Did you try with arptables? Or the idea is to have it in the web interface?
This is from the man page:
-z, --source-hw [!] hwaddr[mask]
Specify the source hardware (MAC) address of the packet. hwaddr (and mask, if specified) must consist of one or more 8-bit hexidecimal numbers, separated by ':' characters. If the mask is not specified, it defaults to a number of 0xff octets equal to the length of the hwaddr specified, then 0s. The flags --source-mac , --src-hw , and --src-mac are aliases for this option.
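A sketch of the mask semantics quoted above, added here as an illustration (it is not from the original post and is not arptables' own code). It assumes the mask is written after a `/`; the `02:00:5e` prefix and the function names are constructed for the example.

```python
import string

HW_LEN = 6  # Ethernet MAC address length in octets


def parse_octets(text):
    """Parse colon-separated 8-bit hex numbers into a list of ints."""
    parts = text.strip().split(":")
    if not 1 <= len(parts) <= HW_LEN:
        raise ValueError(f"expected 1..{HW_LEN} octets: {text!r}")
    for part in parts:
        if not 1 <= len(part) <= 2 or any(c not in string.hexdigits for c in part):
            raise ValueError(f"bad octet {part!r} in {text!r}")
    return [int(part, 16) for part in parts]


def pad(octets):
    """Right-pad an octet list with zeros up to the full MAC length."""
    return octets + [0] * (HW_LEN - len(octets))


def parse_spec(spec):
    """Return (addr, mask) as 6-octet lists for an 'hwaddr[/mask]' spec."""
    addr_text, _, mask_text = spec.partition("/")  # "/" separator is an assumption
    addr = parse_octets(addr_text)
    if mask_text:
        mask = parse_octets(mask_text)
    else:
        # Default from the man page: 0xff for each octet given, then 0s.
        mask = [0xFF] * len(addr)
    return pad(addr), pad(mask)


def matches(spec, mac):
    """True if the packet's source MAC matches the spec under its mask."""
    addr, mask = parse_spec(spec)
    pkt = parse_octets(mac)
    if len(pkt) != HW_LEN:
        raise ValueError(f"not a full MAC address: {mac!r}")
    return all((p & m) == (a & m) for p, a, m in zip(pkt, addr, mask))


def blocked(spec, macs):
    """Return the MACs from a list that the spec would match."""
    return [mac for mac in macs if matches(spec, mac)]
```

Note that a full six-octet hwaddr with no mask gets a default mask of all `0xff`, so it matches only that single address; matching a whole OUI needs either the three-octet form or an explicit `ff:ff:ff:00:00:00` mask.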
Since you specifically mentioned blocking by OUI though, are you looking for a NAC-type solution such as what Cisco / ISE offers (ability to profile based on OUI and categorize as "Nortel Device", etc.)? If you are actually looking for a NAC-type solution, PacketFence is a free / open source option you could integrate on a separate system.
If all you want to do is block a few OUI ranges though, maybe another option would be to request this as an enhancement to the existing BanIP package. BanIP (maintained by dibdot) is already designed to block ranges of IPs and has the ability to block a manual list of specific MAC addresses. Perhaps it could be modified to use MAC ranges also.
For more info: