Port Based MAC Address Filtering on a Zyxel GS1900 Switch

Posted on 07/02/2017 by Brian Carey

In this post we'll show how to lock down a port on a Zyxel GS1900 network switch to only allow traffic for specific MAC address.  The Zyxel documentation is very lacking when it comes to the port security features so we figured we'd share these details in hopes that others could benefit from the time we put into getting this working.  Here at the office we have one of these switches and a recent need arose to ensure that only some owned devices could plug into a port and get on the private network.  Thus far the switch has been a great piece of equipment for the price, performs well, and met our minimal needs.  I knew that it supported port security such as this but once logged into the web interface the options didn't make much sense at first.  But after a little trial and error I figured it out and we now have a port secured to only allow two specific MAC addresses to connect to it.


For this example we'll assume that we have the following two devices/MAC addresses that we want to grant access for them to connect to port 8.  In our scenario we have one physical device which is running a Virtual Box VM in Bridged Networking mode so the VM access the port just like any other  device would.  So we specify both the physical MAC and the MAC for the virtual machine's network card.

72:BE:E0:07:23:95
72:BE:E0:07:23:96

1. First, login to the web administration tool for your switch and navigate to the Configuration section in the left hand navigation as shown here:


2. Next, click on the MAC Table navigation item.  Then add your two MAC addresses to the MAC Table as Static MAC entries on port 8.  For example:

3. Next, expand the Security tree in the navigation and click on the Port Security navigation item.  On the Global tab, select the Enable radio button and click Apply.  For example:


4. Next, click on the Port tab on the same page.  Check the box next to port 8 and click the Edit button.  On the subsequent page, select the Enable radio button and change the Max MAC Entry Number field to 0 and click the Apply button.  This is important and the part that would really have been nice to have been better documented by Zyxel.  When finished it should look similar to this:

5.  You should now be able to plug in either of the devices to port 8 and they can access the network.  On the flip side, you should be able to plug in a device with a different MAC address and it not be able to access the network. In our case, both the physical computer and the Virtual Box VM can now access the network.

In conclusion, we hope someone finds this post helpful.  As always, please contact us with any questions or inquiries about this post.