e.g. SIP devices that have to be put in their own VLAN may only be plugged into network ports with a "voip" VLAN.
Question: can RouterOS on CCR2004 do VLAN-assignment based on the MAC-Address of a device?
(like DHCP can do it with static leases and IP-Addresses)
If yes, how can this be made possible?

Thanks for any help!
Sascha
chechito

Re: VLAN by MAC on CCR2004?

Fri Jan 27, 2023 7:54 pm

ConradPino

Re: VLAN by MAC on CCR2004?

Fri Jan 27, 2023 8:16 pm

That page covers CRS3xx series switches, which makes me wonder ...
ConradPino

Re: VLAN by MAC on CCR2004?

Fri Jan 27, 2023 8:37 pm

TL;DR - only if CCR2004 model has 88E6191X switch chip; models with 98PX1012 don't support VLAN

This forum post is highly relevant:
CCR2004-1G-12S+2XS - Hardware switching features
viewtopic.php?t=186766

That topic points to this page:
Switch Chip Features
https://help.mikrotik.com/docs/display/ ... p+Features
SaS (Topic Author)

Re: VLAN by MAC on CCR2004?

Sat Jan 28, 2023 9:24 am

Unfortunately, it has a Marvell-98PX1012 switch chip.
Is it possible to make VLAN by MAC done using CPU?
tdw

Re: VLAN by MAC on CCR2004?

Sun Jan 29, 2023 3:13 am

I don't think the bridge firewall rules have the necessary functionality.

Using MAC addresses to control access is very dated and easily spoofed; there are more modern approaches it may be worth considering, e.g. 802.1X, LLDP voice VLAN or vendor-specific DHCP options.
SaS (Topic Author)

Re: VLAN by MAC on CCR2004?

Wed Feb 01, 2023 10:36 am

> I don't think the bridge firewall rules have the necessary functionality.
>
> Using MAC addresses to control access is very dated and easily spoofed; there are more modern approaches it may be worth considering, e.g. 802.1X, LLDP voice VLAN or vendor-specific DHCP options.

Okay, that's a point.
What's the best approach when using RouterOS? (which one is supported best / maintained easily?)
tdw

Re: VLAN by MAC on CCR2004?

Wed Feb 01, 2023 4:21 pm

Certainly the DHCP option method works with Yealink phones - they initially make a DHCP request untagged, then release the address provided and make a second DHCP request tagged on the VLAN specified in the options from the first DHCP reply.

At the time (prior to RouterOS V6.48) there was no support for LLDP-MED network policy VLAN, this is probably the most straightforward method.

The DHCP vendor-class-id matcher was replaced with a generic matcher as of RouterOS 7.4 so any implementations on older versions will require some rework when their RouterOS is upgraded.

802.1X requires support by every edge switch port, and a RADIUS server with a database of MAC addresses, user credentials or certificates; the new RouterOS 7 user manager may be sufficient for some setups rather than a separate RADIUS server.

LLDP-MED, DHCP vendor and 802.1X MAC authorisation can all still be spoofed by non-telephony client devices having a VLAN tag set manually to gain access to the telephony network, or by faking DHCP requests / MAC addresses; you will have to assess whether this is a real issue for your use case.

Full 802.1X with user credentials or certificates is secure but involves management of the client database and provisioning new devices with credentials or certificates.
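An added RouterOS 7 configuration sketch of the DHCP-option method described above (not from this thread or from MikroTik's docs). It assumes a data DHCP server named dhcp-data on the untagged LAN, a voice VLAN interface vlan100-voip with pool voip-pool, and phones that read DHCP option 132 as the VLAN ID, as Yealink documents; check the option number and value encoding against your phone vendor's documentation.

```routeros
# Phones boot untagged, get a lease from dhcp-data together with option 132,
# then release it and re-request tagged on VLAN 100 where dhcp-voip answers.
# Assumed names: dhcp-data, data-pool, vlan100-voip, voip-pool.

# Option 132 carrying the voice VLAN ID as a string ('...' marks a string value)
/ip dhcp-server option
add name=voip-vlan-id code=132 value="'100'"

# Bundle it into an option set that only matched phones receive
/ip dhcp-server option sets
add name=voip-bootstrap options=voip-vlan-id

# RouterOS 7.4+ generic matcher: match on option 60 (vendor class identifier)
# by substring, so only clients announcing "yealink" get the voice option set
/ip dhcp-server matcher
add name=yealink-phones server=dhcp-data code=60 value="yealink" \
    matching-type=substring option-set=voip-bootstrap address-pool=data-pool

# Separate DHCP server on the voice VLAN for the second, tagged request
/ip dhcp-server
add name=dhcp-voip interface=vlan100-voip address-pool=voip-pool
```

Any client on the data LAN can present a "yealink" vendor class, so the matcher selects the bootstrap hint only; what actually separates the telephony network is bridge VLAN filtering on which ports may carry VLAN 100 tagged.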
pe1chl

Re: VLAN by MAC on CCR2004?

Wed Feb 01, 2023 4:38 pm

Usually when you use VoIP phones in a company, you will have several of them, they will use PoE, etc.
In that case it is easiest to buy a suitable switch that supports LLDP, configure the voice VLAN on it, and connect the switch to the 2004 using a trunk port.
This kind of "enterprise" functionality is a bit behind on MikroTik equipment, that is why I would never buy one of their switches for a corporate setting.
SaS (Topic Author)

Re: VLAN by MAC on CCR2004?

Sat Oct 14, 2023 8:55 am

I'd like to say a late thanks for all answers.
Since the topic is much more complicated than I thought, it has been postponed.
Thanks anyway.