topic Re: Native VLAN in Firewall and Security Management

Native VLAN

Sanjay_S — Mon, 16 May 2022 14:19:56 GMT

Hi All,

Is there any way we can define Native VLAN on Checkpoint SMB firewalls? We are using different VLAN other than VLAN 1 as native VLAN and is it possible to define it somewhere on the firewalls?

Regards,

Sanjay S

Re: Native VLAN

CE_SE — Mon, 16 May 2022 14:40:29 GMT

Please, review this previous CheckMate discussion.

https://community.checkpoint.com/t5/Security-Gateways/Gaia-r80-10-tag-vlan-1-and-native-vlan/td-p/57040

Re: Native VLAN

Tobias_Moritz — Mon, 16 May 2022 14:52:02 GMT

I'm note sure if I do not understand your question or you have a little misunderstanding what native vlan means 🙂

Native VLAN means how to handle untagged traffic.

When you say "We are using different VLAN other than VLAN 1 as native VLAN" you mean, that the switchport, your Check Point gateway is connected to, is set up as trunk and has a native vlan configured other than 1, right?

In Cisco Syntax, this would look like this:

switchport mode trunk
switchport trunk allowed vlan 10,25,35,999
switchport trunk native vlan 999

If this is what you meant:

This means that every Ethernet frame, this switchport receives from your gateway and which is not tagged (IEEE 802.1q) by the Gateway (Gaia) is handled as VLAN 999 traffic by the switch. Your SMB gateway is not tagging ethernet frames for interfaces which you define as normal (and not VLAN) interfaces.

Staying in this example, your traffic send by SMB gateway will also be assigned to VLAN 999 by the switch if you configure your gateway interface als VLAN 999 Subinterface (traffic is send tagged). But take care: The switch will send the traffic to your gateway without the VLAN tag, because the native vlan is set to that VLAN ID. So this will not work.

If your switchport is not configured as trunk but as access port:

switchport mode access
switchport access vlan 999

it will also only work if you configure the SMB gateway with a normal interface (without tagging).

This is because the (Cisco) switch with this configuration will only accept untagged packets and send untagged packets (if no voice vlan is configured).

To summarize:

If you need to send/receive traffic to/from the native vlan, then configure the gateway interface as normal (not VLAN/tagged). If you do not need to send/receive traffic to/from the native vlan, than just ignore that number and configure VLAN interfaces for the VLANs you need.

Re: Native VLAN

the_rock — Mon, 16 May 2022 14:53:28 GMT

You can get an official TAC answer, but Im 99.99% sure its not supported as of yet.

Re: Native VLAN

K_montalvo — Mon, 16 May 2022 15:16:28 GMT

This is the way!

Re: Native VLAN

Timothy_Hall — Thu, 19 May 2022 14:54:10 GMT

Mixing of untagged and tagged traffic on the same interface is not supported as the_rock said. However in my experience it does seem to work fine on a non-clustered firewall but could suddenly break at any point.

However trying to do this on a firewall that is part of a ClusterXL cluster will cause some nasty problems involving performance which was called out in my Max Power 2020 book:

Question: Our HA firewall cluster is using 802.1q trunked interfaces with a mixture
of tagged and untagged traffic on the same physical interface, and the network
performance is terrible. Why?

Answer: Don’t do this as it is not supported. If you have an interface processing
VLAN-tagged traffic, all traffic inbound to the interface should be tagged. There should
not be any untagged (sometimes called native) traffic arriving at the interface. See
sk101428: Poor performance on Unicast Load Sharing ClusterXL when using native/untagged VLANs