
Overview of Across-Layer-3 MAC Identification

This section describes the definition and service flow of across-Layer-3 MAC identification.

Definition and Objective

With Across-Layer-3 MAC address identification, when a Layer-3 network device is between the FW and intranet PCs, the FW can still learn the MAC address of the intranet PCs.

If an intranet PC uses a dynamic IP address to access the Internet, the IP address cannot be used to match the traffic to or from the PC. In this case, you need to use the MAC address as the matching condition of policies.

However, in the across-layer-3 networking as shown in Figure 1 and Figure 2, the FW cannot directly obtain MAC addresses of intranet PCs. You must enable across-Layer-3 MAC address identification on the FW.

The FW across-Layer-3 MAC address identification supports the following two networking scenarios:

Figure 1 FW connected to the Layer-3 network device as a Layer-3 device
Figure 2 FW connected to the Layer-3 network device as a Layer-2 device

Service Flow

Figure 3 shows the service flow of across-Layer-3 MAC address identification on the FW.
Figure 3 Service flow of across-Layer-3 MAC address identification
  1. Phase 1

    1. The SNMP agent on the Layer-3 network device is enabled, and the network device obtains the IP-MAC mappings of intranet PCs and generates or updates ARP entries.
    2. The FW periodically sends SNMP requests to the specified Layer-3 network device for ARP entries.
    3. The Layer-3 network device replies and returns the ARP entries.
    4. The FW learns MAC addresses of intranet PCs and saves the ARP entries to the memory.
  2. Phase 2

    An administrator can use the learned MAC addresses on the FW as conditions in policies.

    The MAC addresses are obtained from the ARP entries in memory, not from packet headers.

  3. Phase 3
    1. An intranet PC accesses the Internet through the Layer-3 network device and FW.
    2. The FW permits or blocks intranet packets based on configured policies.

      After receiving intranet PC packets, the FW compares the IP and MAC address of the PC with the obtained ARP entries to verify whether the MAC address is the real MAC address. The FW uses the actual MAC address to match policies and process intranet packets based on matching results.
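The three phases above, as an added Python simulation that is not Huawei's own code: Phase 1 builds the FW's in-memory IP-MAC table from ARP rows polled over SNMP (here a constructed sample standing in for an ipNetToMediaTable walk), Phase 2 expresses policies with MAC conditions, and Phase 3 resolves the real MAC of a packet from the learned table rather than from the packet header, which across a Layer-3 device carries the router's MAC. The policy names, MAC values and the default-deny handling for an IP with no learned entry are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of ARP rows as returned by an SNMP walk of the
# Layer-3 device (ipNetToMediaTable); addresses are illustrative only.
SNMP_ARP_ROWS = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:55"},
    {"ip": "10.1.1.11", "mac": "0011.2233.4466"},
]


@dataclass
class Policy:
    name: str
    src_mac: Optional[str]  # MAC condition; None matches any source
    action: str             # "permit" or "deny"


# Hypothetical policy set an administrator might configure (Phase 2).
POLICIES: List[Policy] = [
    Policy("allow-pc1", "00-11-22-33-44-55", "permit"),
    Policy("deny-rest", None, "deny"),
]


def normalize_mac(mac: str) -> str:
    """Canonicalize colon, dash or dotted MAC notation to aa-bb-cc-dd-ee-ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def learn_arp_entries(rows: List[dict]) -> Dict[str, str]:
    """Phase 1: build the FW's in-memory IP -> MAC table from polled ARP rows."""
    return {row["ip"]: normalize_mac(row["mac"]) for row in rows}


def refresh_arp_entries(table: Dict[str, str], rows: List[dict]) -> Dict[str, str]:
    """Periodic re-poll: a fresh walk replaces stale entries (moved or re-leased IPs)."""
    table.update(learn_arp_entries(rows))
    return table


def resolve_real_mac(table: Dict[str, str], src_ip: str,
                     header_mac: str) -> Tuple[Optional[str], str]:
    """Phase 3: decide which MAC represents the PC.

    Returns (mac, origin). Origin is "direct" when the header MAC already
    equals the learned one (PC on the same Layer-2 segment), "learned" when
    the header carries the Layer-3 device's MAC and the learned entry is
    used instead, or "unknown" when the FW has no entry for src_ip.
    """
    learned = table.get(src_ip)
    if learned is None:
        return None, "unknown"
    if normalize_mac(header_mac) == learned:
        return learned, "direct"
    return learned, "learned"


def match_policy(policies: List[Policy], table: Dict[str, str],
                 src_ip: str, header_mac: str) -> Tuple[str, Optional[str]]:
    """Match the packet against policies using the real MAC, not the header MAC."""
    real_mac, _origin = resolve_real_mac(table, src_ip, header_mac)
    if real_mac is None:
        # Assumption for this example: without a learned entry no MAC
        # condition can match, so fall through to a default deny.
        return "deny", None
    for policy in policies:
        if policy.src_mac is None or normalize_mac(policy.src_mac) == real_mac:
            return policy.action, policy.name
    return "deny", None


if __name__ == "__main__":
    arp_table = learn_arp_entries(SNMP_ARP_ROWS)
    # Packets arriving through the router carry the router's MAC (constructed).
    router_mac = "aa-bb-cc-dd-ee-ff"
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.99"):
        print(ip, match_policy(POLICIES, arp_table, ip, router_mac))
```

The key design point is that `match_policy` never consults the header MAC for the policy decision; it only uses it to note whether the learned entry and the header agree. A periodic `refresh_arp_entries` call is what keeps the table aligned with the Layer-3 device as DHCP leases change.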

Copyright © Huawei Technologies Co., Ltd.