Layer 2 and Layer 3 Packets over a Virtual
Virtual wire interfaces don’t participate in switching or routing; you can control Layer 2 tagged and untagged traffic; you can control Layer 3 traffic using security policy rules, IPv6 firewalling and multicast firewalling.
A virtual wire interface will allow Layer 2 and Layer 3 packets from connected devices to pass transparently as long as the policies applied to the zone or interface allow the traffic. The virtual wire interfaces themselves don’t participate in routing or switching.
For example, the firewall doesn’t decrement the TTL in a traceroute packet going over the virtual link because the link is transparent and doesn’t count as a hop. Packets such as Operations, Administration and Maintenance (OAM) protocol data units (PDUs), for example, don’t terminate at the firewall. Thus, the virtual wire allows the firewall to maintain a transparent presence acting as a pass-through link, while still providing security, NAT, and QoS services.
In order for bridge protocol data units (BPDUs) and other Layer 2 control packets (which are typically untagged) to pass through a virtual wire, the interfaces must be attached to a virtual wire object that allows untagged traffic, and that is the default. If the virtual wire object Tag Allowed field is empty, the virtual wire allows untagged traffic. (Security policy rules don’t apply to Layer 2 packets.)
In order for routing (Layer 3) control packets to pass through a virtual wire, you must apply a security policy rule that allows the traffic to pass through. For example, apply a security policy rule that allows an application such as BGP or OSPF.
If you want to be able to apply security policy rules to a zone for IPv6 traffic arriving at a virtual wire interface on the firewall, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently across the wire.
If you enable multicast firewalling for a virtual wire object and apply it to a virtual wire interface, the firewall inspects multicast traffic and forwards it or not, based on security policy rules. If you don’t enable multicast firewalling, the firewall simply forwards multicast traffic transparently.
Fragmentation on a virtual wire occurs the same as in other interface deployment modes.
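The forwarding rules above can be read as one decision procedure, which makes it easy to see which traffic crosses the wire without ever reaching a security policy rule. The following Python model is an added example, not PAN-OS code: the class and function names are hypothetical, policy is reduced to a set of allowed applications, and the handling of a non-empty Tag Allowed list and of packets that are both IPv6 and multicast are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class VwireSettings:
    # Empty set = Tag Allowed left empty, which the page says allows untagged traffic.
    # Assumption: a non-empty set lists the only permitted tags, with 0 = untagged.
    tag_allowed: Set[int] = field(default_factory=set)
    # The page does not say where this is configured; modelled here as one flag.
    ipv6_firewalling: bool = False
    multicast_firewalling: bool = False

@dataclass
class Packet:
    layer: int                  # 2 = Layer 2 control frame (e.g. BPDU), 3 = IP packet
    vlan: Optional[int] = None  # None = untagged
    ipv6: bool = False
    multicast: bool = False
    app: str = ""               # application a security policy rule would match

def tag_permitted(vw: VwireSettings, pkt: Packet) -> bool:
    tag = 0 if pkt.vlan is None else pkt.vlan
    return tag in (vw.tag_allowed or {0})

def disposition(vw: VwireSettings, pkt: Packet, allowed_apps: Set[str]) -> str:
    if not tag_permitted(vw, pkt):
        return "drop-tag"
    if pkt.layer == 2:
        return "transparent"    # security policy rules don't apply to Layer 2 packets
    if pkt.ipv6 and not vw.ipv6_firewalling:
        return "transparent"    # forwarded across the wire without policy evaluation
    # Assumption: the page does not say how the two flags combine; either one
    # being disabled is treated as transparent for the matching traffic.
    if pkt.multicast and not vw.multicast_firewalling:
        return "transparent"
    return "policy-allow" if pkt.app in allowed_apps else "policy-deny"

def uninspected_classes(vw: VwireSettings) -> list:
    """Traffic classes that cross this virtual wire with no policy lookup."""
    classes = ["layer2-control"]
    if not vw.ipv6_firewalling:
        classes.append("ipv6")
    if not vw.multicast_firewalling:
        classes.append("multicast")
    return classes
```

With default settings, `uninspected_classes` reports IPv6 and multicast alongside Layer 2 control frames, which is the gap to review when a virtual wire is expected to enforce policy on all traffic.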