Configuring Virtual Systems in Bridge Mode

This section explains configurations and procedures for Virtual Systems in Bridge mode. With native layer-2 bridging instead of IP routing, you can add Virtual Systems without affecting the existing IP structure.

When in Bridge mode, Virtual System interfaces do not require IP addresses. You can assign an IP address to the Virtual System itself (not the interfaces) to enable layer-3 monitoring. This feature enhances network fault detection.

VSX supports these Bridge mode models:

Overview

STP Bridge Mode

This section presents the procedures for enabling and configuring the STP Bridge mode for Virtual Systems and VSX Gateways.

The same procedures are applicable for a VSX Cluster for PVST + Load Sharing.

Defining the Spanning Tree Structure

Define and configure the Spanning Tree structure according to your network requirements. (For PVST + Load Sharing, configure the structure for each VLAN.)

See your hardware documentation for the specific procedures for your network deployment.

Enabling Active/Active Bridge Mode for Existing VSX Cluster Members

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Run: cpconfig
  4. Select Enable ClusterXL membership for this member.
  5. Select Disable ClusterXL for Bridge Active/Standby.
  6. Reboot each VSX Cluster Member.

Configuring Clusters for Active/Active Bridge Mode

To enable the Active/Active Bridge mode for a cluster:

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
  2. From the Gateways & Servers view or Object Explorer, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. From the left tree, click Other > VSX Bridge Configuration.
  4. Select Standard Layer-2 Loop Detection Protocols.
  5. Click OK.
  6. Install the VSX Policy (<Name of VSX Cluster Object>_VSX) on the VSX Cluster object.

Configuring Virtual Systems for STP Bridge Mode

To configure a Virtual System to use bridge mode, define it as a Virtual System in bridge mode when you first create it. You cannot reconfigure a non-Bridge mode Virtual System to use bridge mode later.

Configuring PVST + Load Sharing

Defining the Spanning Tree Structure

Define and configure the Spanning Tree structure for each VLAN according to your network deployment. Please refer to your network hardware documentation for specific procedures.

Configuring a Cluster for PVST + Load Sharing

To configure a VSX Cluster for PVST + Load Sharing, perform the procedures described in the STP Bridge Mode section.

Active/Standby Bridge Mode

This section presents the procedures for enabling and configuring the Active/Standby Bridge Mode for Virtual Systems and VSX Gateways.

Enabling and Configuring Active/Standby Bridge Mode

Enabling Active/Standby Bridge Mode for a New VSX Cluster Member

  1. In the Gaia First Time Configuration Wizard Products page, select ClusterXL.
  2. After the First Time Configuration Wizard is complete, from the VSX Gateway CLI, run: cpconfig
    • If you enabled the Per Virtual System State feature (required for VSLS), the Active/Standby Bridge Mode is enabled automatically.
    • If you chose not to enable the Virtual System Load Sharing, an option to enable Active/Standby Bridge Mode appears.

      Enter y and continue with the gateway configuration.

Enabling Active/Standby Bridge Mode for Existing Cluster Members

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Run: cpconfig
  4. Select Enable ClusterXL for Bridge Active/Standby.
  5. Reboot each VSX Cluster Member.

Configuring Clusters for Active/Standby Bridge Mode

To enable the Active/Standby Bridge Mode for a cluster:

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
  2. From the Gateways & Servers view or Object Explorer, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. From the left tree, click Other > VSX Bridge Configuration.
  4. Select Check Point ClusterXL.

    The Active/Standby Bridge Mode loop detection algorithms in ClusterXL are enabled.

  5. Click OK.
  6. Install the VSX Policy (<Name of VSX Cluster Object>_VSX) on the VSX Cluster object.

Configuring Virtual Systems for Active/Standby Bridge Mode

To configure a Virtual System in Bridge Mode, define it as such when you first create the Virtual System object.

To configure a Virtual System for the Active/Standby Bridge Mode:

  1. In the Virtual System General Properties page of the new Virtual System object, select Bridge Mode.
  2. Click Next.

    The Virtual System Network Configuration window opens.

  3. Configure the external and internal interfaces for the Virtual System.
  4. Optional: Select Enable Layer-3 Bridge Interface Monitoring.

    The IP address must be unique and on the same subnet as the protected network.

  5. Click Next.
  6. Click Finish.

Multi Bridges

This feature is supported only in R77.30 and higher, for VSX Gateways and for VSX Clusters in Active/Active Bridge mode.

Multi Bridge allows traffic from many different VLANs to move through one Virtual System in Bridge mode. In a Virtual System in Bridge mode, you can add physical and VLAN interfaces. When you add more than two VLAN interfaces, Multi Bridge is automatically enabled. Configure the same VLAN tag on each set of two interfaces to make them bridged.

Requirements for Multi Bridge interfaces:

| Item | Description |
|---|---|
| 1 | Virtual System in Bridge Mode with two bridges on VLAN interfaces with tags 81 and 82. |
| 2 | Virtual System in Bridge Mode with three bridges on VLAN interfaces with tags 40, 50, and 60. |
| 3 and 4 | VLAN Trunks. Each must be paired with the other in all bridges, or used without bridging. They cannot be paired with a different VLAN Trunk. |

To define a new Multi Bridge:

  1. Connect with SmartConsole to the Security Management Server or Target Domain Management Server used to manage the new Virtual System.
  2. From the left navigation panel, click Gateways & Servers.
  3. Create a new Virtual System object in one of these ways:
    • From the top toolbar, click the New (Star icon) > VSX > New Virtual System.
    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.
    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Virtual System.
  4. In the Name field, enter the name for the new Virtual System.
  5. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster.
  6. Select Bridge Mode.
  7. Click Next.
  8. In the Interfaces section, click Add to add the first VLAN interface for the bridge.
  9. In the Interfaces section, click Add again to add the second VLAN interface for the bridge.
  10. In the Interfaces section, add more VLAN interface pairs to the Multi Bridge in the same way.

    Make sure the two interfaces in each pair have the same VLAN tag and are on different physical interfaces.

    For example:

    eth2.50, eth2.51

    eth3.50, eth3.51

    Make sure to use the same two VLAN Trunks.

  11. Click Next.
  12. Click Finish.
  13. Install the Access Control Policy on the new Virtual System object.

To convert a Bridge to a Multi Bridge:

  1. Connect with SmartConsole to the Security Management Server or Target Domain Management Server used to manage the Virtual System in the Bridge mode.
  2. From the Gateways & Servers view or Object Explorer, double-click the Virtual System object.
  3. From the left tree, click Bridge Configuration > Topology.
  4. In the Interfaces section, if there are physical interfaces in the Interfaces list, remove them.
  5. In the Interfaces section, add more VLAN interface pairs to the Multi Bridge.
  6. Click OK.
  7. Install the Access Control Policy on the Virtual System object.
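
The pairing rules from the two procedures above (defining a new Multi Bridge and converting a Bridge to a Multi Bridge) can be checked against a planned interface list before it is entered in SmartConsole. This is an added example, not a Check Point tool or part of the original guide; the function name check_multi_bridge and the <physical interface>.<VLAN tag> naming pattern are assumptions.

```python
import re
from collections import defaultdict

# Assumed naming convention: <physical interface>.<VLAN tag>, for example eth2.50
VLAN_IF = re.compile(r"^([A-Za-z][\w-]*)\.(\d{1,4})$")


def check_multi_bridge(interfaces):
    """Return a list of problems found in a planned Multi Bridge interface list."""
    problems = []
    by_tag = defaultdict(list)  # VLAN tag -> physical interfaces (trunks) carrying it
    for name in interfaces:
        m = VLAN_IF.match(name.strip())
        if not m:
            problems.append(f"{name}: not a VLAN interface")
            continue
        parent, tag = m.group(1), int(m.group(2))
        if not 1 <= tag <= 4094:  # valid 802.1Q VLAN ID range
            problems.append(f"{name}: VLAN tag outside 1-4094")
            continue
        by_tag[tag].append(parent)

    trunks = set()
    for tag, parents in sorted(by_tag.items()):
        if len(parents) != 2:
            # A bridge is one set of two interfaces with the same tag
            problems.append(f"VLAN {tag}: {len(parents)} interface(s), a bridge needs exactly 2")
        elif parents[0] == parents[1]:
            problems.append(f"VLAN {tag}: both interfaces are on {parents[0]}")
        trunks.update(parents)

    # Every bridge must use the same two VLAN Trunks
    if len(trunks) > 2:
        problems.append(f"more than two VLAN Trunks in use: {sorted(trunks)}")
    return problems


if __name__ == "__main__":
    # Interface names taken from the example in the procedure above
    plan = ["eth2.50", "eth2.51", "eth3.50", "eth3.51"]
    issues = check_multi_bridge(plan)
    print("plan OK" if not issues else "\n".join(issues))
```

An empty result means every VLAN tag appears on exactly two interfaces, each pair spans two different physical interfaces, and all pairs use the same two VLAN Trunks.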