Manage overlapping segments in routed firewall mode with BVI interfaces

This task lets you deploy a single Firewall Threat Defense transparently between multiple networks that use overlapping address space, or between hosts of the same network, by configuring one BVI per virtual router.

A Bridge Virtual Interface (BVI) is a virtual interface that behaves like a normal routed interface. It does not bridge traffic itself; it represents its bridge group to the routed side of the device, and all packets entering or leaving the bridged member interfaces pass through the BVI. The BVI number is the number of the bridge group it represents.

In the following example, BVI-G is the routed interface for bridge group 1, whose member interfaces are G0/1 and G0/2, and it is assigned to virtual router VRG. Similarly, BVI-B is the routed interface for bridge group 2, whose member interfaces are G0/3 and G0/4, and it is assigned to virtual router VRB. Both BVIs are given the same IP address, 10.10.10.5/24. Because each BVI belongs to its own virtual router, the two networks stay isolated even though they share the same device.

Figure: BVI interfaces in routed firewall mode. BVI-G (bridge group 1, members G0/1 and G0/2) sits in VRG and BVI-B (bridge group 2, members G0/3 and G0/4) sits in VRB; both use 10.10.10.5/24 and are isolated by their virtual routers.

Procedure


Step 1

Choose Devices > Device Management. Edit the required device.

Step 2

In Interfaces, choose Add Interfaces > Bridge Group Interface.

  1. Enter the following details for BVI-G:

    • Name—For this example, BVI-G.

    • Bridge Group ID—For this example, 1.

    • Available Interface—Select the member interfaces, G0/1 and G0/2 in this example.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Enter 10.10.10.5/24.

    Figure: Add Bridge Group Interface dialog for BVI-G, showing Bridge Group ID 1, the selected member interfaces, and the static IP address 10.10.10.5/24.
  2. Click Ok.

  3. Click Save.

  4. Enter the following details for BVI-B:

    • Name—For this example, BVI-B.

    • Bridge Group ID—For this example, 2.

    • Available Interface—Select the member interfaces, G0/3 and G0/4 in this example.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Leave this field empty. The system does not allow two interfaces in the same virtual router to have overlapping IP addresses, and at this point both BVIs are still in the global virtual router. You revisit the bridge group and enter the same IP address after assigning it to its own virtual router (Step 5).

    Figure: Add Bridge Group Interface dialog for BVI-B, showing Bridge Group ID 2, the selected member interfaces, and the IP Address field left empty.
  5. Click Ok.

  6. Click Save.

Step 3

Create a virtual router, VRG, and assign BVI-G to it:

  1. Choose Devices > Device Management.

  2. Edit the device, and choose Routing > Manage Virtual Routers.

  3. Click Add Virtual Router. Enter the name VRG and click Ok.

  4. In Virtual Routing Properties, select BVI-G and click Add.

    Figure: Virtual Routing Properties for VRG with BVI-G added as its interface.

  5. Click Save.

Step 4

Create a second virtual router, VRB, and assign BVI-B to it:

  1. Choose Devices > Device Management.

  2. Edit the device, and choose Routing > Manage Virtual Routers.

  3. Click Add Virtual Router. Enter the name VRB and click Ok.

  4. In Virtual Routing Properties, select BVI-B and click Add.

    Figure: Virtual Routing Properties for VRB with BVI-B added as its interface.

  5. Click Save.

Step 5

Revisit the BVI-B configuration:

  1. Choose Devices > Device Management, edit the device and click Interfaces.

  2. Click Edit against the BVI-B interface. Specify the IP Address as 10.10.10.5/24. The system now accepts the same IP address as BVI-G because the two BVIs are assigned to different virtual routers.

  3. Click Ok.

  4. Click Save.

If you want to enable inter-BVI communication, use an external router as the default gateway. In overlapping BVI scenarios such as this one, the two segments use the same addresses, so inter-BVI traffic must be translated with twice NAT before it is sent to the external gateway. When configuring NAT for the members of a bridge group, you specify the member interface; you cannot configure NAT on the bridge group interface (BVI) itself. When doing NAT between bridge group member interfaces, you must specify both the real and the mapped addresses, and you cannot specify "any" as the interface.
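The constraints that Steps 2 to 5 and the NAT note above rely on can be checked offline before anything is pushed to the device. The following Python script is an added example; it is not Cisco code and does not talk to the FMC API. It models two rules from this page: the same IP address is accepted on two BVIs only once they belong to different virtual routers, and a NAT rule between bridge-group members must name member interfaces (not the BVI and not "any") with explicit real and mapped addresses. The interface, bridge group and virtual router names follow the example; the mapped network 192.0.2.0/24 in the NAT rule is a constructed value.

```python
"""Offline checker for the BVI-per-virtual-router design described above.

Added example, not Cisco code and not an FMC API client. It reproduces two
rules the procedure depends on so they can be checked before deployment.
Names (BVI-G, BVI-B, VRG, VRB, G0/1..G0/4) follow the page's example; the
mapped network 192.0.2.0/24 below is a constructed value.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from typing import Optional


@dataclass
class Bvi:
    name: str                        # BVI name, e.g. "BVI-G"
    bridge_id: int                   # bridge group ID (the BVI number)
    members: tuple                   # member interfaces, e.g. ("G0/1", "G0/2")
    ip: Optional[IPv4Interface] = None
    vrf: Optional[str] = None        # virtual router; None means the global router


@dataclass
class NatRule:
    src_if: str                      # real (source) interface
    dst_if: str                      # mapped (destination) interface
    real: Optional[IPv4Network]      # real addresses
    mapped: Optional[IPv4Network]    # mapped addresses


def overlap_errors(bvis):
    """Report BVIs whose subnets overlap inside the same virtual router.

    Overlap across different virtual routers is allowed: each router keeps
    its own routing table, so the addresses never collide.
    """
    errors = []
    for i, a in enumerate(bvis):
        for b in bvis[i + 1:]:
            if a.ip is None or b.ip is None:
                continue
            if a.vrf == b.vrf and a.ip.network.overlaps(b.ip.network):
                errors.append(f"{a.name} and {b.name}: overlapping {a.ip.network} "
                              f"in virtual router {a.vrf or 'Global'}")
    return errors


def nat_errors(rule, bvis):
    """Check a NAT rule against the bridge-group restrictions on this page."""
    bvi_names = {b.name for b in bvis}
    members = {m for b in bvis for m in b.members}
    errors = []
    for side, name in (("source", rule.src_if), ("destination", rule.dst_if)):
        if name == "any":
            errors.append(f"{side} interface: 'any' is not allowed for bridge-group member NAT")
        elif name in bvi_names:
            errors.append(f"{side} interface {name}: NAT must be on a member interface, not the BVI")
        elif name not in members:
            errors.append(f"{side} interface {name}: not a bridge-group member")
    if rule.real is None or rule.mapped is None:
        errors.append("real and mapped addresses must both be specified")
    return errors


def walk_through():
    """Replay Steps 2 to 5 and record what each stage would report."""
    addr = IPv4Interface("10.10.10.5/24")
    bvi_g = Bvi("BVI-G", 1, ("G0/1", "G0/2"), ip=addr)
    bvi_b = Bvi("BVI-B", 2, ("G0/3", "G0/4"))
    bvis = [bvi_g, bvi_b]
    results = {}
    # Step 2: giving BVI-B the same address while both BVIs are still in the
    # global router is exactly what the system rejects.
    bvi_b.ip = addr
    results["before_vr"] = overlap_errors(bvis)
    bvi_b.ip = None                     # so the field is left empty, as Step 2 says
    # Steps 3 and 4: one virtual router per BVI.
    bvi_g.vrf, bvi_b.vrf = "VRG", "VRB"
    # Step 5: revisit BVI-B and assign the overlapping address.
    bvi_b.ip = addr
    results["after_vr"] = overlap_errors(bvis)
    # Inter-BVI traffic: twice NAT between member interfaces, both addresses given.
    good = NatRule("G0/1", "G0/3", IPv4Network("10.10.10.0/24"), IPv4Network("192.0.2.0/24"))
    # A rule on the BVI itself, with "any" and no mapped address, breaks three rules.
    bad = NatRule("BVI-G", "any", IPv4Network("10.10.10.0/24"), None)
    results["nat_good"] = nat_errors(good, bvis)
    results["nat_bad"] = nat_errors(bad, bvis)
    return results


if __name__ == "__main__":
    for stage, errs in walk_through().items():
        print(stage, "->", errs or "OK")
```

walk_through() replays the procedure: the overlap check fails while both BVIs sit in the global router, passes once VRG and VRB are assigned, and the NAT check rejects a rule that names BVI-G or "any" as an interface or omits the mapped address.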


You have now configured one BVI per virtual router to manage overlapping segments in routed firewall mode. The virtual routers isolate the two networks on the shared device, which is what allows both BVIs to carry the same IP address.