This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Seth_Jestus
Participant
‎2018-09-11 05:14 AM

[730 Appliance] Set up 2 VLANs for VOIP/Data Segregation

I've inherited a Check Point 730 Appliance at a small business office that is using it in a pretty basic setup from what I can tell. This is the first time using a device like this for me.

I want to segregate the network's VOIP devices and PCs by going down to 1 port off the appliance which is then split into 2 VLANs.

When I separate one of LAN ports and then create 2 separate VLANs (with DHCP enabled) none of the devices (1 VOIP phone and my PC) get an IP address (even after resetting their network settings).

I also tried to give them static IPs in network objects.

None of them get an IP until I turn on port based VLAN on the physical port, but then I can't split them apart, they'll still all end up under the same VLAN.

Here's what it looks like:

Check Point "Switch1" (LAN1, LAN2, LAN3, LAN4, LAN5, WiFi):

      Unmanaged Switch 1, Unmanaged Switch 2

            Every office device connected through the switches

LAN6:

      VLAN1,VLAN2

This is the guide I followed: Working with VLANs on 600 / 700/1100 / 1200R appliances and Edge / Safe@Office devices 

Any guidance would be appreciated,

Thanks

10 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-09-11 06:41 AM

With only two devices in the internal net, why is VLAN needed at all ? I do see no immediate advantage...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Seth_Jestus
Participant
‎2018-09-11 06:50 AM
In response to G_W_Albrecht

2 devices for testing purposes.

There's 29 VOIP devices and about 40 PCs

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-12 12:09 AM
In response to Seth_Jestus

You should better involve TAC into this....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Seth_Jestus
Participant
‎2018-09-12 03:21 AM
In response to G_W_Albrecht

I'm not familiar with this acronym. Is it this? Technical assistance center - Wikipedia ?

If so, I'm the only "technical" person here at this office. There's no support above or below me other than reaching out to a forum every now and then when I get stumped. Unless you're referring to me calling CheckPoint support?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-11 06:42 AM

And as this is a 7x0 question it should be moved to SMB & SMP!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-12 12:47 AM

After looking more into this issue, it looks like an issue with DHCP. If you do set the IP addresses manually, is the VLAN working then ? After configuring DHCP for the two VLANs, waht happened to the DHCP requests and replies according to the logs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Seth_Jestus
Participant
‎2018-09-12 03:20 AM
In response to G_W_Albrecht

Thanks for the reply

Here's what I've tried:

   Isolated LAN6 on a separate network.

      Create VLAN1 / VLAN2

         DHCP enabled on both VLAN1 192.168.200.1 / VLAN2 192.168.201.1

            Connected a direct line from LAN6 port to my VOIP phone.

                Connect line from passthrough port on VOIP phone to computer.

                   Network Objects were pre-created w/ static IPs for the MACs of the VOIP and computer. I've also tried                    without this.

                        Restarted phone (there's no manual settings I can set on the phone) phone gets self-assigned IP.

                        Reset network adapter on computer. Computer gets self-assigned IP.

   If I turn DHCP on for LAN6 192.168.202.1 (which already has VLAN1 / VLAN2 set) the phone will grab the IP under LAN6's DHCP settings and completely ignore anything from VLAN1/2 and also ignore anything set in network objects. This is the only time anything will get an IP.

It's pretty much the same set up from what I can tell as the example given in the support article I linked, except I can't figure out why the devices are only getting self-assigned IPs.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-12 04:34 AM
In response to Seth_Jestus

So a DHCP request from a device to the VLAN1 192.168.200.1 / VLAN2 192.168.201.1 GWs is not answered ?

And yes, TAC means CP tech support.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Seth_Jestus
Participant
‎2018-09-12 04:48 AM
In response to G_W_Albrecht

Correct.

If I leave Windows to set things up automatically, I get a self-assigned address. (This is also after resetting the adapter and also restarting Windows).

I tried to set up Windows as static IP, but if I set it to 192.168.200.150 (the address I set in network objects), netmask 255.255.255.0 and GW as 192.168.200.1, I get no internet access. This is with and without the VOIP phone in the middle.

Since it didn't make any sense to me why it wasn't working, I tried to change the gateway to 192.168.1.1 in Windows (which is the SWITCH1 gateway), I get no internet access.

0 Kudos
Pedro_Espindola
Advisor
‎2018-09-17 09:39 AM

So you want to connect the phone to the switch and the PC to the phone?

If your setup is anything like mine, you need to set the ports (switch or gateway) that connect to the phone in the following manner:

  • VOIP network UNTAGGED
  • PC network VLAN TAGGED
  • Configure the VLAN ID of the PC network in the phone for the passthrough. It probably won't do this automatically.

You will probably do this on the switch, but to connect a phone directly to the gateway, you must configure LAN6 with the VOIP Network configs (without VLAN) and then assign a new VLAN (for the PCs) to it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events