How to Manage Overlapping Segments in Routed Firewall Mode with BVI Interfaces

You can deploy single threat defense between multiple overlapping networks transparently and/or deploy the firewall between the hosts of same network. To achieve this deployment, configure BVI per virtual router. The procedure to configure the BVIs in virtual router is explained here.

BVI is a virtual interface within a router that acts like a normal routed interface. It does not support bridging, but represents the comparable bridge group to routed interfaces within the router. All the packets coming in or going out of these bridged interfaces, pass through the BVI interface. The interface number of the BVI is the number of the bridge group that the virtual interface represents.

In the following example, BVI-G is configured in VRG and Bridge Group 1 is the routed interface for interfaces G0/1 and G0/2. Similarly, BVI-B is configured in VRB and Bridge Group 2 is the routed interface for interfaces G0/3 and G0/4. Consider that both BVIs have the same IP subnet address, say 10.10.10.5/24. Because of virtual routers, the network is isolated on the shared resources.

Procedure

Step 1

Choose Devices > Device Management. Edit the required device.

Step 2

In Interfaces, choose Add Interfaces > Bridge Group Interface.

  1. Enter the following details for BVI-G:

    • Name—For this example, BVI-G.

    • Bridge Group ID—For this example, 1.

    • Available Interface—Select the interfaces.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Enter 10.10.10.5/24.

  2. Click Ok.

  3. Click Save.

  1. Enter the following details for BVI-B:

    • Name—For this example, BVI-B.

    • Bridge Group ID—For this example, 2.

    • Available Interface—Select the sub interfaces.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Leave this field empty as the system does not allow two interfaces to have overlapping IP address. You can revisit the Bridge Group and provide the same IP address after aligning it under a virtual router.

  2. Click Ok.

  3. Click Save.

Step 3

Create virtual router, say VRG, and select BVI-G as its network:

  1. Choose Devices > Device Management.

  2. Edit the device, and choose Routing > Manage Virtual Routers.

  3. Click Add Virtual Router. Enter a name for the virtual router and click Ok.

  4. In Virtual Routing Properties, select BVI-G and click Add.

  5. Click Save.

Step 4

Create virtual router, say VRB, and select BVI-B as its network:

  1. Choose Devices > Device Management.

  2. Edit the device, and choose Routing > Manage Virtual Routers.

  3. Click Add Virtual Router. Enter a name for the virtual router and click Ok.

  4. In Virtual Routing Properties, select BVI-B and click Add.

  5. Click Save.

Step 5

Revisit the BVI-B configuration:

  1. Choose Devices > Device Management > Interfaces.

  2. Click Edit against BVI-B interface. Specify the IP Address as 10.10.10.5/24. The system now allows you to configure with same IP address of BVI-G, because the interfaces are seperately assigned to two different virtual routers.

  3. Click Ok.

  4. Click Save.

If you want to enable inter-BVI communication, use an external router as default gateway. In overlapping BVI scenarios, as in this example, use twice NAT external router as gateway to establish inter-BVI traffic. When configuring NAT for the members of a bridge group, you specify the member interface. You cannot configure NAT for the bridge group interface (BVI) itself. When doing NAT between bridge group member interfaces, you must specify the real and mapped addresses. You cannot specify “any” as the interface.