MAC address exclusion
MAC address Exclusion allows you to create a list of MAC addresses that will be ignored when they connect to the network. If a device or host with one of these MAC addresses connects to the network, FortiNAC ignores the connection and allows the host or device onto the production network.
An event, "Found Ignored MAC address", is generated each time a host or device connects with a MAC address in this list. Configure an alarm for the event with email notification to alert Administrators. The event can also be disabled if notification is unnecessary.
Default settings
This feature is set by default to ignore Microsoft LLTD and Multicast MAC addresses indefinitely. When any MAC address that falls within either the Microsoft LLTD or Multicast address range connects, FortiNAC does the following:
- Creates a "Found Microsoft LLTD or Multicast Address" event and an alarm alerting the administrator that FortiNAC has seen a Microsoft LLTD or Multicast address on the network for the first time. This critical alarm warns administrators that if these addresses should continue to be ignored, they must configure the MAC address Exclusions list or the MAC addresses will be treated as rogues.
- A timer is set that expires in 48 hours.
- While that timer is active, FortiNAC continues to ignore Microsoft LLTD and Multicast MAC addresses. Events and alarms continue to be created for each connection from one of these MAC addresses.
- If the administrator has not configured the MAC address Exclusions, when the 48-hour timer expires FortiNAC no longer ignores Microsoft LLTD and Multicast MAC addresses. FortiNAC creates rogues for each MAC address that connects, just as it would for any other MAC address.
Administrators can configure MAC address Exclusion at any time to include or exclude Microsoft LLTD and Multicast MAC addresses. As soon as settings have been modified, the default behavior described above stops and the new settings take effect.
Configure exclusion list
- Click System > Settings.
- Expand the User/Host Management folder.
- Select MAC address Exclusion from the tree.
- Use the Exclude Microsoft LLTD Addresses and Exclude Multicast Addresses check boxes to add or remove those ranges from the Address Range table.
- To Add Other Ranges, click Add and enter a name, starting MAC address and ending MAC address.
- To Modify A Range, select it from the list and click Modify.
- To Delete A Range, select it from the list and click Delete.
- Changes are saved immediately.
Settings
| Field | Definition |
| --- | --- |
| Exclude Microsoft LLTD Addresses | If enabled, adds the complete range of Microsoft LLTD MAC addresses to the Excluded MAC address Ranges table, ensuring that the correct range has been entered. |
| Exclude Multicast Addresses | If enabled, adds the complete range of Multicast MAC addresses to the Excluded MAC address Ranges table, ensuring that the correct range has been entered. |
| Name | User specified name of the MAC address range. |
| Start MAC | First MAC address in the range. |
| End MAC | Last MAC address in the range. |
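Because every address between Start MAC and End MAC is ignored and allowed onto the production network, it is worth reviewing a planned list before entering it. The following is an added example, not FortiNAC code: it checks Name / Start MAC / End MAC entries for reversed bounds, reports how many addresses and vendor prefixes each range covers and whether it can match unicast (host) addresses, and lists which observed MACs would be ignored. The ranges and observed MACs are constructed sample values; the "IPv4 multicast" entry is the standard IPv4 multicast MAC block and is not claimed to be the range FortiNAC adds.

```python
import re

def parse_mac(text):
    """Accept colon, dash, dot or bare-hex notation; return a 48-bit integer."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def is_group(mac):
    """Multicast/broadcast addresses have the low bit of the first octet set."""
    return bool((mac >> 40) & 1)

def audit_ranges(ranges, seen_macs):
    """Review (name, start, end) exclusion ranges against observed MACs."""
    report = []
    for name, start_text, end_text in ranges:
        start, end = parse_mac(start_text), parse_mac(end_text)
        if start > end:
            report.append({"name": name, "error": "Start MAC is after End MAC"})
            continue
        first, last = start >> 40, end >> 40
        report.append({
            "name": name,
            "size": end - start + 1,
            # Number of distinct 24-bit vendor prefixes the range touches.
            "ouis": (end >> 24) - (start >> 24) + 1,
            # Only a range inside one odd first octet is free of unicast addresses.
            "covers_unicast": not (first == last and first & 1),
            "ignored": [m for m in seen_macs if start <= parse_mac(m) <= end],
        })
    return report

# Constructed sample data, not taken from any FortiNAC installation.
RANGES = [
    ("Lab printers", "00:11:22:33:44:00", "00:11:22:33:44:FF"),
    ("Typo in end", "00-11-22-33-44-00", "00-11-23-33-44-FF"),
    ("IPv4 multicast", "01:00:5E:00:00:00", "01:00:5E:7F:FF:FF"),
    ("Reversed", "00:11:22:33:44:FF", "00:11:22:33:44:00"),
]
SEEN = ["00:11:22:33:44:10", "0011.22aa.bb01", "01:00:5e:00:00:fb", "00:11:24:00:00:01"]

if __name__ == "__main__":
    for row in audit_ranges(RANGES, SEEN):
        print(row)
```

In the sample data, the one-digit difference in the "Typo in end" entry turns a 256-address range into one that spans two vendor prefixes and ignores a second observed host.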