Client MAC required after switching VLAN data

Amit K
Level 1

Hi!

I have a network with a 3850 switch as core and 2960 switches at the edge. VLANs are defined on the 3850, VLAN 2 being the management VLAN and 10-25 the other user VLANs. A firewall is also connected to the core on an access port configured for VLAN 2.

On the core, I can view the MAC of the user machine in the ARP table. However, at the firewall when the packet is received, the client MAC is replaced with the VLAN interface MAC address. I googled a bit and understand that layer 2 switching at 3850 replaces mac address in the packet with the vlan interface mac. Hope I understood correctly!

Now, I need to get the machine mac at the firewall for mac filtering. How can it be achieved? Can the physical address of the machine be retained while forwarding the packet to firewall at the core switch?

Please help. I have been struggling for some time.

@Richard Burts I have gone through quite a few posts of yours. Any advice on this?

17 Replies

@Amit K hi, you will not see the end-user MAC if you are doing routing. As per your explanation, it seems like you are doing routing at the 3850 between VLANs. In that case the firewall sees only the switch MAC address.
MAC addresses are only used within the same layer 2 network. If you go beyond layer 2, the gateway/routing interface MAC address of the new L3 network is used.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Yes, inter-vlan routing has been configured as there are certain services in management vlan which are required by systems in all other vlans.

Will disabling routing provide the client mac at the firewall port?

Is there a way we can provide access to the management VLAN services for users in other VLANs?

@Amit K if you disable routing, inter-VLAN routing will not work. If you need to see the MACs of all users at the firewall, you can configure routing on the firewall (configure the default gateways on the firewall and use a trunk between the firewall and the switch). If you need it only for a few VLANs, you can configure the firewall as the gateway for only those VLANs.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

M02@rt37
VIP

Hello @Amit K,

The behavior you described is expected. When a packet traverses the L3 VLAN interface (SVI) on the Cisco 3850 core switch, the source MAC address in the packet is rewritten with the MAC address of the VLAN interface. This is a standard behavior in L3 routing where the MAC address of the router's interface becomes the source MAC for packets going out of that interface.

Instead of using your 3850 as L3, configure a trunk port between the 3850 and your firewall. With the 3850 acting as L2 and your firewall acting as the "gateway" for your VLANs, the firewall will see end-user MAC addresses and you will be able to perform MAC filtering.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Amit K
Level 1

Thank you guys!! I shall try to work it as suggested by @Kasun Bandara and M02@rt37 and come back.

You're so welcome @Amit K.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Richard Burts
Hall of Fame

I appreciate being mentioned and glad that others have replied before my response. They have said much of what I would have said. The especially important thing is that with routing enabled on the 3850 the firewall will not see client mac addresses. The architecture that you have described with 2960 switches as edge, 3850 as core, and firewall for outside access is a very common architecture and appropriate to have routing done on the core. Shifting routing to the firewall would be a significant change in the architecture.

One aspect of the description is not clear to me. You mention wanting to do mac filtering. What kind of mac filtering is this and where do you want to do the filtering? @Kasun Bandara makes an important point that mac filtering only works for devices in the same layer 2 network. Can you tell us more about this filtering and what you want to accomplish with it?

One small detail: in the original post you say "I googled a bit and understand that layer 2 switching at 3850 replaces mac address". I think you meant to say that layer 3 routing replaces the mac address.

HTH

Rick

Thanks for the reply.

The user authentication for outside access is taken care of at the firewall. However, the users from higher management need to be provided with MAC authentication of their devices. Hence, MAC filtering is desired so that these devices may be excluded from authentication. Hope I am clear!!

Amit K
Level 1

Hello all!

I tried doing the stuff as suggested by @Kasun Bandara and M02@rt37 by following:

1. Disabled ip routing

2. Changed the firewall port from access to trunk mode

3. Changed the default GW of the clients in other vlans to the firewall IP.

4. Connected 02 systems, one in management vlan (same as firewall and core) and other in user vlan.

But unfortunately, it did not work. The user VLAN system couldn't ping the firewall, though it is able to ping the core (I believe due to the virtual interface). The system in the same management VLAN, however, could connect, and I could see its MAC at the firewall.

I think I missed something. Kindly guide.

@Amit K how did you configure the firewall? What is the model? You need to configure the firewall interface with VLANs and IP addresses respectively.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Amit K
Level 1

Well, that is Sophos XGS 3300

Amit K
Level 1

Will I need to move all VLAN declaration, DHCP and routing from core to firewall?

If you are going to have IP routing on the firewall and not on the 3850 then you will need vlan declarations on both devices. The 3850 needs the vlan declarations so that it can identify the vlan membership and do appropriate layer 2 forwarding. The firewall needs the vlan declarations so that it can correctly associate vlan membership with subnet membership and do appropriate layer 3 forwarding.

If the 3850 does not have layer 3 information about the vlans then I think it would not be able to process DHCP and I believe that DHCP would need to be moved to the firewall.

HTH

Rick

OK... just to sum up what I need to do:

1. Disable ip routing on 3850.

2. Change the firewall port on 3850 from access to trunk mode

3. Change the default GW of the clients in vlans to the firewall IP.

4. Declare vlans on firewall and create rules for inter-vlan traffic.

A small query here. Currently, 3850 runs DHCP and has VLAN interfaces which are the gateways of vlans. Now, since the gateway of vlans will be the firewall IP, what will be the role of the vlan interfaces? Is there any need to create these vlan interfaces in firewall?

Please correct me if I missed or put something wrong above. I shall try to do the things after that.

Many thanks.
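As an added example (not configuration posted by anyone in this thread), here is the 3850 side of steps 1, 2 and 4 above in IOS syntax; the interface name, the 192.0.2.0/24 addressing for VLAN 2, the firewall's VLAN 2 address and the DHCP pool name are assumed. Step 3 and the VLAN/rule definitions on the Sophos XGS are firewall-side and are not shown.

```cisco
! Added example: 3850 reconfigured as a pure layer 2 core.
! Assumed: VLAN 2 = 192.0.2.0/24, firewall VLAN 2 address = 192.0.2.1,
! switch management address = 192.0.2.10, firewall uplink = Gi1/0/1.
!
! Step 1: stop inter-VLAN routing on the switch. Frames are now bridged
! rather than routed, so the client's source MAC is no longer rewritten
! with the SVI MAC on its way to the firewall.
no ip routing
!
! The VLAN declarations stay: the switch still needs them to tag frames
! and do layer 2 forwarding between the 2960 edge trunks and the firewall.
vlan 2
 name MGMT
vlan 10-25
!
! The user-VLAN SVIs lose their gateway role (the firewall becomes the
! gateway), so remove them together with the DHCP pools that served those
! subnets; DHCP for those VLANs moves to the firewall.
no interface Vlan10
no ip dhcp pool VLAN10
! (repeat for VLANs 11-25)
!
! Keep one SVI on the management VLAN so the switch itself stays reachable,
! with the firewall's VLAN 2 address as its gateway. With ip routing
! disabled the switch uses ip default-gateway, not a static route.
interface Vlan2
 ip address 192.0.2.10 255.255.255.0
!
ip default-gateway 192.0.2.1
!
! Step 2: firewall port from access (VLAN 2) to an 802.1Q trunk carrying
! all VLANs. Tagged frames reach the firewall with the client's own MAC,
! which is what the firewall-side MAC filter needs to see.
interface GigabitEthernet1/0/1
 description uplink-to-firewall
 switchport trunk allowed vlan 2,10-25
 switchport mode trunk
!
! Checks after the change:
!   show interfaces GigabitEthernet1/0/1 trunk   (VLANs 2,10-25 forwarding)
!   show mac address-table interface Gi1/0/1     (firewall MACs per VLAN)
!   show ip route                                (only the default gateway)
!
! Caveat: a MAC is an identifier the client presents, not a credential,
! so a MAC allow-list on the firewall is a convenience, not authentication.
```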
