Configure MAC-based VLAN Groups on a Switch through the CLI

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

• Tag - The VLAN number is recognized from the tag.
• MAC-based VLAN - The VLAN is recognized from the source Media Access Control (MAC)-to-VLAN mapping of the ingress interface.
• Subnet-based VLAN - The VLAN is recognized from the source Subnet-to-VLAN mapping of the ingress interface.
• Protocol-based VLAN - The VLAN is recognized from the Ethernet type Protocol-to-VLAN mapping of the ingress interface.
• PVID - VLAN is recognized from the port default VLAN ID.

1. Create the VLANs. To learn how to configure the VLAN settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.

2. Configure interfaces to VLANs. For instructions on how to assign interfaces to VLANs through the web-based utility of your switch, click here. For CLI-based instructions, click here.

Note: If the interface does not belong to the VLAN, the MAC-based groups to VLAN configuration setting will not take effect.

3. Configure MAC-based VLAN groups on your switch. For instructions on how to configure MAC-based VLAN Groups through the web-based utility of your switch, click here.

4. (Optional) You can also configure the following:

• Subnet-based VLAN Groups Overview — For instructions on how to configure subnet-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
• Protocol-based VLAN Groups Overview — For instructions on how to configure Protocol-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.

Objective

The MAC-based VLAN classification enables packets to be classified according to their source MAC address. You can then define MAC-to-VLAN mapping per interface. You can also define several MAC-based VLAN groups, which each group containing different MAC addresses. These MAC-based groups can be assigned to specific ports or LAGs. MAC-based VLAN groups cannot contain overlapping ranges of MAC addresses on the same port.

Forwarding of packets based on the MAC addresses of the devices requires setting up groups of MAC addresses and then mapping these groups to VLANs. You can configure up to 256 MAC addresses, host or range, which can be mapped to one or many MAC-based VLAN groups.

This article provides instructions on how to configure MAC-based groups on a switch through the CLI.

Applicable Devices | Software Version

• CBS250 (Data Sheet) | 3.0.0
• CBS350 (Data Sheet) | 3.0.0
• CBS350-2X (Data Sheet) | 3.0.0
• CBS350-4X (Data Sheet) | 3.0.0

Configure MAC-based VLAN Groups on the Switch through the CLI

Create MAC-based VLAN Group

Step 1. Log in to the switch console. The default username and password is cisco/cisco. If you have configured a new username or password, enter the credentials instead.

Note: The commands may vary depending on the exact model of your switch. In this example, the CBS350 switch is accessed through Telnet.

Step 2. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:

CBS350# configure

Step 3. In the Global Configuration mode, configure a MAC-based classification rule by entering the following:

CBS350(config)# vlan database

Step 4. To map a MAC address or range of MAC addresses to a group of MAC addresses, enter the following:

CBS350(config-vlan)# map mac [mac-address][prefix-mask | host]macs-group [group-id]

The options are:

• mac-address - Specifies the MAC address to be mapped to the VLAN group. This MAC address cannot be assigned to any other VLAN group.
• prefix-mask - Specifies the prefix of the MAC address. Only a section of the MAC address is looked at (from left to right) and then placed in a group. The lower the length number, the fewer bits are looked at. This means you can assign a large number of MAC addresses to a VLAN group at once.
• host - Specifies the source host of the MAC address. The entire 48-bit MAC address is looked at and put into a group.
• group-id - Specifies the group number to be created. Group ID can range from one up to 2147483647.

Step 5. To exit the Interface Configuration context, enter the following:

CBS350(config-vlan)# exit

You should now have configured the MAC-based VLAN groups on your switch through the CLI.

Map MAC-based VLAN Group to VLAN

Step 1. In the Global Configuration mode, enter the Interface Configuration context by entering the following:

CBS350# interface [interface-id | range interface-range]

The options are:

• interface-id - Specifies an interface ID to be configured.
• range interface-range - Specifies a list of VLANs. Separate nonconsecutive VLANs with a comma and no spaces. Use a hyphen to designate a range of VLANs.

Step 2. In the Interface Configuration context, use the switchport mode command to configure the VLAN membership mode:

• general - The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.

Step 3. (Optional) To return the port to the default VLAN, enter the following:

CBS350(config-if)# no switchport mode general

Step 4. To configure a MAC-based classification rule, enter the following:

CBS350(config-if)# switchport general map macs-group [group] vlan [vlan-id]

The options are:

• group - Specifies the MAC-based group ID to filter the traffic through the port. The range is from one up to 2147483647.
• vlan-id - Specifies the VLAN ID to which the traffic from the VLAN group is forwarded. The range is from one to 4094.

Step 5. To exit the Interface Configuration context, enter the following:

CBS350(config-if)# exit

Step 6. (Optional) To remove the classification rule from the port or range of ports, enter the following:

CBS350(config-if)# no switchport general map mac-groups group

Step 7. (Optional) Repeat steps 1 to 6 to configure more general ports and assign to the corresponding MAC-based VLAN groups.

Step 8. Enter the end command to go back to the Privileged EXEC mode:

CBS350(config-if-range)# end

You should now have mapped MAC-based VLAN groups to the VLANs on your switch through the CLI.

Show MAC-based VLAN Groups

Step 1. To display the MAC addresses that belong to the defined MAC-based classification rules, enter the following in the Privileged EXEC mode:

CBS350# show vlan macs-groups

Step 2. (Optional) To display the classification rules of a specific port on the VLAN, enter the following:

• interface-id - Specifies an interface ID.

Note: Each port mode has its own private configuration. The show interfaces switchport command displays all these configurations, but only the port mode configuration that corresponds to the current port mode displayed in Administrative Mode area is active.

Step 3. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:

CBS350# copy running-config startup-config

Step 4. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.

You should now have displayed the MAC-based VLAN group and port configuration settings on your switch.

Important: To proceed with configuring the VLAN group settings on your switch, follow the guidelines above.