DPB_Point
Nickel

Virtual System bridge interfaces

Hello team,

 

I have been configuring some gateways in bridge mode with "inter-VLAN multibridging", I mean:

3 bridge interfaces with the following scheme:

bridge 1 = bond2.10 and bond3.100

bridge 2 = bond2.20 and bond3.200

bridge 3 = bond2.30 and bond3.300

I had no problems with this configuration and the gateways bridge the traffic correctly between the corresponding vlan subinterfaces. By definition:

Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same Broadcast domain (which is different from router ports behavior).

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-port switch. Each port can be a physical, VLAN, or bond device.

 

I have tried to configure the same scenario in a VirtualSystem and I found the following limitation:

I have a VSX cluster and I followed this procedure:

1. Configure 2 bond interfaces in each VSX member:

add bonding group 2
set bonding group 2 mode 8023AD
set interface eth1-01 state on
set interface eth1-02 state on
add bonding group 2 interface eth1-01
add bonding group 2 interface eth1-02
set interface bond2 comments Outside

 

The same configuration with bond3.

 

2. I created the VLAN interfaces in the VSX Cluster via SmartClient. Then, when I create the VS, I select bridge mode and add, for example, bond2.2 and bond3.200. VLAN 2 is the outside VLAN and VLAN 200 is the inside VLAN (both are in the same IP address range). The purpose of this is to bridge these VLAN interfaces in order to force L2 traffic to pass through the VS.

The problem is that when I try to add more bondX.Y interfaces to the Virtual System and click Accept, an error is displayed, something like: "VLAN interfaces must be created in pairs for bridge".

 

I have read in VSX admin guide:

To configure the external and internal interfaces:

  1. In Virtual System Network Configuration page for the Separate Interfaces template in bridge mode, select the interfaces for the internal and external networks from the list.

    If the selected interface is a VLAN interface, enter the same VLAN tag in both the external and internal VLAN Tag fields. This field is not available for non-VLAN interfaces.

 

So after some tests I came to the conclusion that in a VS you can:

* Configure only one inter-VLAN bridge interface (different VLANs on the external and internal interfaces)

* Configure multi-bridge interfaces with the same VLAN tag on the internal and external interfaces.

Limitation:

* Configure multi-bridge interfaces with different VLANs on the external and internal interfaces (as you can do in standard gateway operation)

 

 

Is this correct? Do you know the reason why we cannot configure this on Virtual Systems?

 

Thank you in advance.

 

 

11 Replies
Vladimir
Pearl

Re: Virtual System bridge interfaces

Have you tried using vSwitch as the intermediary?

DPB_Point
Nickel

Re: Virtual System bridge interfaces

Do you mean to connect the inside and outside trunk links directly to a vSwitch and then change the tags there in order to match the gateway bridge interfaces? I don't know if I understand you right.

Admin
Admin

Re: Virtual System bridge interfaces

Are you trying to add more than one bridge to a VS?
I believe a given VS can only have one.
DPB_Point
Nickel

Re: Virtual System bridge interfaces

Yes, by definition it seems I can configure it in active-active mode with same vlan tag:

Multi Bridges

This feature is supported only in R77.30 and higher, for VSX Gateways, and VSX clusters in Active/Active Bridge mode.

Multi Bridge allows traffic from many different VLANs to move over one Virtual System in Bridge mode. In a Virtual System in Bridge mode, you can add physical and VLAN interfaces. When you add more than two VLAN interfaces, Multi Bridge is automatically enabled. Configure the same VLAN tag on each set of two interfaces to make them bridged.

Requirements for Multi Bridge interfaces:

  • All interfaces must be VLANs.
  • You can make multiple bridges only between two VLAN trunks.
  • You can add up to 64 pairs of VLAN interfaces for one Multi-bridge.
  • Those two VLAN trunks must be used together, and not with other VLAN trunks, in other Virtual Systems in Bridge mode or Multi Bridges.

    For example, you define eth1.10, eth2.10, eth1.20, eth2.20. Now the VLAN trunks, eth1 and eth2, cannot be used with other VLAN trunks on other Virtual Systems in Bridge mode: eth1.30 cannot bridge with eth3.30.

     

I tried this and it works, but it is not exactly what I need. I am trying to migrate from another environment that can work with virtual contexts, multibridges and VLAN translation, but I cannot find the correct way to configure this in Check Point.

 

Thanks!

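The Multi Bridge requirements quoted above (same VLAN tag on both sides of each pair, VLAN interfaces only, exactly two trunks, at most 64 pairs, and no reuse of those trunks with other trunks in other bridge-mode Virtual Systems) and the original post's three-bridge scheme can be checked on paper before touching SmartConsole. The following Python script is an added example written for this thread; it is not Check Point code and nothing from the VSX admin guide. The function names, the "trunk.tag" interface naming convention and the sample configurations are assumptions made for the example.

```python
"""Constructed checker for the VSX Multi Bridge rules quoted in this thread.
Not Check Point code: the function names, the 'trunk.tag' interface naming and
the sample configurations below are assumptions made for this example."""

MAX_PAIRS = 64  # "up to 64 pairs of VLAN interfaces for one Multi-bridge"


def parse_vlan_iface(name):
    """Split 'bond2.10' into ('bond2', 10); return None for a non-VLAN interface."""
    trunk, sep, tag = name.partition(".")
    if not sep or not tag.isdigit():
        return None
    return trunk, int(tag)


def check_bridge_pairs(pairs, mode="multibridge"):
    """Validate the interface pairs of one bridge-mode Virtual System.

    pairs: list of (external, internal) interface names.
    mode "multibridge": the Multi Bridge rules (all VLANs, same tag on both sides,
    only two trunks, at most MAX_PAIRS pairs).
    mode "single": the single inter-VLAN bridge the original poster could configure,
    where the two tags may differ but only one pair is allowed.
    Returns (ok, reasons).
    """
    reasons = []
    if not pairs:
        return False, ["no interface pairs given"]
    if mode == "single":
        if len(pairs) != 1:
            reasons.append(f"a single inter-VLAN bridge holds one pair, got {len(pairs)}")
        return not reasons, reasons
    if len(pairs) > MAX_PAIRS:
        reasons.append(f"{len(pairs)} pairs exceed the {MAX_PAIRS}-pair limit")
    trunks = set()
    for ext, inn in pairs:
        pe, pi = parse_vlan_iface(ext), parse_vlan_iface(inn)
        if pe is None or pi is None:
            reasons.append(f"{ext}/{inn}: all Multi Bridge interfaces must be VLANs")
            continue
        (te, ve), (ti, vi) = pe, pi
        if ve != vi:
            reasons.append(f"{ext}/{inn}: tags differ ({ve} vs {vi}); "
                           "Multi Bridge needs the same tag on both sides")
        if te == ti:
            reasons.append(f"{ext}/{inn}: both ports sit on trunk {te}")
        trunks.update((te, ti))
    if len(trunks) > 2:
        reasons.append(f"Multi Bridge works between exactly two VLAN trunks, got {sorted(trunks)}")
    return not reasons, reasons


def check_trunk_reuse(vs_bridges):
    """Apply the 'two trunks must be used together' rule across Virtual Systems.

    vs_bridges: {vs_name: [(external, internal), ...]} for every bridge-mode VS.
    Returns a list of conflicts where a trunk already paired with one trunk is
    paired with a different trunk elsewhere.
    """
    partner = {}  # trunk -> (partner trunk, VS where first seen)
    conflicts = []
    for vs, pairs in vs_bridges.items():
        for ext, inn in pairs:
            pe, pi = parse_vlan_iface(ext), parse_vlan_iface(inn)
            if pe is None or pi is None:
                continue
            te, ti = pe[0], pi[0]
            for a, b in ((te, ti), (ti, te)):
                prev = partner.setdefault(a, (b, vs))
                if prev[0] != b:
                    conflicts.append(f"{vs}: {a} is bridged with {b} but already "
                                     f"bridged with {prev[0]} in {prev[1]}")
    return conflicts


# Constructed sample configurations (assumptions, not taken from a real deployment).
OP_SCHEME = [("bond2.10", "bond3.100"), ("bond2.20", "bond3.200"), ("bond2.30", "bond3.300")]
SAME_TAG_SCHEME = [("bond2.10", "bond3.10"), ("bond2.20", "bond3.20")]
GUIDE_EXAMPLE = {"VS_A": [("eth1.10", "eth2.10"), ("eth1.20", "eth2.20")],
                 "VS_B": [("eth1.30", "eth3.30")]}

if __name__ == "__main__":
    for label, cfg, mode in (("OP scheme as Multi Bridge", OP_SCHEME, "multibridge"),
                             ("OP scheme, first pair as single bridge", OP_SCHEME[:1], "single"),
                             ("same-tag scheme as Multi Bridge", SAME_TAG_SCHEME, "multibridge")):
        ok, why = check_bridge_pairs(cfg, mode)
        print(f"{label}: {'OK' if ok else 'REJECTED'}", *why, sep="\n  ")
    print("trunk reuse across VSs:", *check_trunk_reuse(GUIDE_EXAMPLE), sep="\n  ")
```

Run as-is, the script rejects the original poster's bond2.10/bond3.100 scheme as a Multi Bridge on every pair (tags differ), accepts its first pair as a single inter-VLAN bridge, accepts the same-tag scheme, and reports the eth1/eth3 conflict from the admin guide's own example.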
Admin
Admin

Re: Virtual System bridge interfaces

A diagram of what exactly you're trying to achieve would help tremendously.
DPB_Point
Nickel

Re: Virtual System bridge interfaces

Sure, it will be like this. End users, for example in VLAN 2, have their default gateway 192.168.1.254 in VLAN 200 (which knows all the routes to get to remote networks). As we want to have the minimum impact on the network design, we separate the IP network into two broadcast domains (VLAN 2 and 200) and we bridge them at the Check Point firewall in order to force this traffic to pass through it.

[Network diagram attachment: Screenshot_1.jpg]

 

DPB_Point
Nickel

Re: Virtual System bridge interfaces

Hi mate! @PhoneBoy I don't know if you saw the network diagram. Thank you!

Admin
Admin

Re: Virtual System bridge interfaces

I saw the diagram.
As others have said, you will need to use a VS per VLAN translation or translate them outside of VSX.
DPB_Point
Nickel

Re: Virtual System bridge interfaces

Thanks!!! :)

Vladimir
Pearl

Re: Virtual System bridge interfaces

Given the limitations described in the "multi bridge" section it appears that you may have to use a dedicated VS for each VLAN translation instance.

Alternatively, translate them outside of the VSX.

 

DPB_Point
Nickel

Re: Virtual System bridge interfaces

Thank you for your reply. I think that using a VS per bridge will not be cost effective (VS licenses) and will be hard to manage. I think we will need to change the network design, separate the networks physically or translate the VLANs outside the VSX as you said.