Srdjan_B
Collaborator

Bridge mode and tagged traffic

Hello all,

There is a regular L3 HA cluster (having internal, external and sync interfaces). It is not VSX.

There is a need to use this same cluster to do some L2 bridging. The firewall will not do any routing for the L2 IP address scopes (that may change at some point, but it is not the issue here).

The lab topology for testing the scenario is shown in the drawing. When all switch ports are configured in access mode for VLAN 100, the two PCs can ping each other and bridging works OK. The policy allows any service from 10.10.100.0/24 to 10.10.100.0/24.

When I change the switch ports connecting the firewalls to trunk mode (tagged VLANs), the firewall no longer passes traffic.

When PC 101 tries to ping PC 102, the traffic arrives on interface eth5. It is clear that the traffic is tagged with VLAN ID 100, but nothing is seen on eth6:

[Expert@gw_dc1:0]# tcpdump -enni eth5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:35:17.171156 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:18.195079 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:19.219390 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:20.243128 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:21.267126 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]# tcpdump -enni eth6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]#

The firewalls are configured to use "Check Point ClusterXL for Bridge Active/Standby" to avoid a loop. The above test was also done with FW2 shut down, to make sure all traffic is passing only via FW1. Gaia configuration:

gw_dc1> show configuration bridging
add bridging group 1000
add bridging group 1000 interface eth5
add bridging group 1000 interface eth6

gw_dc1> show configuration interface
set interface br1000 state on
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.2.236 mask-length 24
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 ipv4-address 10.200.200.2 mask-length 24
set interface eth2 link-speed 1000M/full
set interface eth2 state on
set interface eth2 ipv4-address 10.255.254.1 mask-length 30
set interface eth3 state off
set interface eth4 state off
set interface eth5 state on
set interface eth6 state on
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8

The bridge interface is not part of the topology in SmartConsole. I tested this with R80.40 and also R81 JHF take 65, and tried it with a single firewall (not part of a cluster) as well as with the ClusterXL described above.

I am out of ideas. According to the documentation, this is a supported scenario, but it is not working for some reason 😞

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces.

Thank you

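As an added diagnostic (not from the original post, nor a Check Point tool): a small Python script that parses `tcpdump -enni` lines captured on both bridge members and reports which VLAN IDs arrive on the ingress port but never appear on the egress port, so the check above (tagged ARP on eth5, nothing on eth6) can be repeated for every VLAN on the trunk. The capture text is constructed from the thread's output plus an invented VLAN 200 line; interface names eth5/eth6 are the thread's.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -enni <iface>` output, modelled on the
# thread's capture: tagged frames arriving on eth5, nothing leaving on eth6.
CAPTURES = {
    "eth5": """\
14:35:17.171156 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:18.195079 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:19.219390 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 200, p 0, ethertype IPv4 (0x0800), length 98: 10.10.200.1 > 10.10.200.2: ICMP echo request, id 1, seq 1, length 64
""",
    "eth6": "",  # egress side of the bridge: empty, as in the thread
}

# 802.1Q-tagged frame: outer ethertype 0x8100, then "vlan <id>, p <prio>, ethertype <inner>"
TAGGED = re.compile(r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (\d+), p \d+, ethertype (\w+)")
# Untagged frame: the first ethertype is already the payload type, e.g. "ethertype ARP (0x0806)"
UNTAGGED = re.compile(r"ethertype (\w+) \(0x[0-9a-f]+\)")


def parse_frames(text):
    """Yield (vlan_id or None for untagged, inner ethertype name) per tcpdump -e line."""
    for line in text.splitlines():
        m = TAGGED.search(line)
        if m:
            yield int(m.group(1)), m.group(2)
            continue
        m = UNTAGGED.search(line)
        if m:
            yield None, m.group(1)


def vlan_counts(captures):
    """Map vlan -> {interface -> frame count} across all captured interfaces."""
    counts = defaultdict(lambda: defaultdict(int))
    for iface, text in captures.items():
        for vlan, _ethertype in parse_frames(text):
            counts[vlan][iface] += 1
    return counts


def stuck_vlans(captures, ingress, egress):
    """VLANs (None = untagged) seen on ingress but never on egress: the bridge is dropping them."""
    counts = vlan_counts(captures)
    stuck = [v for v, per_if in counts.items()
             if per_if.get(ingress, 0) and not per_if.get(egress, 0)]
    return sorted(stuck, key=lambda v: (v is None, v or 0))


if __name__ == "__main__":
    for vlan, per_if in sorted(vlan_counts(CAPTURES).items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print("untagged" if vlan is None else f"vlan {vlan}", dict(per_if))
    print("not forwarded eth5 -> eth6:", stuck_vlans(CAPTURES, "eth5", "eth6"))
```

On a real gateway, feed it the output of `tcpdump -enni eth5` and `tcpdump -enni eth6` taken while the PCs are pinging; the access-mode (untagged) case should report nothing stuck, and the trunk case should list exactly the VLANs the bridge is not forwarding.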
PhoneBoy
Admin

Is the gateway seeing the same traffic twice?
Double inspection is...not supported.

Srdjan_B
Collaborator

No, not really. Also, when tagging on switches is off, everything works as expected. 

G_W_Albrecht
Legend

Did you contact TAC yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Srdjan_B
Collaborator

I did not contact TAC; this is a lab environment with eval licenses and no support. When we do it on production boxes, it will have to work from day 1, so I am trying to verify the configuration and steps upfront.

Thank you.

G_W_Albrecht
Legend

As long as this is for a customer with valid support, you only need their UC Account# - this is a common scenario...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ruan_Kotze
Advisor

Hi @Srdjan_B - did you manage to get this scenario working in the end? I'm building out a similar solution now.

Srdjan_B
Collaborator

Hello @Ruan_Kotze. The customer decided to accept an alternative design, without the firewall in bridge mode, so further testing was abandoned.

AkosBakos
Advisor

Hi Ruan_Kotze,

Try the following:

When the traffic does not pass the bridge: have you tried switching off acceleration (#fwaccel off)?

According to this article: https://support.checkpoint.com/results/sk/sk105899

Set the relevant kernel parameters (all four).

Let's see what we get.

Akos

----------------
\m/_(>_<)_\m/