Network > Interfaces
SonicOS 5.8.1 Administrator Guide
L2 Bridge Path Determination
Packets received by the SonicWALL on Bridge-Pair interfaces must be forwarded along to the
appropriate and optimal path toward their destination, whether that path is the Bridge-Partner,
some other physical or sub interface, or a VPN tunnel. Similarly, packets arriving from other
paths (physical, virtual or VPN) bound for a host on a Bridge-Pair must be sent out over the
correct Bridge-Pair interface. The following summary describes, in order, the logic that is
applied to path determinations for these cases:
1. If present, the most specific non-default route to the destination is chosen. This would
cover, for example:
a. A packet arriving on X3 (non-L2 Bridge LAN) destined for host 15.1.1.100,
where a route to the 15.1.1.0/24 subnet exists through 192.168.0.254 via the X0
(Secondary Bridge Interface, LAN) interface. The packet would be forwarded via X0 to
the destination MAC address of 192.168.0.254, with the destination IP address
15.1.1.100.
b. A packet arriving on X4 (Primary Bridge Interface, LAN) destined for host 10.0.1.100,
where a route to the 10.0.1.0/24 subnet exists through 192.168.10.50 via the X5 (DMZ)
interface. The packet would be forwarded via X5 to the destination MAC address of
192.168.10.50, with the destination IP address 10.0.1.100.
2. If no specific route to the destination exists, an ARP cache lookup is performed for the
destination IP address. A match will indicate the appropriate destination interface. This
would cover, for example:
a. A packet arriving on X3 (non-L2 Bridge LAN) destined for host 192.168.0.100 (residing
on L2 Primary Bridge Interface X2). The packet would be forwarded via X2 to the known
destination MAC and IP address of 192.168.0.100, as derived from the ARP cache.
b. A packet arriving on X4 (Primary Bridge Interface, LAN) destined for host 10.0.1.10
(residing on X5 – DMZ). The packet would be forwarded via X5 to the known destination
MAC and IP address of 10.0.1.10, as derived from the ARP cache.
3. If no ARP entry is found:
a. If the packet arrives on a Bridge-Pair interface, it is sent to the Bridge-Partner interface.
b. If the packet arrives from some other path, the SonicWALL will send an ARP request
out both interfaces of the Bridge-Pair to determine on which segment the destination IP
resides.
In this last case, since the destination is unknown until after an ARP response is
received, the destination zone also remains unknown until that time. This precludes the
SonicWALL from being able to apply the appropriate Access Rule until after path
determination is completed. Upon completion, the correct Access Rule will be applied
to subsequent related traffic.
With regard to address translation (NAT) of traffic arriving on an L2 Bridge-Pair interface:
1. If it is determined to be bound for the Bridge-Partner interface, no IP translation (NAT) will
be performed.
2. If it is determined to be bound for a different path, appropriate NAT policies will apply:
a. If the path is another connected (local) interface, there will likely be no translation. That
is, it will effectively be routed as a result of hitting the last-resort Any->Original NAT
Policy.
b. If the path is determined to be via the WAN, then the default Auto-added [interface]
outbound NAT Policy for X1 WAN will apply, and the packet’s source will be translated
for delivery to the Internet. This is common in the case of Mixed-Mode topologies, such
as that depicted in the “Internal Security” section (page 208).
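The following Python model walks through both lists above: the three-step path determination (non-default route, ARP cache, Bridge-Partner or ARP-out-both) and the NAT decision for traffic that arrived on a Bridge-Pair interface. It is an added illustration written for this page, not SonicOS code; the topology it uses (X0/X2 as the Bridge-Pair, X3 as a non-bridge LAN, X5 as DMZ, X1 as WAN, the routes, ARP entries and MAC addresses) is constructed to mirror the examples in the text and is an assumption. The default route is deliberately excluded from step 1, exactly as the text describes, so a destination that only the default route covers falls through to the ARP and Bridge-Pair steps.

```python
"""Model of the L2 Bridge path determination and NAT decision described above.

Constructed example, not SonicOS code. Interface roles, subnets, next hops
and MAC addresses are assumptions chosen to mirror the examples in the text.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- constructed topology (assumption) --------------------------------------
BRIDGE_PAIR = {"X0": "X2", "X2": "X0"}   # X0 primary / X2 secondary, both LAN
WAN_INTERFACE = "X1"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str


ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("198.51.100.1"), "X1"),
    Route(ipaddress.ip_network("15.1.1.0/24"), ipaddress.ip_address("192.168.0.254"), "X0"),
    Route(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_address("192.168.10.50"), "X5"),
    Route(ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("198.51.100.1"), "X1"),
]

# ARP cache: destination IP -> (MAC, interface the entry was learned on)
ARP_CACHE = {
    "192.168.0.100": ("00:00:5e:00:53:01", "X2"),
    "10.0.1.10": ("00:00:5e:00:53:02", "X5"),
    "192.168.0.254": ("00:00:5e:00:53:fe", "X0"),
    "192.168.10.50": ("00:00:5e:00:53:32", "X5"),
}


@dataclass(frozen=True)
class PathDecision:
    step: str                  # which rule in the text decided the path
    egress: tuple[str, ...]    # interface(s) the frame leaves on
    next_hop: Optional[str]    # IP whose MAC becomes the destination MAC
    zone_known: bool           # False until an ARP reply identifies the segment


def lookup_route(dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Step 1: the most specific non-default route to dst, or None."""
    candidates = [r for r in ROUTES if r.prefix.prefixlen > 0 and dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def determine_path(ingress: str, dst_ip: str) -> PathDecision:
    dst = ipaddress.ip_address(dst_ip)
    route = lookup_route(dst)
    if route is not None:
        # Step 1: forward out the route's interface, framed to the next hop's MAC
        return PathDecision("1-route", (route.interface,), str(route.next_hop), True)
    arp = ARP_CACHE.get(str(dst))
    if arp is not None:
        # Step 2: the ARP cache names the interface the host sits behind
        return PathDecision("2-arp-cache", (arp[1],), str(dst), True)
    if ingress in BRIDGE_PAIR:
        # Step 3a: arrived on a Bridge-Pair member, hand it to the Bridge-Partner
        return PathDecision("3a-bridge-partner", (BRIDGE_PAIR[ingress],), None, True)
    # Step 3b: arrived elsewhere; ARP out both bridge interfaces. The destination
    # zone, and therefore the Access Rule, is unknown until a reply arrives.
    return PathDecision("3b-arp-both", tuple(sorted(BRIDGE_PAIR)), None, False)


def nat_decision(ingress: str, decision: PathDecision) -> str:
    """NAT handling for a packet that arrived on an L2 Bridge-Pair interface."""
    if ingress not in BRIDGE_PAIR:
        raise ValueError("this NAT logic covers Bridge-Pair ingress only")
    egress = decision.egress[0]
    if egress == BRIDGE_PAIR[ingress]:
        return "none (bridged to partner)"          # rule 1
    if egress == WAN_INTERFACE:
        return "outbound NAT (source translated)"   # rule 2b
    return "none (Any->Original, routed locally)"   # rule 2a


if __name__ == "__main__":
    for ingress, dst in [("X3", "15.1.1.100"), ("X0", "10.0.1.100"),
                         ("X3", "192.168.0.100"), ("X0", "192.168.0.77"),
                         ("X3", "192.168.0.77"), ("X0", "203.0.113.5")]:
        d = determine_path(ingress, dst)
        nat = nat_decision(ingress, d) if ingress in BRIDGE_PAIR else "n/a"
        print(f"{ingress} -> {dst}: {d.step} via {d.egress}, NAT: {nat}")
```

The `zone_known` flag captures the point the text makes about step 3b: an Access Rule cannot be selected for a packet whose egress segment is still being resolved by ARP, so a defender reviewing bridge-mode policy should expect the first packet of such a flow to be evaluated only once the path is settled.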