Source MAC address white-list filtering on the PA-220?

L1 Bithead

Source MAC address white-list filtering on the PA-220?

Hi all, I am new here so sorry if this is in the wrong place. At my workplace we have a new single PA-220 firewall router that I am configuring to be used as a router/gateway out for SIP traffic. The IP phones will use an interface on the PA-220 as their default gateway.


What I want to know is whether it is possible (and if so, how) to configure a source MAC address white-list filter on the PA-220 so only authorised devices will be able to use the PA-220 as their default gateway. Ideally using a wildcard filter for MAC addresses beginning with a known value. That way only the IP phones, based on their MAC address, will be able to use the PA-220 as a default gateway out.


Also (and if so, how), can one create a failover/floating interface from the PA-220 that goes to separate core switch stacks, with one being active and the other being inactive unless the primary fails? As it is between different switch stacks, LACP/trunking cannot be used.


Essentially I want the PA-220 to have a single link to our primary core switch stack and a single link to our backup core switch stack, but only a single IP for the interface. If the link to the primary L3 core switch stack fails, the link to the backup L3 core switch stack becomes active instead. Again, LACP/trunking cannot be used as it involves different switch stacks. Basically switch-independent teaming with an active/standby configuration.


Regards: Elliott.

L7 Applicator

Re: Source MAC address white-list filtering on the PA-220?

Hi @eveares

Your first question is not possible; we don't filter on MAC addresses at the interface.

The second question you could possibly tackle by setting two interfaces to Layer 2 mode and then creating a (virtual) VLAN interface to be the Layer 3 interface for the Layer 2 physical interfaces.

Both interfaces will be active, however. For failover capabilities you'd need to set up a cluster.

L1 Bithead

Re: Source MAC address white-list filtering on the PA-220?

Thanks, I have now sorted out the MAC address filtering on the core switches that the PA-220 connects to and have also gone with LACP between the PA-220 and the primary core switch stack. I will just physically swap the cables over to the backup stack with pre-configured ports if the primary core switch stack ever goes wrong.


Regards: Elliott.
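
An added example, not part of the thread and not any vendor's configuration: a Python audit that checks a neighbour table against a MAC prefix allow-list of the kind asked about above, to confirm what the switch-side filter should be admitting. The prefix `00:11:22`, the table format and all function names are assumptions constructed for illustration.

```python
import re

# Assumption: constructed prefix standing in for the IP phone vendor's prefix.
ALLOWED_PREFIXES = ["00:11:22"]

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address.
    Accepts 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC and 0011.22aa.bbcc."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def prefix_digits(prefix):
    """Strip separators from an allow-list prefix such as '00:11:22'."""
    return re.sub(r"[:.\-]", "", prefix).lower()

def classify(mac_text, allowed=ALLOWED_PREFIXES):
    """Classify one source MAC against the prefix allow-list."""
    mac = normalize_mac(mac_text)
    if mac is None:
        return "invalid"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return "deny-multicast"     # group bit set: never a valid source address
    if first_octet & 0x02:
        return "deny-local-admin"   # locally administered, not vendor-assigned
    if any(mac.startswith(prefix_digits(p)) for p in allowed):
        return "allow"
    return "deny-unknown-prefix"

def audit(table_text, allowed=ALLOWED_PREFIXES):
    """Parse 'ip mac' lines and return {ip: verdict} for every entry."""
    verdicts = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#"):
            verdicts[fields[0]] = classify(fields[1], allowed)
    return verdicts

# Constructed sample neighbour table (not real devices).
SAMPLE_TABLE = """\
# ip          mac
10.0.50.11    00:11:22:aa:bb:01
10.0.50.12    0011.22aa.bb02
10.0.50.13    00-11-22-AA-BB-03
10.0.50.99    00:33:44:12:34:56
10.0.50.100   02:11:22:aa:bb:04
"""

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_TABLE).items():
        print(f"{ip:<14}{verdict}")
```

A prefix match only checks the address a device claims, since a host can set its own source MAC; the locally-administered check catches only some of those cases.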
