
Configuring MAC‑Based Internet Access Restrictions on a Router Using Traffic Policies

This guide explains how to restrict selected LAN hosts from accessing the Internet by configuring MAC‑address based ACLs and traffic policies on a router, allowing only gateway communication while handling dynamic IP addresses.

Practical DevOps Architecture

The network diagram shows a router acting as the enterprise gateway; internal users access the Internet through it. Because the hosts may change IP addresses, limiting access by IP is ineffective, so the solution uses source MAC‑address based restrictions to block Internet access while still permitting gateway traffic.

Configuration steps on the router:

    sysname Router
    vlan batch 10
    acl number 3001
     rule 1 permit ip destination 10.1.1.0 0.0.0.255
    traffic classifier gate operator and
     if-match acl 3001
    traffic classifier mac1 operator and
     if-match source-mac 0015-c50d-0001
    traffic classifier mac2 operator and
     if-match source-mac 0015-c50d-0002
    traffic classifier mac3 operator and
     if-match source-mac 0015-c50d-0003
    traffic behavior p1
     permit
    traffic behavior d1
     deny
    traffic policy myqos
     classifier gate behavior p1
     classifier mac1 behavior d1
     classifier mac2 behavior d1
     classifier mac3 behavior d1
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.0
     traffic-policy myqos inbound
    interface Ethernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 10

Verification: run display traffic policy user-defined to view the policy; restricted hosts can ping the gateway but not external IPs.

Configuration notes: ensure the router‑switch link is a trunk port with VLAN 10, and configure the gateway‑allowing classifier and behavior before the deny classifier because packets are matched sequentially.
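
The ordering rule in the configuration notes can be checked offline with a small model of policy myqos. This is an added example, not code from the original article or from the router vendor; it assumes first-match evaluation in binding order and that traffic matching no classifier is forwarded normally, and the names evaluate, normalize, POLICY and MISORDERED and the external test address are hypothetical.

```python
import ipaddress

# Values taken from the page's configuration.
GATE_NET = ipaddress.ip_network("10.1.1.0/24")  # acl 3001 destination
RESTRICTED = ["0015-c50d-0001", "0015-c50d-0002", "0015-c50d-0003"]


def normalize(mac):
    """Reduce common MAC notations to the xxxx-xxxx-xxxx form used above."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def match_gate(src_mac, dst_ip):
    """Classifier gate: destination inside the network permitted by acl 3001."""
    return ipaddress.ip_address(dst_ip) in GATE_NET


def mac_matcher(mac):
    """Classifier macN: source MAC equals one restricted address."""
    return lambda src_mac, dst_ip: normalize(src_mac) == mac


# Binding order from "traffic policy myqos": gate/p1 first, then macN/d1.
POLICY = [("gate", match_gate, "permit")] + [
    (f"mac{i}", mac_matcher(m), "deny") for i, m in enumerate(RESTRICTED, 1)
]
# The mistake the configuration notes warn about: deny entries bound first.
MISORDERED = POLICY[1:] + POLICY[:1]


def evaluate(policy, src_mac, dst_ip):
    """Return (classifier, action) for the first classifier that matches.

    Assumption: a packet matching no classifier is forwarded normally.
    """
    for name, matcher, action in policy:
        if matcher(src_mac, dst_ip):
            return name, action
    return None, "permit"


if __name__ == "__main__":
    # Constructed sample packets: (source MAC, destination IP).
    for pkt in [("00:15:C5:0D:00:01", "10.1.1.1"),
                ("0015-c50d-0001", "203.0.113.10"),
                ("0015-c50d-00ff", "203.0.113.10")]:
        print(pkt, evaluate(POLICY, *pkt), evaluate(MISORDERED, *pkt))
```

With the deny classifiers bound first, the restricted hosts lose the gateway as well, which is why the gate classifier has to be bound ahead of them.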
