Traffic processing by L2 interfaces

An interface belongs to the L2 level if it is part of an L2 network bridge. Traffic passing through an L2 interface is treated as traffic within the L2 network bridge.

The BVI interface is part of an L2 network bridge, however, it is an L3 interface.

Rules for processing traffic arriving at L2 interfaces

A packet arriving at an L2 interface of Kaspersky NGFW is processed in one of the following ways:

• If MAC learning is disabled for the network bridge or the sender's MAC address is not found in the table of MAC addresses, the received packet is copied to all L2 interfaces in this network bridge, except for the ingress interface (flooding).
• If MAC learning is enabled for the network bridge and the MAC address of the sender is present in the table of MAC addresses, the received packet is copied to the L2 interface at the matching MAC address.

The following limitations apply when L2 interfaces process traffic:

• The Native VLAN parameter is not supported.
• Traffic cannot be sent from the access port to the trunk port and vice versa.
• The network address translation (NAT) technology is not supported.

If traffic is transmitted to the L2 interface via IPv6 and ARP protocols or using the Multicast technology, Kaspersky NGFW automatically allows it without performing security checks.

Assigning a security zone type for traffic passing through L2 interfaces

Proper functioning of Kaspersky NGFW security features (for example, correct configuration of security rules) requires correctly setting the type of security zone that is assigned to traffic that arrives at the device. The table below describes the rules for assigning the type of security zone to traffic if it passes through multiple interfaces and at least one of these interfaces is an L2 interface.

Security zone type assignment rules

Interfaces traversed by the traffic	Source security zone type	Destination security zone type
L2 interface 1 → L2 interface 2 (within one L2 bridge)	L2 (in accordance with the security zone type of L2 interface 1)	L2 (in accordance with the security zone type of L2 interface 2)
L2 interface → BVI interface → L3 interface	L3 (in accordance with the security zone type of the BVI interface)	L3 (in accordance with the security zone type of the outbound L3 interface)
L3 interface → BVI interface → L2 interface	L3 (in accordance with the security zone type of the inbound L3 interface)	L3 (in accordance with the security zone type of the BVI interface)
L2 interface 1 → BVI interface 1 → BVI interface 2 → L2 interface 2	L3 (in accordance with the security zone type of BVI interface 1)	L3 (in accordance with the security zone type of BVI interface 2)

After a certain security zone type has been assigned to the traffic, Kaspersky NGFW looks up a security rule in which the assigned zone is specified and, if a matching security rule is found, applies it to the traffic.

Page top