If you need to inspect traffic passing through L2 interfaces in a corporate network infrastructure that is already in place, you can combine several L2 interfaces of Kaspersky NGFW at the data link layer into a single broadcast domain (network bridge). All security functions available in Kaspersky NGFW are applied to traffic passing through the L2 network bridge. For example, you can configure TLS/SSL decryption using MITM to inspect encrypted L2 traffic and, if necessary, filter this traffic without having to make changes to the corporate network infrastructure. This makes the L2 transparency mode possible.
L2 bridges are displayed in the table of network interfaces with the Bridge type.
You can manage L2 bridges and the table of MAC addresses in the OSMP console or on the command line using the bridge family of commands. For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.
By default, one Bridge Group Virtual Interface (BVI) is added to the bridge to act as a gateway for routing with L3 interfaces. Its ID is the same as the ID of the bridge. You can change the L3 MTU size for a BVI only if the network bridge contains just that BVI and no other interfaces.
A BVI has the following limitations: