Techgeeeg_28888
Nimbostratus
Sep 10, 2015
iRule to block users based on MAC address
Hi Everyone,
I would like to know from the experts whether there is a way an iRule can be used to block users' access to the application based on their MAC address. Will this be achievable using an iRule ...
Hannes_Rapp
Nimbostratus
Sep 14, 2015

LTM iRule config

    ltm rule /Common/irule_l2_mac_whitelist {
        when CLIENT_ACCEPTED {
            # LINK::lasthop is the MAC address of the last layer-2 hop for this connection
            if {[class match [LINK::lasthop] equals "data_l2_mac_whitelist"]} {
                log local0. "Client: <[IP::client_addr]:[TCP::client_port]> MAC <[LINK::lasthop]>. Permitted"
                return
            } else {
                # MAC not found in the data group: drop the connection
                log local0. "Client: <[IP::client_addr]:[TCP::client_port]> MAC <[LINK::lasthop]>. Dropped"
                drop
            }
        }
    }

LTM data-group config

    ltm data-group internal /Common/data_l2_mac_whitelist {
        records {
            ff:ff:ff:ff:ff:ff { data dummy-mac }
        }
        type string
    }

Connecting to service and checking logs (/var/log/ltm)

    Sep 14 06:47:11 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43470> MAC <00:1b:21:b1:f1:91>. Dropped

Adding my MAC to whitelist data-group

    hannesr@ccwdlqa-lb01(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify ltm data-group internal data_l2_mac_whitelist records add { 00:1b:21:b1:f1:91 }

Connecting to service and checking logs (/var/log/ltm)

    Sep 14 06:48:22 ccwdlqa-lb01 info tmm1[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43471> MAC <00:1b:21:b1:f1:91>. Permitted
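
An added example, not part of the thread or of F5's code: `LINK::lasthop` is the MAC of the previous layer-2 hop, so clients that reach the BIG-IP through a router all log the router's MAC. This Python script parses the log lines written by the iRule above, counts verdicts per MAC and flags MACs shared by several client IPs. The function names and the last three sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format written by the iRule's two log statements.
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) : Client: <(?P<ip>[^>]+):(?P<port>\d+)> "
    r"MAC <(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})>\. "
    r"(?P<verdict>Permitted|Dropped)"
)

def parse_line(line):
    """Return rule, ip, port, mac and verdict for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()   # normalise case before grouping
    rec["port"] = int(rec["port"])
    return rec

def summarize(lines):
    """Per MAC: verdict counts and the set of client IPs seen behind it."""
    stats = defaultdict(lambda: {"Permitted": 0, "Dropped": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec:
            stats[rec["mac"]][rec["verdict"]] += 1
            stats[rec["mac"]]["clients"].add(rec["ip"])
    return dict(stats)

def shared_macs(stats, min_clients=2):
    """MACs that front several client IPs, i.e. a gateway rather than one host."""
    return sorted(m for m, s in stats.items() if len(s["clients"]) >= min_clients)

# First two lines are from the thread; the last three are constructed samples.
SAMPLE = """\
Sep 14 06:47:11 ccwdlqa-lb01 info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43470> MAC <00:1b:21:b1:f1:91>. Dropped
Sep 14 06:48:22 ccwdlqa-lb01 info tmm1[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <172.31.8.11:43471> MAC <00:1b:21:b1:f1:91>. Permitted
Sep 14 06:50:01 lb-example info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <192.0.2.10:50100> MAC <02:00:00:00:00:01>. Permitted
Sep 14 06:50:02 lb-example info tmm[15097]: Rule /Common/irule_l2_mac_whitelist : Client: <192.0.2.77:50101> MAC <02:00:00:00:00:01>. Permitted
Sep 14 06:50:03 lb-example info tmm[15097]: Rule /Common/other_rule : unrelated message
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for mac, s in sorted(stats.items()):
        print(mac, s["Permitted"], s["Dropped"], sorted(s["clients"]))
    print("shared:", shared_macs(stats))
```

A whitelisted MAC that appears in `shared_macs` admits every client routed through that hop, so the data group entry is permitting a network segment rather than one user.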