Skip to content

VMAC Usage Guide

Generating a VMAC

From the Admin Panel

VMACs are generated through the Virtual MACs embed (accessible from the server detail page in Tenantos or directly at /embed/virtual-macs).

  1. Open the server's IP list
  2. Click Generate next to the IP that needs a VMAC
  3. The system generates a unique MAC, creates a DB record, and pushes the binding to all connected switches
  4. Status updates to active on success

Via API

POST /api/virtual-macs
Content-Type: application/json
Authorization: Bearer <token>

{
  "serverId": 123,
  "ip": "10.0.48.7",
  "mac": "02:ab:cd:ef:12:34",
  "vlanName": "VLAN.13",
  "context": "modal"
}

Batch Apply

Multiple generate/revoke actions can be batched into a single switch session:

POST /api/virtual-macs/{serverId}/apply
Content-Type: application/json

{
  "changes": [
    { "ip_id": 1, "ip_address": "10.0.48.7", "action": "generate" },
    { "ip_id": 2, "ip_address": "10.0.48.8", "action": "generate" },
    { "ip_id": 3, "ip_address": "10.0.48.9", "action": "revoke" }
  ]
}

This performs all DB writes first, then does a single applyBatch() -- one SSH session, one commit.

Revoking a VMAC

Revoking a VMAC removes the generated MAC from the switch and restores the server's PXE MAC for that IP.

  1. Open the server's IP list in the VMAC embed
  2. Click Revoke next to the active VMAC
  3. The system swaps the VMAC back to the PXE MAC on the switch

Migrating a VMAC

When a customer moves an IP from one server to another (e.g., failover), the VMAC can be migrated:

  1. The binding is revoked on the source server's switch port (PXE MAC restored)
  2. The binding is applied on the target server's switch port
  3. If the target fails, the source is automatically restored (rollback)
POST /api/virtual-macs/{serverId}/migrate-vmac
{
  "targetServerId": 456,
  "ip": "10.0.48.7",
  "vmac": "02:ab:cd:ef:12:34"
}

Apply All Bindings

The Apply All Bindings button on the Switches admin page (/admin/switches) re-pushes every MAC/IP binding to every switch port across the entire network:

  • Dedicated servers -- fetches all IPs from Tenantos, checks for active VMACs, does a full replace on the switch port (PXE MAC for primary IP, VMACs where active)
  • Proxmox nodes -- collects all VM MACs + IPs from the Proxmox API, resolves VLANs, full replaces the configured uplink port

This is useful after:

  • Bulk VLAN allowlist changes
  • Switch firmware upgrades that may have reset config
  • Recovering from a failed automated push
  • Verifying that switch state matches the database

Warning

Apply All touches every switch port. It takes a backup of each switch before making changes, but use it deliberately -- not as a routine action.

Provisioning

When Tenantos provisions a new dedicated server, it calls the provisioning API:

POST /api/virtual-macs/provision/{serverId}
Authorization: Bearer <VMAC_PROVISION_API_BEARER_TOKEN>

This sets up the initial secure-access-port bindings on the server's switch port, binding all IPs to the server's PXE MAC. VMACs can then be generated on top of this baseline.