Configuring MAC Firewall Rules

Access points can use MAC based firewalls like Access Control Lists (ACLs) to filter and mark packets based on the IP from which they arrive, as opposed to filtering packets on Layer 2 ports.

Optionally, filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses as its matching criteria, and the result of a match is an allow, deny or mark decision for the matching packet traffic.

Note

Once defined, a set of MAC firewall rules must be applied to an interface to be a functional filtering tool.

To add or edit a MAC based Firewall Rule policy:

  1. Select Configuration > Security > Wireless Firewall > MAC Firewall Rules to display existing IP Firewall Rule policies.
  2. Select + Add Row to create a new MAC firewall rule.
    Select an existing policy and click Edit to modify the attributes of that rule's configuration.
  3. Select the added row to expand it into configurable parameters for defining the MAC based firewall rule.
  4. If adding a new MAC Firewall Rule, provide a name up to 32 characters to help describe its filtering configuration.
  5. Select a rule to modify it.
    Set the following parameters for the MAC firewall rule:
    Allow: Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
    • Deny - Instructs the firewall to prevent a packet from proceeding to its destination when filter conditions are met.
    • Permit - Instructs the firewall to allow a packet to proceed to its destination when filter conditions are met.
    VLAN ID: Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 and 4094.
    Match 802.1P: Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0 - 7.
    Source and Destination MAC: Enter both source and destination MAC addresses. The source MAC address and destination MAC address are used as basic matching criteria. Provide a subnet mask if using a mask.
    Action: The following actions are supported:
    • Log - Events are logged for archive and analysis.
    • Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. Mark can modify any of the following fields:
      • VLAN 802.1p priority.
      • DSCP bits in the IP header.
      • TOS bits in the IP header.
    • Mark, Log - Conducts both mark and log functions.
    Traffic Class: Select this option to enable a spinner control for traffic class prioritization. Devices that originate a packet must identify a class or priority for the packet. Devices use the traffic class field in the MAC header to set this priority.
    Ethertype: Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp, or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame.
    Precedence: Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with a lower precedence value are always applied to packets first.
    Description: Provide a description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.
  6. Select + Add Row as needed to add additional MAC firewall rule configurations.
    Select the - Delete Row icon as required to remove selected MAC firewall rules.
  7. Select the EX3500 MAC ACL tab to define MAC firewall rules specific to the EX3500 switch.
    Select the added row to expand it into configurable parameters for defining the MAC based firewall rule for this model switch.
  8. Select a rule to modify it.
    Define the following parameters for the MAC firewall rule:
    Allow: Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
    • Deny - Instructs the firewall to prevent a packet from proceeding to its destination.
    • Permit - Instructs the firewall to allow a packet to proceed to its destination.
    VLAN ID: Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 and 4094.
    VLAN Mask: Enter a VLAN ID bit mask value.
    Source and Destination MAC: Enter both source and destination MAC addresses. The source MAC address and destination MAC address are used as basic matching criteria. Provide a subnet mask if using a mask.
    Ethertype: Use the spinner control to specify an Ethertype. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame. Select a value in the range 0 - 65535. This field is enabled by default. The default value is 1.
    Ethertype Mask: Use the spinner control to specify the Ethertype Mask. Select a value in the range 0 - 65535. This field is enabled by default. The default value is 1.
    Packet Type: Use the drop-down menu to select the packet type. Packet type can be one of all, tagged-eth2, or untagged-eth2.
    Time Range: Use this field to select a time range during which this ACL is enabled. For more information, see EX3500 Time Range.
    Precedence: Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with a lower precedence value are always applied to packets first.
  9. Select OK when completed to update the MAC firewall Rules.
    Select Reset to revert the screen to its last saved configuration.
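The parameters in steps 5 and 8 above (masked source and destination MAC, VLAN ID and VLAN mask, EtherType and EtherType mask, permit/deny, mark and log actions, and precedence ordering) can be exercised in a small model to see how a rule set behaves before it is applied to an interface. The following is an added example written for this page; it is not the product's own code and does not talk to the device. It assumes semantics the page does not spell out: rules are tried in ascending precedence and the first match decides, a mask bit of 1 means "this bit must match" (an all-zero mask matches anything), mark carries an implicit permit, and a frame that matches no rule is denied. The rule names, MAC prefixes and VLAN numbers are constructed sample data.

```python
"""Added example (not the product's code): a model of MAC firewall rule matching.

Assumed semantics, since the configuration page does not spell them out:
  * rules are tried in ascending precedence; the first match decides the frame
  * a mask bit of 1 means "this bit must match", 0 means "don't care"
  * mark is an implicit permit that rewrites 802.1p / DSCP; log only records
  * a frame matching no rule is denied
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"
ETHERTYPE = {"ipv4": 0x0800, "arp": 0x0806, "8021q": 0x8100, "ipv6": 0x86DD}


def parse_mac(text: str) -> int:
    """'aa:bb:cc:dd:ee:ff' -> 48-bit integer; rejects malformed input."""
    octets = text.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int("".join(octets), 16)


@dataclass
class MacRule:
    name: str                         # up to 32 characters
    precedence: int                   # 1-1500; lower values are applied first
    allow: str                        # "permit" or "deny"
    src: str = ANY_MAC
    src_mask: str = ANY_MAC           # all-zero mask matches any source
    dst: str = ANY_MAC
    dst_mask: str = ANY_MAC
    vlan: int = 0                     # 0 = any VLAN, otherwise 1-4094
    vlan_mask: int = 0xFFF            # EX3500-style VLAN bit mask (0xFFF = exact)
    ethertype: Optional[int] = None   # None = any EtherType
    ethertype_mask: int = 0xFFFF      # EX3500-style EtherType mask
    action: str = "none"              # none, log, mark, mark-log
    mark_8021p: Optional[int] = None  # 0-7
    mark_dscp: Optional[int] = None   # 0-63

    def __post_init__(self) -> None:
        # Enforce the limits the configuration page states for each field.
        checks = [
            (1 <= len(self.name) <= 32, "name must be 1-32 characters"),
            (1 <= self.precedence <= 1500, "precedence must be 1-1500"),
            (self.allow in ("permit", "deny"), "allow must be permit or deny"),
            (self.vlan == 0 or 1 <= self.vlan <= 4094, "VLAN ID must be 1-4094"),
            (self.ethertype is None or 0 <= self.ethertype <= 0xFFFF, "EtherType must be 0-65535"),
            (self.mark_8021p is None or 0 <= self.mark_8021p <= 7, "802.1p priority must be 0-7"),
            (self.action in ("none", "log", "mark", "mark-log"), "unknown action"),
        ]
        for ok, msg in checks:
            if not ok:
                raise ValueError(f"{self.name}: {msg}")
        # Normalise every criterion to an integer (value, mask) pair for matching.
        self._crit = {
            "src": (parse_mac(self.src), parse_mac(self.src_mask)),
            "dst": (parse_mac(self.dst), parse_mac(self.dst_mask)),
            "vlan": (self.vlan, self.vlan_mask if self.vlan else 0),
            "ethertype": (self.ethertype or 0,
                          self.ethertype_mask if self.ethertype is not None else 0),
        }

    def matches(self, frame: Dict) -> bool:
        """True when every criterion agrees with the frame under its mask."""
        values = {"src": parse_mac(frame["src"]), "dst": parse_mac(frame["dst"]),
                  "vlan": frame.get("vlan", 0), "ethertype": frame["ethertype"]}
        return all((values[k] & m) == (v & m) for k, (v, m) in self._crit.items())

    def covers(self, other: "MacRule") -> bool:
        """True if every frame `other` matches is also matched by this rule."""
        for k, (v, m) in self._crit.items():
            ov, om = other._crit[k]
            # this rule's mandatory bits must be a subset of other's, with the same values
            if (m & ~om) != 0 or (v & m) != (ov & m):
                return False
        return True


def evaluate(rules: List[MacRule], frame: Dict) -> Tuple[str, Dict, List[str]]:
    """Apply rules in precedence order; return (verdict, output frame, log lines)."""
    log: List[str] = []
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not rule.matches(frame):
            continue
        out = dict(frame)
        if rule.action in ("log", "mark-log"):
            log.append(f"{rule.name}: {rule.allow} {frame['src']}->{frame['dst']} "
                       f"type=0x{frame['ethertype']:04x} vlan={frame.get('vlan', 0)}")
        if rule.action in ("mark", "mark-log"):
            # mark carries an implicit permit; rewrite the priority fields
            if rule.mark_8021p is not None:
                out["prio"] = rule.mark_8021p
            if rule.mark_dscp is not None:
                out["dscp"] = rule.mark_dscp
            return "permit", out, log
        return rule.allow, out, log
    return "deny", dict(frame), log  # assumed: no matching rule means deny


def shadowed_rules(rules: List[MacRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    return [later.name for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Constructed sample policy: the MAC prefix, VLAN number and names are made up.
RULES = [
    MacRule("block-arp-from-lab-prefix", 10, "deny", src="02:1a:2b:00:00:00",
            src_mask="ff:ff:ff:00:00:00", ethertype=ETHERTYPE["arp"], action="log"),
    MacRule("voice-vlan-priority", 20, "permit", vlan=30, ethertype=ETHERTYPE["ipv4"],
            action="mark", mark_8021p=5, mark_dscp=46),
    MacRule("permit-rest", 1000, "permit"),
    MacRule("late-deny-ipv6", 1200, "deny", ethertype=ETHERTYPE["ipv6"]),  # never reached
]

if __name__ == "__main__":
    arp = {"src": "02:1a:2b:11:22:33", "dst": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806}
    print(evaluate(RULES, arp))
    print("shadowed:", shadowed_rules(RULES))
```

The `shadowed_rules` audit is the part worth keeping around: because rules with a lower precedence value are applied first, a broad permit placed ahead of a narrower deny silently disables the deny, and the device will not warn about it. Running a rule set through this check before applying it to an interface catches that ordering mistake.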