Bridge Interfaces

Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP routing scheme. This is an important advantage for large-scale, complex environments.

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same Broadcast domain (different from router port behavior). The security policy inspects every Ethernet frame that passes through the bridge.

Important - Only two interfaces can be connected by one Bridge interface, creating a virtual two-port switch. Each port can be a physical, VLAN, or bond device.

It is possible to configure bridge mode with one Security Gateway, a Cluster, or a Scalable Platform Security Group. The bridge functions without an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) work like ports on a physical bridge. It is possible to configure the topology for the bridge ports in SmartConsole. A separate network or group object represents the networks or subnets that connect to each port.

Notes:

  • The name of a Bridge interface in Gaia is "br<Bridge Group ID>".

    For example, the name of a bridge interface with a Bridge Group ID of 5 is "br5".

  • Gaia OS supports bridge interfaces that implement native, Layer 2 bridging.

  • Gaia OS does not support Spanning Tree Protocol (STP) bridges.

  • A subordinate interface that is a part of a bond interface cannot be a part of a bridge interface.

  • For UserCheck to work properly, the bridge group must use an IP address on the same subnet as clients or routers that connect to a Security Gateway, Cluster, or Security Group.

  • Scalable Chassis 60000 / 40000 do not generate BPDU (STP) frames.

  • Scalable Chassis 60000 / 40000 forward BPDU (STP) packets between subordinate interfaces of the bridge.

  • To configure MTU on a Bridge subordinate interface, you must configure MTU on the Bridge interface.

    This MTU applies to all subordinate interfaces assigned to this Bridge interface.

The bridge interfaces send traffic with Layer 2 addressing. On the same device, you can configure some interfaces as bridge interfaces, while other interfaces work as Layer 3 interfaces. Traffic between bridge interfaces is inspected at Layer 2. Traffic between two Layer 3 interfaces, or between a bridge interface and a Layer 3 interface is inspected at Layer 3.
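
The constraints in the notes above can be checked against a planned bridge layout before a change window. The following is an added example, not Check Point code: the `Interface` record, the `lint_bridge` function and the sample inventory are constructed for illustration and do not reflect any Gaia data structure or API.

```python
from dataclasses import dataclass

ALLOWED_PORT_KINDS = {"physical", "vlan", "bond"}  # port types the page allows

@dataclass
class Interface:            # hypothetical planning record, not a Gaia structure
    name: str
    kind: str               # "physical", "vlan", "bond", or anything else
    bond_parent: str = ""   # non-empty: interface is a subordinate of this bond
    mtu_override: int = 0   # non-zero: plan sets MTU directly on this port

def bridge_name(group_id: int) -> str:
    """Gaia names a bridge interface "br<Bridge Group ID>"."""
    return f"br{group_id}"

def lint_bridge(group_id, port_names, inventory):
    """Return a list of findings for one planned bridge group (empty = clean)."""
    name = bridge_name(group_id)
    findings = []
    # One bridge interface connects exactly two ports.
    if len(port_names) != 2:
        findings.append(f"{name}: needs exactly 2 ports, plan has {len(port_names)}")
    for port in port_names:
        iface = inventory.get(port)
        if iface is None:
            findings.append(f"{name}: port {port} is not in the inventory")
            continue
        if iface.kind not in ALLOWED_PORT_KINDS:
            findings.append(f"{name}: {port} is '{iface.kind}', not physical/VLAN/bond")
        # A bond subordinate cannot be a bridge port; bridge the bond itself.
        if iface.bond_parent:
            findings.append(f"{name}: {port} is a subordinate of {iface.bond_parent}")
        # MTU is configured on the bridge and applies to all its subordinates.
        if iface.mtu_override:
            findings.append(f"{name}: set MTU on {name}, not on {port}")
    return findings

# Constructed sample inventory (not taken from a real device).
INVENTORY = {
    "eth1": Interface("eth1", "physical"),
    "eth2": Interface("eth2", "physical", bond_parent="bond1"),
    "bond1": Interface("bond1", "bond"),
    "eth3.100": Interface("eth3.100", "vlan", mtu_override=9000),
    "eth4": Interface("eth4", "physical"),
}

if __name__ == "__main__":
    for gid, ports in [(5, ["eth1", "bond1"]), (6, ["eth1", "eth2"]),
                       (7, ["eth3.100", "eth4"]), (8, ["eth1", "bond1", "eth4"])]:
        print(bridge_name(gid), lint_bridge(gid, ports, INVENTORY) or "OK")
```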