CyberBreaker
Contributor

VSX ClusterXL Bridge Mode

Hi Guys,

I have some clarifications to ask. I have somehow successfully configured my VSX setup, but I have some questions, and I am not sure if the one I configured is the correct way to do it.

My requirements are the following:

- 2x VSX Gateway in Cluster XL Active/Standby

- 4x Virtual Systems

- Allow multiple VLANs in each virtual system

- All virtual systems cluster state should be active in just 1x member of the VSX gateway and the other will be on standby.

Currently, I set my physical interfaces to non-trunk (meaning I did not check the VLAN Trunking option). So far, I can see traffic from my different VLANs. Is this the correct way to configure the interface, or do I need to specify the VLAN in the interface (which means I need to check the VLAN Trunking option)?

If this is the correct way, by not checking the VLAN Trunking option on the physical interfaces, how does Check Point know that the traffic coming in is from VLAN X or VLAN Y, and then how will the firewall know that the traffic should go out to VLAN X or VLAN Y?

I have already searched over the internet and the Check Point support site, but I cannot find any documents that explain this scenario.

Also, multi-bridge is not an option because it is only supported in Active/Active and not in Active/Standby failover.

Thanks

0 Kudos
8 Replies
Chris_Atkinson
Employee

sk121451 will assist in ensuring the active/standby configuration is complete.

CCSM R77/R80/ELITE
0 Kudos
CyberBreaker
Contributor

Hi @Chris_Atkinson, thanks for the feedback. But how can I configure my interfaces to accept multiple VLANs when I am running VSX in bridge mode?
Some say that in Smart Console I need to configure the physical interfaces to be in a bridge interface, and on that bridge interface I need to tag the VLAN, but how can I have the bridge interface in my Smart Console if I am running VSX?

Or is there no need to tag the VLANs on the interfaces at all, either on the physical or on the bridge interface?

thanks

0 Kudos
Chris_Atkinson
Employee

Two options currently as I understand.

- Active / Active with multi-bridge

- Separate VS per-VLAN

CCSM R77/R80/ELITE
CyberBreaker
Contributor

Hi @Chris_Atkinson, sorry for the confusion, I just wanted to describe what my setup is 😀. But what I really need to know is how Check Point bridge mode handles the Ethernet traffic, I mean how the firewall knows how to forward the traffic from a specific VLAN (e.g. VLAN 10) to the correct VLAN, which needs to be VLAN 10 as well?

All I know is that in VSX, I cannot do a multi-bridge setup in active/standby. So what I did is configure a TRUNK bridge interface by bridging two non-trunk physical ports, which works fine, but it brings me back to the question above about how CP handles Ethernet traffic.

Chris_Atkinson
Employee

In the supported documented use-cases it is based on the configured tags.

What blades are enabled and does it work "properly" for _all_ VLANs i.e. how is the interface topology configured?

CCSM R77/R80/ELITE
0 Kudos
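The "based on the configured tags" point above is the crux of the thread: a transparent bridge does not need its own VLAN interfaces to tell VLAN 10 from VLAN 20, because the VLAN ID travels inside each frame in the 802.1Q tag (EtherType 0x8100, VLAN ID in the low 12 bits of the TCI), and a bridge that forwards the frame unchanged hands the tag to the switch on the other side. The following Python is an added example, not code from the thread or from Check Point, that parses constructed Ethernet frames, shows where the VLAN ID comes from, and models a two-port transparent bridge with an optional per-VLAN allow-list; the port names eth1/eth2, the `bridge_forward` helper and the sample frames are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q VLAN tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    ethertype: int          # EtherType of the encapsulated payload (e.g. 0x0800 IPv4)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame; if an 802.1Q tag is present, read the VLAN ID from it."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[14:16])
        vlan_id = tci & 0x0FFF                       # low 12 bits of the TCI = VLAN ID
        (ethertype,) = struct.unpack("!H", raw[16:18])  # real EtherType sits after the tag
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame, inserting an 802.1Q tag when vlan_id is given (constructed test data)."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def bridge_forward(raw: bytes, ingress: str,
                   allowed_vlans: Optional[Set[int]] = None) -> Tuple[Optional[str], Optional[bytes]]:
    """Two-port transparent bridge (hypothetical ports eth1/eth2).

    The frame is forwarded byte-for-byte unchanged, so the VLAN tag the
    distribution switch put on it is what the core switch receives.  When an
    allow-list is given, frames whose tag is not on it (or untagged frames)
    are dropped; with no allow-list everything passes, tagged or not.
    Returns (egress_port, frame) or (None, None) when dropped.
    """
    frame = parse_frame(raw)
    if allowed_vlans is not None and (frame.vlan_id is None or frame.vlan_id not in allowed_vlans):
        return None, None
    egress = "eth2" if ingress == "eth1" else "eth1"
    return egress, raw


# Constructed sample frames: MACs and payload are arbitrary illustration values.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16   # stub IPv4 header bytes, not a real packet
TAGGED_VLAN10 = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=10)
TAGGED_VLAN30 = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=30)
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)


if __name__ == "__main__":
    for name, raw in [("vlan10", TAGGED_VLAN10), ("vlan30", TAGGED_VLAN30), ("untagged", UNTAGGED)]:
        f = parse_frame(raw)
        port, _ = bridge_forward(raw, "eth1", allowed_vlans={10, 20})
        print(f"{name}: vlan_id={f.vlan_id} ethertype=0x{f.ethertype:04x} -> {port or 'dropped'}")
```

The bridge never rewrites the tag, which is why the original poster sees each VLAN's traffic come out on the correct VLAN without tagging the physical ports; the allow-list is the place where a per-VLAN policy (the "configured tags") would be enforced if the deployment needs one.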
CyberBreaker
Contributor

Hi @Chris_Atkinson, I am just using the Firewall blade, and based on the logs it seems to be working fine as far as forwarding Ethernet frames is concerned, as they get in and out of the firewall in the correct way. My current topology is simple:

DIST-SW <--> eth1-FW-eth2 <--> CORE-SW

I configured my VSX bridge mode with active/standby in Smart Console; the eth1 and eth2 physical interfaces are set to non-trunk links (Trunk is not checked), then I chose those interfaces on my virtual system to build the bridge interface.

Is this correct?

0 Kudos
Chris_Atkinson
Employee

Apologies for the confusion; regarding interface topology, we typically refer to this as the anti-spoofing settings, etc.

CCSM R77/R80/ELITE
0 Kudos
CyberBreaker
Contributor

Hi @Chris_Atkinson, I disabled anti-spoofing for all interfaces.

0 Kudos