Configure the Bridge Virtual Interface (BVI)

Each bridge group requires a BVI for which you configure an IP address. The threat defense uses this IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the connected network. For IPv4 traffic, the BVI IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations.

For routed mode, if you provide a name for the BVI, then the BVI participates in routing. Without a name, the bridge group remains isolated as in transparent firewall mode.

Before you begin

You cannot add the BVI to a security zone; therefore, you cannot apply Access Control policies to the BVI. You must apply your policy to the bridge group member interfaces based on their zones.

Procedure

Step 1

Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

Step 2

Choose Add Interfaces > Bridge Group Interface.

Step 3

(Routed Mode) In the Name field, enter a name up to 48 characters in length.

You must name the BVI if you want to route traffic outside the bridge group members, for example, to the outside interface or to members of other bridge groups. The name is not case-sensitive.

Step 4

In the Bridge Group ID field, enter the bridge group ID between 1 and 250.

Step 5

In the Description field, enter a description for this bridge group.

Step 6

On the Interfaces tab, click an interface and then click Add to move it to the Selected Interfaces area. Repeat for all interfaces that you want to make members of the bridge group.

Step 7

(Transparent Mode) Click the IPv4 tab. In the IP Address field, enter the IPv4 address and subnet mask.

Do not assign a host address (/32 or 255.255.255.255) to the BVI. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall), such as a /30 subnet (255.255.255.252). The threat defense device drops all ARP packets to or from the first and last addresses in a subnet (the network and broadcast addresses), so a /30, which has only four addresses, leaves just two that can be used. For example, if you use a /30 subnet and assign one of those reserved addresses to the upstream router, the threat defense device drops the ARP request from the downstream router to the upstream router, and the downstream router never learns the upstream router's MAC address.

For High Availability, set the standby IP address on the Devices > Device Management > High Availability tab in the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
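The subnet constraint in Step 7 is easy to violate when you pick a small transit subnet for a bridge group. The following Python script is an added example, not part of the original documentation and not Cisco code; it checks a proposed BVI address and the addresses of the neighboring routers against those rules: it rejects a /32, flags subnets with fewer than three usable host addresses, and reports any address that lands on the first or last address of the subnet, for which the threat defense drops ARP. The sample addresses are constructed for illustration.

```python
import ipaddress

# Minimum usable host addresses a bridge-group subnet must provide:
# one each for the upstream router, the downstream router, and the BVI.
MIN_HOSTS = 3


def reserved_addresses(network: ipaddress.IPv4Network):
    """First and last address of the subnet; the threat defense drops ARP to/from both."""
    return network.network_address, network.broadcast_address


def usable_host_count(network: ipaddress.IPv4Network) -> int:
    """Addresses left after removing the first and last address of the subnet."""
    if network.prefixlen >= 31:
        # A /31 has only its two edge addresses and a /32 has one; nothing usable remains.
        return 0
    return network.num_addresses - 2


def check_bvi_subnet(bvi_cidr: str, neighbors=()) -> list:
    """Check a BVI address (CIDR notation) and optional neighbor router IPs.

    Returns a list of problem descriptions; an empty list means the plan
    satisfies the Step 7 constraints. Neighbor addresses are the routers on
    either side of the transparent firewall and must share the BVI subnet.
    """
    iface = ipaddress.IPv4Interface(bvi_cidr)
    net = iface.network
    first, last = reserved_addresses(net)
    problems = []

    if net.prefixlen == 32:
        # Host address: nothing else can live in the subnet, reject outright.
        problems.append(f"{bvi_cidr}: /32 host address is not allowed on a BVI")
        return problems

    usable = usable_host_count(net)
    if usable < MIN_HOSTS:
        problems.append(
            f"{net}: only {usable} usable host address(es), need at least {MIN_HOSTS}"
        )

    if iface.ip in (first, last):
        problems.append(
            f"{iface.ip}: BVI address is the first/last address of {net}, ARP is dropped"
        )

    seen = {iface.ip}
    for raw in neighbors:
        ip = ipaddress.IPv4Address(raw)
        if ip not in net:
            problems.append(f"{ip}: not on the BVI subnet {net}")
        elif ip in (first, last):
            problems.append(f"{ip}: first/last address of {net}, ARP to/from it is dropped")
        elif ip in seen:
            problems.append(f"{ip}: duplicate of the BVI or another neighbor address")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    # Constructed sample plans (hypothetical addresses, not from the original page).
    plans = {
        "good /24": ("10.1.1.1/24", ["10.1.1.254", "10.1.1.2"]),
        "bad /30 with reserved upstream": ("192.0.2.1/30", ["192.0.2.0", "192.0.2.2"]),
        "bad /32": ("10.1.1.1/32", []),
    }
    for label, (bvi, routers) in plans.items():
        result = check_bvi_subnet(bvi, routers)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it before you fill in the IPv4 tab: the /30 plan reports both that the subnet has only two usable addresses and that the upstream router sits on a reserved address, which is exactly the ARP-drop case described above. The same check applies to a routed-mode BVI with a static address in Step 8.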

Step 8

(Routed Mode) Click the IPv4 tab. To set the IP address, use one of the following options from the IP Type drop-down list.

High Availability and clustering interfaces only support static IP address configuration; DHCP is not supported.

  • Use Static IP—Enter the IP address and subnet mask. For High Availability, you can only use a static IP address. Set the standby IP address on the Devices > Device Management > High Availability tab in the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.

  • Use DHCP—Configure the following optional parameters:

    • Obtain default route using DHCP—Obtains the default route from the DHCP server.

    • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.

Step 9

(Optional) See Configure IPv6 Addressing to configure IPv6 addressing.

Step 10

(Optional) See Add a Static ARP Entry and Add a Static MAC Address and Disable MAC Learning for a Bridge Group (for transparent mode only) to configure the ARP and MAC settings.

Step 11

Click OK.

Step 12

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.