
Forum Discussion

Techgeeeg_28888
Sep 10, 2015

Irule to block users based on mac address

Hi Everyone,

I would like to know from the experts whether there is a way an iRule can be used to block users' access to the application based on their MAC address. Will this be achievable using an iRule or not?

Regards,

3 Replies

  • Hello,

    You sure can do it using iRules. Use LINK::lasthop to return the value of the source MAC address. Once you have the value, you can then use a basic comparison against a list of entries in an LTM data-group and decide whether the packet will be dropped, rejected or accepted. https://devcentral.f5.com/wiki/iRules.LINK__lasthop.ashx

    Note: if your clients are not in the same VLAN, the value returned by LINK::lasthop command will always be the MAC address of your router interface (or another L3 device you're using to implement cross-VLAN routing).

  • Hi Hannes,

    Thanks for the reply and the link. Can you please help me in building the iRule for this....

    when CLIENT_ACCEPTED {
        # Compare the source MAC against the data group "datagroup";
        # "Allow" is not an iRule command, a matching client simply
        # falls through (return) and the connection proceeds.
        if { [class match [LINK::lasthop] equals datagroup] } {
            return
        } else {
            drop
        }
    }
    
  • LTM iRule config

    ltm rule /Common/irule_l2_mac_whitelist {
      when CLIENT_ACCEPTED {

        # Note the space before the body brace: "]}{" is a Tcl syntax error.
        if { [class match [LINK::lasthop] equals "data_l2_mac_whitelist"] } {
          log local0. "Client: <[IP::client_addr]:[TCP::client_port]> MAC <[LINK::lasthop]>. Permitted"
          return
        } else {
          log local0. "Client: <[IP::client_addr]:[TCP::client_port]> MAC <[LINK::lasthop]>. Dropped"
          drop
        }
      }
    }
    

    LTM data-group config

    ltm data-group internal /Common/data_l2_mac_whitelist {
        records {
            ff:ff:ff:ff:ff:ff { data dummy-mac }
        }
        type string
    }
    

    Connecting to service and checking logs (/var/log/ltm)

    Sep 14 06:47:11 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43470> MAC <00:1b:21:b1:f1:91>. Dropped
    

    Adding my MAC to whitelist data-group

    hannesr@ccwdlqa-lb01(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify ltm data-group internal data_l2_mac_whitelist records add { 00:1b:21:b1:f1:91 }
    

    Connecting to service and checking logs (/var/log/ltm)

    Sep 14 06:48:22 ccwdlqa-lb01 info tmm1[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43471> MAC <00:1b:21:b1:f1:91>. Permitted
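As an added example that is not part of the thread: a small Python script that parses /var/log/ltm lines in the format the iRule above writes, tallies Permitted/Dropped per MAC, and flags any MAC that shows up with several distinct client IPs. That pattern is the symptom of the cross-VLAN case Hannes describes, where LINK::lasthop returns the router interface's MAC for every routed client, so one data-group entry silently decides for all of them. The first two sample lines are the ones from the thread; the remaining lines, the 10.20.0.x clients and the 00:00:5e:00:01:01 MAC, are constructed for the example.

```python
import re
from collections import defaultdict

# Sample log text: two lines copied from the thread plus three constructed lines
# that show one MAC (an assumed router interface) fronting several client IPs.
SAMPLE_LOG = """\
Sep 14 06:47:11 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43470> MAC <00:1b:21:b1:f1:91>. Dropped
Sep 14 06:48:22 ccwdlqa-lb01 info tmm1[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43471> MAC <00:1b:21:b1:f1:91>. Permitted
Sep 14 06:49:02 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <10.20.0.5:51000> MAC <00:00:5e:00:01:01>. Permitted
Sep 14 06:49:03 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <10.20.0.6:51001> MAC <00:00:5e:00:01:01>. Permitted
Sep 14 06:49:04 ccwdlqa-lb01 info tmm1[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <10.20.0.7:51002> MAC <00:00:5e:00:01:01>. Permitted
"""

# Matches the message body the iRule logs: rule name, client ip:port, MAC, verdict.
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) : Client: <(?P<ip>[^:>]+):(?P<port>\d+)> "
    r"MAC <(?P<mac>[0-9a-f:]{17})>\. (?P<verdict>Permitted|Dropped)$"
)


def parse_ltm_log(text):
    """Return one dict per line that matches the iRule's log format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per MAC: the set of client IPs seen and a count per verdict."""
    per_mac = defaultdict(lambda: {"ips": set(), "Permitted": 0, "Dropped": 0})
    for e in events:
        entry = per_mac[e["mac"]]
        entry["ips"].add(e["ip"])
        entry[e["verdict"]] += 1
    return per_mac


def shared_macs(per_mac, min_ips=2):
    """MACs seen with at least min_ips distinct client IPs.

    A MAC shared by many client IPs is normally an L3 hop (router interface),
    not an end station: every client behind it inherits that MAC's verdict,
    so the whitelist is no longer making a per-client decision.
    """
    return sorted(mac for mac, e in per_mac.items() if len(e["ips"]) >= min_ips)


if __name__ == "__main__":
    per_mac = summarize(parse_ltm_log(SAMPLE_LOG))
    for mac, e in sorted(per_mac.items()):
        print(f"{mac}: permitted={e['Permitted']} dropped={e['Dropped']} "
              f"clients={len(e['ips'])}")
    for mac in shared_macs(per_mac):
        print(f"WARNING: {mac} is shared by {len(per_mac[mac]['ips'])} client IPs; "
              "likely a router MAC, whitelist is not per client here")
```

Run it against a real /var/log/ltm by reading the file into parse_ltm_log instead of SAMPLE_LOG; a MAC that the script flags as shared is one to remove from the data-group, since permitting it admits every host routed through that interface.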