SonicOS 7.0 Objects

Controlling a Dynamic Host’s Network Access by MAC Address

Because DHCP is far more common than static addressing in most networks, it is often difficult to predict the IP address of a dynamically configured host, particularly in the absence of dynamic DNS updates or reliable hostnames. In these situations, MAC address objects can control a host's access by its hardware (MAC) address, which stays constant across DHCP leases. Bear in mind that a MAC address is set by the client and is trivially changed on most operating systems, so this technique is a way to segment cooperative, managed devices, not a substitute for authenticating them.

Like most other access control methods, this can be applied either as a deny list, where a specific host or group of hosts is denied access and everything else is permitted, or as an allow list, where only a specific host or group of hosts is granted access and all others are denied. This example illustrates the latter.

Example

Assume you have a set of DHCP-enabled wireless clients running a proprietary operating system that precludes any form of user-level authentication, and you want to allow these clients to reach only one application-specific server (for example, 10.50.165.2) on your LAN. The WLAN segment uses WPA-PSK for security. These clients should have access to the 10.50.165.2 server and to no other LAN resources, while all other wireless clients should be unable to reach the 10.50.165.2 server but should have unrestricted access everywhere else.

To control a Dynamic Host's network access by MAC address for the above example

  1. Create MAC Address Objects.

    1. Navigate to OBJECT | Match Objects > Addresses > Address Objects.
    2. Click the Add icon and create the following MAC address objects (multi-homing is optional).

      Once created, hosts that are already present in the firewall's ARP cache resolve immediately; the others appear in an unresolved state in the Address Objects table until they become active and are discovered through ARP. Before relying on the rules below, confirm in the Address Objects table that each handheld's object has resolved, since a host that has not yet been seen by ARP cannot be matched by its MAC address object.

    3. Create an address group for the handheld devices according to Adding Address Groups.
  2. Create an Access Rule or a Security Policy.

    Classic Mode: Create an access rule on the POLICY | Rules and Policies > Access Rules page. For more information, refer to the Configuring Access Rules section in the SonicOS 7.0 Rules and Policies Administration Guide for Classic Mode.

    Policy Mode: Create a security policy on the POLICY | Rules and Policies > Security Policy page. For more information, refer to the Security Policy section in the SonicOS 7.0 Rules and Policies Administration Guide for Policy Mode.

    Sample access rules (in priority order)

    Setting         Access Rule 1         Access Rule 2         Access Rule 3         Access Rule 4
    Allow / Deny    Allow                 Deny                  Deny                  Allow
    From Zone       WLAN                  WLAN                  WLAN                  WLAN
    To Zone         LAN                   LAN                   LAN                   LAN
    Service         MediaMoose Services   MediaMoose Services   Any                   Any
    Source          Handheld Devices      Any                   Handheld Devices      Any
    Destination     10.50.165.2           10.50.165.2           Any                   Any
    Users allowed   All                   All                   All                   All
    Schedule        Always on             Always on             Always on             Always on

    Access rules are evaluated top-down and the first matching rule applies, so the order matters. Rule 1 allows the Handheld Devices group to reach the application server on its service; Rule 2 then denies every other WLAN source access to that server. Rule 3 denies the Handheld Devices group everything else on the LAN, and Rule 4 allows the remaining WLAN-to-LAN traffic from all other clients. If Rule 2 were placed above Rule 1, or Rule 4 above Rule 3, the broader rule would match first and the handhelds would be blocked from the server or allowed onto the rest of the LAN.

    The MediaMoose Services service object represents the specific application used by the handheld devices. Declaring a specific service is optional; use Any if the handhelds need every service on the server.
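The following is an added example, not SonicWall code, and it does not talk to a firewall: it is a small first-match evaluator for the four WLAN-to-LAN rules in the table, used to confirm that the rule order enforces the requirements stated in the example and to show what goes wrong when a broader rule is placed above a more specific one. The MAC addresses, the second LAN host 10.50.165.10, and the assumption that MediaMoose Services means TCP port 8080 are constructed for illustration only.

```python
from dataclasses import dataclass

# Constructed sample data (not from the SonicWall page): the members of the
# "Handheld Devices" MAC address group, the application server from the
# example, and an assumed TCP port for the "MediaMoose Services" object.
HANDHELD_DEVICES = frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})
APP_SERVER = "10.50.165.2"
MEDIAMOOSE_PORTS = frozenset({8080})   # assumption: MediaMoose Services = TCP/8080


@dataclass(frozen=True)
class Rule:
    action: str    # "Allow" or "Deny"
    service: str   # "MediaMoose Services" or "Any"
    source: str    # "Handheld Devices" or "Any"
    dest: str      # an IP address or "Any"


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow, resolved_macs: frozenset) -> bool:
    """Does this WLAN->LAN rule match the flow?

    A MAC address object only covers hosts the firewall has already resolved
    through ARP, so a handheld that is still unresolved is treated as not
    being in the group (the unresolved state described in the procedure).
    """
    if rule.service != "Any" and flow.dst_port not in MEDIAMOOSE_PORTS:
        return False
    if rule.source == "Handheld Devices":
        mac = flow.src_mac.lower()
        if mac not in HANDHELD_DEVICES or mac not in resolved_macs:
            return False
    if rule.dest != "Any" and flow.dst_ip != rule.dest:
        return False
    return True


def evaluate(rules, flow, resolved_macs=HANDHELD_DEVICES):
    """First match wins, top-down; no match falls through to an implicit deny.

    Returns (action, 1-based index of the matching rule) or ("Deny", None).
    """
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, flow, resolved_macs):
            return rule.action, index
    return "Deny", None


# The four rules from the table, in priority order.
ACCESS_RULES = [
    Rule("Allow", "MediaMoose Services", "Handheld Devices", APP_SERVER),  # 1
    Rule("Deny",  "MediaMoose Services", "Any",              APP_SERVER),  # 2
    Rule("Deny",  "Any",                 "Handheld Devices", "Any"),       # 3
    Rule("Allow", "Any",                 "Any",              "Any"),       # 4
]

HANDHELD = "00:11:22:33:44:01"        # constructed: a member of the group
LAPTOP = "aa:bb:cc:dd:ee:ff"          # constructed: any other WLAN client
OTHER_LAN_HOST = "10.50.165.10"       # constructed: some other LAN server


def check_requirements(rules, resolved_macs=HANDHELD_DEVICES):
    """Map each requirement from the example to whether the rule set meets it."""
    cases = {
        "handheld -> app server (app port)":   (Flow(HANDHELD, APP_SERVER, 8080), "Allow"),
        "handheld -> app server (other port)": (Flow(HANDHELD, APP_SERVER, 445), "Deny"),
        "handheld -> other LAN host":          (Flow(HANDHELD, OTHER_LAN_HOST, 445), "Deny"),
        "other client -> app server":          (Flow(LAPTOP, APP_SERVER, 8080), "Deny"),
        "other client -> other LAN host":      (Flow(LAPTOP, OTHER_LAN_HOST, 445), "Allow"),
    }
    return {name: evaluate(rules, flow, resolved_macs)[0] == want
            for name, (flow, want) in cases.items()}


if __name__ == "__main__":
    for name, ok in check_requirements(ACCESS_RULES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    # Same rules with the broad Deny (rule 2) placed above the specific Allow (rule 1):
    misordered = [ACCESS_RULES[1], ACCESS_RULES[0]] + ACCESS_RULES[2:]
    print("misordered:", check_requirements(misordered))
    # A handheld whose MAC object has not resolved yet is treated like any other client:
    print("unresolved handheld:", evaluate(ACCESS_RULES, Flow(HANDHELD, APP_SERVER, 8080), frozenset()))
```

Running the script prints PASS for all five requirements with the rules in the order shown in the table, shows the misordered variant failing the "handheld -> app server" case, and shows that an unresolved handheld falls through to Rule 2 and is denied the server, which is why checking resolution in the Address Objects table is part of the procedure.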
