08-16-2019 10:28 AM
Hi all, I am new here so sorry if this is in the wrong place. At my work place we have a new single PA-220 firewall router that I am configuring to be used as a router/gateway out for SIP traffic. The IP phones will use a interface on the PA-220 as their default gateway.
What I want to know is it possible (and if so how) to configure a source MAC address white-list filter on the PA-220 so only authorised devices will be able to use the PA-220 as their default gateway. Ideally using a wild card filter for MAC addresses beginning with a known value. That way only the IP phones based on their MAC address will be able to use the PA-220 as a default gateway out.
Also (and if so how) , can one create a failover/floating interface from the PA-220 that goes to separate core switch stacks, with one being active and the other being inactive unless the primary fails. As it is between different switch stacks, LACP/Trunking can not be used.
Essentialy I want the PA-220 to have a single link to our primary core switch stack and a single link our backup core switch stack, but only a single IP for the interface. If the link to the primary L3 core switch stack fails the link to the backup L3 core switch stack becomes active instead. Again LACP/trunking can not be used as it involves diffrent switch stacks. Basicly switch-independanmt teaming with a active/standby configuation.
Regards: Elliott.
08-19-2019 01:21 PM
Thanks, I have now sorted out the MAC address filtering on the core switches what the PA-220 connects to and have also gone with LACP between the PA-220 and the primary core switch stack. I will just physicaly swap the cables over to the backup stack with pre-configured ports if the primary core switch stack ever goes wrong.
Regards: Elliott.
08-19-2019 05:56 AM
hi @eveares
your first question is not possible, we don't filter on MAC addresses at the interface
The second question you could possibly tackle by setting two interfaces to layer2 mode and then create a (virtual) vlan interface to be the Layer3 interface for the layer2 physical interfaces
both interfaces will be active, however. For failover capabilities you'd need to set up a cluster
08-19-2019 01:21 PM
Thanks, I have now sorted out the MAC address filtering on the core switches what the PA-220 connects to and have also gone with LACP between the PA-220 and the primary core switch stack. I will just physicaly swap the cables over to the backup stack with pre-configured ports if the primary core switch stack ever goes wrong.
Regards: Elliott.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
