For connections where a router is present,the source MAC address might be from the router, if you configure a VPN tunnel for example between two routers with multiple routers in the path, the received frame will have the Mac address of the tunnel router at the remote site because the original frames are tunneled. However, the router will still change the source mac address when the data is sent to a user, unless you configure bridging and disabled routing to the bridged interface.
If you need this kind of security,I think it would be easier to configure dot1x authentication on the switch, and install the dot1x software on the client. This method is also used for wireless LANs because it is more secure than any authentication keys sent through the air.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...