AngusM
Explorer

Local network settings - Meraki switch connection

CP1800, Firmware R81.10, Smart-1 cloud managed

I'm looking for thoughts on the best way to configure a Checkpoint appliance for a Meraki switch network.

I am planning to replace all the Dell switches at one of our large sites; the existing network is a tiered design, so I have OSPF configured on the main core switch to distribute routes to the Checkpoint.

The Dell switch is the main routed core for the network, and the internet uplink is configured as the default route for the network.

I have CP LAN1 configured for the local network access, and the connected switch port is configured as access mode on the core switch.

All pretty straightforward, however the issue I have discovered is that Meraki's management network IP address must be separate from the Internet uplink transit network IP address, so I'll have to configure the Checkpoint accordingly.

I am comfortable with the switch config, but I have limited exposure to Checkpoints, so I am looking for advice on the best way to connect and configure the Meraki internet uplink - whether that would be separate LAN interfaces, VLAN port, Bridge, etc.?

So my options (I think) are as follows:

1. Leave existing LAN1 config for internet access from the Meraki network, and add a second LAN connection for the Meraki Management

Or,

2. Remove the existing config from port LAN1 and recreate as a new VLAN port, with VLANs for management and internet access

I want to try to keep things as simple as possible, so rightly or wrongly, my preference would be to keep the 2 VLANs physically separate with dedicated LAN connections, rather than creating a VLAN trunk.


Can anyone suggest or recommend the best way to configure this?

Appreciate any help


Accepted Solutions
PhoneBoy
Admin

You can take one of the LAN ports and assign it to a different network.
Or you can use the DMZ port for this (if you're not already using it).
In any case, you can remove the LAN port from the LAN1 switch here (click on Edit):

[screenshot: image.png]

Then you can create a new switch/bridge, assign the network/mask, and add the port to it.

AngusM
Explorer

Hi, thank you for the reply.


I'm already using my DMZ for guest network access, so it looks like I will have to remove a LAN port to achieve what I require.

I assume that I will have to create firewall rules to allow traffic between these LAN segments, but in what situation would I create a bridge rather than 2 switches?

Regards


PhoneBoy
Admin

Yes, you will have to create rules.
Use cases for bridges include:

  • Operating as a Layer 2 firewall (bridging WAN and LAN port, for instance)
  • Having WiFi and LAN ports on the same network
AngusM
Explorer

Thank you again - I tested separating the LAN ports as you advised, and it's working as expected 🙂

I also appreciate the info re bridges - we don't have any wireless models so that was confusing me a bit, but the examples you have given make sense now.
