Packet Forwarding - Bridging And Routing - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview

Alcatel-Lucent VPN Firewall Brick

Packet Forwarding - Bridging and Routing

Overview
Internally, the Brick device is set up much like a classic Layer-2 Ethernet switch. Each packet inbound to a physical port is assigned to a VLAN, and that packet can bridge to any physical port with membership in that VLAN (or VLAN bridge group). Physical ports are associated with a single default VLAN, which is used to associate inbound untagged Ethernet frames, and a list of VLAN memberships.

The Brick device contains a list of static routes used when Layer-2 forwarding is unable to forward a packet. This occurs in one of the following cases:
• A Brick device address has been used as a next-hop gateway by a router or a host
• A packet has come out of a VPN tunnel
• A packet header has been changed via address translation
• A packet is initiated by the Brick device (such as Brick device management traffic)
• A routing entry has become invalid due to, for example, a link failure

In any of these cases, the Brick device has no Layer-2 (MAC) information to use for packet forwarding, so it must resort to making a Layer-3 (IP) decision, via a static route lookup.

As a Layer-2 bridge, the Brick device maintains a cache of connected MAC addresses and the physical ports with which they are associated. The Brick can optionally be configured to require that MAC addresses be bound to the physical port where they were first learned, requiring a manual reset to unlatch and rebind. In addition, the Brick actively verifies the existence of IP/MAC bindings before timing them out of the cache, to discover and proactively respond to changes in L2 architecture. The Brick device also supports the ability to administratively fix IP/MAC/VLAN/interface bindings in highly sensitive environments.
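
The MAC latching option described above can be illustrated with a small model. This is an added example, not Alcatel-Lucent code or the Brick's implementation; the class, the port names and the choice to refuse and record a frame whose source MAC shows up on a different port are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MacTable:
    """Toy model of a bridge MAC cache with optional port latching (hypothetical)."""
    latch: bool = False
    entries: dict = field(default_factory=dict)     # (vlan, mac) -> port
    violations: list = field(default_factory=list)  # (vlan, mac, bound, seen)

    def learn(self, vlan, mac, port):
        """Process a frame's source MAC; return True if the frame is accepted."""
        key = (vlan, mac.lower())
        bound = self.entries.get(key)
        if bound is None:
            self.entries[key] = port   # first sighting: bind MAC to this port
            return True
        if bound == port:
            return True                # consistent with the existing binding
        if self.latch:
            # Latched (assumed behaviour): keep the binding, refuse the frame,
            # and record the mismatch for the operator.
            self.violations.append((vlan, mac.lower(), bound, port))
            return False
        self.entries[key] = port       # unlatched: follow the station's move
        return True

    def lookup(self, vlan, mac):
        """Return the port a MAC is bound to in a VLAN, or None."""
        return self.entries.get((vlan, mac.lower()))

    def reset(self, vlan, mac):
        """Manual unlatch: forget the binding so the next frame rebinds it."""
        return self.entries.pop((vlan, mac.lower()), None) is not None

# Constructed sample traffic: (vlan, source MAC, ingress port)
FRAMES = [
    (10, "00:11:22:33:44:55", "ether1"),
    (10, "00:11:22:33:44:55", "ether1"),
    (10, "00:11:22:33:44:55", "ether3"),  # same MAC seen on a different port
]

def replay(latch):
    """Feed FRAMES through a fresh table; return the table and accept results."""
    table = MacTable(latch=latch)
    return table, [table.learn(*frame) for frame in FRAMES]

if __name__ == "__main__":
    for mode in (False, True):
        table, results = replay(mode)
        print(mode, results, table.lookup(10, FRAMES[0][1]), table.violations)
```

Without latching, the third frame silently moves the binding to the new port; with latching, the binding stays on the first port and the mismatch is available as a record until an operator resets the entry.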

The Brick device can support Jumbo Frames, to achieve higher speed throughput on high-demand networks.

The Brick device will also properly support Broadcast and Multicast packets (although multicast is not supported through IPSec tunnels, since the IPSec standard does not allow it currently). The Brick will also support Microsoft Cluster servers (although this may sometimes require special configuration).

The Brick device can be provisioned to bridge—but not firewall—non-IP Ethernet frames by configuring a list of Ethertypes or DSAP IDs to allow.

Security Appliance
260-100-022R9.4
Issue 1, June 2009
