Bridging Trunked VLANs on ClusterXL Active/Standby... - Check Point CheckMates

Unleashing Performance & Stability
with Harmony Endpoint E88.70!

Register Now

It's Here!
CPX 2025 Content

Get It Now

Zero Trust: Remote Access and Posture
Help us with the Short-Term Roadmap

Take the Survey

The Future of Browser Security:
AI, Data Leaks & How to Stay Protected!

Watch now

CheckMates Go:
Recently on CheckMates

LISTEN NOW

I am deploying a pair of Check Point Firewalls running R81.20 JHF t76 in ClusterXL Active/Standby Bridge Mode between 2 pairs of stacked switches. The firewall interfaces are connected to each switch stack using a pair of LACP bonds. The adjacent switch stacks use VPC to connect to the firewall's bonds and trunk several VLANs running STP. A basic image of the topology is attached.

What would be the appropriate way to configure the CPFWs so that the STP BPDUs generated by the switches can traverse the bridge? Should the bonds be configured with sub-interfaces for each of the VLANs that the switches are trunking? I believe this would be required in order to maintain VLAN separation and enable the switches to perform the root bridge election process.

The R81.20 Installation and Upgrade Guide page for ClusterXL in Active/Standby Bridge Mode states that the "best practice" is to disable STP on the adjacent switches, but it is unclear to me why this recommendation exists or how this topology would be expected to function without it.

I have inquired the same with TAC in SR 6-0004219095 but would appreciate any second opinions from this audience.

132 KB

0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

User

Count

17

8

8

8

6

5

4

4

3

3

Upcoming Events

Sort by:

In-Person

Tue 25 Mar 2025 @ 09:00 AM (CET)

CheckMates Live Paris: Harmony – Protection avancée de l’espace utilisateur

In-Person

Tue 25 Mar 2025 @ 09:00 AM (EDT)

Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!

Virtual

Wed 26 Mar 2025 @ 04:00 PM (IST)

Validating Cyber Exposures: How To Continuously Test Exposures For Exploitability

Virtual

Thu 27 Mar 2025 @ 03:00 PM (CET)

Be Your Own TAC Part Deux: Advanced Gateway Troubleshooting Commands - EMEA

Virtual

Thu 27 Mar 2025 @ 02:00 PM (EDT)

Be Your Own TAC Part Deux: Advanced Gateway Troubleshooting Commands - Americas

Virtual

Tue 01 Apr 2025 @ 11:00 AM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - EMEA

Virtual

Wed 26 Mar 2025 @ 04:00 PM (IST)

Validating Cyber Exposures: How To Continuously Test Exposures For Exploitability

Virtual

Thu 27 Mar 2025 @ 03:00 PM (CET)

Be Your Own TAC Part Deux: Advanced Gateway Troubleshooting Commands - EMEA

Virtual

Thu 27 Mar 2025 @ 02:00 PM (EDT)

Be Your Own TAC Part Deux: Advanced Gateway Troubleshooting Commands - Americas

Virtual

Tue 01 Apr 2025 @ 11:00 AM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - EMEA

Virtual

Tue 01 Apr 2025 @ 06:00 PM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - Americas

Virtual

Wed 02 Apr 2025 @ 03:00 PM (CEST)

The Power of SASE: Smarter Security, Stronger Network - EMEA

In-Person

Tue 25 Mar 2025 @ 09:00 AM (CET)

CheckMates Live Paris: Harmony – Protection avancée de l’espace utilisateur

In-Person

Tue 25 Mar 2025 @ 09:00 AM (EDT)

Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!

In-Person

Tue 08 Apr 2025 @ 12:00 PM (MDT)

Denver: CPX 2025 Recap

In-Person

Thu 10 Apr 2025 @ 10:00 AM (EEST)

CheckMates Live Sofia - Maintenance and Upgrade Best Practices

In-Person

Thu 10 Apr 2025 @ 12:00 PM (PDT)

Renton, WA: Golf and Learn!

In-Person

Wed 16 Apr 2025 @ 12:00 PM (PDT)

Hillsboro, OR: Golf and Learn!

CheckMates Events