topic Re: VSX bridge interface monitoring in Firewall and Security Management

VSX bridge interface monitoring

Duane_Toler — Tue, 09 Aug 2022 13:20:03 GMT

I'm going through some VSX lab configurations and working with VSX Bridge Mode. Following along the VSX Admin Guide, I created a new VS, but on the interface configuration window there's no option to configure "L3 Bridge Interface Monitoring" to enable/configure the BVI.

My VSX Cluster properties are using the Active/Active bridge mode (STP), but that shouldn't matter, right?

I'm using Multi-Domain, so the VSX Cluster is in one domain and the VS itself is in another (which shouldn't matter either).

Interestingly, the "VSX Supported Features" SK (sk79700) says "VS with bridged interface" is only R81 and higher. However, I see this was an option in the R77 documentation as well as the R80.40 documentation. Is this a documentation error?

Thanks!

Re: VSX bridge interface monitoring

PhoneBoy — Tue, 09 Aug 2022 14:21:32 GMT

I believe prior to R81, if you used L2 in a VS, it could only be L2 mode.

Re: VSX bridge interface monitoring

Chris_Atkinson — Tue, 09 Aug 2022 14:52:15 GMT

@PhoneBoy is correct this came in with R81

Subsequently R80.40 JHF T53 is the minimum that allows a VS to have L2 bridge interfaces and L3 interfaces on the same VS per sk101371.

Re: VSX bridge interface monitoring

Duane_Toler — Tue, 09 Aug 2022 14:55:48 GMT

Hmm, interesting. This is R80.40 JHF 158. (VSX gateways are R80.40 JHF 161). I currently am using just two interfaces on the Bridge VS, but these are VLAN trunk interfaces (eth2 and eth3) and I have a VLAN selected on each interface (and I noticed multi-bridge is in use).

So regardless, apparently an L3 "monitoring" interface (aka: BVI) isn't really available until R81 now? So the R77 and R80.x documentation for that is an error? 🙂

Re: VSX bridge interface monitoring

Chris_Atkinson — Tue, 09 Aug 2022 15:02:46 GMT

Can you share a link to the documentation reference in question?

Re: VSX bridge interface monitoring

Duane_Toler — Tue, 09 Aug 2022 15:11:13 GMT

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_VSX_AdminGuide/Topics-VSXG/Bridge-Mode-Virtual-System.htm?tocpath=Bridge%20Mode%7C_____1

Also snippet screenshot attached.

Re: VSX bridge interface monitoring

Chris_Atkinson — Tue, 09 Aug 2022 15:25:21 GMT

The heading there is Active/Standby.

I'm not seeing the same option for Active/Active implying L2 only.

Re: VSX bridge interface monitoring

Duane_Toler — Tue, 09 Aug 2022 15:44:27 GMT

This is an area where SmartConsole could be more descriptive/helpful, and the documentation is unclear. I had to switch the VSX Cluster to "ClusterXL" for the VSX bridge configuration. That puts the VSX Cluster in Active/Standby bridge mode. By default it was STP, which I now know is Active/Active bridge mode. This is irrespective of the VSX *gateway* in cpconfig, which I also made sure was enabled for Bridge A/S mode.

Now I see L3 BVI configuration.

Sigh. Quite unclear all around.