Layer 2 and Layer 3 Packets over a Virtual Wire
Virtual wire interfaces don’t participate in switching
or routing. You can control Layer 2 tagged and untagged traffic, and you
can control Layer 3 traffic using security policy rules, IPv6 firewalling,
and multicast firewalling.
A virtual wire interface will allow Layer 2 and Layer
3 packets from connected devices to pass transparently as long as the
policies applied to the zone or interface allow the traffic. The
virtual wire interfaces themselves don’t participate in routing
or switching.
For example, the firewall doesn’t decrement the TTL in a traceroute
packet going over the virtual link because the link is transparent
and doesn’t count as a hop. Packets such as Operations, Administration
and Maintenance (OAM) protocol data units (PDUs) don’t
terminate at the firewall. Thus, the virtual wire allows the firewall
to maintain a transparent presence acting as a pass-through link,
while still providing security, NAT, and QoS services.
In order for bridge protocol data units (BPDUs) and other Layer
2 control packets (which are typically untagged) to pass through
a virtual wire, the interfaces must be attached to a virtual wire
object that allows untagged traffic, and that is the default. If
the virtual wire object Tag Allowed field is empty, the virtual wire
allows untagged traffic. (Security policy rules don’t apply to Layer 2
packets.)
In order for routing (Layer 3) control packets to pass through
a virtual wire, you must apply a security policy rule that allows
the traffic to pass through. For example, apply a security policy
rule that allows an application such as BGP or OSPF.
If you want to be able to apply security policy rules to a zone
for IPv6 traffic arriving at a virtual wire interface on the firewall,
enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently
across the wire.
If you enable multicast firewalling for a virtual wire object
and apply it to a virtual wire interface, the firewall inspects multicast
traffic and forwards it or not, based on security policy rules.
If you don’t enable multicast firewalling, the firewall simply forwards
multicast traffic transparently.
Fragmentation on a virtual wire occurs the same as in other interface
deployment modes.
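The forwarding rules above determine which traffic crosses a virtual wire without any security policy decision. The following added example (not code from the original page or from the vendor) models those rules so a virtual wire's settings can be audited for uninspected traffic classes. The `VirtualWire` class, the function names, and the sample configurations are hypothetical, and the handling of tag 0 as "untagged" in a non-empty Tag Allowed list is an assumption.

```python
from dataclasses import dataclass, field

# Traffic classes the page distinguishes. IPv6 multicast is left out because
# the page does not say which of the two settings takes precedence.
L2_CONTROL, IPV4_UNICAST, IPV6, MULTICAST = (
    "l2-control", "ipv4-unicast", "ipv6", "ipv4-multicast")

@dataclass
class VirtualWire:  # hypothetical model, not a firewall API object
    name: str
    ipv6_firewalling: bool
    multicast_firewalling: bool
    tag_allowed: set = field(default_factory=set)  # empty = untagged allowed

def disposition(kind, vwire, policy_allows=False):
    """Return 'pass-uninspected', 'pass-by-policy' or 'blocked' for one packet.

    policy_allows is the outcome of security policy evaluation, supplied by
    the caller; it is ignored for traffic that policy never sees.
    """
    if kind == L2_CONTROL:
        # Untagged Layer 2 control packets (e.g. BPDUs): policy never applies.
        # Assumption: a non-empty Tag Allowed list admits untagged frames
        # only when it contains tag 0.
        untagged_ok = not vwire.tag_allowed or 0 in vwire.tag_allowed
        return "pass-uninspected" if untagged_ok else "blocked"
    if kind == IPV6 and not vwire.ipv6_firewalling:
        return "pass-uninspected"   # forwarded transparently across the wire
    if kind == MULTICAST and not vwire.multicast_firewalling:
        return "pass-uninspected"   # forwarded transparently across the wire
    # Everything else, including routing control such as BGP, needs a rule.
    return "pass-by-policy" if policy_allows else "blocked"

def uninspected_classes(vwire):
    """Traffic classes that cross this virtual wire without a policy decision."""
    return [k for k in (L2_CONTROL, IPV4_UNICAST, IPV6, MULTICAST)
            if disposition(k, vwire) == "pass-uninspected"]

if __name__ == "__main__":
    # Constructed sample configurations.
    samples = [
        VirtualWire("vw-open", ipv6_firewalling=False, multicast_firewalling=False),
        VirtualWire("vw-inspected", ipv6_firewalling=True, multicast_firewalling=True),
    ]
    for vw in samples:
        print(vw.name, "->", uninspected_classes(vw))
```

Layer 2 control traffic appears in the uninspected list for any virtual wire that allows untagged frames, so it has to be covered by controls other than security policy rules.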