What Happens If an Interface in Layer 2 Mode Receives a Packet with Unknown MAC Address?


17017
Created On 04/24/19 23:12 PM - Last Modified 04/25/19 18:07 PM


Question


What happens if an interface in Layer 2 mode receives a packet with an unknown destination MAC address?

Answer


If a packet with an unknown destination MAC address is received on a Layer 2 interface, the firewall floods the packet out of all interfaces in the VLAN on which it was received (except the ingress interface). This is the same flooding behavior a regular Layer 2 switch exhibits.

When this happens, the firewall DOES NOT create a session and logs the packet as dropped. At the same time, the global counter "flow_fwd_l2_flood" is incremented. As a result, the first session attempt to an unknown MAC address always fails; once the destination replies and its MAC address has been learned, subsequent attempts succeed.

This is expected behavior because, at the time the packet arrives, the firewall has no knowledge of the destination zone (no MAC address is associated with an outgoing interface yet) and therefore cannot perform a security policy lookup. The firewall relies on a response from the destination in order to learn the MAC address and associate it with an interface.

With dataplane packet-diag logging enabled for the flow feature at basic level (debug dataplane packet-diag set log feature flow basic), the following can be seen in the slowpath stage:

Session setup: dst mac not found 
MAC entry <AA:BB:CC:DD:EE:FF> not found on VLAN <X> 
...

Transmit packet on port <Y> 
Packet dropped, forwarding info unavailable for policy lookup 
Packet dropped, Session setup failed
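The sequence described in this answer (flood without a session on the first packet, MAC learned from the reply, session created on the retry), as an added model that is not code from the knowledge base article or from PAN-OS. Port names, zones, the VLAN id and the MAC addresses are constructed; the counter name and the log strings mirror the article so the output can be compared with a real packet-diag log. Broadcast/multicast handling and the security policy itself are not modelled.

```python
# Added example (not from the KB article or PAN-OS): a small model of the
# Layer 2 forwarding behaviour described above. Port names, zones, VLAN id
# and MAC addresses are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


@dataclass
class L2Firewall:
    port_zone: dict            # port -> security zone (constructed mapping)
    vlan_ports: dict           # vlan id -> set of member ports
    mac_table: dict = field(default_factory=dict)     # (vlan, mac) -> port
    counters: dict = field(default_factory=lambda: {"flow_fwd_l2_flood": 0})
    sessions: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def receive(self, frame):
        """Process one unicast frame: learn the source, then either forward
        with a session or flood without one, as the article describes."""
        # Source MAC learning happens regardless of what is known about the dst.
        self.mac_table[(frame.vlan, frame.src_mac.lower())] = frame.in_port
        out_port = self.mac_table.get((frame.vlan, frame.dst_mac.lower()))

        if out_port is None:
            # Unknown destination: flood out every other port in the VLAN,
            # bump the global counter, and fail session setup because the
            # egress zone (needed for policy lookup) cannot be determined.
            flood_ports = sorted(p for p in self.vlan_ports[frame.vlan] if p != frame.in_port)
            self.counters["flow_fwd_l2_flood"] += 1
            self.log.append("Session setup: dst mac not found")
            self.log.append(f"MAC entry <{frame.dst_mac}> not found on VLAN <{frame.vlan}>")
            for port in flood_ports:
                self.log.append(f"Transmit packet on port <{port}>")
            self.log.append("Packet dropped, forwarding info unavailable for policy lookup")
            self.log.append("Packet dropped, Session setup failed")
            return {"action": "flood", "ports": flood_ports, "session": None}

        # Known destination: both zones are resolvable, so a policy lookup is
        # possible and a session is created (the policy itself is not modelled).
        session = (self.port_zone[frame.in_port], self.port_zone[out_port],
                   frame.src_mac, frame.dst_mac)
        self.sessions.append(session)
        self.log.append(f"Transmit packet on port <{out_port}>")
        return {"action": "forward", "ports": [out_port], "session": session}


def scenario():
    """First attempt to an unknown MAC fails, the reply teaches the MAC table,
    the retry succeeds. Returns the three results, the counter and the log."""
    fw = L2Firewall(
        port_zone={"ethernet1/1": "trust", "ethernet1/2": "untrust", "ethernet1/3": "untrust"},
        vlan_ports={10: {"ethernet1/1", "ethernet1/2", "ethernet1/3"}},
    )
    client, server = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"   # constructed
    first = fw.receive(Frame(client, server, 10, "ethernet1/1"))   # flooded, no session
    reply = fw.receive(Frame(server, client, 10, "ethernet1/2"))   # learns server MAC
    retry = fw.receive(Frame(client, server, 10, "ethernet1/1"))   # forwarded with session
    return {"first": first, "reply": reply, "retry": retry,
            "flood_counter": fw.counters["flow_fwd_l2_flood"], "log": fw.log}


if __name__ == "__main__":
    result = scenario()
    for name in ("first", "reply", "retry"):
        print(name, result[name]["action"], result[name]["ports"], result[name]["session"])
    print("flow_fwd_l2_flood =", result["flood_counter"])
    print("\n".join(result["log"]))
```

Running the script prints the flood of the first frame to the two other VLAN members, the learned reply, and the retried frame forwarded to a single port with a session. On a real firewall the equivalent check is to send the first packet and confirm that flow_fwd_l2_flood increments in the output of show counter global filter delta yes, then verify that the retry no longer increments it.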


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLkhCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail