[Archive] Can I manage network or Internet access by MAC address?

  [KB5170]

Operator wants to manage or restrict user access to network resources by MAC address.  Is this possible?
  • Can I manage or restrict user access to network resources by MAC address?
  • Filter based on a layer 2 MAC address?
  • Block by MAC address?

Juniper NetScreen firewalls are layer 3 (Network Layer) devices. MAC addresses operate at layer 2. Juniper has no plans to support filtering by MAC address.

Additionally, it is relatively easy to "spoof" a MAC address, which would render this type of filtering ineffective for rigorous enforcement.

If the firewall also provides DHCP service to the network, a very weak protection could be accomplished by restricting the target MAC address to a specific IP address, then blocking that IP address. This would only work against non-malicious or unintentional access; it does not withstand an intentional attempt to override the control (for example, the user could simply give themselves a fixed IP address which is in the permitted range).
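Because the reservation-plus-block control fails silently when a host sets its own address, it helps to audit for that case. The following is an added example, not Juniper code: it compares observed (IP, MAC) pairs, such as an exported ARP table, against the DHCP reservations and flags a restricted MAC seen on any other address. All names and addresses are constructed.

```python
import ipaddress

def norm_mac(mac):
    """Normalize a MAC (colon, dash or dotted form) to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit(reservations, blocked_ips, observed):
    """Flag restricted MACs that appear on an IP the deny policy does not cover.

    reservations: {mac: ip} fixed leases configured on the DHCP server
    blocked_ips:  reserved IPs that the firewall policy denies
    observed:     iterable of (ip, mac) pairs, e.g. from an ARP table export
    Limitation: a host that also changes its MAC is not matched at all.
    """
    reserved = {norm_mac(m): ipaddress.ip_address(ip)
                for m, ip in reservations.items()}
    blocked = {ipaddress.ip_address(ip) for ip in blocked_ips}
    findings = []
    for ip, mac in observed:
        ip, mac = ipaddress.ip_address(ip), norm_mac(mac)
        want = reserved.get(mac)
        if want is None or want not in blocked:
            continue  # this MAC is not subject to the block
        if ip != want:
            # Same MAC, different IP: the deny rule for `want` no longer applies.
            findings.append((mac, str(ip), f"expected {want}"))
    return findings

# Constructed sample data (hypothetical network 192.168.1.0/24).
RESERVATIONS = {"00:11:22:33:44:55": "192.168.1.50",
                "00-11-22-33-44-66": "192.168.1.51"}
BLOCKED = {"192.168.1.50"}
OBSERVED = [
    ("192.168.1.50", "0011.2233.4455"),      # restricted host on its reserved IP
    ("192.168.1.120", "00:11:22:33:44:55"),  # same host with a self-assigned IP
    ("192.168.1.51", "00:11:22:33:44:66"),   # reserved but not blocked
    ("192.168.1.30", "aa:bb:cc:dd:ee:ff"),   # no reservation
]

if __name__ == "__main__":
    for finding in audit(RESERVATIONS, BLOCKED, OBSERVED):
        print(finding)
```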

The most effective method for managing access is a formal Network Access Control (NAC) methodology.

Modification History:
2019-08-26: Article reviewed for accuracy.  Minor format changes.