Configuring MAC Firewall Rules

About this task

Access points can use MAC based firewalls like Access Control Lists (ACLs) to filter and mark packets based on the IP from which they arrive, as opposed to filtering packets on Layer 2 ports.

Optionally, filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.

Note

Note

Once defined, a set of MAC firewall rules must be applied to an interface to be a functional filtering tool.

To add or edit a MAC based firewall rule policy:

Procedure

  1. Select ConfigurationSecurityWireless FirewallMAC Firewall Rules to display existing IP firewall rule policies.
    Click to expand in new window
    MAC Firewall Rules Screen
    GUID-6F4ACE88-9D6C-4D05-A213-29D85B9FFBF9-low.png
  2. Select Add to create a new MAC firewall rule.
    Select an existing policy and click Edit to modify the attributes of that rule‘s configuration.
  3. Select the added row to expand it into configurable parameters for defining the MAC-based firewall rule.
    Click to expand in new window
    MAC Firewall Rules Screen - Adding a New Rule
    GUID-FADF5180-E577-47BC-A225-0D87FD1AC2F0-low.png
  4. If you are adding a new MAC Firewall Rule, provide a name up to 32 characters to help describe its filtering configuration.
  5. Define the following parameters for the MAC firewall rule:
    Allow Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
    • Deny - Instructs the firewall to prevent a packet from proceeding to its destination.
    • Permit - Instructs the firewall to allow a packet to proceed to its destination.
    Source and Destination MAC Enter both source and destination MAC addresses. Access points use the source IP address, destination MAC address as basic matching criteria. Provide a subnet mask if using a mask.
    Action The following actions are supported:
    • Log - Events are logged for archive and analysis.
    • Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit.
      • VLAN 802.1p priority.
      • DSCP bits in the IP header.
    • Mark, Log - Conducts both mark and log functions.
    Precedence Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with lower precedence are always applied first to packets.
    VLAN ID Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be from 1 - 4094.
    Traffic Class Select this option to enable filtering using Traffic Class. Use the spinner control to specify a traffic class. Traffic class can be from 1 - 10.
    Match 802.1P Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0 - 7.
    Ethertype Use the drop-down menu to specify an Ethertype of either other, ipv4, arp, rarp, appletalk, aarp, mint, wisp,ipx, 802.1q and ipv6. An Ethertype is a twooctet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame.
    Description Provide a description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.
  6. Select + Add Row as needed to add additional MAC firewall rule configurations.
    Select the - Delete Row icon as required to remove selected MAC firewall rules.
  7. Select OK when completed to update the MAC firewall rules.
    Select Reset to revert to its last saved configuration.