ACG global whitelist function does not take effect

2025-03-25 15:54:16 Published

Network Topology

ACG——Core SW——Access SW——PC

Problem Description

A customer reported that the PC's MAC address had been configured in the ACG global whitelist, but the PC still could not access some websites.

Process Analysis

1.  First, analyze the policy priority. The global whitelist has the highest priority, above the traffic control policy, so traffic from a MAC address in the global whitelist should be allowed through.


2.  Enable the packet capture function on the ACG and check whether packets whose source MAC address is the PC's MAC address are received:


3.  Check the captured packets. The test PC used at this time has the IP address 10.10.101.159. The packets received by the ACG with source IP address 10.10.101.159 carry the MAC address of the core switch as their source MAC, not the real MAC address of the PC:


4.  The switch interface connected to the ACG is a routed port. If the ACG and the PC were in the same Layer 2 network, the ACG could learn the PC's MAC address directly from the frames. When traffic passes through a Layer 3 device, however, the source MAC address is rewritten at each forwarding hop, so the MAC address of the packets reaching the ACG is not the PC's original MAC address. To perform access control on the PC's source MAC address, the ACG must therefore obtain the PC's real MAC address by another means; this is achieved by configuring SNMP synchronization.


Solution

After configuring SNMP synchronization, it works normally. The specific configuration is as follows:

1.  Configure SNMP synchronization on the ACG.

2.  Configure SNMP on the switch, with the read community name public and the write community name private.
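The following model, added here as an illustration and not code from the ACG or the case, shows why the MAC whitelist cannot match in the analysis above and how an IP-to-MAC table synchronized from the switch fixes it. The PC and core-switch MAC addresses are constructed placeholders, and the synchronized table is assumed to be an ARP-style IP-to-MAC mapping.

```python
"""Model of a MAC-based global whitelist evaluated against frames the ACG
receives behind a Layer 3 hop. Constructed data; not ACG code or output."""
from dataclasses import dataclass
from typing import Dict, Optional

PC_IP = "10.10.101.159"               # test PC IP from the case
PC_MAC = "00:11:22:33:44:55"          # constructed: the PC's real MAC
CORE_SW_MAC = "aa:bb:cc:dd:ee:01"     # constructed: core switch routed-port MAC

GLOBAL_WHITELIST = {PC_MAC}           # what the customer configured on the ACG


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


def normalize(mac: str) -> str:
    """Canonical lower-case colon form so '0011-2233-4455' equals '00:11:22:33:44:55'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def effective_src_mac(frame: Frame, arp_table: Optional[Dict[str, str]] = None) -> str:
    """MAC the ACG can match on.

    Without SNMP synchronization only the frame's own source MAC is known,
    and after a Layer 3 hop that is the core switch's interface MAC.
    With synchronization the real MAC is looked up by source IP in the
    table read from the switch (assumed here to be an ARP-style IP->MAC table).
    """
    if arp_table and frame.src_ip in arp_table:
        return normalize(arp_table[frame.src_ip])
    return normalize(frame.src_mac)


def whitelist_matches(frame: Frame, arp_table: Optional[Dict[str, str]] = None) -> bool:
    allowed = {normalize(m) for m in GLOBAL_WHITELIST}
    return effective_src_mac(frame, arp_table) in allowed


# Frame as captured on the ACG: source IP is the PC, source MAC is the core switch.
CAPTURED = Frame(src_mac=CORE_SW_MAC, src_ip=PC_IP)
# Constructed IP->MAC table as the switch would supply it (hyphenated form, same MAC).
SYNCED_ARP = {PC_IP: "0011-2233-4455"}

if __name__ == "__main__":
    print("before SNMP sync:", whitelist_matches(CAPTURED))              # False
    print("after SNMP sync: ", whitelist_matches(CAPTURED, SYNCED_ARP))  # True
```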

