Configuring MAC Filtering

MAC Filtering lets you manage an allowlist of MAC addresses that can access the LAN. All others are blocked. The list is global for all interfaces defined on physical LAN ports. Starting in R81.10.00, this feature is also supported in 1600 and 1800 appliances.

Note - MAC filtering is configured separately for WiFi networks and for LAN ports. DMZ and WAN are excluded.

To enable MAC filtering:

  1. Add a MAC address to the LAN MAC Filter allowlist.

  2. Move the slider to ON.

After MAC filtering is enabled, you can disable the feature for specified networks.

To edit the LAN MAC Filter allowlist:

  1. Go to Device > MAC Filtering > LAN MAC Filter.

  2. To add a new MAC Address, click Add > New.

  3. To select MAC addresses from the list of Active Devices, click Add > Select.

  4. To edit a MAC address, select it from the list and click Edit.

  5. To delete a MAC address, select it from the list and click Delete.
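
Because every MAC address that is not on the allowlist is blocked once the slider is ON, it is worth comparing the allowlist with the devices currently on the LAN before enabling the feature. The Python script below is an added example, not Check Point code: the function names are hypothetical and the allowlist and device inventory are constructed sample data.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError.
    Accepts colon, hyphen and dotted (aabb.ccdd.eeff) notation."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set. Client
    operating systems often randomize such addresses, so an allowlist
    entry for one may stop matching the device later."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_allowlist(allowlist, active_devices):
    """Compare an allowlist with observed LAN devices.
    allowlist: iterable of MAC strings; active_devices: name -> MAC string."""
    allowed, invalid = set(), []
    for entry in allowlist:
        try:
            allowed.add(normalize_mac(entry))
        except ValueError:
            invalid.append(entry)  # typo or truncated entry
    seen = {normalize_mac(mac): name for name, mac in active_devices.items()}
    return {
        # devices that lose LAN access when filtering is switched ON
        "would_be_blocked": sorted(n for m, n in seen.items() if m not in allowed),
        # allowlist entries with no matching active device (stale or offline)
        "not_seen": sorted(allowed - set(seen)),
        "unstable": sorted(m for m in allowed if is_locally_administered(m)),
        "invalid": invalid,
    }

# Constructed sample data (not taken from a real appliance).
ALLOWLIST = ["00:00:5E:00:53:01", "00-00-5e-00-53-02", "00:00:5e:00:53:03",
             "3a1f.9c44.107e", "00:00:5e:00:53"]
ACTIVE = {"printer": "00:00:5e:00:53:01", "nas": "00:00:5e:00:53:02",
          "camera": "00:00:5e:00:53:0a", "phone": "3A:1F:9C:44:10:7E"}

if __name__ == "__main__":
    for finding, items in audit_allowlist(ALLOWLIST, ACTIVE).items():
        print(f"{finding}: {items}")
```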

To disable MAC filtering for a specific interface:

  1. Go to Device > Local Network.

  2. Select a LAN interface and click Edit.

    The Edit LAN window opens.

  3. Click Advanced.

  4. Select Disable MAC filtering.

    To enable, clear this option.

  5. Click Apply.

Note - MAC filtering is not supported on external, DMZ, and port bonding interfaces.

802.1x Authentication Protocol

IEEE 802.1x is a port-based network access protocol that provides an authentication mechanism for devices that are physically attached to the network.

802.1x authentication can be enabled on LAN ports that are not part of port bonding, internet connections, or port mirroring.

Workflow:

  1. Install and configure a RADIUS Server in your environment.

  2. Configure the RADIUS Server object on the appliance. See Managing Authentication Servers.

  3. Activate 802.1x authentication on a LAN switch, a separate LAN interface, or a tag-based VLAN interface defined on one of the LAN physical ports.

  4. Because 802.1x is port-based, if it is turned on for a tag-based VLAN, activate it on both the VLAN and the associated port (for example, LAN5 and LAN5.1).

To enable 802.1x authentication on a LAN switch or interface:

  1. Go to Device > Local Network.

  2. Select the LAN interface and click Edit.

    The Edit window opens in the Configuration tab.

  3. In the Advanced tab, select Activate 802.1x authentication.

  4. Enter a time for Re-authentication frequency (in seconds).

  5. Click Apply.

To enable 802.1x authentication on a tag-based VLAN interface:

  1. Go to Device > Local Network.

  2. Select the LAN and click New > VLAN.

    The New VLAN window opens in the Configuration tab.

  3. For Assigned to: select the LAN ID.

  4. In the Advanced tab, select Activate 802.1x authentication.

  5. Enter a time for Re-authentication frequency (in seconds).

  6. Click Apply.

To disable 802.1x authentication on an interface:

  1. Go to Device > Local Network.

  2. Select the LAN interface and click Edit.

    The Edit window opens in the Configuration tab.

  3. Click the Advanced tab.

  4. Clear Activate 802.1x authentication.

  5. Click Apply.

To configure logging for MAC filtering and 802.1x authentication:

  1. Go to Device > Advanced Settings.

  2. Set the value of the MAC Filtering settings - Log blocked MAC addresses attribute to:

    • Enabled - To enable logging.

    • Disabled - To disable logging.

    Note - This attribute is available only in Locally Managed mode. In Centrally Managed mode, configure logging with CLI.

  3. Optional -

    • To reduce the number of logs, specify the value of the MAC Filtering settings - Log suspension attribute in seconds.

    • To show all logs, set the value to "0".

Note - Traffic dropped in the WiFi driver is not logged.