MAC OUI-Based VLAN Assignment
Overview
MAC OUI-based VLAN assignment allows network administrators to automatically place devices into specific VLANs based on their MAC address prefix (OUI).
This method enables automatic network segmentation without requiring manual VLAN configuration on each switch port.
Example use case:
Device Type | VLAN |
Authorized devices | VLAN 1 (Production VLAN) |
Unknown devices | VLAN 20 (Guest VLAN) |
Purpose
The purpose of this configuration is to automatically identify devices using their MAC OUI and assign them to the appropriate VLAN.
This helps ensure:
Production devices connect to the correct network
Unauthorized or unknown devices remain isolated
Network segmentation is maintained automatically
Prerequisites
Before configuring MAC OUI-based VLAN policies, ensure the following:
Administrative access to the Pronto Cloud Portal
Access to the switch configuration interface
VLANs already created on the network
Access to the wireless controller or management portal
A list of approved device MAC OUI prefixes
Step 1 – Configure VLAN Policy on the Switch
Create VLANs
Create VLANs according to the network design.
Example:
VLAN | Purpose |
VLAN 1 | Production VLAN |
VLAN 20 | Guest VLAN |
Configure Router–Switch Uplink
The uplink port between the router and switch must allow multiple VLANs.
Configuration example:
VLAN | Mode |
VLAN 1 | Native |
VLAN 20 | Tagged |
Additional VLANs can be added if required.
Configure Access Point Ports
Ports connected to access points should allow the same VLAN configuration:
VLAN | Mode |
VLAN 1 | Native |
VLAN 20 | Tagged |
This ensures wireless clients can access the appropriate VLAN.
Configure Client Ports
Switch ports connected to end devices can be assigned to the Guest VLAN (VLAN 20) or any other VLAN.
This ensures:
Unknown devices (those without a customer OUI) remain in the guest network or in whichever other VLAN is configured on the port
Approved devices can be automatically moved to the production VLAN using MAC OUI rules
Step 2 – Configure MAC VLAN Group
Navigate to the MAC VLAN Group configuration section in the Pronto portal.
Create a new MAC VLAN group and select the target scope:
Network
Tag
Specific device
Add MAC OUI Entries
Add MAC OUI prefixes for approved devices.
Example:
MAC | Mask | VLAN ID | Priority |
00:0C:66:00:00:00 | FF:FF:FF:00:00:00 | 1 | 1 |
11:22:33:00:00:00 | FF:FF:FF:00:00:00 | 300 | 1 |
This configuration ensures that any device whose MAC address begins with 00:0C:66 is automatically assigned to VLAN 1, and any device whose MAC address begins with 11:22:33 is assigned to VLAN 300.
Additional OUI entries can be added using the Add MAC OUI option.
Step 3 – Validation
Test with a Non-Approved Device
Connect a device that does not match the configured MAC OUI.
Verify that it remains in the Guest VLAN (VLAN 20) or in the VLAN allocated to the switch port.
Test with an Approved Device
Connect a device that matches the configured MAC OUI.
Verify that it is automatically assigned to VLAN 1 or 300 based on MAC OUI.
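The mask-and-compare decision behind the Step 2 entries and the Step 3 checks, written out as an added example (this is not Pronto code). The rule values and the port VLAN come from this page; the test addresses are constructed, and treating a lower Priority number as evaluated first is an assumption, since the page does not define the field.

```python
# Added illustration, not Pronto code. Rule values are the Step 2 example entries.
from typing import NamedTuple

PORT_VLAN = 20  # Guest VLAN assigned to the client port in Step 1


class OuiRule(NamedTuple):
    mac: str
    mask: str
    vlan_id: int
    priority: int


RULES = [
    OuiRule("00:0C:66:00:00:00", "FF:FF:FF:00:00:00", 1, 1),
    OuiRule("11:22:33:00:00:00", "FF:FF:FF:00:00:00", 300, 1),
]


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or aabb.ccdd.eeff; return a 48-bit int."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def assign_vlan(mac: str, rules=RULES, port_vlan: int = PORT_VLAN) -> int:
    """Return the VLAN for a source MAC: first matching rule, else the port VLAN."""
    addr = mac_to_int(mac)
    # Assumption: a lower priority number is evaluated first; ties keep list order.
    for rule in sorted(rules, key=lambda r: r.priority):
        mask = mac_to_int(rule.mask)
        # Only the bits set in the mask take part in the comparison.
        if (addr & mask) == (mac_to_int(rule.mac) & mask):
            return rule.vlan_id
    return port_vlan


if __name__ == "__main__":
    # Constructed test addresses mirroring the Step 3 validation cases.
    for sample in ("00:0c:66:12:34:56", "1122.33ab.cdef", "3C-5A-B4-01-02-03"):
        print(sample, "-> VLAN", assign_vlan(sample))
```

With the mask FF:FF:FF:00:00:00, only the first three octets of the address take part in the decision; the remaining three are ignored.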
Optional: Wireless OUI Filtering
OUI-based filtering can also be applied to wireless networks.
Steps:
Log in to the wireless controller.
Select the target SSID.
Enable Wireless OUI filtering.
Add allowed MAC OUI prefixes.
Save the configuration.
This ensures only approved devices can connect to the wireless network.
Optional: Restrict Guest Traffic on LTE
Guest VLAN traffic can be restricted when the network is using a cellular uplink.
This can be achieved by creating a Layer 3 ACL rule that blocks guest VLAN traffic over the LTE interface.
Example:
VLAN | Network |
VLAN 20 | 10.20.20.0/24 |
Behavior:
Condition | Result |
Wired uplink active | Guest traffic allowed |
LTE fallback active | Guest traffic blocked |
✅ Conclusion
MAC OUI-based VLAN assignment provides:
Automatic device classification
Improved network segmentation
Better security and traffic isolation
This feature works through the MAC VLAN Group configuration in Pronto, where MAC prefixes are mapped to VLAN IDs.

