This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michal_Gust
Explorer
‎2018-11-21 04:30 PM

Redundant connection to switch with 802.1q tag based VLAN on 730

Customer has 730 appliance as a firewall and stack of LAN switches. All servers and network devices are connected to the stack redundantly and we want to connect 730 appliance same way as well. There was requirement for just one VLAN till now - my colleague who is ChP specialist configured it using "switch" or so called port-based VLAN - not a smart way from what I know now, but it seems to work well.

 

But now we need to transport more than one VLAN to the switches - you can imagine it like one VLAN is to the internal LAN and the other one is for wireless guests. When I thought ChP switch is true virtual switch (I'm not ChP specialist 😉 I wanted to assign VLANs to it, but it didn't offer such option. I tried to search documentation and found there is bond interface on Gaia based appliances - I expect 802.1q VLANs could be assigned to the bond interface just like to physical port. But there is no option to create bond interface...

 

Is there any way how to connect firewall redundantly to the stack of switches with more VLAN, except dumb one by creating one port based-VLAN for each VLAN and connecting each by separate pair of physical links...? Best way by using 802.1q tags...

 

I quite optimist/naive because I'm Cisco specialist and features like etherchannel is supported from the smallest devices by the Cisco and bonding is feature is available even on many embedded Linux based platforms because it’s Linux feature not ChP so I really don't see any reason why not to support redundant connection on LAN ports on ChP SMB products.

Thank you for help.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2018-11-21 04:55 PM

You can assign multiple VLANs to a single port as described here: Working with VLANs on 600 / 700/1100 / 1200R appliances and Edge / Safe@Office devices 

However, SMB appliances do not support bond or link aggregation interfaces (other Check Point appliances do): Bond / Link aggregated interfaces on SMB appliances 

0 Kudos
Michal_Gust
Explorer
‎2018-11-21 05:38 PM
In response to PhoneBoy

802.1q tagged VLAN assigned to single port doesn't allow redundant connection - there is no support for shared virtual IP between ports like VRRP/GLBP. It's even not possible to create overlapping segments on two ports for case I implement intelligent switching of next hop IP address on Cisco switches based on reachability of either first or second IP.

 

Yes, I already understood there is no bonding port, but it's disproportionate restriction by my opinion.


On the other hand there are switch and bridge, which are both bridges in fact, except one check box necessary for turning off inspection to bridge support what switch does. If it would really be virtual switch I can assign to it multiple SVI (interface VLAN) and problem would be easily solved as well, but virtual switch is much more complex concept than just support bonding which is already available in Linux under the ChP sw.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-21 06:36 PM
In response to Michal_Gust

You can cluster multiple devices and have a shared IP that persists on the active node.

But that's not exactly what you're after, I understand.

Maarten_Sjouw
Champion
Champion
‎2018-11-22 10:23 AM

You are correct, to achieve what you want you need a real GAIA box, not an SMB. This unit does not support port bonding at all, you can only create multiple switches with 1 IP based on 1 VLAN per switch.

Once you create a switch you cannot assign a VLAN to it.

Regards, Maarten
0 Kudos
Ricardo_Gros
Collaborator
‎2018-11-23 07:09 AM

Hi,

The simple way to achieve this is to remove one port from the Switch and configure the VLANS on the physical port.

 It seems that you want to connect a bond interface to 2 separate Hardware switches. I m not quite sure how it works on stacked devices  but normally this would be a VPC (virtual port channel) and this is again different from a regular lacp bond and There are some limitations to this, regular bonds (PO on same hardware) however work quite well on Gaia appliances (unfortunately not on SMB appliances as already stated).


You may want to consider clustering the Checkpoint Appliance, this way you can connect each member to a separate switch and provide the redundancy, having just 1 appliance makes it the Single point of failure and would also not be really redundant.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events