I have a requirement to redirect traffic to an address on the far side of a tunnel between two controllers. My question is regarding the fundamental operation at layer 2. If a client wants to send a frame to a device in another subnet it will ARP for and use the MAC address of the default gateway - in this a case a normal branch site router. If a policy says that the IP traffic must be pushed down a tunnel what will be the destination MAC address of the frame?. Does the the controller rewrite the MAC header to push it down the tunnel?
I have attached a simple diagram explaining what I'm trying to do.