Hi
Is there any guide that shows how to do subnet advertisement over the S2S tunnel (2 Check Point appliances)?
We have about 5 different VLANs that need to be advertised from the main office to the branch office.
Any ideas!
Why do you need that? Usually you include all subnets in the VPN Encryption Domains for each peer.
Clarification on VLAN Tagging and Configuration:
We defined the allowed networks for the VPN tunnel. However, I'm unsure how VLAN tagging would work in this scenario.
Ideally, I'd like to find a comprehensive guide that outlines the configuration process for both the Check Point firewall at the main office and the Check Point firewall in the branch office. This guide should specifically address:
By following a detailed guide that addresses these aspects, I can confidently configure the VPN tunnel and achieve the desired functionality for VLAN traffic across both locations.
Additionally:
On the CP side you only need to consider the R81.10 Gaia Administration Guide - VLAN Interfaces. Switches are configured according to their specs. It should work transparently over VPN if the Encryption Domains are defined correctly.
Maybe this needs to be considered?
If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.
To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).
The Security Gateway processes the tagged packet and does not remove VLAN tags from them.
The traffic passes with the original VLAN tag to its destination.
Just follow the link Guenther gave. I am not aware of any specific document/article that talks about something like this through the VPN tunnel.
Andy
Just adding my 2p on this one if I may; apologies if I have misunderstood you, but I had a similar question put to me just last week. In that case, the customer had an existing MPLS L2 network and wanted to find a way to keep the L2 build broadly similar after migrating to VPN tunnels.
It's important to note that the VPN tunnel is a layer 3 entity; it's IP to IP. It's not possible to segregate this L3 tunnel into a series of layer 2 VLANs, in the manner of an Ethernet trunk.
Instead, what you need to do (as Guenther and Andy mention) is include the respective subnets in the 'encryption domain'.
Again, apologies if that's not what you're asking.
G
That's a super valid point; it would be a layer 3 "system" if you will, so the statement about segregating it into separate layer 2 entities may not work. I agree.
Not sure if there is a written statement anywhere about it, but I could not find one myself.
Andy
You have a very good point about the difference between L2 and L3 in this specific case.
I would agree with @G_W_Albrecht. By the way, whatever you need to advertise, just include it in the VPN domain, and ever since R80 you can have a specific group as the generic VPN domain in the object itself, but then you can assign different ones per community (see screenshot below).
Andy
If the interface VLAN that I need to send to the branch office is not defined in the firewall but only in the router (internal traffic), how would the process of creating a new interface VLAN on the firewall go?
Example:
add interface bond0 vlan 530
set interface bond0 state on
set interface bond0.530 comments "Print"
set interface bond0.530 state on
set interface bond0.530 ipv4-address 10.40.10.25 mask-length 24
What happens next?
That looks right. Well, just make sure it's added as part of the VPN encryption domain.
Andy
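To make the layer 3 point concrete for both the encryption-domain advice in the replies above and the bond0.530 clish snippet, here is an added example; it is not part of the original thread and not Check Point code. It models each peer's Encryption Domain as a list of subnets, checks which main-office VLANs would actually be tunnelled to a branch host before and after the new Print subnet is added to the main-office domain, and generates the same Gaia clish lines as the post above with `save config` appended so the change persists across reboots. All subnets, host addresses and interface names other than bond0.530 / 10.40.10.25 are constructed for illustration; the branch LAN 192.168.50.0/24 in particular is an assumption.

```python
# Added example (not from the CheckMates thread, not Check Point code).
# Models the thread's point: a site-to-site VPN is a layer-3 tunnel, and the
# only thing that decides whether a flow is encrypted is whether src and dst
# fall into the two peers' Encryption Domains. The inner 802.1Q tag never
# crosses the tunnel.
import ipaddress
from typing import Iterable

# Constructed sample data: five main-office VLAN sub-interfaces on bond0
# (bond0.530 is the "Print" VLAN from the post above) and one branch LAN
# behind the 1575. Addresses other than 10.40.10.0/24 are assumptions.
MAIN_VLANS = {
    "bond0.10": "10.10.10.0/24",
    "bond0.20": "10.20.10.0/24",
    "bond0.30": "10.30.10.0/24",
    "bond0.530": "10.40.10.0/24",
    "bond0.540": "10.50.10.0/24",
}
BRANCH_LAN = "192.168.50.0/24"
BRANCH_HOST = "192.168.50.10"


def encryption_domain(subnets: Iterable[str]) -> list:
    """A peer's Encryption Domain, modelled as a list of IP networks."""
    return [ipaddress.ip_network(s) for s in subnets]


def in_domain(ip: str, domain: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domain)


def tunnel_decision(src: str, dst: str, main_domain: list, branch_domain: list) -> str:
    """'encrypt' if the flow is matched by the community, else 'not-matched'.

    A flow is tunnelled when src is in one peer's domain and dst in the other's.
    The VLAN the frame arrived on is irrelevant: the gateway terminates the
    802.1Q tag on bond0.<vid>, routes the IP packet, and the tunnel carries IP
    packets, not the inner tag. Any tagging at the branch comes from the branch
    switch's own port/VLAN configuration.
    """
    main_to_branch = in_domain(src, main_domain) and in_domain(dst, branch_domain)
    branch_to_main = in_domain(src, branch_domain) and in_domain(dst, main_domain)
    return "encrypt" if (main_to_branch or branch_to_main) else "not-matched"


def check_vlans_reach_branch(main_domain: list, branch_domain: list) -> dict:
    """For each main-office VLAN, test its first host against a branch host."""
    results = {}
    for name, cidr in MAIN_VLANS.items():
        first_host = str(next(ipaddress.ip_network(cidr).hosts()))
        results[name] = tunnel_decision(first_host, BRANCH_HOST, main_domain, branch_domain)
    return results


def gaia_vlan_commands(parent: str, vlan_id: int, ip: str, prefix: int, comment: str) -> list:
    """Gaia clish to add a tagged sub-interface, as in the post above, plus 'save config'."""
    sub = f"{parent}.{vlan_id}"
    return [
        f"add interface {parent} vlan {vlan_id}",
        f"set interface {parent} state on",
        f'set interface {sub} comments "{comment}"',
        f"set interface {sub} state on",
        f"set interface {sub} ipv4-address {ip} mask-length {prefix}",
        "save config",  # without this the clish change is lost on reboot
    ]


if __name__ == "__main__":
    branch = encryption_domain([BRANCH_LAN])
    # Main-office domain that forgot the new Print VLAN ...
    incomplete = encryption_domain(v for k, v in MAIN_VLANS.items() if k != "bond0.530")
    # ... and the corrected one with all five subnets.
    complete = encryption_domain(MAIN_VLANS.values())
    print("before:", check_vlans_reach_branch(incomplete, branch))
    print("after: ", check_vlans_reach_branch(complete, branch))
    print("\n".join(gaia_vlan_commands("bond0", 530, "10.40.10.25", 24, "Print")))
```

Running it shows bond0.530 flip from `not-matched` to `encrypt` once 10.40.10.0/24 is in the main-office domain while the other four VLANs are unaffected; on the gateway that step is adding the network object to the VPN domain group in SmartConsole, not anything in clish. The branch-side clish is the same pattern for whatever LAN interface the 1575 uses, and its own Encryption Domain only needs the branch subnet.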
That config will be done on the main office; what about the branch office configuration? Is it the same?
Do I need to consider this:
If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.
To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).
The Security Gateway processes the tagged packet and does not remove VLAN tags from them.
The traffic passes with the original VLAN tag to its destination.
Why would you use a bridge interface? This will make many features unavailable! Both peers have their own Encryption Domain; all networks should be included that have to be reached by clients from the peer site.
I am not an expert here, but I am trying to learn!
In the branch office a Cisco switch will be connected to the firewall. How would the firewall configuration be?
How would the switch understand that this traffic is tagged? I am trying to understand the process!
The branch office is a 1575 small business appliance.