This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kingdavid_akubu
Participant
‎2019-07-29 03:42 AM

Implementing vlan interfaces on a physical interface that doesnt have a physical IP.

Hello Experts,

 

I want to migrate from Cisco Router to a Checkpoint Device.

My challenge; how do i interpret the following config from Cisco Router on the Checkpoint Network Management Interface;

interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.10.10.1 255.255.255.0
ip flow ingress
!
interface GigabitEthernet0/0.40
description ***-VOIP***
encapsulation dot1Q 40
ip address 172.31.125.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map VOIPEXCH
!
interface GigabitEthernet0/0.100
description ***f-staff***
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN
!
interface GigabitEthernet0/0.101
description ***staff-2***
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN
!
interface GigabitEthernet0/0.102
description ***Guest***
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip access-group GUEST in
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN

 

Please how can i implement this sort of vlan on Checkpoint??

 

Thank you.

0 Kudos
6 Replies
Norbert_Bohusch
Advisor
‎2019-07-29 04:34 AM

This interface has IP addresses on VLANs and also on native VLAN 1 (without using VLAN tag).

This can be configured on Gaia by assigning native VLAN IP to the physical interface and configuring VLANs with the respective IP. But this is not supported on a ClusterXL cluster!
So if you are implementing a cluster, you should migrate VLAN 1 to either a separate interface using access port or by changing VLAN id.
kingdavid_akubu
Participant
‎2019-07-29 04:50 AM
In response to Norbert_Bohusch

Hello Norbert, 

Thank you for your input.

So in my case; The physical ip i assign to the interface (assume eth2) will be 10.10.10.1 (native vlan ip on the config file i posted), then i add the other vlans to eth2??

Please confirm that my assumption is correct.

Thank you for your swift response.

Best Regards.

0 Kudos
Norbert_Bohusch
Advisor
‎2019-07-29 05:00 AM
In response to kingdavid_akubu

that's correct
Wolfgang
MVP Gold
MVP Gold
‎2019-07-29 05:22 AM
In response to kingdavid_akubu

Please had a look at the discussion here:

https://community.checkpoint.com/t5/General-Topics/Combine-VLAN-and-physical-interface-which-already...

and Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePl...

It is not supported having an IP configured on the native interface if tagged VLANs used on that interface.

I know, it will work but you have problems if you need support from the vendor.

And in your Cisco configuration VLAN 1 (native VLAN) is tagged with VLAN ID 1, it is not supported to have a tagged VLAN with ID 1 ( sk110096 )

As Norbert suggest, it would be the best to have VLAN 1 on another physical interface without VLAN tag, not the one with the tagged VLANs.

Wolfgang

kingdavid_akubu
Participant
‎2019-07-29 05:35 AM
In response to Wolfgang

Thank you, Norbert and Wolfgang.

I will update you once I have implemented this.

Also, I assume that i will have to create static routes on the Firewall, informing the firewall that the nexthop to those vlans is the Switch!

 

Kind Regards.

0 Kudos
Norbert_Bohusch
Advisor
‎2019-07-29 05:37 AM
In response to kingdavid_akubu

No!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events