
MAC ACL for specific VLAN

Tom-P
Tutor

MAC ACL for specific VLAN

I have connected four WNAP320 Access Points to a GS724TPv2 smart managed switch. The Access Points all broadcast three different SSIDs (trusted, guest & IoT) that are assigned to three different VLANs (10, 20 & 30). The router gives different IP ranges to the different VLANs and I have added firewall rules to manage traffic between the VLANs and the internet. That part works well.

I would like to add a MAC ACL (access control list) to whitelist all my known devices on the trusted SSID and that specific VLAN 10 and block all unknown devices. Unknown devices should only connect to the IoT and/or Guest network. The reason is that iOS devices (and probably Android as well) have the option to share a WiFi key if the owner of the unknown device is in the contact list of the phone that is connected to the trusted network.

Although this sounds easy (and probably is if you know what to do), I was not successful. I've tried setting it up in the AP, but this doesn't work since you can only set up a whitelist for the entire AP and not for a specific SSID/VLAN.

There are examples to be found on the internet, but they only discuss port-based MAC ACLs and I have trunked my three VLANs from the switch ports to the access ports.

I hope someone knows a useful link or can give me a push in the right direction!

Model: GS724TPv2|24-Port Gigabit Ethernet PoE+ Smart Managed Pro Switch with 2 SFP Ports

Accepted Solutions
Tom-P
Tutor

Re: MAC ACL for specific VLAN

Hi Everyone,

After Eric's last question we continued by e-mail and Eric found the solution:

Please just keep the config as in your first setting, with all zeros in the MAC mask. Then add some new rules with Destination MAC = whitelist.

This is because the MAC ACL is bound to the VLAN, not to a specific physical port, so the packets include upstream (Client->Server) and downstream (Server->Client). It's necessary to add bidirectional rules.

I guess I'm not the only one who wants to build a MAC ACL whitelist, so here's the solution for you all:

You have to make two rules per device. One with the device MAC in the destination MAC field of that rule. The second rule with the same device MAC in the source MAC field. The MAC mask should be all zeros for both rules.

In the VLAN Binding Configuration you pick the VLAN ID the devices on the whitelist should connect to. ACL type is MAC ACL and the ACL ID is the name you gave to the set of rules you made for your whitelisted devices.

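The two-rules-per-device result above can be checked with a small model of a VLAN-bound MAC ACL. The following is an added example written for this page, not NETGEAR code and not the configuration from the thread. It assumes, based on what worked in the thread and not verified against firmware, that the MAC mask is a wildcard mask (a 0 bit means that bit must match, so 00:00:00:00:00:00 is an exact match and FF:FF:FF:FF:FF:FF matches anything), that rules are evaluated in sequence order with the first match winning, and that a frame matching no rule is denied. All MAC addresses in it are constructed sample values.

```python
"""Model of a VLAN-bound MAC ACL whitelist (added illustration, not NETGEAR code).

Assumptions, taken from the thread rather than from firmware documentation:
  * MAC mask is a wildcard mask: 0 bit = must match, 1 bit = ignored.
  * Rules are checked in sequence order; first match wins.
  * A frame that matches no rule is dropped (implicit deny).
  * Because the ACL is bound to the VLAN, both directions of a
    conversation are evaluated, which is why a source-MAC-only list
    blocks the very devices it was meant to allow.
All MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

EXACT = "00:00:00:00:00:00"      # mask: every bit must match
WILDCARD = "ff:ff:ff:ff:ff:ff"   # mask: no bit is checked (what the FF mask does)
BROADCAST = "ff:ff:ff:ff:ff:ff"  # destination of broadcast frames (ARP, DHCP offer)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(frame_mac: str, rule_mac: Optional[str], mask: str) -> bool:
    """Wildcard-mask compare: bits set in the mask are ignored."""
    if rule_mac is None:         # field left empty in the rule: match any
        return True
    ignore = mac_to_int(mask)
    return (mac_to_int(frame_mac) & ~ignore) == (mac_to_int(rule_mac) & ~ignore)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: Optional[str] = None
    src_mask: str = EXACT
    dst: Optional[str] = None
    dst_mask: str = EXACT


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def evaluate(acl: List[Rule], frame: Frame) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if (mac_matches(frame.src, rule.src, rule.src_mask)
                and mac_matches(frame.dst, rule.dst, rule.dst_mask)):
            return rule.action
    return "deny"


def build_whitelist_acl(macs: List[str], bidirectional: bool = True) -> List[Rule]:
    """One permit rule with the MAC as source; with bidirectional=True also
    one with the MAC as destination, as the accepted answer prescribes."""
    rules: List[Rule] = []
    seq = 10
    for mac in macs:
        rules.append(Rule(seq, "permit", src=mac))
        seq += 10
        if bidirectional:
            rules.append(Rule(seq, "permit", dst=mac))
            seq += 10
    return rules


def client_can_talk(acl: List[Rule], client_mac: str, peer_mac: str) -> bool:
    """A client is only usable if both directions pass the VLAN-bound ACL."""
    upstream = evaluate(acl, Frame(src=client_mac, dst=peer_mac))
    downstream = evaluate(acl, Frame(src=peer_mac, dst=client_mac))
    return upstream == "permit" and downstream == "permit"


# Constructed sample addresses: a VLAN 10 gateway, two trusted clients, a stranger.
ROUTER = "02:00:00:00:00:01"
TRUSTED = ["02:00:00:00:00:10", "02:00:00:00:00:11"]
UNKNOWN = "02:00:00:00:00:99"


def demo() -> dict:
    src_only = build_whitelist_acl(TRUSTED, bidirectional=False)   # the first attempt
    both_ways = build_whitelist_acl(TRUSTED, bidirectional=True)   # the accepted answer
    return {
        "src_only_trusted": client_can_talk(src_only, TRUSTED[0], ROUTER),
        "bidir_trusted": client_can_talk(both_ways, TRUSTED[0], ROUTER),
        "bidir_unknown": client_can_talk(both_ways, UNKNOWN, ROUTER),
        # Broadcast from the gateway matches neither per-device rule.
        "bidir_broadcast_from_router": evaluate(both_ways, Frame(src=ROUTER, dst=BROADCAST)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The source-only list reproduces the failure from message 3: the client's own frames are permitted but every reply to it is dropped, so the device appears blocked. The last entry is a case the two-rules-per-device set does not cover at all: a broadcast frame sent by the gateway (a DHCP offer or an ARP request for a client, for instance) matches no rule in the model. Whether the switch applies a VLAN-bound MAC ACL to such frames is something to confirm on the hardware before relying on the list; if it does, a permit rule for the broadcast destination is needed. Keep in mind that a MAC whitelist stops the convenience case raised in the question (a contact's phone joining through shared WiFi credentials); a MAC address is trivially cloned, so it is not a control against a deliberate attacker.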

All Replies
Retired_Member
Not applicable

Re: MAC ACL for specific VLAN

Hi @Tom-P

Welcome to the Community!

For your requirement, I suggest you configure a MAC ACL and bind it to the specific VLAN on the GS724TPv2 switch. In the MAC ACL rules, just permit all trusted MACs; for other MACs the switch will deny by default.

For the MAC ACL configuration, please see the User Manual.

Hope it helps!

Regards,

EricZ

Tom-P
Tutor

Re: MAC ACL for specific VLAN

Thanks for your reply EricZ. Unfortunately I was not successful. What I've done:

I created a MAC ACL and added a rule for each device on my whitelist.

I gave every rule a unique sequence number, Action = Permit, Match Every = False, Source MAC = the device MAC, Source MAC Mask = 00:00:00:00:00:00. I was not sure about the VLAN field in the rule so I left it empty.

I skipped the MAC Binding Configuration to a specific switch port and went to the Advanced tab and selected the VLAN Binding Table. I added a VLAN Binding Configuration with the VLAN ID I want to allow my whitelisted devices on, ACL type = MAC ACL and the ACL ID = the name of the MAC ACL I created in the first step.

After that every device was blocked on that VLAN. Even the ones I added in the rules.

The manual isn't all that clear to me. Guess you have to be smart to manage a smart managed switch 🙂

 

Retired_Member
Not applicable

Re: MAC ACL for specific VLAN

@Tom-P

Could you please change the Source MAC Mask to FF:FF:FF:FF:FF:FF and try again?

It would be better if you could share the configuration file with us.

 

How do I send tech-support files from my Managed Switch to NETGEAR community moderators?

https://kb.netgear.com/31438/How-do-I-send-diagnostic-files-from-my-Smart-Switch-to-NETGEAR-communit...

 
