03-14-2017 04:30 AM - edited 03-05-2019 08:11 AM
Hi,
I am using Cisco 3560 switch as my core switch. Internet is terminating on the firewall (Cyberoam make). Firewall (LAN Port) is connected to 3560 switch and from here to edge switches.
Now I need to MAC bind certain computers in the firewall. But as the L3 switch is coming in between the firewall is not recognizing the computer MAC address.
Is there any way I can do this?
Regards,
Alex George
03-14-2017 05:46 AM
Hi
Please correct me if I'm wrong: you want to allow only certain computers to have internet access?
I think you could use an extended ACL on the interface VLAN used to connect with the firewall in order to allow just the desired IP addresses to get Internet, as the firewall is connected to the LAN port (layer 2 port). The other way is to configure the port as layer 3; it will be your point-to-point link and the ACL will be applied on the port directly.
The layer 3 switch has a default route pointing to the firewall, right?
Hope it is useful
:-)
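The SVI ACL approach described in this reply, as an added illustration rather than the poster's own configuration; the VLAN numbers, addresses and ACL name are all assumed values.

```cisco
! Added example (not from the thread); all VLAN numbers and addresses are assumed.
! Goal: only two client PCs may reach the firewall (and so the Internet) through the 3560.
!
! Extended named ACL evaluated on the SVI facing the firewall.
ip access-list extended INTERNET-ALLOWED
 remark --- hosts permitted to reach the firewall (assumed addresses) ---
 permit ip host 10.10.10.21 any
 permit ip host 10.10.10.22 any
 remark --- everything else is dropped; 'log' makes the drops visible ---
 deny   ip any any log
!
! SVI on the firewall VLAN; the Cyberoam LAN port sits in VLAN 100 (assumed).
! Client traffic leaves the switch towards the firewall through this SVI,
! so the ACL is applied outbound here.
interface Vlan100
 description Link to Cyberoam LAN port
 ip address 10.100.0.1 255.255.255.0
 ip access-group INTERNET-ALLOWED out
!
! Default route towards the firewall (assumed firewall address).
ip route 0.0.0.0 0.0.0.0 10.100.0.2
!
! Verify hit counts with: show ip access-lists INTERNET-ALLOWED
```

This filters by IP address rather than MAC, so the permitted hosts need static addresses or DHCP reservations for the rule to keep matching the intended machines. Note that the implicit deny also blocks any other VLAN's traffic towards the firewall, so add explicit permits for anything else that legitimately needs to cross that SVI.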
03-14-2017 06:49 AM
For your FW to "see" host MACs, it and they would need to have an interface on the same VLAN. A 3560 can do this, as L3 switches generally support all L2 switch features.
03-14-2017 07:03 AM
Assuming you have multiple VLANs and you route them on the 3560, then the short answer is no, you cannot do it as you have it set up currently.
You would need the firewall in the same VLAN as the clients as Joe says, but then your 3560 is no longer routing between the clients and the firewall. Difficult to give full options without more details.
Jon