Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see for further information on our EoS policy.



A layer 2 bridge checks the destination MAC address of each incoming frame. If the MAC address is assigned to the bridge computer, the bridge processes the frame itself as the destination. If the MAC address is not assigned to the bridge computer, the Network Bridge notes the source address of the frame and the port on which the frame was received and either creates or refreshes an entry in a layer 2 bridge table. The port is a number that identifies the network adapter and its corresponding LAN segment. Each entry in the layer 2 bridge table consists of a MAC address, the port number corresponding to the LAN segment on which a frame from that MAC address was received, and a timeout value. Entries in the layer 2 bridge table persist for 5 minutes before being removed.
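The learning behaviour described above, as an added example in Python; this is not Barracuda code, and the bridge MAC, port numbers and MAC addresses used are constructed for illustration. A frame addressed to the bridge itself is consumed locally; any other frame refreshes the source entry, is forwarded on the learned port when the destination is known, and is flooded to all other ports otherwise. Entries expire after the 5-minute timeout.

```python
"""Model of a layer 2 learning bridge with a 5-minute bridge table timeout.
Added example, not Barracuda code. All addresses and ports are constructed."""
from dataclasses import dataclass

BRIDGE_MAC = "02:00:00:00:00:01"   # constructed: MAC assigned to the bridge computer
BROADCAST = "ff:ff:ff:ff:ff:ff"
ENTRY_TIMEOUT = 300                # seconds: entries persist for 5 minutes


@dataclass
class BridgeEntry:
    port: int          # port number identifying the adapter / LAN segment
    expires_at: float  # absolute time at which the entry is removed


class LearningBridge:
    def __init__(self, ports, own_mac=BRIDGE_MAC, timeout=ENTRY_TIMEOUT):
        self.ports = list(ports)
        self.own_mac = own_mac
        self.timeout = timeout
        self.table = {}  # MAC address -> BridgeEntry

    def _expire(self, now):
        """Remove every entry whose timeout has elapsed."""
        for mac in [m for m, e in self.table.items() if e.expires_at <= now]:
            del self.table[mac]

    def handle_frame(self, src_mac, dst_mac, ingress_port, now):
        """Return "local" if the bridge is the destination, otherwise the list
        of egress ports: one learned port, an empty list when the destination
        sits on the ingress segment, or a flood to all other ports."""
        self._expire(now)
        if dst_mac == self.own_mac:
            return "local"
        # Note the source address and ingress port: create or refresh the entry.
        self.table[src_mac] = BridgeEntry(ingress_port, now + self.timeout)
        entry = self.table.get(dst_mac)
        if entry is not None and dst_mac != BROADCAST:
            if entry.port == ingress_port:
                return []          # destination is on the same segment
            return [entry.port]    # destination learned on another segment
        return [p for p in self.ports if p != ingress_port]  # unknown: flood


if __name__ == "__main__":
    bridge = LearningBridge(ports=[1, 2, 3])
    print(bridge.handle_frame("aa:aa:aa:aa:aa:aa", BROADCAST, 1, now=0))      # flood [2, 3]
    print(bridge.handle_frame("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", 2, 10))  # [1]
    print(bridge.handle_frame("cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa", 3, 400))  # expired: flood
```

The `now` argument is an injected clock so the expiry logic can be exercised without waiting five minutes; a real bridge would use wall-clock time.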

Bridging Type Feature Comparison

To help you decide which method to use, the following table compares the features that are available for each bridging method:

| Feature                                       | Transparent Layer 2 Bridging | Routed Layer 2 Bridging      | Layer 3 Bridging             |
|-----------------------------------------------|------------------------------|------------------------------|------------------------------|
| MAC Transparent                               | Yes                          | Yes                          | No                           |
| Local Firewall Traffic (Gateway)              |                              |                              |                              |
| Auto Learning of Network Nodes                |                              |                              |                              |
| Active Learning of Network Nodes              |                              |                              |                              |
| Next Hop Bridging                             |                              |                              |                              |
| Broad-Multicast Propagation                   |                              |                              |                              |
| High Availability                             |                              |                              |                              |
| VLAN capable                                  |                              |                              |                              |
| IP and ARP Forwarding                         | Yes                          | Yes                          | Yes                          |
| Non IP Protocols Forwarding                   | No                           | No                           | No                           |
| Application Control 2.0 (Application Detection) | Yes                        | Yes                          | Yes                          |
| SSL Interception                              | No                           | Yes - default route required | Yes - default route required |
| URL Filter                                    | Yes - default route required | Yes - default route required | Yes - default route required |
| Virus Scanning                                | No                           | Yes - default route required | Yes - default route required |
| (feature name missing)                        | No                           | Yes - default route required | Yes - default route required |
| Safe Search                                   | No                           | Yes - default route required | Yes - default route required |
| YouTube for Schools                           | No                           | Yes - default route required | Yes - default route required |

Bridging on VMware ESXi

Before configuring a layer 2 bridge on a virtual Barracuda NG Firewall running on a VMware ESXi hypervisor, you must enable promiscuous mode for all network interfaces and vSwitches that are used by the bridge. Without promiscuous mode, the hypervisor only delivers frames addressed to the virtual NIC's own MAC address, so the bridge never sees the frames it is supposed to forward.

Security Weaknesses and Solutions

Because bridging heavily depends on broadcasts for establishing connectivity, it has a few weak points that you must carefully consider. Try to implement bridging in a trusted environment. Broadcasts in large environments also consume a lot of bandwidth. The Barracuda NG Firewall offers different methods to help prevent the following common attacks.

Preventing IP or ARP Spoofing over Layer 2 Bridges

Network nodes may send forged ARP responses in order to inject traffic with arbitrary IP addresses. Because firewall security is enforced on Layer 3, the security policy is bypassed. These issues can be solved by taking the following measures:

  • Segment Access Control Lists (Bridging Interface ACLs) – Specify which IP addresses are allowed on a segment.
  • Static Bridge ARP Entries – Statically specify IP addresses, MAC addresses, and segments to avoid learning via ARP.
  • MAC-based Firewall Rules – Define source MAC conditions for network objects.
  • ARP Change Reporting – Specify which types of the IP-MAC-Segment relationship changes must be reported in the access cache and log.
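The four measures listed above, modelled as an added Python example (not Barracuda code; the class, method names, segment names and addresses are this example's own). Static entries take precedence over anything learned via ARP, the segment ACL rejects IP addresses that are not permitted on a segment, changes to a learned IP-MAC-segment relationship are written to a report log according to the configured reporting types, and a MAC-bound network object only matches when both the IP and the source MAC agree.

```python
"""Decision logic for layer 2 anti-spoofing controls on a bridge.
Added example, not Barracuda code. Segment names and addresses are constructed."""
import ipaddress


class BridgeArpGuard:
    def __init__(self, segment_acls, static_entries, report_on=("mac", "segment")):
        # Bridging Interface ACLs: segment -> networks allowed on that segment
        self.acls = {seg: [ipaddress.ip_network(c) for c in cidrs]
                     for seg, cidrs in segment_acls.items()}
        # Static Bridge ARP Entries: ip -> (mac, segment); never overwritten by ARP
        self.static = dict(static_entries)
        self.learned = {}            # ip -> (mac, segment) learned from ARP
        self.report_on = set(report_on)  # ARP Change Reporting: which changes to log
        self.log = []                # constructed stand-in for the access cache / log

    def ip_allowed_on_segment(self, ip, segment):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acls.get(segment, []))

    def observe_arp(self, ip, mac, segment):
        """Evaluate an ARP reply seen on a segment; return "accept" or "reject"."""
        if ip in self.static:
            if self.static[ip] != (mac, segment):
                self.log.append(f"reject static-mismatch ip={ip} mac={mac} segment={segment}")
                return "reject"
            return "accept"
        if not self.ip_allowed_on_segment(ip, segment):
            self.log.append(f"reject acl ip={ip} segment={segment}")
            return "reject"
        old = self.learned.get(ip)
        if old is not None and old != (mac, segment):
            changed = set()
            if old[0] != mac:
                changed.add("mac")
            if old[1] != segment:
                changed.add("segment")
            if changed & self.report_on:
                self.log.append(f"change ip={ip} {old} -> {(mac, segment)} "
                                f"({','.join(sorted(changed))})")
        self.learned[ip] = (mac, segment)
        return "accept"


def mac_bound_object_matches(network_object, src_ip, src_mac):
    """MAC-based firewall rule: a network object with a source MAC condition
    matches only when both the IP address and the MAC address agree."""
    return (network_object["ip"] == src_ip and
            network_object["mac"].lower() == src_mac.lower())


if __name__ == "__main__":
    guard = BridgeArpGuard(
        segment_acls={"lan1": ["10.0.1.0/24"], "lan2": ["10.0.2.0/24"]},
        static_entries={"10.0.1.1": ("00:11:22:33:44:01", "lan1")},
    )
    print(guard.observe_arp("10.0.1.1", "de:ad:be:ef:00:01", "lan1"))  # reject
    print(guard.observe_arp("10.0.2.5", "00:11:22:33:44:02", "lan1"))  # reject
    print(guard.log)
```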
Prevent Destination MAC Spoofing

Another security issue in bridged environments is the gap between security enforcement on Layer 3 and traffic delivery on Layer 2, which can be exploited. You can prevent these issues by also enforcing Layer 2 once a Layer 3 session is granted: the MAC addresses for a session are fixed when the session is created and remain enforced until the session ends.

In the figure below, a client from LAN 1 tries to force a connection grant to a client in LAN 3. To do so, it sends a packet to the client in LAN 2, using MAC-A as the destination MAC address and the IP address of the client in LAN 2 as the destination IP address. After the session has been granted through the bridge and communication has been allowed, it sends a second packet in which the MAC address of the client in LAN 2 is exchanged for the MAC address of the client in LAN 3, leaving the IP address the same. If MAC enforcement is configured, the connection with the spoofed MAC address will not be allowed.
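The session behaviour from the two paragraphs above, as an added Python example (not Barracuda code; the session table class, the policy function and all addresses are constructed for illustration). A session is created only when the Layer 3 policy grants it, and the source and destination MAC addresses seen on the first packet are stored with it. With MAC enforcement on, a later packet that keeps the IP addresses but carries a different destination MAC is denied; with enforcement off, the same packet would ride the granted session, which is exactly the gap the figure describes.

```python
"""Session table that pins MAC addresses at session creation.
Added example, not Barracuda code. Addresses are constructed."""

# Constructed topology for the scenario described in the text.
CLIENT_LAN1 = {"ip": "10.0.1.10", "mac": "00:00:00:00:01:10"}
CLIENT_LAN2 = {"ip": "10.0.2.20", "mac": "00:00:00:00:02:0a"}  # "MAC-A"
CLIENT_LAN3 = {"ip": "10.0.3.30", "mac": "00:00:00:00:03:0b"}  # client in LAN 3


def policy_allows(src_ip, dst_ip):
    """Constructed Layer 3 policy: LAN 1 may reach LAN 2, nothing else."""
    return src_ip.startswith("10.0.1.") and dst_ip.startswith("10.0.2.")


class MacEnforcingSessionTable:
    def __init__(self, enforce_mac=True):
        self.enforce_mac = enforce_mac
        self.sessions = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> (src_mac, dst_mac)

    def handle_packet(self, proto, src_ip, src_port, dst_ip, dst_port, src_mac, dst_mac):
        """Return "allow" or "deny" for one packet and maintain the session table."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        session = self.sessions.get(key)
        if session is None:
            # New session: Layer 3 policy decides, and the MACs are fixed now.
            if not policy_allows(src_ip, dst_ip):
                return "deny"
            self.sessions[key] = (src_mac, dst_mac)
            return "allow"
        # Existing session: with enforcement, Layer 2 must match what was pinned.
        if self.enforce_mac and session != (src_mac, dst_mac):
            return "deny"
        return "allow"


def run_scenario(enforce_mac):
    """Replay the two packets from the text; return (first_verdict, second_verdict)."""
    table = MacEnforcingSessionTable(enforce_mac=enforce_mac)
    first = table.handle_packet("tcp", CLIENT_LAN1["ip"], 40000, CLIENT_LAN2["ip"], 443,
                                CLIENT_LAN1["mac"], CLIENT_LAN2["mac"])
    # Same IP addresses, but the destination MAC now points at the LAN 3 client.
    second = table.handle_packet("tcp", CLIENT_LAN1["ip"], 40000, CLIENT_LAN2["ip"], 443,
                                 CLIENT_LAN1["mac"], CLIENT_LAN3["mac"])
    return first, second


if __name__ == "__main__":
    print("MAC enforcement on: ", run_scenario(True))    # ('allow', 'deny')
    print("MAC enforcement off:", run_scenario(False))   # ('allow', 'allow')
```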
