MAC address learning through a Layer 3 device configuration examples

 

The following information provides configuration examples for MAC address learning through a Layer 3 device.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the feature of MAC address learning through a Layer 3 device.

Network configuration

As shown in Figure 1, hosts in an internal network are connected to the device through a Layer 3 gateway and the device is connected to the Internet. Configure MAC address learning through a Layer 3 device to ensure that the device can learn the MAC addresses of the hosts. Configure security policies to allow only Host A and Host B in the internal network to access the network.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on F9345 of the F1060 device.

Procedure

Configuring the gateway

1.     Assign IP addresses to interfaces and configure routing features to ensure network reachability. (Details not shown.)

2.     Specify SNMPv2 and create a read-only community with the plaintext form name public.

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/3.

# In the dialog box that opens, configure the interface:

a.     Select the Trust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 2.2.2.2/24.

Retain the default configuration for the remaining parameters.

c.     Click OK.

# Add GE 1/0/4 to the Untrust security zone and set its IP address/mask to 3.3.3.3/24 in the same way you configure GE 1/0/3.

2.     Configure routing settings.

This example configures a static route. To use dynamic routing, configure dynamic routing protocols as required.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# Click Create.

# In the dialog box that opens, configure a static route.

a.     Enter destination IP address 1.1.1.0.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.1.

d.     Retain the default setting for the other parameters.

# Click OK.

3.     Create a Layer 3 device.

# On the top navigation bar, click System.

# From the navigation pane, select Maintenance > MAC Leaning Through L3 Device > L3 Device Access Setting.

# Enable MAC learning through a L3 device and configure the polling interval and idle timeout for SNMP requests.

# Click Apply.

# In the L3 Devices area, click Add.

# In the dialogue box that opens, enter the Layer 3 device's IP address 2.2.2.1 and community name public.

# Click OK.

Figure 2 Creating a Layer 3 device

 

4.     Create a MAC address object group groupmac and add MAC addresses of Host A and Host B to the object group.

# On the top navigation bar, click Objects.

# From the navigation pane, select Object Groups > MAC Address Object Groups.

# Click Create.

# In the dialog box that opens, configure the MAC address object group:

a.     Enter group name groupmac.

b.     Click Add.

c.     In the dialog box that opens, select the MAC address type, and then enter Host A's MAC address 5c-07-1c-cd-02-06.

d.     Click OK.

e.     Repeat steps b to d to add Host B's MAC address 5c-07-22-3b-03-06 to the object group.

5.     Create a security policy from zone Local to zone Trust to allow the device to access the gateway.

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create.

# In the dialog box that opens, configure a security policy:

¡     Enter policy name policy1.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select action Permit.

¡     Select source IPv4 address 2.2.2.0/24.

¡     Select destination IPv4 address 2.2.2.0/24.

# Click OK.

6.     Create a security policy from zone Trust to zone Untrust to allow Host A and Host B to access the Internet.

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create.

# In the dialog box that opens, configure a security policy:

¡     Enter policy name policy2.

¡     Select source zone Trust.

¡     Select destination zone Untrust.

¡     Select action Permit.

¡     Select Source IP/MAC address groupmac.

# Click OK.

Verifying the configuration

1.     View the APR entries learned by the device.

# On the top navigation bar, click System.

# From the navigation pane, select Maintenance > MAC Leaning Through L3 Device > Learned ARP entries.

Figure 3 Learned ARP entries

 

2.     Verify that Host A and Host B can access the Internet but Host C cannot.