Assign a device to a specific VLAN based on its MAC Address


#1

I opened a support ticket on this, but got back a terse & unintelligible reply. (Ticket #761833) But based on what I think that reply was trying to say, it would appear that at present, one cannot have the Pepwave’s DHCP server assign a device to a specific VLAN based solely on the device MAC Address.

I would like to see such a feature added.

In my case, I have devices on the wired network which cannot be physically isolated on the network, so putting them on a VLAN based on LAN port number isn’t an option. Yet I want to logically isolate them to a different VLAN. My old Cisco router allowed me to assign devices to various VLANs based on their MAC Addresses, so I was surprised that when I put the devices on a VLAN’s DHCP Reservation List on my Pepwave, that didn’t cause the devices to be assigned to that VLAN. Instead, they were still assigned IP addresses on the default VLAN. (And I’ll add for completeness, the devices are not listed in the default VLAN’s DHCP Reservation List.)

I am running firmware 6.3.1.


Is it possible to VLAN tag devices by MAC address or some other way?
#2

Hi,

After verifying the support ticket & the forum post, I assume that you may be looking at the network design below to logically isolate the guest network:


Based on the network design numbering:

  1. VLAN trunking between SOHO & Switch
     • You need to make sure the switch is an L2 managed switch
     • The VLAN trunk is defined for the switch port that is connected to the SOHO LAN (Untagged, VLAN1)
  2. For Guest devices that are connected to the switch ports, Port access VLAN1 needs to be defined for the switch ports.
     • Guest PC should get the VLAN1 reserved IP address
  3. For Staff devices that are connected to the switch ports, Native VLAN/Untagged VLAN needs to be defined for the switch ports
     • Staff PC should get the native/untagged VLAN reserved IP address

Do let me know whether the above is what you are looking at. Otherwise, we can discuss this further.

Thank You


#3

Hi, it would be of interest to know how your old CISCO was able to manage VLAN allocation by MAC address in the manner you describe, as that’s something I’ve not seen used before. I know of only two typical approaches to this kind of dynamic VLAN assignment: CISCO VLAN Management Policy Server (VMPS), which is a proprietary CISCO technology (so not something you would expect to find in another vendor’s hardware), and the provision for port based Network Access Control in 802.11x.

We have had a number of requests recently for 802.11x support, and so it’s on the engineering team’s radar for review for potential future inclusion in our firmware.

So for the time being there is no way to achieve what you are looking to do dynamically. Instead you would need to either set a VLAN ID on the client device to tag all traffic between it and the Peplink device (across a switch infrastructure that supports VLAN tagging), or use VLAN port based isolation of traffic on the switch / Peplink your end device is connected to if your remote device cannot tag its own traffic.

Martin


#4

Yes, as you noted, the CISCO VLAN Management Policy Server (VMPS) allows this. And as sitloongs noted, a number of managed switches allow this as well (e.g. Netgear, etc.)

Since I’ve never written a DHCP server myself, I don’t know what is required to avoid opening up a security vulnerability if the DHCP server on the untagged (default) VLAN also checks the DHCP Reservation Lists of the other VLANs and makes assignments accordingly.

But I’d still like to suggest that you consider adding MAC based Dynamic VLAN Assignments to your product roadmap.