topic Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP. in Firewall and Security Management

Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

kingdavid_akubu — Mon, 29 Jul 2019 10:42:42 GMT

Hello Experts,

I want to migrate from Cisco Router to a Checkpoint Device.

My challenge; how do i interpret the following config from Cisco Router on the Checkpoint Network Management Interface;

interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.10.10.1 255.255.255.0
ip flow ingress
!
interface GigabitEthernet0/0.40
description ***-VOIP***
encapsulation dot1Q 40
ip address 172.31.125.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map VOIPEXCH
!
interface GigabitEthernet0/0.100
description ***f-staff***
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN
!
interface GigabitEthernet0/0.101
description ***staff-2***
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN
!
interface GigabitEthernet0/0.102
description ***Guest***
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip access-group GUEST in
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN

Please how can i implement this sort of vlan on Checkpoint??

Thank you.

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

Norbert_Bohusch — Mon, 29 Jul 2019 11:34:14 GMT

This interface has IP addresses on VLANs and also on native VLAN 1 (without using VLAN tag).

This can be configured on Gaia by assigning native VLAN IP to the physical interface and configuring VLANs with the respective IP. But this is not supported on a ClusterXL cluster!
So if you are implementing a cluster, you should migrate VLAN 1 to either a separate interface using access port or by changing VLAN id.

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

kingdavid_akubu — Mon, 29 Jul 2019 11:50:28 GMT

Hello Norbert,

Thank you for your input.

So in my case; The physical ip i assign to the interface (assume eth2) will be 10.10.10.1 (native vlan ip on the config file i posted), then i add the other vlans to eth2??

Please confirm that my assumption is correct.

Thank you for your swift response.

Best Regards.

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

Norbert_Bohusch — Mon, 29 Jul 2019 12:00:05 GMT

that's correct

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

Wolfgang — Mon, 29 Jul 2019 12:22:26 GMT

Please had a look at the discussion here:

https://community.checkpoint.com/t5/General-Topics/Combine-VLAN-and-physical-interface-which-already-has-an/m-p/53611#M10712

and Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePlatform OS / Gaia OS

It is not supported having an IP configured on the native interface if tagged VLANs used on that interface.

I know, it will work but you have problems if you need support from the vendor.

And in your Cisco configuration VLAN 1 (native VLAN) is tagged with VLAN ID 1, it is not supported to have a tagged VLAN with ID 1 ( sk110096 )

As Norbert suggest, it would be the best to have VLAN 1 on another physical interface without VLAN tag, not the one with the tagged VLANs.

Wolfgang

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

kingdavid_akubu — Mon, 29 Jul 2019 12:35:39 GMT

Thank you, Norbert and Wolfgang.

I will update you once I have implemented this.

Also, I assume that i will have to create static routes on the Firewall, informing the firewall that the nexthop to those vlans is the Switch!

Kind Regards.

Re: Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

Norbert_Bohusch — Mon, 29 Jul 2019 12:37:01 GMT

No!