Restricting Internet Access for Specific Hosts Using MAC-Based ACL on a Router
This guide explains how to configure a router to block selected LAN hosts from accessing the Internet by applying source-MAC-address based ACLs while still permitting those hosts to reach the gateway, using VLAN, traffic classifiers, and traffic policies.
The network diagram (Figure 1) shows a router acting as the enterprise gateway; internal users access the Internet through this router. Because the target hosts may change IP addresses, restricting them by IP is ineffective, so the recommended solution is to limit access based on source MAC addresses, allowing the hosts to reach the gateway but not the external Internet.
Operation Steps
Router Configuration
sysname Router
vlan batch 10
acl number 3001 // create numbered ACL 3001
 rule 1 permit ip destination 10.1.1.0 0.0.0.255 // permit traffic destined to the gateway subnet 10.1.1.0/24
traffic classifier gate operator and
 if-match acl 3001 // match ACL 3001
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001 // match source MAC 0015-c50d-0001
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002 // match source MAC 0015-c50d-0002
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003 // match source MAC 0015-c50d-0003
traffic behavior p1
 permit // allow traffic
traffic behavior d1
 deny // deny and discard traffic
traffic policy myqos // define traffic policy named myqos
 classifier gate behavior p1 // bind classifier gate to behavior p1
 classifier mac1 behavior d1 // bind classifier mac1 to deny behavior
 classifier mac2 behavior d1 // bind classifier mac2 to deny behavior
 classifier mac3 behavior d1 // bind classifier mac3 to deny behavior
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound // apply myqos policy inbound on the interface
interface Ethernet2/0/0
 port link-type trunk // set interface as trunk
 port trunk allow-pass vlan 10 // allow VLAN 10 on trunk
Verify Configuration
Run the display traffic policy user-defined command to view the details of the applied traffic policy.
On a restricted host, you should be able to ping the gateway address but not any IP address outside the LAN.
Configuration Notes
Ensure the interface connecting the switch and router is configured as a trunk and includes VLAN 10.
Because packets are matched against the classifiers of a traffic policy in the order they were bound, when creating the myqos policy you must first bind the classifier and behavior that allow gateway access (gate with p1), then the classifiers and behaviors that block Internet access (mac1, mac2, mac3 with d1). If the MAC classifiers were bound first, a restricted host's packets to the gateway would match its MAC classifier and be discarded before the gate classifier was ever evaluated.
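As an added illustration of this ordering rule (not part of the original guide and not the router's own code), the following Python model evaluates packets against the policy as an ordered first-match list of classifier/behavior pairs, using the same ACL wildcard mask and MAC values as the configuration above. The packet values are constructed, and the model assumes that traffic matched by no classifier is forwarded unchanged.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model carrying only the fields the page's classifiers inspect.
@dataclass(frozen=True)
class Packet:
    src_mac: str   # Huawei notation, e.g. "0015-c50d-0001"
    dst_ip: str


def acl_wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Emulate 'rule permit ip destination <network> <wildcard>'.
    A wildcard bit of 1 means 'do not care', 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def normalize_mac(mac: str) -> str:
    return mac.replace("-", "").replace(":", "").lower()


# Classifier 'gate': if-match acl 3001, where ACL 3001 permits destination 10.1.1.0/24.
def classifier_gate(pkt: Packet) -> bool:
    return acl_wildcard_match(pkt.dst_ip, "10.1.1.0", "0.0.0.255")


# Classifiers mac1..mac3: if-match source-mac <address>.
def make_mac_classifier(mac: str):
    target = normalize_mac(mac)
    return lambda pkt: normalize_mac(pkt.src_mac) == target


GATE = ("gate", classifier_gate, "permit")          # classifier gate behavior p1
MAC_RULES = [
    ("mac1", make_mac_classifier("0015-c50d-0001"), "deny"),  # classifier mac1 behavior d1
    ("mac2", make_mac_classifier("0015-c50d-0002"), "deny"),
    ("mac3", make_mac_classifier("0015-c50d-0003"), "deny"),
]

# Order as the guide prescribes: gate first, then the MAC deny classifiers.
CORRECT_POLICY = [GATE] + MAC_RULES
# The mistake the guide warns about: MAC deny classifiers bound before gate.
REVERSED_POLICY = MAC_RULES + [GATE]


def apply_policy(policy, pkt: Packet, default: str = "permit") -> str:
    """First-match evaluation. Assumption: unmatched traffic is forwarded (permit)."""
    for _name, match, behavior in policy:
        if match(pkt):
            return behavior
    return default


# Constructed sample traffic: a restricted host and an unrestricted host,
# each sending to the gateway and to an address outside the LAN.
RESTRICTED = "0015-c50d-0001"
UNRESTRICTED = "0015-c50d-00aa"
GATEWAY = "10.1.1.1"
OUTSIDE = "203.0.113.10"   # documentation range, stands in for "the Internet"


def evaluate(policy) -> dict:
    """Return the decision for each (source, destination) combination."""
    return {
        "restricted->gateway": apply_policy(policy, Packet(RESTRICTED, GATEWAY)),
        "restricted->outside": apply_policy(policy, Packet(RESTRICTED, OUTSIDE)),
        "unrestricted->gateway": apply_policy(policy, Packet(UNRESTRICTED, GATEWAY)),
        "unrestricted->outside": apply_policy(policy, Packet(UNRESTRICTED, OUTSIDE)),
    }


if __name__ == "__main__":
    for label, policy in (("correct order", CORRECT_POLICY), ("reversed order", REVERSED_POLICY)):
        print(label)
        for flow, decision in evaluate(policy).items():
            print(f"  {flow:24s} {decision}")
```

With the correct order the restricted host can reach the gateway subnet but not the outside address, while unrestricted hosts are unaffected; with the reversed order the restricted host loses gateway access as well, which is exactly the symptom to look for if a "cannot ping the gateway" report comes in after this policy is deployed.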