Configuring MAC‑Based Internet Access Restrictions on a Router Using Traffic Policies

This guide explains how to restrict selected LAN hosts from accessing the Internet by configuring MAC‑address based ACLs and traffic policies on a router, allowing only gateway communication while handling dynamic IP addresses.

Practical DevOps Architecture

The network diagram shows a router acting as the enterprise gateway; internal users access the Internet through it. Because the hosts may change IP addresses, limiting access by IP is ineffective, so the solution uses source MAC‑address based restrictions to block Internet access while still permitting gateway traffic.

Network diagram

Configuration steps on the router:

sysname Router
vlan batch 10
acl number 3001
 rule 1 permit ip destination 10.1.1.0 0.0.0.255
traffic classifier gate operator and
 if-match acl 3001
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003
traffic behavior p1
 permit
traffic behavior d1
 deny
traffic policy myqos
 classifier gate behavior p1
 classifier mac1 behavior d1
 classifier mac2 behavior d1
 classifier mac3 behavior d1
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10

Verification: run the display traffic policy user-defined command to view the policy. The restricted hosts can ping the gateway but cannot reach external IP addresses.

Configuration notes: ensure the router‑switch link is a trunk port with VLAN 10, and configure the gateway‑allowing classifier and behavior before the deny classifier because packets are matched sequentially.
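The ordering requirement above can be checked offline with a small first-match model of the myqos policy. This is an added example, not part of the original configuration or any vendor tool; the function names, the sample MAC 0015-c50d-0099, the external address 203.0.113.10 and the default of forwarding unmatched traffic are assumptions made for illustration.

```python
import ipaddress

# Values taken from the configuration on this page.
GATE_NET = ipaddress.ip_network("10.1.1.0/24")  # ACL 3001: 10.1.1.0 0.0.0.255
BLOCKED = ["0015-c50d-0001", "0015-c50d-0002", "0015-c50d-0003"]


def norm_mac(mac):
    """Normalize aa:bb:.., aa-bb-.. or xxxx-xxxx-xxxx to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_policy(gate_first=True):
    """Return the classifier/behavior pairs in binding order."""
    gate = ("gate", lambda src, dst: ipaddress.ip_address(dst) in GATE_NET, "permit")
    macs = [
        (f"mac{i}", (lambda src, dst, m=norm_mac(m): norm_mac(src) == m), "deny")
        for i, m in enumerate(BLOCKED, 1)
    ]
    return [gate] + macs if gate_first else macs + [gate]


def evaluate(policy, src_mac, dst_ip):
    """First matching classifier decides; unmatched traffic is forwarded (assumption)."""
    for name, match, action in policy:
        if match(src_mac, dst_ip):
            return name, action
    return None, "permit"


if __name__ == "__main__":
    # Constructed test packets: (source MAC, destination IP).
    packets = [
        ("00:15:C5:0D:00:01", "10.1.1.1"),      # restricted host -> gateway
        ("0015-c50d-0001", "203.0.113.10"),     # restricted host -> external
        ("0015-c50d-0099", "203.0.113.10"),     # unrestricted host -> external
    ]
    for label, policy in (("gate first", build_policy()),
                          ("deny first", build_policy(gate_first=False))):
        for src, dst in packets:
            print(label, src, dst, evaluate(policy, src, dst))
```

With the deny classifiers bound first, the restricted host's traffic to 10.1.1.1 hits a MAC rule before the gate rule and is dropped, which is the failure the configuration note warns about.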
