I'm guessing from your post that the machine squid is running on is also acting as a router?
Would source based routing solve your issue?
Have a default route that is for the staff and add the second route that is for management.
Add IPTables marking and an IP rule.
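# Mark packets from the management MAC before the routing decision
iptables -t mangle -A PREROUTING -m mac --mac-source AA:BB:CC:DD:EE:FF -j MARK --set-mark 2
# Route packets carrying mark 2 using routing table 2
ip rule add fwmark 2 table 2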
Make sure you deny the packets if they don't come from the correct MAC.
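
The steps in the reply above as one rule set, written as an added example that is not part of the original post. It prints the commands for review rather than applying them and rejects a malformed MAC before any rule is emitted. Assumptions: traffic from the management host is forwarded through this box, the deny step means dropping packets that use the management source address with any other MAC, and the helper names, addresses, gateway and interface are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints the MAC-based policy-routing rule set for review.
# Helper names and all sample values are constructed, not from the post.

# valid_mac MAC -> succeeds only for six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mgmt_rules MAC SRC_IP GATEWAY DEV [MARK]
# MARK doubles as the routing table number, as in the post (mark 2, table 2).
mgmt_rules() {
    mac=$1 src=$2 gw=$3 dev=$4 mark=${5:-2}
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    case $mark in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 1 ;; esac
    cat <<EOF
iptables -t mangle -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark $mark
ip rule add fwmark $mark table $mark
ip route add default via $gw dev $dev table $mark
iptables -A FORWARD -s $src -m mac ! --mac-source $mac -j DROP
EOF
}

# Constructed sample values (documentation address ranges); run with --print.
if [ "${1:-}" = "--print" ]; then
    mgmt_rules AA:BB:CC:DD:EE:FF 192.0.2.10 198.51.100.1 eth1
fi
```

A MAC address is set by the sender, so the mark identifies a claimed address on the local segment, not an authenticated host.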