CBS350-48P-4G disable mac address learn

Savinien
Level 1

I have an IDS and an IPS between my router and Cisco switch. However, it's picking up traffic from the switch rather than the source, given that the switch changes the source MAC address. Is there a way to disable MAC address learning on the switch or per VLAN?

5 Replies

Jens Albrecht
Level 4

Reading your post, a few things appear to be mixed up. You talk about multiple VLANs on your switch, so the key question is whether you use your switch to route between your VLANs or use a router-on-a-stick configuration.
So let's take a look one by one.

If your switch is only used as a Layer 2 device to switch all VLANs, then the switch will not change the MAC address of any client traffic. The switch will learn the MAC addresses of connected clients but not change them, neither source nor destination MAC addresses.

Therefore, you seem to use your switch as a Layer 3 device to route the traffic between your VLANs, and every VLAN uses a dedicated subnet. Since MAC addresses are only significant within a given subnet, the switch must change the source MAC address in this case. MAC addresses change with every routing hop, and this has nothing to do with MAC address learning.

So everything appears to be working as expected based on your network design.

If you want to see the MAC addresses of the client stations at your IDS/IPS, then you could either move the routing from the switch to the router (router-on-a-stick) or configure SPAN or mirror ports on your switch.

However, you did not mention what exactly you want to achieve.
We definitely need more information about your network setup and configuration to answer further questions.

HTH!

Hi Jens,

Thank you for responding. I'm sorry it took a while to reply. Yes, I use my switch to route between the VLANs, and from my router, it is routed to my switch and vice versa. Basically, right now, my IDS sits between my switch and my router on a trunk port. I want to ensure the original MAC address is maintained without being changed once it reaches the switch, goes up to the IDS, and finally the router. I hope this gives a clearer picture.

Regards,

Paul

Jens Albrecht
Level 4

Hi Paul,

So do you do all the inter-VLAN routing on the switch? Then there should be only one dedicated VLAN on the trunk between your switch and your router. Or do you just do some inter-VLAN routing on the switch and terminate other VLANs at the router? So where is the gateway for all your clients?

If the switch is doing all the inter-VLAN routing, then the only MAC addresses you will see on your IDS will be the MAC addresses of your router and your switch.

We need to know exactly what your routing looks like to give a clear answer because every routing hop does change the MAC addresses.

HTH!

Hi Jens,

Hey, yes, all the intervals on my switch and my LAN are set to 0.0.0.0. The switch does all the routing, and then for the internet, it is routed from the switch using 0.0.0.0 to my router. In my setup, all gateways from the DHCP server are set to my last Cisco switch before going to my router. Please see the picture below.

[Attached image: Screenshot 2025-05-27 114423.jpg]

Jens Albrecht
Level 4

Hi Paul,

So based on your setup, the IDS will get the following traffic:

  • For all client traffic to the ISP you only see the MAC addresses of your switch and router, but not the clients' MAC addresses.
  • For all traffic within your local VLANs you only see broadcast and unknown unicast frames with the clients' MAC addresses.
    You do not see the inter-VLAN unicast frames sent between your devices, like PC or laptop to the server.

In case you want to see the clients' MAC addresses at your IDS device for all traffic, then you need to change your setup.
You need to configure a so-called SPAN or mirror port on your switch and connect the IDS to this SPAN port to get copies of all the traffic from your clients with the originating MAC addresses.

HTH!
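As an added example (not part of the original thread and not Paul's configuration), here is what a mirror-port setup of the kind described in the last reply looks like on a CBS350. The interface numbers are assumptions: gi1/0/1 to gi1/0/4 as client access ports whose original frames the IDS should see, and gi1/0/48 as the analyser port the IDS sensor is plugged into. On the CBS350/SG350 family the session is configured on the destination (analyser) interface with the `port monitor` command; check the result with `show ports monitor` on your firmware.

```text
! Added example, not from the thread. Assumed interfaces:
!   gi1/0/1 - gi1/0/4 = client access ports to be mirrored
!   gi1/0/48          = analyser (destination) port, IDS connected here
!
! The mirror session is built on the destination interface; every
! "port monitor" line adds one source port. Direction defaults to both
! rx and tx; "rx" copies only frames received from the client on that port.
configure
interface gi1/0/48
 description IDS-SPAN-destination
 port monitor gi1/0/1
 port monitor gi1/0/2
 port monitor gi1/0/3
 port monitor gi1/0/4 rx
 exit
exit
! Verify source ports, direction and destination port of the session.
show ports monitor
copy running-config startup-config
```

Frames copied from the access ports still carry the clients' own source MAC addresses, because the copy is taken at the ingress port, before the switch routes the packet and rewrites the Ethernet header. Two caveats a practitioner should keep in mind: the IDS NIC on gi1/0/48 must run in promiscuous mode and that port should carry no other traffic, and a mirror port is strictly passive, so any inline IPS blocking still has to happen on the existing path between switch and router.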