Layer 2 Interfaces with No VLANs
Configure a Layer 2 interface on the firewall so it can act as a
switch in your Layer 2 network (not at the edge of the network). The
Layer 2 hosts are probably geographically close to each other and
belong to a single broadcast domain. The firewall provides security
between the Layer 2 hosts when you assign the interfaces to security
zones and apply security rules to the zones.
The hosts communicate with the firewall and each other at Layer
2 of the OSI model by exchanging frames. A frame contains an Ethernet
header that includes a source and destination Media Access Control
(MAC) address, which is a physical hardware address. MAC addresses
are 48-bit hexadecimal numbers formatted as six octets separated
by a colon or hyphen (for example, 00-85-7E-46-F1-B2).
The following figure has a firewall with three Layer 2 interfaces
that each connect to a Layer 2 host in a one-to-one mapping.

The firewall begins with an empty MAC table. When the host with
source address 0A-76-F2-60-EA-83 sends a frame to the firewall,
the firewall doesn’t have destination address 0B-68-2D-05-12-76
in its MAC table, so it doesn’t know which interface to forward
the frame to; it broadcasts the frame to all of its Layer 2 interfaces.
The firewall puts source address 0A-76-F2-60-EA-83 and associated
Eth1/1 into its MAC table.
The host at 0C-71-D4-E6-13-44 receives the broadcast, but the
destination MAC address is not its own MAC address, so it drops
the frame.
The receiving interface Ethernet 1/2 forwards the frame to its
host. When host 0B-68-2D-05-12-76 responds, it uses the destination
address 0A-76-F2-60-EA-83, and the firewall adds to its MAC table
Ethernet 1/2 as the interface to reach 0B-68-2D-05-12-76.
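
The MAC learning sequence described above, as an added Python model (not
firewall code or vendor code). It covers only the forwarding decision; the
class and function names, the interface name Eth1/3 for the third host, and
the exclusion of the ingress interface when flooding are assumptions.

```python
import re

MAC_RE = re.compile(r"[0-9A-F]{2}(-[0-9A-F]{2}){5}")


def normalize(mac):
    """Canonicalize a colon- or hyphen-separated MAC to upper-case hyphen form."""
    canon = mac.strip().replace(":", "-").upper()
    if not MAC_RE.fullmatch(canon):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return canon


class L2Forwarder:
    """Forwarding decisions only; zones and security rules are not modelled."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.mac_table = {}  # MAC address -> interface it was learned on

    def receive(self, ingress, src, dst):
        """Learn src on ingress, then return (action, egress interfaces)."""
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface: {ingress!r}")
        src, dst = normalize(src), normalize(dst)
        self.mac_table[src] = ingress
        egress = self.mac_table.get(dst)
        if egress is None:
            # Unknown destination: send out every interface except the one
            # the frame arrived on (assumed, as in a standard learning bridge).
            return "flood", [i for i in self.interfaces if i != ingress]
        if egress == ingress:
            return "filter", []  # destination is on the ingress segment
        return "forward", [egress]


def walk_through():
    # Eth1/3 is an assumed name; the page names only Eth1/1 and Eth1/2.
    fw = L2Forwarder(["Eth1/1", "Eth1/2", "Eth1/3"])
    host_a, host_b = "0A-76-F2-60-EA-83", "0B-68-2D-05-12-76"
    first = fw.receive("Eth1/1", host_a, host_b)  # empty table, so flooded
    reply = fw.receive("Eth1/2", host_b, host_a)  # host_a already learned
    return first, reply, fw.mac_table


if __name__ == "__main__":
    print(walk_through())
```

The reply is forwarded to a single interface because the first frame already
taught the table where 0A-76-F2-60-EA-83 lives.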