The views expressed below do not in any way reflect internal doctrine or official statements of Netgear Inc. These are just my notes – use at your own risk.
 
This site is intended to be for educational purposes. I'm not here to plagiarize or copy anyone.
 

The proper way to set up MAC ACLs on NETGEAR switches is the same way Cisco does it: use reverse (wildcard) masks.

In other words:

A NOTE ON MAC ADDRESS MASKS:

It is similar to the reverse (wildcard) subnet mask used in IP ACLs. In an IP ACL, a 0 bit in the inverse mask means the corresponding bit of the address cannot vary (it must match), and a 1 bit means it can vary. An inverse MAC mask works the same way: a 0 means that part of the address cannot vary, and an f means it can vary.

(I will mention the octets of a MAC address a lot. Here is what an octet is: if we have the MAC address aa:bb:cc:11:22:33, then aa is an octet, bb is an octet, cc is an octet, 11 is an octet, 22 is an octet and 33 is an octet.)

So for example:

Let's say you have 4 phones from a company called abc; we all know the first three octets will be the same.

They will be the same because that is the standard for MAC addresses: each vendor has a unique OUI, and the OUI is simply the first 3 octets. So any equipment made by this company will have the same first 3 octets, in this case aa:bb:cc. If you buy a networked TV from them, its MAC address will be aa:bb:cc:something:something:something.

Take a look at these made-up MAC addresses for the company abc:

Phone 1 is aa:bb:cc:11:22:33

Phone 2 is aa:bb:cc:00:33:22 

Phone 3 is aa:bb:cc:54:43:32

Notice how the MAC address only varies in the last 3 octets. So if we wanted to say that any phone from company abc is allowed to access the network, I would simply write it like this:

Type of Rule: Permit

MAC Address: aa:bb:cc:00:00:00

MAC Mask: 00:00:00:ff:ff:ff

The mask will be 00:00:00 for the 3 octets that don't vary and ff:ff:ff for the 3 octets that do vary. In the MAC address field, though, you have to tell the switch what the first 3 octets should be, since they don't vary. The last 3 octets don't really matter, since they vary, so it is better to leave them as zeros, which gives you aa:bb:cc:00:00:00. Technically, since the switch knows the last 3 octets can vary, you can put anything there instead of zeros, so aa:bb:cc:anything:anything:anything should work as well. HOWEVER, just to be safe, the parts that vary should be written as 0 in the MAC address field. I hope that is not confusing.

So, to summarize: in the MAC address field, write the octets that do not vary exactly as they appear and write 0s for the octets that vary. In the MAC mask field, write 0s for the octets that do not vary and fs for the octets that do vary.

GENERAL – 3 COMMON CASES:

To select a single host such as a PC or a phone:

MAC: aa:bb:cc:dd:ee:ff MASK: 00:00:00:00:00:00

To select any host:

MAC: 00:00:00:00:00:00 MASK: ff:ff:ff:ff:ff:ff

To select a set of hosts that belong to the same OUI (the first 3 octets of the MAC address are the same):

MAC: aa:bb:cc:dd:ee:ff MASK: 00:00:00:ff:ff:ff

 

GENERAL- SUMMARY:

THE IDEA IS IN THE MASK

0 = what cannot change and MUST MATCH

f = what can differ and does NOT HAVE TO MATCH

 

GENERAL – RULE OF THUMB:

As a rule of thumb, it is best to put all the permits at the top and then a deny rule at the bottom (by default there should be an implicit deny-all rule, but just in case there isn't one we can put in our own; it won't hurt).

DENY RULE AT BOTTOM- MAC: 00:00:00:00:00:00 with MASK: ff:ff:ff:ff:ff:ff.

 

For example-1:

Customer wants to set up 3 computers so that only they are able to access the internet or anything on the network.

The computers' MAC addresses are aa:bb:cc:dd:ee:f1 for PC1, and then the last digit is 2 for PC2 and 3 for PC3.

TECH STEPS:

1. Make MAC ACL1

2. Make the rules in ACL1 like this:

S – meaning Source

D – meaning Destination

-rule-1-

permit = S.MAC: aa:bb:cc:dd:ee:f1 = S.MASK: 00:00:00:00:00:00 =D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff

 -rule-2-

permit = S.MAC: aa:bb:cc:dd:ee:f2 = S.MASK: 00:00:00:00:00:00 = D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff
 

-rule-3-

permit = S.MAC: aa:bb:cc:dd:ee:f3 = S.MASK: 00:00:00:00:00:00 = D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff
 

-rule-4-

deny   = S.MAC: 00:00:00:00:00:00 = S.MASK: ff:ff:ff:ff:ff:ff         = D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff

 

3. Apply it to all ports that these computers will be connected to, excluding (do not include) the port that uplinks to the firewall or next switch.

 

For example-2:

Customer wants to set up 3 Dell computers so that only they are able to access the internet or anything on the network.

The Dell computers all have the same first 3 octets in their MAC addresses, of the form dd:ee:11:##:##:##. The ## part will be unique to each Dell computer.

NOTE 2: Everything from the same vendor has the same unique OUI (the OUI is the first 3 octets of a MAC address).

NOTE 1: The last 3 octets start off at 0 and then increment by one with manufacture date, so newer devices have bigger MAC addresses.

PC1: dd:ee:11:00:00:1

PC2: dd:ee:11:02:30:2

PC3: dd:ee:11:04:10:3

NOTE THAT the first 3 octets are the same

TECH STEPS:

1. Make MAC ACL1

2. Make the rules in ACL1 like this:

S – meaning Source

D – meaning Destination

rule-1-

permit = S.MAC: dd:ee:11:00:00:00 = S.MASK: 00:00:00:ff:ff:ff =D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff

 rule-2-

deny   = S.MAC: 00:00:00:00:00:00 = S.MASK: ff:ff:ff:ff:ff:ff         = D.MAC: 00:00:00:00:00:00  = D.MASK: ff:ff:ff:ff:ff:ff

3. Apply it to all ports that these computers will be connected to, excluding (do not include) the port that uplinks to the firewall or next switch.
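To make the mask arithmetic from the "note on MAC address masks" section and the first-match rule ordering in example-1 and example-2 concrete, here is an added Python simulator. It is not part of these notes and not NETGEAR code: it implements the wildcard-mask comparison (mask 0 = must match, mask f = may vary), then evaluates the two ACL1 rule lists against sample source addresses. The names Rule, evaluate, ACL1_EXAMPLE1 and ACL1_EXAMPLE2 are mine, as is the assumption that the switch evaluates rules top to bottom with the first match winning and an implicit deny after the last rule.

```python
# Added example (not from the original notes, not NETGEAR code): a small
# simulator for Cisco/NETGEAR-style MAC ACLs that use reverse (wildcard) masks.
# Mask bit 0 = the frame's bit must equal the rule's bit; mask bit 1 (f) = may vary.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit all-ones


def parse_mac(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into a 48-bit integer; rejects malformed input
    (wrong octet count, or an octet that is not exactly two hex digits)."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def is_valid_mac(mac: str) -> bool:
    """True if parse_mac accepts the string (handy for checking typed-in rules)."""
    try:
        parse_mac(mac)
        return True
    except ValueError:
        return False


def mac_matches(frame_mac: str, rule_mac: str, mask: str) -> bool:
    """Wildcard-mask comparison: only bits where the mask is 0 are compared."""
    care = ~parse_mac(mask) & MAC_BITS          # bits that must match
    return (parse_mac(frame_mac) & care) == (parse_mac(rule_mac) & care)


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src_mac: str
    src_mask: str
    dst_mac: str = "00:00:00:00:00:00"   # default destination: any
    dst_mask: str = "ff:ff:ff:ff:ff:ff"


# The "select any" pair from the notes: all-zero MAC, all-f mask.
ANY = ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff")


def evaluate(acl: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom (assumed switch behaviour).
    Returns (action, index of the matching rule). No match -> ("deny", None),
    which models the implicit deny-all the notes say sits at the end."""
    for i, r in enumerate(acl):
        if mac_matches(src, r.src_mac, r.src_mask) and mac_matches(dst, r.dst_mac, r.dst_mask):
            return r.action, i
    return "deny", None


# Example-1 from the notes: three specific PCs permitted, explicit deny-all at the bottom.
ACL1_EXAMPLE1 = [
    Rule("permit", "aa:bb:cc:dd:ee:f1", "00:00:00:00:00:00"),
    Rule("permit", "aa:bb:cc:dd:ee:f2", "00:00:00:00:00:00"),
    Rule("permit", "aa:bb:cc:dd:ee:f3", "00:00:00:00:00:00"),
    Rule("deny", *ANY),
]

# Example-2 from the notes: any host with the made-up OUI dd:ee:11 permitted.
ACL1_EXAMPLE2 = [
    Rule("permit", "dd:ee:11:00:00:00", "00:00:00:ff:ff:ff"),
    Rule("deny", *ANY),
]


if __name__ == "__main__":
    # Constructed sample frames: (ACL, source MAC, destination MAC).
    samples = [
        (ACL1_EXAMPLE1, "aa:bb:cc:dd:ee:f2", "ff:ff:ff:ff:ff:ff"),  # PC2 broadcast
        (ACL1_EXAMPLE1, "aa:bb:cc:dd:ee:f4", "00:11:22:33:44:55"),  # unknown host
        (ACL1_EXAMPLE2, "dd:ee:11:04:10:03", "ff:ff:ff:ff:ff:ff"),  # Dell OUI
        (ACL1_EXAMPLE2, "dd:ee:12:04:10:03", "ff:ff:ff:ff:ff:ff"),  # different OUI
    ]
    for acl, src, dst in samples:
        action, idx = evaluate(acl, src, dst)
        print(f"{src} -> {dst}: {action} (rule {idx})")
```

Two things the simulator makes visible that the tables alone do not: putting the deny-any rule above the permits denies everything, because the first match wins; and a MAC typed with a one-digit octet is rejected by the parser, so a rule that "looks right" but never matches is caught before it is applied to a port.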
