MAC Address Filtering

From Baranoski.ca

Let's say you have a bunch of wifi access points connected to your EX series switch, and you want to limit which MAC addresses are allowed to connect to the network. Rather than managing a MAC filter on each of the access points, you can centrally manage them through the EX switch.

Here's a basic config that has both an internal VLAN and a guest VLAN.

The interfaces to the access points would get configured like this:

ge-0/0/11 {
    description "Wireless access point 1";
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members GUESTWIFI;
            }
            native-vlan-id INTERNAL;
            filter {
                input WIFI-MAC-FILTER;
            }
        }
    }
}

Then you just need to configure the firewall filter. Terms are evaluated top to bottom and the first match wins, so the INTERNAL-ALLOW term must come before INTERNAL-DENY; a frame that matches no term hits the implicit discard at the end of the filter. Be sure to include the MAC addresses of the access points themselves, otherwise you won't be able to manage them. Note that the guest wifi VLAN allows any MAC address, and that a MAC address is not a secret, so treat this filter as housekeeping for the internal VLAN rather than as authentication.

firewall {
    family ethernet-switching {
        filter WIFI-MAC-FILTER {
            term INTERNAL-ALLOW {
                from {
                    source-mac-address {
                        /* ACCESS POINT 1 */
                        00:22:aa:b2:9f:0b/48;
                        /* ACCESS POINT 2 */
                        00:22:aa:9a:fb:62/48;
                        /* HOST 1 */
                        00:55:bb:5f:ee:27/48;
                        /* HOST 2 */
                        00:55:bb:44:d4:d5/48;
                        /* HOST 3 */
                        00:55:bb:a3:ff:91/48;
                    }
                    vlan INTERNAL;
                }
                then accept;
            }
            term INTERNAL-DENY {
                from {
                    vlan INTERNAL;
                }
                then discard;
            }
            term GUESTWIFI-ALLOW {
                from {
                    vlan GUESTWIFI;
                }
                then accept;
            }
        }
    }
}
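Since the point of this setup is to manage the allowlist in one place, it helps to generate the filter from an inventory rather than hand-edit it. The script below is an added example, not code from Baranoski.ca or from Juniper: it normalizes MAC addresses from the common notations (rejecting malformed and multicast entries that could never match a source MAC), always merges the access-point MACs into the list so they cannot be dropped by accident, renders the filter above, and models the first-match term order including the implicit discard. The inventory dicts, the function names and the sample frames are assumptions made for the demonstration; the MAC values are the ones from the page.

```python
import re

# Constructed inventory using the page's sample MACs, keyed by the comment
# label used in the filter. In practice this comes from an asset list.
ACCESS_POINTS = {
    "ACCESS POINT 1": "00:22:aa:b2:9f:0b",
    "ACCESS POINT 2": "00:22:aa:9a:fb:62",
}
HOSTS = {
    "HOST 1": "00:55:bb:5f:ee:27",
    "HOST 2": "00:55:bb:44:d4:d5",
    "HOST 3": "00:55:bb:a3:ff:91",
}

# Accept colon, dash and Cisco-style dotted notation.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$|"
    r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$|"
    r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Return the MAC in the lowercase colon form Junos prints.

    Raises ValueError for malformed input and for group/multicast addresses
    (low bit of the first octet set), which are never a valid source MAC
    and would only be a dead entry in the allowlist.
    """
    text = mac.strip()
    if not _MAC_FORMS.match(text):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", text.lower())
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot be a source MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_source_mac(mac: str) -> bool:
    """True if normalize_mac() accepts the value."""
    try:
        normalize_mac(mac)
    except ValueError:
        return False
    return True


def allowed_macs(*groups: dict) -> frozenset:
    """Merge inventory groups into one normalized allowlist."""
    return frozenset(normalize_mac(m) for g in groups for m in g.values())


def render_filter(name: str, aps: dict, hosts: dict,
                  internal_vlan: str = "INTERNAL", guest_vlan: str = "GUESTWIFI") -> str:
    """Render the Junos filter; the AP MACs come from their own argument so
    they cannot be left out and lock the access points out of management."""
    entries = [f"/* {label} */\n{normalize_mac(mac)}/48;"
               for label, mac in {**aps, **hosts}.items()]
    mac_block = "\n".join(entries).replace("\n", "\n" + " " * 24)
    return f"""firewall {{
    family ethernet-switching {{
        filter {name} {{
            term {internal_vlan}-ALLOW {{
                from {{
                    source-mac-address {{
                        {mac_block}
                    }}
                    vlan {internal_vlan};
                }}
                then accept;
            }}
            term {internal_vlan}-DENY {{
                from {{
                    vlan {internal_vlan};
                }}
                then discard;
            }}
            term {guest_vlan}-ALLOW {{
                from {{
                    vlan {guest_vlan};
                }}
                then accept;
            }}
        }}
    }}
}}"""


def evaluate(vlan: str, src_mac: str, allowed: frozenset,
             internal_vlan: str = "INTERNAL", guest_vlan: str = "GUESTWIFI") -> str:
    """Model the filter's first-match term order for one inbound frame."""
    mac = normalize_mac(src_mac)
    if vlan == internal_vlan and mac in allowed:
        return "accept"   # term INTERNAL-ALLOW
    if vlan == internal_vlan:
        return "discard"  # term INTERNAL-DENY
    if vlan == guest_vlan:
        return "accept"   # term GUESTWIFI-ALLOW
    return "discard"      # implicit discard: no term matched


if __name__ == "__main__":
    allowed = allowed_macs(ACCESS_POINTS, HOSTS)
    print(render_filter("WIFI-MAC-FILTER", ACCESS_POINTS, HOSTS))
    # Constructed frames: a listed host, then an unknown device on each VLAN.
    for vlan, mac in [("INTERNAL", "00:55:BB:5F:EE:27"),
                      ("INTERNAL", "02:11:22:33:44:55"),
                      ("GUESTWIFI", "02:11:22:33:44:55")]:
        print(f"{vlan:10} {mac} -> {evaluate(vlan, mac, allowed)}")
```

The rendered text can be pasted into `load merge` on the switch or committed through your usual automation; the `evaluate()` model is only there to check that the term order gives the outcome you expect before you commit.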