MAC Address vs. Route Lookups

For traffic within a bridge group, the outgoing interface of a packet is determined by performing a destination MAC address lookup instead of a route lookup.

Route lookups, however, are necessary for the following situations:

  • Traffic originating on the threat defense device—Add a default/static route on the threat defense device for traffic destined for a remote network where a syslog server, for example, is located.

  • Voice over IP (VoIP) and TFTP traffic where the endpoint is at least one hop away—Add a static route on the threat defense device for traffic destined for the remote endpoint so that secondary connections succeed. The threat defense device creates a temporary "pinhole" in the access control policy to allow the secondary connection; because the secondary connection might use a different set of IP addresses than the primary connection, the threat defense device needs to perform a route lookup to install the pinhole on the correct interface.

    Affected applications include:

    • H.323

    • RTSP

    • SIP

    • Skinny (SCCP)

    • SQL*Net

    • SunRPC

    • TFTP

  • Traffic at least one hop away for which the threat defense device performs NAT—Configure a static route on the threat defense device for traffic destined for the remote network. You also need a static route on the upstream router for traffic destined for the mapped addresses to be sent to the threat defense device.

    This routing requirement also applies to embedded IP addresses in VoIP and DNS traffic when NAT is enabled and the embedded addresses are at least one hop away. The threat defense device needs to identify the correct egress interface so it can perform the translation.

    [Figure: NAT Example: NAT within a Bridge Group (NAT in Threat Defense transparent mode)]
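The following toy model, added here as an illustration and not Cisco code, walks through the decision described above: through-traffic in a bridge group is switched on the destination MAC address, while device-originated traffic, NAT'd traffic, and inspection pinholes for secondary connections fall back to a longest-prefix route lookup. It is a deliberate simplification (routes map straight to a member interface, ARP and MAC learning are not modeled); the interface names, MAC addresses, IP addresses and tables are constructed for the example.

```python
"""Toy model of egress-interface selection in a transparent-mode bridge group.

Added example (not Cisco code). Shows why through-traffic works without any
routes while device-originated, NAT'd and pinhole traffic needs a static or
default route. All addresses, MACs and interface names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_mac: Optional[str] = None   # known for through-traffic, unknown when installing a pinhole
    from_device: bool = False       # traffic the firewall itself originates (e.g. syslog)
    natted: bool = False            # a NAT rule translates this flow
    secondary: bool = False         # pinhole for a SIP/H.323/TFTP/SunRPC secondary connection


class BridgeGroupForwarder:
    def __init__(self, mac_table: Dict[str, str], routes: List[Tuple[str, str]]):
        # MAC address table: destination MAC -> bridge group member interface
        self.mac_table = dict(mac_table)
        # Static/default routes: (prefix, egress interface); most specific prefix wins
        self.routes = [(IPv4Network(prefix), ifc) for prefix, ifc in routes]

    def mac_lookup(self, mac: Optional[str]) -> Optional[str]:
        return self.mac_table.get(mac) if mac else None

    def route_lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; None means no matching route, not even a default."""
        addr = IPv4Address(dst_ip)
        matches = [(net.prefixlen, ifc) for net, ifc in self.routes if addr in net]
        return max(matches)[1] if matches else None

    @staticmethod
    def needs_route_lookup(flow: Flow) -> bool:
        # The three situations in the text where a MAC lookup is not enough
        return flow.from_device or flow.natted or flow.secondary

    def egress(self, flow: Flow) -> Tuple[Optional[str], str]:
        """Return (egress interface or None, which lookup decided it)."""
        if self.needs_route_lookup(flow):
            ifc = self.route_lookup(flow.dst_ip)
            reason = "route lookup" if ifc else "route lookup failed: add a static/default route"
            return ifc, reason
        ifc = self.mac_lookup(flow.dst_mac)
        reason = "MAC lookup" if ifc else "MAC lookup failed: destination MAC not learned"
        return ifc, reason


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Same bridge group with and without routes; constructed sample data."""
    mac_table = {"00:11:22:33:44:55": "inside", "66:77:88:99:aa:bb": "outside"}
    no_routes = BridgeGroupForwarder(mac_table, routes=[])
    routed = BridgeGroupForwarder(mac_table, routes=[
        ("0.0.0.0/0", "outside"),      # default route toward the upstream router
        ("10.10.0.0/16", "inside"),    # remote subnet one hop away behind an inside router
    ])

    through = Flow(dst_ip="203.0.113.10", dst_mac="66:77:88:99:aa:bb")
    syslog = Flow(dst_ip="198.51.100.20", from_device=True)
    # RTP media address differs from the SIP peer, so no MAC is known when the pinhole is installed
    rtp_pinhole = Flow(dst_ip="203.0.113.50", secondary=True)
    natted = Flow(dst_ip="10.10.5.5", natted=True)

    return {
        "through/no-route": no_routes.egress(through),
        "syslog/no-route": no_routes.egress(syslog),
        "pinhole/no-route": no_routes.egress(rtp_pinhole),
        "syslog/routed": routed.egress(syslog),
        "pinhole/routed": routed.egress(rtp_pinhole),
        "nat/routed": routed.egress(natted),
    }


if __name__ == "__main__":
    for name, (ifc, reason) in demo().items():
        print(f"{name:18} -> {ifc or '-':8} ({reason})")
```

Running the script shows the asymmetry the text describes: the through-flow reaches `outside` with an empty routing table because its destination MAC is already learned, whereas the syslog and pinhole cases return no interface until a default or static route exists, and the NAT'd flow to 10.10.5.5 picks `inside` because the more specific static route beats the default.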