Configuring Virtual Systems in Bridge Mode

This section explains configurations and procedures for Virtual Systems in Bridge mode. With native layer-2 bridging instead of IP routing, you can add Virtual Systems without affecting the existing IP structure.

When in Bridge mode, Virtual System interfaces do not require IP addresses. You can assign an IP address to the Virtual System itself (not the interfaces) to enable layer-3 monitoring. This feature enhances network fault detection.

VSX supports these Bridge mode models:

Included Topics

    • STP Bridge Mode
    • Active/Standby Bridge Mode
    • Multi Bridges

STP Bridge Mode

This section presents the procedures for enabling and configuring the STP Bridge mode for Virtual Systems and VSX Gateways.

The same procedures are applicable for a VSX cluster for PVST + Load Sharing.

Defining the Spanning Tree Structure

Define and configure the Spanning Tree structure according to your network requirements. (For PVST + Load Sharing, configure the structure for each VLAN.)

See your hardware documentation for the specific procedures for your network deployment.

Enabling Active/Active Bridge Mode When Creating a Member

When you create a new VSX Gateway to use as a cluster member, configure it as a cluster member when you first define the gateway.

  1. Run: cpconfig
  2. At the prompt "Would you like to install a Check Point clustering product", enter: y
  3. If prompted to disable Active/Standby Bridge Mode, enter: n
  4. Continue with the cpconfig options as usual.

Enabling Active/Active Bridge Mode for Existing Members

To enable the Active/Active Bridge mode for existing cluster members:

  1. Run: cpconfig
  2. Enable cluster membership for this member.

    (If a numerical value appears here, cluster membership has already been enabled.)

  3. Disable ClusterXL for Bridge Active/Standby.
  4. Reboot the member.

Configuring Clusters for Active/Active Bridge Mode

To enable the Active/Active Bridge mode for a cluster:

  1. Open SmartDashboard.
  2. From the Network Objects tree, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. Select Other > VSX Bridge Configuration.
  4. Select Standard Layer-2 Loop Detection Protocols.

Configuring Virtual Systems for STP Bridge Mode

To configure a Virtual System to use bridge mode, define it as a Virtual System in bridge mode when you first create it. You cannot reconfigure a non-Bridge mode Virtual System to use bridge mode later.

Active/Standby Bridge Mode

This section presents the procedures for enabling and configuring the Active/Standby Bridge Mode for Virtual Systems and VSX Gateways.

Enabling Active/Standby Bridge Mode for a New Member

When you create a new cluster member, enable the cluster options during the first configuration.

  1. In the Gaia First Time Configuration Wizard Products page, select ClusterXL.
  2. From the VSX Gateway CLI, run: cpconfig
    • If you enable the Per Virtual System State feature (required for VSLS), Active/Standby Bridge Mode is enabled automatically.
    • If you choose not to enable Virtual System Load Sharing, an option to enable Active/Standby Bridge Mode appears. Enter y and continue with the gateway configuration.

Enabling Active/Standby Bridge Mode for Existing Members

To enable the Active/Standby Bridge Mode on existing Virtual Systems:

  1. Run: cpconfig
  2. Enable ClusterXL for Bridge Active/Standby.
  3. Reboot the member.

Configuring Clusters for Active/Standby Bridge Mode

To enable the Active/Standby Bridge Mode for a cluster:

  1. Open SmartDashboard.
  2. From the Network Objects tree, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. Select Other > VSX Bridge Configuration.
  4. Select Check Point ClusterXL.

    The Active/Standby Bridge Mode loop detection algorithms in ClusterXL are enabled.

Configuring Virtual Systems for Active/Standby Bridge Mode

To configure a Virtual System to use bridge mode, define it as such when you first create the object.

To configure a Virtual System for the Active/Standby Bridge Mode:

  1. In the Virtual System General Properties page of the new Virtual System object, select Bridge Mode.
  2. Click Next.

    The Virtual System Network Configuration window opens.

  3. Configure the external and internal interfaces for the Virtual System.
  4. Optional: Select Enable Layer-3 Bridge Interface Monitoring.

    The IP address must be unique and on the same subnet as the protected network.

  5. Click Next and then click Finish.

Multi Bridges

This feature is supported only in R77.30 and higher, for VSX Gateways, and VSX clusters in Active/Active Bridge mode.

Multi Bridge allows traffic from many different VLANs to move over one Virtual System in Bridge mode. In a Virtual System in Bridge mode, you can add physical and VLAN interfaces. When you add more than two VLAN interfaces, Multi Bridge is automatically enabled. Configure the same VLAN tag on each set of two interfaces to make them bridged.

Requirements for Multi Bridge interfaces:

Multi Bridge

| Item | Description |
|---|---|
| 1 | Virtual System in Bridge Mode with two bridges on VLAN interfaces 81 and 82. |
| 2 | Virtual System in Bridge Mode with three bridges on VLAN interfaces 40, 50, and 60. |
| 3 and 4 | VLAN Trunks. Each must be paired with the other in all bridges, or used without bridging. They cannot be paired with a different trunk. |

To define a new Multi Bridge:

  1. In SmartDashboard, right-click the VSX gateway and select Checkpoint > VSX.
  2. Click Virtual System.
  3. Enter a name for the bridge.
  4. Select Bridge Mode.
  5. Click Next.
  6. Click Add and add a VLAN interface for the bridge.
  7. Click Add again to add the second VLAN interface.
  8. Add more VLAN interfaces to the multi bridge in the same way.

    Make sure the two interfaces in each pair have the same VLAN tag and are on different interfaces.

    For example: eth2.50, eth2.51, eth3.50, eth3.51

    Make sure you keep using the same two VLAN trunks.

  9. Click Next.
  10. Click Finish.
  11. Install policy.

To convert a bridge to a Multi Bridge:

  1. In SmartDashboard, double-click the Virtual System in Bridge mode.
  2. In the Bridge Configuration window, click Topology.

    If there are physical interfaces in the Interfaces list, delete them.

  3. Click Add to add more VLAN interface pairs.
  4. Click OK.
  5. Install policy.
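
A pre-check for the interface pairing rules in the two Multi Bridge procedures above, as an added example (not Check Point code): it takes the planned VLAN interface names and reports which bridges they form and which rules they break. The function name check_multi_bridge and the trunk.tag name pattern are assumptions modelled on the page's eth2.50 example.

```python
import re
from collections import defaultdict

# Assumed naming, taken from the page's example: <trunk>.<VLAN tag>, e.g. eth2.50
VLAN_IF = re.compile(r"^([A-Za-z][\w-]*)\.(\d{1,4})$")

def check_multi_bridge(interfaces):
    """Return (bridges, problems) for a planned Multi Bridge interface list.

    bridges maps VLAN tag -> (interface, interface); problems lists rule violations.
    """
    problems, by_tag = [], defaultdict(list)
    for name in interfaces:
        m = VLAN_IF.match(name)
        if not m:
            # The conversion procedure says to delete physical interfaces.
            problems.append(f"{name}: not a VLAN interface, remove it")
            continue
        trunk, tag = m.group(1), int(m.group(2))
        if not 1 <= tag <= 4094:  # valid 802.1Q VLAN ID range
            problems.append(f"{name}: VLAN tag outside 1-4094")
            continue
        by_tag[tag].append((trunk, name))

    # Rule: keep using the same two VLAN trunks for every bridge.
    trunks = sorted({t for members in by_tag.values() for t, _ in members})
    if len(trunks) > 2:
        problems.append(f"more than two VLAN trunks in use: {', '.join(trunks)}")

    bridges = {}
    for tag, members in sorted(by_tag.items()):
        if len(members) != 2:
            problems.append(f"VLAN {tag}: {len(members)} interface(s), a bridge needs exactly two")
        elif members[0][0] == members[1][0]:
            problems.append(f"VLAN {tag}: both interfaces are on trunk {members[0][0]}")
        else:
            bridges[tag] = tuple(sorted(n for _, n in members))
    return bridges, problems

if __name__ == "__main__":
    # Constructed sample: the page's four interfaces plus entries that break the rules.
    plan = ["eth2.50", "eth2.51", "eth3.50", "eth3.51", "eth4.60", "eth2.60", "eth5", "eth2.70"]
    bridges, problems = check_multi_bridge(plan)
    for tag, pair in bridges.items():
        print(f"bridge on VLAN {tag}: {pair[0]} <-> {pair[1]}")
    for p in problems:
        print("PROBLEM:", p)
```
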