Nokia IP60 User Manual page 160

Security appliance
Overview
Transparent roaming
In a routed network, if a host is physically moved from one network area to another, then the host must
be configured with a new IP address. However, in a bridged network, there is no need to reconfigure
the host, and work can continue with minimal interruption.
The IP60 appliance allows you to configure anti-spoofing for bridged network segments. When anti-spoofing is configured for a segment, only IP addresses within a specific IP address range can be sent from that network segment. For example, if you configure anti-spoofing for the "Marketing" network segment, the following happens:
If a host with an IP address outside of the allowed IP address range tries to connect from a port or VLAN that belongs to the "Marketing" network segment, the connection is blocked and logged as "Spoofed IP".
If a host with an IP address within the bridge IP address range tries to connect from a port or VLAN that belongs to a network segment other than the "Marketing" segment, the connection is blocked and logged as "Spoofed IP".
Note: The following Nokia IP60 models do not support using bridge mode with port-based VLAN:
SBX166-LHGE-2
SBX166-LHGE-3
How Does Bridge Mode Work?
Bridges operate at layer 2 of the OSI model, so adding a bridge to an existing network is completely transparent and does not require any changes to the network's structure.
Each bridge maintains a forwarding table, which consists of <MAC Address, Port> associations.
When a packet is received on one of the bridge ports, the forwarding table is automatically updated to map
the source MAC address to the network port from which the packet originated, and the gateway processes
the received packet according to the packet's type.
When a bridge receives an IP packet, the gateway processes the packet as follows:
1. The destination MAC address is looked up in the bridge's forwarding table.
2. If the destination MAC address is found in the forwarding table, the packet is forwarded to the
corresponding port.
3. If the destination MAC address is not found in the forwarding table, the destination IP address
is searched for in all the defined bridge IP address ranges.
4. If the destination IP address is found in the bridge IP address range of exactly one port, the packet is transmitted to that port.
5. If the IP address is found in the bridge IP address range of more than one port, the packet is
dropped. The gateway then sends an ARP query to each of the relevant ports.
6. If a host responds to the ARP request packet with an ARP reply, the forwarding table is
updated with the correct <MAC Address, Port> association. Subsequent packets will be
forwarded using the forwarding table.
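The anti-spoofing rules and the six-step forwarding procedure above, modelled as an added Python example (not code from the manual or from the IP60 firmware). The segment names, port names and IP ranges are constructed for illustration; how the appliance handles a destination that matches no range at all is not stated on this page and is marked as an assumption in the code.

```python
import ipaddress

# Constructed topology (hypothetical): segment -> its bridge ports and the IP range
# allowed from those ports. range=None means anti-spoofing is not configured.
SEGMENTS = {
    "Marketing":   {"ports": {"LAN1"},         "range": ipaddress.ip_network("10.1.0.0/24")},
    "Engineering": {"ports": {"LAN2", "LAN3"}, "range": ipaddress.ip_network("10.2.0.0/24")},
    "Guest":       {"ports": {"LAN4"},         "range": None},
}

def segment_of(port):
    return next(name for name, seg in SEGMENTS.items() if port in seg["ports"])

def antispoof(src_ip, in_port):
    """Apply the two anti-spoofing rules; return 'ok' or the log string 'Spoofed IP'."""
    ip = ipaddress.ip_address(src_ip)
    own = SEGMENTS[segment_of(in_port)]
    # Rule 1: a source outside the ingress segment's allowed range is spoofed.
    if own["range"] is not None and ip not in own["range"]:
        return "Spoofed IP"
    # Rule 2: a source inside another segment's protected range, arriving from a
    # port that does not belong to that segment, is spoofed as well.
    for seg in SEGMENTS.values():
        if seg["range"] is not None and in_port not in seg["ports"] and ip in seg["range"]:
            return "Spoofed IP"
    return "ok"

class Bridge:
    def __init__(self):
        self.fwd = {}  # forwarding table of <MAC address, port> associations

    def receive_ip(self, src_mac, in_port, dst_mac, dst_ip):
        """Steps 1-5 for an IP packet; returns the action the bridge takes."""
        self.fwd[src_mac] = in_port                      # learn <source MAC, port>
        if dst_mac in self.fwd:                          # steps 1-2: MAC known
            return ("forward", self.fwd[dst_mac])
        ip = ipaddress.ip_address(dst_ip)                # step 3: search the IP ranges
        ports = sorted(p for seg in SEGMENTS.values()
                       if seg["range"] is not None and ip in seg["range"]
                       for p in seg["ports"])
        if len(ports) == 1:                              # step 4: exactly one port
            return ("forward", ports[0])
        if len(ports) > 1:                               # step 5: drop, ARP on each port
            return ("drop+arp", ports)
        return ("drop", [])  # assumption: the page does not say what happens with no match

    def arp_reply(self, src_mac, in_port):
        """Step 6: an ARP reply teaches the bridge the correct <MAC, port> mapping."""
        self.fwd[src_mac] = in_port
```

Run `antispoof("10.1.0.5", "LAN4")` to see rule 2 fire for a Marketing address arriving on the Guest port, and `Bridge().receive_ip(...)` with a 10.2.0.x destination to see the drop-then-ARP path for a range shared by two ports.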
If a bridge receives a non-IP packet, and the bridge is configured to forward non-IP protocol Layer-2
traffic, the gateway processes the packet as follows:
Nokia IP60 Security Appliance User Guide