Dynamic VLAN Assignment --> possible?
Posted: Sun Dec 31, 2023 2:50 pm
Hi,
This is a bit of a hypothetical question at the moment, and while typing this out even, I started to come up with possible reasons in my mind why this can't work... we've already got an RB4011 as our router and we're starting to replace the switches here with MikroTik switches.
We have a couple of VLANs on our system (we have the phone system on its own VLAN, the access control and CCTV on its own VLAN, one for visitor WiFi etc).
Is it possible to have the switches dynamically set a port to a particular VLAN, based on what is plugged into it?
All the devices that we have on our network have static IPs assigned by the DHCP Server (we're using the RB4011 as the DHCP for all VLANs). Therefore, I could (for example) create a list of all the devices that are "allowed" to be on the phone system VLAN. If I then plug a phone into a network socket somewhere, the port would be assigned to that VLAN.
The fall-back would always be the visitor WiFi VLAN - you have to authenticate whether you're connected via WiFi or plugged in to a socket. Therefore, all ports with nothing plugged in would be in this VLAN (in my head, there's a timeout on the switch that if a port has nothing plugged in for so long, then the port is assigned to this VLAN) AND if a device that isn't in our DHCP list is plugged in, then the VLAN assignment stays as the visitor WiFi VLAN (or goes back to the visitor VLAN if previously something that was in the list was plugged in and the timeout hasn't elapsed) so that the person has to authenticate to be able to do anything.
I can imagine that if this is possible, the switches would need to run RouterOS not switchOS so that we can use the API maybe, and that this would need to be done from scripts that are run from the router when a device grabs an IP Address from the DHCP? What I can't work out in my head is how the router would be able to do anything with the device if the port on the switch wasn't in the correct VLAN to start with so that the relevant DHCP/Address pool etc was accessible.
If this is a stupid idea and not possible, then please just ignore me