Objective
This article provides instructions on how to configure MAC-Based groups on a switch.
Applicable Devices | Software Version
Introduction
A Virtual Local Area Network (VLAN) allows you to logically segment a Local Area Network (LAN) into different broadcast domains. In scenarios where sensitive data may be broadcast on a network, VLANs can be created to enhance security by designating a broadcast to a specific VLAN. Only users that belong to a VLAN are able to access and manipulate the data on that VLAN. VLANs can also be used to enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations.
Networking devices on which multiple protocols are running cannot be grouped to a common VLAN. Non-standard devices are used to pass traffic between different VLANs in order to include the devices participating in a specific protocol. For this reason, the user cannot take advantage of the many features of VLAN.
VLAN groups are used to load balance the traffic on a Layer 2 network. The packets are distributed with respect to different classifications and are assigned to VLANs. Many different classifications exist, and if more than one classification scheme is defined, the packets are assigned to the VLAN in this order:
- Tag — The VLAN number is recognized from the tag.
- MAC-Based VLAN — The VLAN is recognized from the source Media Access Control (MAC)-to-VLAN mapping of the ingress interface.
- Subnet-Based VLAN — The VLAN is recognized from the source Subnet-to-VLAN mapping of the ingress interface. To learn how to configure this feature, click here for instructions.
- Protocol-Based VLAN — The VLAN is recognized from the Ethernet type Protocol-to-VLAN mapping of the ingress interface.
- PVID — VLAN is recognized from the port default VLAN ID.
The MAC-based VLAN classification enables packets to be classified according to their source MAC address. You can then define MAC-to-VLAN mapping per interface. You can also define several MAC-based VLAN groups, with each group containing different MAC addresses. These MAC-based groups can be assigned to specific ports or LAGs. MAC-based VLAN groups cannot contain overlapping ranges of MAC addresses on the same port.
Configure MAC-Based VLAN Groups on the Switch
Add MAC-Based VLAN Group
Step 1
Log in to the web-based utility and choose Advanced from the Display Mode drop-down list.
Step 2
Choose VLAN Management > VLAN Groups > MAC-Based Groups.
The available menu options may vary depending on the device model.
Step 3
In the MAC-Based Group Table, click the plus icon.
Step 4
Enter the MAC address to be assigned to a VLAN group. This MAC address cannot be assigned to any other VLAN group.
Click the radio button that corresponds to the method you want to use to define the Prefix Mask. The prefix mask looks at a certain number of bits and then assigns the MAC address to a VLAN group.
The options are:
- Host — The entire MAC address is looked at and put into a group. You can only group MAC addresses one at a time when you use host. If this option is chosen, skip to Step 5.
- Length — Only a section of the MAC address is looked at (from left to right) and then placed in a group. The lower the length number, the fewer bits are looked at. This means you can assign a large number of MAC addresses to a VLAN group at once. If this option is chosen, enter the length of the prefix mask in the Length field.
In the Group ID field, enter an ID to identify the MAC-Based VLAN group.
Step 5
Click Apply then click Close.
Step 6
Click Save to save settings to the startup configuration file.
You should now have added a MAC-Based VLAN group on your switch.
Delete MAC-Based VLAN Group
Step 1
Click VLAN Management.
Step 2
Choose VLAN Groups > MAC-Based Groups.
Step 3
In the MAC-Based Group Table, check the box next to the MAC-Based VLAN group you would like to delete. Click the trash icon to delete.
Step 4
Click Save to save settings to the startup configuration file.
The MAC-Based VLAN group should now be deleted from your switch.
You should now have configured MAC-Based VLAN groups on your switch. To learn how to map MAC-Based groups to VLAN, click here for instructions.
Objective
This article provides instructions on how to configure MAC-based groups on a Cisco Business 350 series switch through the Command Line Interface (CLI).
Applicable Devices | Software Version
Introduction
A Virtual Local Area Network (VLAN) allows you to logically segment a Local Area Network (LAN) into different broadcast domains. In scenarios where sensitive data may be broadcast on a network, VLANs can be created to enhance security by designating a broadcast to a specific VLAN. Only users that belong to a VLAN are able to access and manipulate the data on that VLAN. VLANs can also be used to enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations.
To learn how to configure the VLAN settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.
Networking devices on which multiple protocols are running cannot be grouped to a common VLAN. Non-standard devices are used to pass traffic between different VLANs in order to include the devices participating in a specific protocol. For this reason, you cannot take advantage of the many features of VLAN.
VLAN groups are used to load balance the traffic on a Layer 2 network. The packets are distributed with respect to different classifications and are assigned to VLANs. Many different classifications exist, and if more than one classification scheme is defined, the packets are assigned to the VLAN in this order:
- Tag - The VLAN number is recognized from the tag.
- MAC-based VLAN - The VLAN is recognized from the source Media Access Control (MAC)-to-VLAN mapping of the ingress interface.
- Subnet-based VLAN - The VLAN is recognized from the source Subnet-to-VLAN mapping of the ingress interface.
- Protocol-based VLAN - The VLAN is recognized from the Ethernet type Protocol-to-VLAN mapping of the ingress interface.
- PVID - VLAN is recognized from the port default VLAN ID.
The MAC-based VLAN classification enables packets to be classified according to their source MAC address. You can then define MAC-to-VLAN mapping per interface. You can also define several MAC-based VLAN groups, with each group containing different MAC addresses. These MAC-based groups can be assigned to specific ports or LAGs. MAC-based VLAN groups cannot contain overlapping ranges of MAC addresses on the same port.
Forwarding of packets based on the MAC addresses of the devices requires setting up groups of MAC addresses and then mapping these groups to VLANs. You can configure up to 256 MAC addresses, host or range, which can be mapped to one or many MAC-based VLAN groups.
To configure VLAN groups on your switch, follow these guidelines:
1. Create the VLANs. To learn how to configure the VLAN settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.
2. Configure interfaces to VLANs. For instructions on how to assign interfaces to VLANs through the web-based utility of your switch, click here. For CLI-based instructions, click here.
If the interface does not belong to the VLAN, the MAC-based groups to VLAN configuration setting will not take effect.
3. Configure MAC-based VLAN groups on your switch. For instructions on how to configure MAC-based VLAN Groups through the web-based utility of your switch, click here.
4. (Optional) You can also configure the following:
- Subnet-based VLAN Groups Overview - For instructions on how to configure subnet-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
- Protocol-based VLAN Groups Overview - For instructions on how to configure Protocol-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
Configure MAC-based VLAN Groups on the Switch through the CLI
Create MAC-based VLAN Group
Step 1
Log in to the switch console. The default username and password are cisco/cisco. If you have configured a new username or password, enter those credentials instead.
The commands may vary depending on the exact model of your switch.
Step 2
From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
CBS350#configure
Step 3
In the Global Configuration mode, enter the VLAN Configuration context, where MAC-based classification rules are configured, by entering the following:
CBS350(config)#vlan database
Step 4
To map a MAC address or range of MAC addresses to a group of MAC addresses, enter the following:
CBS350(config-vlan)#map mac [mac-address] [prefix-mask|host] macs-group [group-id]
The options are:
- mac-address - Specifies the MAC address to be mapped to the VLAN group. This MAC address cannot be assigned to any other VLAN group.
- prefix-mask - Specifies the prefix of the MAC address. Only a section of the MAC address is looked at (from left to right) and then placed in a group. The lower the length number, the fewer bits are looked at. This means you can assign a large number of MAC addresses to a VLAN group at once.
- host - Specifies the source host of the MAC address. The entire 48-bit MAC address is looked at and put into a group.
- group-id - Specifies the group number to be created. Group ID can range from one up to 2147483647.
Step 5
To exit the VLAN Configuration context, enter the following:
CBS350(config-vlan)#exit
You have now configured the MAC-based VLAN groups on your switch through the CLI.
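The prefix-mask and host options above (Length and Host in the web-based utility) decide how many addresses one entry covers, and groups used on the same port must not overlap. The following Python script is an added example, not Cisco code: it audits a planned list of entries before they are entered on the switch. It assumes the prefix mask is a count of leading bits and that all groups are mapped on the same port; the function names and the sample plan are constructed for illustration.

```python
# Added example: audit planned "map mac" entries. Sample values are constructed.
MAX_ENTRIES = 256            # entry limit stated in the article
MAX_GROUP_ID = 2147483647    # group-id upper bound stated in the article

def mac_to_int(mac):
    """Parse a MAC written with ':', '-' or '.' separators into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def covered_range(mac, prefix_len):
    """(first, last) address matched when only the leftmost prefix_len bits
    are compared. prefix_len=48 models the 'host' option."""
    if not 1 <= prefix_len <= 48:   # assumed bounds; the switch may accept fewer
        raise ValueError(f"prefix length out of range: {prefix_len}")
    host_bits = 48 - prefix_len
    first = (mac_to_int(mac) >> host_bits) << host_bits
    return first, first | ((1 << host_bits) - 1)

def audit(entries):
    """entries: (mac, prefix_len, group_id) tuples. Returns a list of problems."""
    problems, seen = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for mac, plen, gid in entries:
        if not 1 <= gid <= MAX_GROUP_ID:
            problems.append(f"{mac}/{plen}: group-id {gid} out of range")
        lo, hi = covered_range(mac, plen)
        for o_label, o_gid, o_lo, o_hi in seen:
            if gid != o_gid and lo <= o_hi and o_lo <= hi:
                problems.append(f"{mac}/{plen} (group {gid}) overlaps {o_label} (group {o_gid})")
        seen.append((f"{mac}/{plen}", gid, lo, hi))
    return problems

def matching_groups(src_mac, entries):
    """Group IDs whose entry covers src_mac; more than one means ambiguity."""
    addr = mac_to_int(src_mac)
    return sorted({gid for mac, plen, gid in entries
                   if covered_range(mac, plen)[0] <= addr <= covered_range(mac, plen)[1]})

PLAN = [  # constructed sample plan
    ("00:11:22:33:44:55", 48, 10),   # host entry: one address
    ("00:aa:bb:00:00:00", 24, 20),   # first 24 bits: 2**24 addresses
    ("00:aa:bb:cc:00:00", 32, 30),   # falls inside the 24-bit entry above
]

if __name__ == "__main__":
    for problem in audit(PLAN):
        print("PROBLEM:", problem)
    print(matching_groups("00:aa:bb:cc:12:34", PLAN))
```

A short prefix places every device sharing those leading bits into the group, so reviewing the covered range is a quick way to see how broad an entry really is.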
Map MAC-based VLAN Group to VLAN
Step 1
In the Global Configuration mode, enter the Interface Configuration context by entering the following:
CBS350(config)#interface [interface-id|range interface-range]
The options are:
- interface-id - Specifies an interface ID to be configured.
- range interface-range - Specifies a list of VLANs. Separate nonconsecutive VLANs with a comma and no spaces. Use a hyphen to designate a range of VLANs.
Step 2
In the Interface Configuration context, use the switchport mode command to configure the VLAN membership mode:
CBS350(config-if)#switchport mode general
- general - The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.
Step 3 (Optional)
To return the port to the default VLAN, enter the following:
CBS350(config-if)#no switchport mode general
Step 4
To configure a MAC-based classification rule, enter the following:
CBS350(config-if)#switchport general map macs-group [group] vlan [vlan-id]
The options are:
- group - Specifies the MAC-based group ID to filter the traffic through the port. The range is from one up to 2147483647.
- vlan-id - Specifies the VLAN ID to which the traffic from the VLAN group is forwarded. The range is from one to 4094.
Step 5
To exit the Interface Configuration context, enter the following:
CBS350(config-if)#exit
Step 6 (Optional)
To remove the classification rule from the port or range of ports, enter the following:
CBS350(config-if)#no switchport general map macs-group [group]
Step 7 (Optional)
Repeat steps 1 to 6 to configure more general ports and assign to the corresponding MAC-based VLAN groups.
Step 8
Enter the end command to go back to the Privileged EXEC mode:
CBS350(config-if-range)#end
You have now mapped MAC-based VLAN groups to the VLANs on your switch through the CLI.
Show MAC-based VLAN Groups
Step 1
To display the MAC addresses that belong to the defined MAC-based classification rules, enter the following in the Privileged EXEC mode:
CBS350#show vlan macs-groups
Step 2 (Optional)
To display the classification rules of a specific port on the VLAN, enter the following:
CBS350#show interfaces switchport [interface-id]
- interface-id - Specifies an interface ID.
Each port mode has its own private configuration. The show interfaces switchport command displays all these configurations, but only the port mode configuration that corresponds to the current port mode displayed in Administrative Mode area is active.
Step 3 (Optional)
In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
CBS350#copy running-config startup-config
Step 4 (Optional)
Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You have now displayed the MAC-based VLAN group and port configuration settings on your switch.
To proceed with configuring the VLAN group settings on your switch, follow the guidelines above.