Configuring MAC Firewall Rules

About this task

Access points can use MAC based firewalls like Access Control Lists (ACLs) to filter and mark packets based on the IP from which they arrive, as opposed to filtering packets on Layer 2 ports.

Optionally, filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.

Note

Once defined, a set of MAC firewall rules must be applied to an interface to be a functional filtering tool.

To add or edit a MAC based Firewall Rule policy:

Procedure

Select Configuration → Security → Wireless Firewall → MAC ACL to display existing MAC Firewall Rule policies.

MAC Firewall Rules Screen
Select + Add Row to create a new MAC firewall rule.
Select an existing policy and click Edit to modify the attributes of that rule‘s configuration.
Select the added row to expand it into configurable parameters for defining the MAC based firewall rule.

MAC Firewall Rules - Add/Edit screen
If adding a new MAC Firewall Rule, provide a name up to 32 characters to help describe its filtering configuration.

Select a rule to modify it.

Set the following parameters for the MAC firewall rule:


Allow	Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the firewall to prevent a packet from proceeding to its destination when filter conditions are met. Permit - Instructs the firewall to allow a packet to proceed to its destination when filter conditions are met.
VLAN ID	Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 and 4094.
Match 802.1P	Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0 - 7.
Source and Destination MAC	Enter both source and destination MAC addresses. The source MAC address and destination MAC address are used as basic matching criteria. Provide a subnet mask if using a mask.
Action	The following actions are supported: Log - Events are logged for archive and analysis. Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. VLAN 802.1p priority. DSCP bits in the IP header. TOS bits in the IP header. Mark, Log - Conducts both mark and log functions.
Traffic Class	Select this option to enable a spinner control for traffic class prioritization. Devices that originate a packet must identify a class or priority for packets. Devices use the traffic class field in the MAC header to set this priority.
Ethertype	Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp, or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame.
Precedence	Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with lower precedence are always applied first to packets.
Description	Provide a description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.

Select + Add Row as needed to add additional MAC firewall rule configurations.
Select the - Delete Row icon as required to remove selected MAC firewall rules.
Select OK when completed to update the MAC firewall Rules.

Select Reset to revert the screen to its last saved configuration.