Restricting Internet Access for Specific Hosts Using MAC‑Based ACL on a Router
This guide explains how to configure a router to block selected LAN hosts from accessing the Internet by applying source‑MAC‑address based ACLs while still permitting those hosts to reach the gateway, using VLAN, traffic classifiers, and traffic policies.
The network diagram (Figure 1) shows a router acting as the enterprise gateway; internal users access the Internet through this router. Because the target hosts may change IP addresses, restricting them by IP is ineffective, so the recommended solution is to limit access based on source MAC addresses, allowing the hosts to reach the gateway but not the external Internet.
Operation Steps
Router Configuration
sysname Router
vlan batch 10
acl number 3001                                     // create numbered ACL 3001
 rule 1 permit ip destination 10.1.1.0 0.0.0.255    // allow traffic to the gateway network 10.1.1.0/24
traffic classifier gate operator and
 if-match acl 3001                                  // match ACL 3001
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001                 // match source MAC 0015-c50d-0001
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002                 // match source MAC 0015-c50d-0002
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003                 // match source MAC 0015-c50d-0003
traffic behavior p1
 permit                                             // allow traffic
traffic behavior d1
 deny                                               // deny and discard traffic
traffic policy myqos                                // define traffic policy named myqos
 classifier gate behavior p1                        // bind classifier gate to behavior p1 (must come first)
 classifier mac1 behavior d1                        // bind classifier mac1 to the deny behavior
 classifier mac2 behavior d1                        // bind classifier mac2 to the deny behavior
 classifier mac3 behavior d1                        // bind classifier mac3 to the deny behavior
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound                       // apply the myqos policy inbound on the interface
interface Ethernet2/0/0
 port link-type trunk                               // set the interface as a trunk port
 port trunk allow-pass vlan 10                      // allow VLAN 10 on the trunk
Verify Configuration
Execute display traffic policy user-defined to view the applied traffic policy details.
On a restricted host, you should be able to ping the gateway address but not any IP address outside the LAN.
Configuration Notes
Ensure the interface connecting the switch and router is configured as a trunk and includes VLAN 10.
Because a packet is checked against the classifiers bound to a policy in configuration order and the first match decides the behavior, when creating the myqos policy you must first bind the classifier and behavior that allow gateway access (gate / p1), and only then the MAC classifiers and the deny behavior that block Internet access. If the order is reversed, the deny classifier matches the restricted hosts' traffic first and they lose access to the gateway as well.
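The ordering rule above can be checked with the small model below. It is an added example, not part of the original article or of the router's software: it reproduces the ACL wildcard-mask match and the first-match evaluation of the myqos policy, then shows what happens when the deny classifiers are bound before the gate classifier. All function names and the sample packets are constructed here.

```python
import ipaddress

def acl_matches(acl_rule, dst_ip):
    """Huawei-style ACL rule (network, wildcard): a 0 bit in the wildcard
    means that bit of the address must match the network."""
    network, wildcard = acl_rule
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    ip = int(ipaddress.IPv4Address(dst_ip))
    mask = ~wc & 0xFFFFFFFF
    return (ip & mask) == (net & mask)

# ACL 3001 from the article: rule 1 permit ip destination 10.1.1.0 0.0.0.255
ACL_3001 = [("10.1.1.0", "0.0.0.255")]
# Source MACs of the restricted hosts (classifiers mac1..mac3)
BLOCKED_MACS = ["0015-c50d-0001", "0015-c50d-0002", "0015-c50d-0003"]

def classifier_gate(pkt):
    """Classifier 'gate': if-match acl 3001."""
    return any(acl_matches(rule, pkt["dst_ip"]) for rule in ACL_3001)

def classifier_mac(mac):
    """Classifier macN: if-match source-mac <mac>."""
    return lambda pkt: pkt["src_mac"].lower() == mac

# Policy myqos in the order the article requires: gate/permit first, then the denies.
MYQOS = [(classifier_gate, "permit")] + [(classifier_mac(m), "deny") for m in BLOCKED_MACS]
# Misordered variant (hypothetical): deny classifiers bound before the gate classifier.
MYQOS_WRONG_ORDER = MYQOS[1:] + MYQOS[:1]

def apply_policy(policy, pkt, default="permit"):
    """First matching classifier decides; traffic matching no classifier passes."""
    for classifier, behavior in policy:
        if classifier(pkt):
            return behavior
    return default

def check_policy(policy):
    """Constructed test packets: restricted host -> gateway, restricted host ->
    Internet, unrestricted host -> Internet. Returns the three behaviors."""
    blocked_to_gw = {"src_mac": "0015-c50d-0001", "dst_ip": "10.1.1.1"}
    blocked_to_inet = {"src_mac": "0015-c50d-0001", "dst_ip": "203.0.113.10"}
    other_to_inet = {"src_mac": "0015-c50d-00ff", "dst_ip": "203.0.113.10"}
    return tuple(apply_policy(policy, p) for p in (blocked_to_gw, blocked_to_inet, other_to_inet))

if __name__ == "__main__":
    print(check_policy(MYQOS))              # ('permit', 'deny', 'permit')
    print(check_policy(MYQOS_WRONG_ORDER))  # ('deny', 'deny', 'permit')
```

With the correct order the restricted host still reaches the gateway; with the deny classifiers first it is cut off from the gateway too, which is the symptom the note above warns about.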