Management General Management Topics Logging and Reporting Multi-Domain Management Policy Management
- Local User Groups
Customer has 730 appliance as a firewall and stack of LAN switches. All servers and network devices are connected to the stack redundantly and we want to connect 730 appliance same way as well. There was requirement for just one VLAN till now - my colleague who is ChP specialist configured it using "switch" or so called port-based VLAN - not a smart way from what I know now, but it seems to work well.
But now we need to transport more than one VLAN to the switches - you can imagine it like one VLAN is to the internal LAN and the other one is for wireless guests. When I thought ChP switch is true virtual switch (I'm not ChP specialist 😉 I wanted to assign VLANs to it, but it didn't offer such option. I tried to search documentation and found there is bond interface on Gaia based appliances - I expect 802.1q VLANs could be assigned to the bond interface just like to physical port. But there is no option to create bond interface...
Is there any way how to connect firewall redundantly to the stack of switches with more VLAN, except dumb one by creating one port based-VLAN for each VLAN and connecting each by separate pair of physical links...? Best way by using 802.1q tags...
I quite optimist/naive because I'm Cisco specialist and features like etherchannel is supported from the smallest devices by the Cisco and bonding is feature is available even on many embedded Linux based platforms because it’s Linux feature not ChP so I really don't see any reason why not to support redundant connection on LAN ports on ChP SMB products.
Thank you for help.
You can assign multiple VLANs to a single port as described here: Working with VLANs on 600 / 700/1100 / 1200R appliances and Edge / Safe@Office devices
However, SMB appliances do not support bond or link aggregation interfaces (other Check Point appliances do): Bond / Link aggregated interfaces on SMB appliances
802.1q tagged VLAN assigned to single port doesn't allow redundant connection - there is no support for shared virtual IP between ports like VRRP/GLBP. It's even not possible to create overlapping segments on two ports for case I implement intelligent switching of next hop IP address on Cisco switches based on reachability of either first or second IP.
Yes, I already understood there is no bonding port, but it's disproportionate restriction by my opinion.
On the other hand there are switch and bridge, which are both bridges in fact, except one check box necessary for turning off inspection to bridge support what switch does. If it would really be virtual switch I can assign to it multiple SVI (interface VLAN) and problem would be easily solved as well, but virtual switch is much more complex concept than just support bonding which is already available in Linux under the ChP sw.
You can cluster multiple devices and have a shared IP that persists on the active node.
But that's not exactly what you're after, I understand.
You are correct, to achieve what you want you need a real GAIA box, not an SMB. This unit does not support port bonding at all, you can only create multiple switches with 1 IP based on 1 VLAN per switch.
Once you create a switch you cannot assign a VLAN to it.
The simple way to achieve this is to remove one port from the Switch and configure the VLANS on the physical port.
It seems that you want to connect a bond interface to 2 separate Hardware switches. I m not quite sure how it works on stacked devices but normally this would be a VPC (virtual port channel) and this is again different from a regular lacp bond and There are some limitations to this, regular bonds (PO on same hardware) however work quite well on Gaia appliances (unfortunately not on SMB appliances as already stated).
You may want to consider clustering the Checkpoint Appliance, this way you can connect each member to a separate switch and provide the redundancy, having just 1 appliance makes it the Single point of failure and would also not be really redundant.