topic Re: Source MAC address white-list filtering on the PA-220? in General Topics

Source MAC address white-list filtering on the PA-220?

eveares — Fri, 16 Aug 2019 17:28:12 GMT

Hi all, I am new here so sorry if this is in the wrong place. At my work place we have a new single PA-220 firewall router that I am configuring to be used as a router/gateway out for SIP traffic. The IP phones will use a interface on the PA-220 as their default gateway.

What I want to know is it possible (and if so how) to configure a source MAC address white-list filter on the PA-220 so only authorised devices will be able to use the PA-220 as their default gateway. Ideally using a wild card filter for MAC addresses beginning with a known value. That way only the IP phones based on their MAC address will be able to use the PA-220 as a default gateway out.

Also (and if so how) , can one create a failover/floating interface from the PA-220 that goes to separate core switch stacks, with one being active and the other being inactive unless the primary fails. As it is between different switch stacks, LACP/Trunking can not be used.

Essentialy I want the PA-220 to have a single link to our primary core switch stack and a single link our backup core switch stack, but only a single IP for the interface. If the link to the primary L3 core switch stack fails the link to the backup L3 core switch stack becomes active instead. Again LACP/trunking can not be used as it involves diffrent switch stacks. Basicly switch-independanmt teaming with a active/standby configuation.

Regards: Elliott.

Re: Source MAC address white-list filtering on the PA-220?

reaper — Mon, 19 Aug 2019 12:56:15 GMT

hi @eveares

your first question is not possible, we don't filter on MAC addresses at the interface

The second question you could possibly tackle by setting two interfaces to layer2 mode and then create a (virtual) vlan interface to be the Layer3 interface for the layer2 physical interfaces

both interfaces will be active, however. For failover capabilities you'd need to set up a cluster

Re: Source MAC address white-list filtering on the PA-220?

eveares — Mon, 19 Aug 2019 20:21:53 GMT

Thanks, I have now sorted out the MAC address filtering on the core switches what the PA-220 connects to and have also gone with LACP between the PA-220 and the primary core switch stack. I will just physicaly swap the cables over to the backup stack with pre-configured ports if the primary core switch stack ever goes wrong.

Regards: Elliott.