04-21-2023 04:23 AM
Hi all!
I have a Cisco 3850 switch as the core switch in my network with VLANs configured. In the MAC address table, I can see the MAC addresses of the machines of users connecting to the switch. The traffic then passes out from the switch to the firewall. However, at the firewall, I can see only the MAC address of the VLAN interface, which the switch puts in place of the machine address in the packet.
How can I disable this and keep the machine address? I have DHCP snooping and spanning tree enabled.
Thanks
04-21-2023 04:30 AM
Why do you want to keep the MAC address the same? Are you using static DHCP with Client ID?
04-21-2023 04:43 AM
I need to do MAC filtering at the firewall.
04-21-2023 04:50 AM - edited 04-21-2023 04:50 AM
MAC filter, meaning the FW is in transparent mode.
Then the MAC of the host will not change. The traffic will flow to the FW, in the FW the VLAN ID will change, and then it returns to the GW (SVI of the SW), where the MAC will change.
So you can use a MAC filter for the host MAC.
04-21-2023 05:00 AM
The traffic from different VLANs (say 10, 11, 12) is routed from the core to the FW (VLAN 2). So the MAC shown on the FW in the packet is that of the VLAN 2 interface. Users have login IDs to access, but a few machines need to be provided access based on the MAC address of the machines. How to achieve this?
04-21-2023 05:13 AM
Ohh, it is hard to achieve, but I have an idea.
Configure DHCP with a static IP-MAC binding (host MAC); in this case the DHCP server always uses the same IP for the same MAC.
Then in the FW use an ACL to filter on the IP; the IP will stay the same (thanks to DHCP).
If any other host gets an IP from DHCP, the DHCP will assign a different IP and the FW will deny it.
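A sketch of the reservation approach described in the post above, as an added example that is not part of the original thread. It assumes the 3850 itself is the DHCP server and uses Cisco IOS syntax throughout; the addresses, MAC, pool name, ACL name and interface are constructed placeholders, and the ACL is shown in IOS syntax only to illustrate the rule that would be written on the firewall in its own syntax. Because a host that configures the reserved IP by hand would still match an IP-only rule, the last part uses the DHCP snooping the original poster already has enabled to bind IP to port at the access edge.

```cisco
! --- Constructed sample values; replace with your own ---
! Host MAC: aaaa.bbbb.cccc   Reserved IP: 10.0.10.50   User VLAN: 10

! 1. Manual DHCP binding: this MAC always receives the same address.
!    Keep the reserved address out of any dynamic pool.
ip dhcp excluded-address 10.0.10.50
ip dhcp pool RESERVED-HOST-1
 host 10.0.10.50 255.255.255.0
 ! Clients that send a client-id use 01 + MAC (Ethernet media type);
 ! clients that send none need "hardware-address aaaa.bbbb.cccc" instead.
 client-identifier 01aa.aabb.bbcc.cc
 default-router 10.0.10.1

! 2. Rule equivalent to what the firewall would enforce (IOS syntax
!    for illustration only): permit the reserved IP, deny the rest.
ip access-list extended RESERVED-HOSTS-ONLY
 permit ip host 10.0.10.50 any
 deny   ip any any log

! 3. Stop other machines from simply configuring 10.0.10.50 statically:
!    DHCP snooping builds the IP/MAC/port table, IP Source Guard drops
!    traffic whose source IP does not match the snooping binding, and
!    Dynamic ARP Inspection rejects ARP replies that contradict it.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/10
 description Access port of the reserved host (placeholder)
 switchport mode access
 switchport access vlan 10
 ip verify source
```

`show ip dhcp binding` and `show ip dhcp snooping binding` confirm that the reserved address is leased to the expected MAC and learned on the expected port.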
04-21-2023 05:28 AM
OK. Thanks!! I believe there is something to retain the machine MAC.