LAB DEPLOYMENT - VSX VMWARE

Hi All,

I am interested in building a VSX VSLS Lab in VMware as part of ongoing studying/learning of the technology. Appreciate Checkpoint don't officially support this in production but this is strictly a LAB environment. Currently got 2x R80.30 GWs and an R80.30 Manager spun up but not doing anything.

I've deployed VSX before on a pair of 5600s with a virtual switch in order to utilise one interconnect VLAN for multiple virtual systems and would ideally like to do something similar in this scenario, but just trying to understand how I'd go about setting up the corresponding VMware vSwitches and port groups with any specific settings, i.e. promiscuous mode.

Roughly I'd be looking for something like bond0 (or eth interface) as uplink to rest of the network and bond1 (or eth interface) where I can build sub-interfaces for servers/clients.

Any help on this would be most appreciated. Used to work on Checkpoint a fair amount but been out of that area of Networking for nearly a year so looking to brush up again 🙂

Thanks in Advance

Accepted Solutions
Contributor

If you just need a working lab, you can create a dedicated VMware vSwitch (an uplink is not necessary if you use a SmartConsole client in the same environment), and for each port group you define and attach to it, use the following setting:

immagine.png

About VLAN trunking: on VMware you need to "trunk all" the VLANs by setting 4095 as the VLAN ID, and on the guest machine you have to set only the desired VLAN.

And before you go crazy with a heavy troubleshooting session: the standard vSwitch doesn't support LACP.
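The setup described in this answer, as an added example (not from the original post, VMware or Check Point): esxcli commands for a dedicated standard vSwitch without an uplink and a port group trunking all VLANs with ID 4095, plus a check against the port group listing. The names `vSwitchLab` and `VSX-Trunk` and the sample listing are constructed, and the port-group settings from the screenshot are not reproduced here.

```shell
#!/bin/sh
# Added example. vSwitchLab / VSX-Trunk are assumed names, not from the thread.
# DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 in the ESXi
# host shell to actually apply them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Dedicated standard vSwitch (no uplink is added) with one port group.
# VLAN ID 4095 passes every tag through, so the guest (the VSX gateway)
# tags only the VLANs it needs on its own interfaces.
build_vsx_lab() {
    vswitch="$1"
    portgroup="$2"
    run esxcli network vswitch standard add --vswitch-name="$vswitch" &&
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$portgroup" --vswitch-name="$vswitch" &&
    run esxcli network vswitch standard portgroup set \
        --portgroup-name="$portgroup" --vlan-id=4095
}

# Reads `esxcli network vswitch standard portgroup list` output on stdin and
# succeeds only if the named port group shows VLAN ID 4095 (last column).
is_trunk_portgroup() {
    awk -v pg="$1" \
        'index($0, pg " ") == 1 && $NF == "4095" { found = 1 } END { exit !found }'
}

# Constructed sample of the listing, so the check can be tried offline.
sample_portgroup_list() {
    cat <<'EOF'
Name        Virtual Switch  Active Clients  VLAN ID
----------  --------------  --------------  -------
VM Network  vSwitch0                     1        0
VSX-Trunk   vSwitchLab                   2     4095
EOF
}

build_vsx_lab vSwitchLab VSX-Trunk
sample_portgroup_list | is_trunk_portgroup VSX-Trunk && echo "VSX-Trunk trunks all VLANs"
```

On a real host, pipe the live `esxcli network vswitch standard portgroup list` output into `is_trunk_portgroup` instead of the sample.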

Explorer

Thanks for the response on above. Just comparing deployment to what Checkpoint reference as a Virtual Systems with Internal VLAN Interfaces deployment: (https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_VSX_AdminGuide/html_frameset...)

Would like to be in a position where I can get traffic going through it hence having an uplink to the main network and hosting some servers behind it to simulate traffic. In this case, if I wanted to share an uplink, would that just be a virtual switch deployed and then present a vlan to that virtual switch and give each of the Virtual systems an IP in that vlan?

Southbound of the firewalls for Clients, I guess that could either be a virtual switch again with a trunk down to a VMware switch or assigning an eth interface corresponding to an appropriate VMware switch with the port groups created for each VLAN?

Thanks
Contributor

For your first question, yes! I suppose that your goal matches the "Shared Interface template" with the port group of the main network attached to the VSX gateway.

About the second, it depends on your deployment...
If you define a port group for a specific VLAN inside an ESXi host, you'll have just an untagged port, with the limit of 10 vNICs per VM leading to the VMware vSwitch.
I prefer to have one interface on the VSX gateway configured as a tagged interface (working as default gateway) leading to the VMware vSwitch.