Nokia Network Voyager for IPSO 4.0 Reference Guide

Transparent Mode Processing Details

When you configure transparent mode, it is added to the IPSO kernel as a module situated between layer 2 and the upper protocol layers. When a logical interface is configured for transparent mode, the transparent mode Address Resolution Protocol (ARP) and IP receive handlers replace the common ARP and IP receive handlers. This enables the transparent mode operation to essentially intercept all packets between the link layer (layer 2) and the IPv4 and IPv6 network layer (layer 3).

Besides transmitting packets that are bridged from one interface to another based on MAC addresses, the transparent mode module also transmits packets that originate locally or are forwarded based on routing. Locally originated ARP packets are broadcast on all interfaces of the transparent mode group. Locally originated IP packets are also broadcast on all interfaces of the transparent mode group if the egress interface is not found in the forwarding table.

If there are any VLAN interfaces among the interfaces in the transparent mode group, the link header of a bridged packet is modified to have the proper format for the egress interface.

Neighbor learning is the process of associating a MAC address with an interface whenever a packet is received with an unknown source MAC address. This association is called a neighbor control block. The neighbor control block is deleted from the address table after a period of inactivity (the age time-out). The age time-out for a neighbor control block is reset to its initial value whenever any packet is received from that neighbor.

Packet processing for a firewall consists of ingress and egress processing. This applies only to IP packets; ARP packets are never delivered to the firewall. Egress processing occurs when a packet returns from the firewall's ingress filtering: the packet is delivered to the firewall again for egress filtering. The packet is delivered with the interface index of the egress interface. If it is a link multicast packet, a copy of the packet is made for each interface of the transparent mode group, except the received interface. Each copy is then delivered to the firewall with the associated interface index.

Note
Network Address Translation (NAT) is not supported in transparent mode. Transparent mode does support implicit "NATing" of the packet's destination IP address to a local IP address to deliver packets to the security server on the local protocol stack. It does this by performing a route lookup for the packet's destination IP address to determine whether the packet destination is local after the packet returns from the firewall's ingress filtering. If the packet's destination is local, the packet is delivered to the IP layer for local processing.
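
The neighbor learning and age time-out behaviour described above can be modelled in a few lines. This is an added example, not IPSO code: the class and function names, the interface names, the 300-second default and the flooding of unknown unicast destinations are assumptions made for illustration.

```python
# Added example: a model of neighbor learning, not IPSO code.
AGE_TIMEOUT = 300  # seconds; assumed value, not taken from the guide


def is_link_multicast(mac):
    # Group bit: least-significant bit of the first octet (broadcast included).
    return bool(int(mac.split(":")[0], 16) & 1)


class TransparentGroup:
    def __init__(self, interfaces, age_timeout=AGE_TIMEOUT):
        self.interfaces = list(interfaces)
        self.age_timeout = age_timeout
        # Neighbor control blocks: source MAC -> (interface, time last seen)
        self.neighbors = {}

    def expire(self, now):
        # Delete blocks that have been inactive longer than the age time-out.
        for mac, (_, seen) in list(self.neighbors.items()):
            if now - seen > self.age_timeout:
                del self.neighbors[mac]

    def receive(self, in_if, src_mac, dst_mac, now):
        """Learn the sender, then return the egress interfaces for the frame."""
        self.expire(now)
        # Any packet from a neighbor creates its block or resets its age timer.
        self.neighbors[src_mac] = (in_if, now)
        others = [i for i in self.interfaces if i != in_if]
        if is_link_multicast(dst_mac):
            return others  # one copy per interface except the received one
        block = self.neighbors.get(dst_mac)
        if block is None:
            return others  # assumption: unknown unicast is flooded
        return [] if block[0] == in_if else [block[0]]


if __name__ == "__main__":
    # Constructed sample traffic (locally administered MAC addresses).
    A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"
    group = TransparentGroup(["eth1", "eth2", "eth3"], age_timeout=10)
    print(group.receive("eth1", A, B, now=0))   # B not yet learned
    print(group.receive("eth2", B, A, now=1))   # A was learned on eth1
    print(group.receive("eth1", A, B, now=14))  # B idle for 13 s, aged out
```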