Client MAC required after switching VLAN data

Amit K
Level 1

Hi!

I have a network with a 3850 switch as core and 2960 switches on the edge. VLANs are defined on the 3850, VLAN 2 being the management VLAN and 10-25 the other user VLANs. A firewall is also connected to the core on an access port configured in VLAN 2.

On the core, I can view the MAC of the user machine in the ARP table. However, when the packet is received at the firewall, the client MAC is replaced with the VLAN interface MAC address. I googled a bit and understand that layer 2 switching on the 3850 replaces the MAC address in the packet with the VLAN interface MAC. Hope I understood correctly!

Now, I need to get the machine MAC at the firewall for MAC filtering. How can it be achieved? Can the physical address of the machine be retained while forwarding the packet to the firewall at the core switch?

Please help. I have been struggling for some time.

@Richard Burts I have gone through quite a few posts of yours. Any advice on this?


Certainly moving routing from the 3850 to the firewall is one option. I am not sure that it is the only option. If you are going to do that your understanding of the steps is good.

1) Yes, disable routing on the 3850. As you do this you probably want to configure ip default-gateway on the 3850. This would allow management traffic to be sent to remote destinations.

2) Yes, change the ports on both the 3850 and the firewall from access to trunk and allow all VLANs on the trunk.

3) Instead of changing the client default GW I would suggest simply moving the IPs from the 3850 VLAN interfaces to interfaces configured on the firewall. If the 3850 is not routing then you want only one VLAN interface on the 3850 with an IP address. There is no benefit to having multiple VLAN interfaces on the 3850 if it is not routing, and there is some possible negative impact in having multiple VLAN interfaces.

4) Yes, configure VLANs, VLAN interfaces, and IP addresses for each VLAN interface. Configure appropriate rules for the various VLANs, including configuring DHCP for the VLANs.

HTH

Rick
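The four steps above, written out as an added Cisco IOS configuration for the 3850 side (this is not from the original thread; the port GigabitEthernet1/0/48, the 192.168.x.x addressing and the firewall's VLAN 2 address are assumed):

```cisco
! Catalyst 3850 (core) - added example, not from the thread. Interface numbers,
! VLAN 2 addressing and the firewall uplink port are assumed values.
!
! Step 1: the 3850 stops routing between VLANs. With routing off, ip default-gateway
! (assumed to be the firewall's VLAN 2 address) carries management traffic off-subnet.
no ip routing
ip default-gateway 192.168.2.1
!
! Step 3: keep exactly one SVI with an address (management VLAN 2) and strip the
! addresses from the user-VLAN SVIs; those addresses move to the firewall.
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
 no shutdown
!
interface range vlan 10 - 25
 no ip address
 shutdown
!
! Step 2: the firewall-facing port becomes an 802.1Q trunk carrying VLAN 2 and
! the user VLANs instead of a VLAN 2 access port (3850 trunks are dot1q only).
interface GigabitEthernet1/0/48
 description Uplink to firewall (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 2,10-25
 no shutdown
!
! Step 4 is done on the firewall and is vendor-specific (not shown): one 802.1Q
! sub-interface per VLAN holding the former SVI address, DHCP for each VLAN, and
! the inter-VLAN policy. Because the firewall is now the clients' layer 2 gateway,
! frames arrive with the client's own source MAC, which is what MAC filtering needs.
!
! Checks (exec mode):
!   show ip interface brief              -> only Vlan2 carries an address
!   show interfaces trunk                -> Gi1/0/48 trunking, VLANs 2,10-25 allowed/active
!   show mac address-table dynamic vlan 10 -> client MACs learned on edge-facing ports
```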

Amit K
Level 1

Sorry for posting late. Thanks to @Richard Burts, @Kasun Bandara and M02@rt37.

I managed to see the MAC of the machines on the firewall following the above procedure.

Many thanks to all!!!

Thanks for the update. Glad that you were able to resolve the issue.

HTH

Rick