Layer 2 ACL configuration on ZD and mapping it to a specific SSID


This article explains how to configure a MAC ACL and assign it to a specific SSID.


How to allow or deny service to clients according to their MAC addresses (L2 ACL), and how to map the ACL to a WLAN.

Customer Environment

ZoneDirector managed wireless network.

Root Cause

Want to allow only certain clients to access the wireless network.

Troubleshooting Steps





Layer 2 Access Control Lists (MAC ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame.

Below are the steps to configure L2 ACL on ZD:

1) Navigate to ZD GUI > Configure > Access Control. For release 10.1 and above, go to Services & Profiles > Access Control.

2) Under L2/MAC Access control, create a new ACL and give it a name.

3) Choose between "Only allow all stations listed below" and "Only deny all stations listed below" based on your requirement, and then type in all MAC addresses.

Please note that there is a 128 MAC address limitation per ACL.

Mapping the ACL to the WLAN:

ZD GUI > Configure > WLANs > Edit the WLAN > Advanced Options > Access Control > Choose the L2/MAC ACL from the dropdown (created as per the above procedure).

For release 10.1 and above:

ZD GUI > Wireless LANs > Edit > Advanced Options > Access Control > L2/MAC > Choose the L2/MAC ACL from the dropdown (created as per the above procedure).

Important Note: Make sure that the MAC addresses are correct and consistent with the MAC nomenclature. In other words, changing all of the MAC addresses to lower case alleviated the issue for a customer. He had a mix of client MAC addresses, some of them in all caps; changing all of them to lower case fixed the issue and allowed the whitelist to work.
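The following is an added example, not part of the original article or any Ruckus tooling: a small Python helper that prepares a MAC list before it is typed into the ACL, applying the lower-case consistency advice and the 128-entry limit described above. The function names, the colon-separated output format, and the sample addresses are assumptions made for illustration.

```python
import re

MAX_ENTRIES_PER_ACL = 128  # per-ACL limit stated in this article
_HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed sample input (RFC 7042 documentation range), mixed case and separators.
SAMPLE = ["00:00:5E:00:53:0A", "00:00:5e:00:53:0a", "00-00-5E-00-53-0B",
          "0000.5e00.530c", "not-a-mac", ""]


def normalize_mac(raw):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or raise ValueError.

    Output format is an assumption; the article only requires consistent lower case.
    """
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def prepare_acl_entries(raw_macs):
    """Normalize and de-duplicate a MAC list for one L2/MAC ACL.

    Returns (entries, rejected, over_limit): entries are unique normalized
    addresses in input order, rejected are inputs that did not parse, and
    over_limit is how many entries exceed the 128-address ACL limit.
    """
    seen, entries, rejected = set(), [], []
    for raw in raw_macs:
        if not raw.strip():
            continue  # skip blank lines from a pasted list
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if mac not in seen:  # same client entered in two different cases
            seen.add(mac)
            entries.append(mac)
    over_limit = max(0, len(entries) - MAX_ENTRIES_PER_ACL)
    return entries, rejected, over_limit


if __name__ == "__main__":
    entries, rejected, over_limit = prepare_acl_entries(SAMPLE)
    print("\n".join(entries))
    print("rejected:", rejected, "over limit by:", over_limit)
```

Reviewing the rejected list and the over-limit count before entering addresses catches typos and duplicate entries that differ only in case.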

Article Number:

August 14, 2020 12:01 PM (almost 2 years ago)

Configuration, Security, ZoneDirector

