Bridge Virtual Interface (BVI)

Each bridge group includes a Bridge Virtual Interface (BVI). The threat defense device uses the BVI IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.

In transparent mode: Only bridge group member interfaces are named and can be used with interface-based features.

In routed mode: The BVI acts as the gateway between the bridge group and other routed interfaces. To route between bridge groups/routed interfaces, you must name the BVI. For some interface-based features, you can use the BVI itself:

  • DHCPv4 server—Only the BVI supports the DHCPv4 server configuration.

  • Static routes—You can configure static routes for the BVI; you cannot configure static routes for the member interfaces.

  • Syslog server and other traffic sourced from the threat defense device—When specifying a syslog server (or SNMP server, or other service where the traffic is sourced from the threat defense device), you can specify either the BVI or a member interface.

If you do not name the BVI in routed mode, then the threat defense device does not route bridge group traffic. This configuration replicates transparent firewall mode for the bridge group. If you do not need clustering or EtherChannel member interfaces, you might consider using routed mode instead. In routed mode, you can have one or more isolated bridge groups, as in transparent mode, alongside normal routed interfaces for a mixed deployment.
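The rules above can be checked against a planned design before it is deployed. The following is an added example, not Cisco code or a threat defense API: the dictionary model, the feature labels, the function name, and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress

# Features the page allows only on the BVI in routed mode (labels are hypothetical).
BVI_ONLY = {"dhcpv4_server", "static_route"}

def check_bridge_group(mode, bg):
    """Return a list of findings for one planned bridge group (hypothetical model)."""
    findings = []
    bvi = ipaddress.ip_interface(bg["bvi_ip"])
    bvi_name = bg.get("bvi_name")        # None means the BVI is left unnamed
    members = bg["members"]              # member interface name -> attached network (CIDR)

    # The BVI address must be on the members' subnet; secondary networks are unsupported.
    for name, cidr in members.items():
        if ipaddress.ip_network(cidr) != bvi.network:
            findings.append(f"{name}: network {cidr} does not match BVI network {bvi.network}")

    if mode == "transparent" and bvi_name is not None:
        findings.append("transparent mode: only member interfaces are named")
    if mode == "routed" and bvi_name is None:
        findings.append("BVI unnamed: bridge group traffic is not routed")

    for feature, iface in bg.get("features", []):
        on_bvi = bvi_name is not None and iface == bvi_name
        if not on_bvi and iface not in members:
            findings.append(f"{feature}: unknown interface {iface}")
        elif mode == "routed" and feature in BVI_ONLY and not on_bvi:
            findings.append(f"{feature}: must be configured on the BVI, not member {iface}")
    return findings

# Constructed sample design: one member sits on a second network, and the
# DHCPv4 server is attached to a member interface instead of the BVI.
SAMPLE = {
    "bvi_ip": "10.1.1.1/24",
    "bvi_name": "inside",
    "members": {"inside1": "10.1.1.0/24", "inside2": "10.1.2.0/24"},
    "features": [
        ("dhcpv4_server", "inside1"),
        ("static_route", "inside"),
        ("syslog_server", "inside2"),   # allowed on the BVI or on a member
    ],
}

if __name__ == "__main__":
    for finding in check_bridge_group("routed", SAMPLE):
        print(finding)
```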