First, while ACLs are not terribly secure (it is easy enough to spoof a MAC address), they do offer at least a speed bump to access to your wireless network. To spoof a MAC address you first have to know one that is on the ACL in order to gain access. Given the large number of addresses, guessing one that's on my private list might be difficult or take a long time. Also, most people will shrug and give up as soon as the network denies them access. Every little bit helps.

Of course, combining an ACL with one of the WPA variants is even better security. Hiding the SSID so that your network is mostly invisible is about as secure as you're going to get with off-the-shelf commercial/consumer equipment. Or, you can use a RADIUS server and 802.11x authentication for each client. How many of those layers you choose to implement is entirely up to you.

Second, the file format. The basic format is a tab delimited list in plain text:

00:aa:bb:33:99:11 device name

With the colon-separated wireless MAC address of each allowed device (computer, iPhone, printer, etc.) followed by a tab then the whatever name you want to assign to the device on the ACL. Terminate each line with a return and start over for the next device. You can create the list using TextEdit or any other plain text editor on your Mac.

Apple has not really documented much about using ACLs, other than you can do it and can enter the devices on-by-one in Airport Utility. That method does not work well when you manage a list of 100+ devices on multiple bases stations. When I bought my first Extreme-N base station it took a call to Apple Support to find out how to get the ACL import to work.

In the old Airport utility, the ACL import was obvious and included on the drop down menu next to the list. In the Utility v5.x it requires holding down the Option key while clicking on the file menu.

In the old version the MAC addresses could be a string of hex digits. In v5.x it must be colon-separated.

Tom