
Working with the Bridge Mode

Check Point security devices support bridge interfaces that implement native, Layer-2 bridging. Configuring an interface as a bridge lets network administrators deploy security devices in an existing topology without reconfiguring the existing IP routing scheme. This is an important advantage for large-scale, complex environments. Gaia does not support Spanning Tree Protocol (STP) bridges.

You configure Ethernet interfaces (including aggregated interfaces) on your Check Point security device to work like ports on a physical bridge. The interfaces then forward traffic using Layer-2 addressing. You can configure some interfaces as bridge interfaces, while other interfaces on the same device work as Layer-3 interfaces. Traffic between bridge interfaces is inspected at Layer-2. Traffic between two Layer-3 interfaces, or between a bridge interface and a Layer-3 interface, is inspected at Layer-3.

Working with Chassis HA in the Bridge mode

A Dual Chassis 61000/41000 Security System deployment always works in the Active/Standby mode. Only the Active Chassis handles traffic. The 61000/41000 Security System maintains a MAC shadow table that caches MAC addresses handled by the system. When Chassis failover occurs, the new Active Chassis generates advertisement packets with the cached MAC addresses. This lets remote switches "learn" the MAC address, and start to handle STP bridge traffic.

Using the SSM60 in the Bridge Mode

To use the SSM60 in the Bridge mode:

  1. Run:

    # g_update_conf_file simkern.conf bridge_mode_on_ssm60=1

  2. Reboot the system.

Using the Bridge mode with VLAN Trunks

We recommend that you enable the VLAN performance enhancement feature when a Bridge interface handles VLAN trunks. To enable VLAN performance enhancement, run this command in the Expert mode:

# g_vlan_perf_enhancement -s

Distribution mode

The Bridge mode only supports the General Distribution mode.

Active/Active Bridge mode

By default the Active/Active Bridge Mode does not support asymmetric traffic between Chassis. When asymmetric traffic is enabled:

  • Client-to-server traffic is handled by Chassis1.
  • Server-to-client traffic is handled by Chassis2.

To enable asymmetric traffic:

  1. Run (in the Expert mode) to make the setting persistent across reboots:

    # g_update_conf_file $FWDIR/modules/fwkern.conf fwha_both_chassis_pass_traffic=1

  2. Run to apply the setting to the running kernel:

    # g_fw ctl set int fwha_both_chassis_pass_traffic 1

Note: Enabling the fwha_both_chassis_pass_traffic parameter can decrease performance.
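Both procedures above (bridge_mode_on_ssm60 in simkern.conf and fwha_both_chassis_pass_traffic in fwkern.conf) persist a key=value kernel parameter and, in the second case, also apply it at runtime. The script below is an added example, not Check Point's own g_update_conf_file or g_fw: it idempotently writes such a parameter to a *kern.conf-style file, reads it back, and compares it with the value the running kernel reports, so a change that was persisted but never applied (or applied but never persisted) shows up as drift. The file name and the runtime value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (assumption: plain key=value lines, one parameter per line,
# as in $FWDIR/modules/fwkern.conf). Not the vendor's g_update_conf_file.

# set_conf_param FILE KEY VALUE: replace an existing KEY= line or append one,
# so running it twice leaves exactly one line for KEY.
set_conf_param() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # Rewrite through a temp file; 'sed -i' is not portable POSIX sh.
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_param FILE KEY: print the persisted value (last match), or nothing.
get_conf_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_applied FILE KEY RUNTIME_VALUE: succeed only when the persisted value
# exists and equals the value reported at runtime (what you would paste from
# 'g_fw ctl get int KEY'); fail on any drift between file and kernel.
check_applied() {
    persisted=$(get_conf_param "$1" "$2")
    [ -n "$persisted" ] && [ "$persisted" = "$3" ]
}

# Constructed sample file standing in for $FWDIR/modules/fwkern.conf,
# starting with the parameter explicitly disabled.
demo_conf=$(mktemp)
printf 'fwha_both_chassis_pass_traffic=0\n' > "$demo_conf"
set_conf_param "$demo_conf" fwha_both_chassis_pass_traffic 1

if check_applied "$demo_conf" fwha_both_chassis_pass_traffic 1; then
    echo "fwha_both_chassis_pass_traffic: persisted and applied"
else
    echo "fwha_both_chassis_pass_traffic: DRIFT between conf file and kernel"
fi
```

On a real Chassis the runtime value passed to check_applied comes from g_fw ctl get int, which this offline example does not call.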

Bridge Mode Limitations

  • Bridge Mode is only supported with 2 interfaces
  • IPv6 is not supported

Related Topics

Configuring Bridge Interfaces

Disabling BPDU Forwarding

 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print