Create MAC filtering on a specified port
edited April 2021 in Nebula
Hi! We want to create a MAC filtering rule for a specified port of a switch (GS1920-24P). The target is to permit only one MAC address to be connected on each port.
P1 -> Allow only MAC AXXXXXX
P2 -> Allow only MAC BBXXXXX
P3 -> Allow only MAC CCXXXXX
Well, I tried with ACL -> "Customization Rules", but I'm not sure how to create the rule as we can't select the affected port (it's greyed).
What are we doing wrong?
Zyxel_Jason Posts: 381
Hi @Infotecnika,
As you know, we already have the MAC filtering feature in our idea section.
Here are the steps to configure Radius policy and apply the policy to needed port.
(1) Go to Switch > Configure > RADIUS policies
(2) Add your radius server information (Host, Port and Secret)
(3) Add a Radius policy, fill out the required column, choose Radius policy type as MAC-base and configure password for MAC-Base
(4) Go to Switch > Configure > Switch ports, configure Type as Access, select the Radius policy profile and click "Update" to apply
Then the switch will do MAC-auth on the configured port by sending an authentication request to your radius server. (You will need to configure those allowed MAC addresses on your radius server.)
If you don't have a radius server, there is another workaround:
Configure Vendor ID based VLAN and Management VLAN control.
Move IPTVs with the same vendor to another VLAN and remove those ports from the management VLAN (Default VLAN1).
(1) Go to Switch > Configure > Switch settings
(2) Enable and configure Vendor OUI, VLAN, Priority and Description
(3) Configure Management VLAN control by removing those needed ports from management VLAN1
=>EX: There are 28 ports, port 1-3 are IPTVs, then you need to configure 4-28 for management VLAN control
(4) Go to Switch > Configure > Switch ports, configure Type as Access, select VLAN type as Vendor ID based VLAN and click "Update" to apply
Hope it helps.
Jason
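With the RADIUS approach above, the one-MAC-per-port requirement from the question is decided on the RADIUS server: a flat list of allowed MACs would accept any listed device on any port that uses the policy. The following is an added example (not Zyxel's code and not part of the posts) of that per-port decision, assuming the switch sends the client MAC as User-Name and the port number as NAS-Port; the MAC values and function names are constructed.

```python
import re

# Constructed sample policy: switch port number -> the single MAC allowed there.
PORT_POLICY = {
    1: "02:00:00:00:00:01",
    2: "02:00:00:00:00:02",
    3: "02:00:00:00:00:03",
}

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[:.\-\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def authorize(user_name, nas_port, policy=PORT_POLICY):
    """Decide a MAC-auth request: accept only the MAC pinned to this port."""
    mac = normalize_mac(user_name)
    if mac is None:
        return ("reject", "User-Name is not a MAC address")
    allowed = policy.get(nas_port)
    if allowed is None:
        return ("reject", "no MAC pinned to this port")
    if mac != normalize_mac(allowed):
        # A MAC pinned elsewhere means a moved or cloned device: worth logging.
        other = [p for p, m in policy.items() if normalize_mac(m) == mac]
        if other:
            return ("reject", f"MAC belongs to port {other[0]}")
        return ("reject", "unknown MAC")
    return ("accept", "MAC matches port")

if __name__ == "__main__":
    # Constructed requests: (User-Name in various MAC notations, NAS-Port)
    requests = [
        ("02-00-00-00-00-01", 1),   # right device, right port
        ("0200.0000.0001", 2),      # port 1's device plugged into port 2
        ("02:00:00:00:00:09", 3),   # device not in the policy
        ("iptv", 1),                # User-Name that is not a MAC
    ]
    for name, port in requests:
        print(port, name, *authorize(name, port))
```

The reject reasons are what make the log useful: a MAC that shows up on a port other than its own is the event to alert on.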
Hi! Many thanks for your explanation. I'll see the option to install a radius server or your workaround proposal.
Regards.
Keep in mind that a MAC address can be easily spoofed.
Several ports could need to use the same MAC address (for example multicast, VRRP, ...)
I suggest that your security not be based solely on the MAC address filters.
Many thanks for your info Alfonso, but we're making it for IP TVs and they do not have any additional authentication protocols (...just MAC address or vendor_id etc.)
Best regards.