VLAN Interfaces

This section shows you how to configure VLAN interfaces in the Gaia PortalClosed Web interface for the Check Point Gaia operating system. and Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

You can configure virtual LAN (VLAN) interfaces on Ethernet interfaces.

VLAN interfaces let you configure subnets with a secure private link to Security Gateways and Management Servers using your existing topology.

With VLAN interfaces, you can multiplex Ethernet traffic into many channels using one cable.

Notes:

Configuring VLAN Interfaces in Gaia Portal

Note - You must connect to the Gaia Portal of the applicable Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Make sure that the physical interface, on which you add a VLAN interface, does not have an IP address.

3

Click Add > VLAN.

4

In the Add VLAN window, select the Enable option to set the VLAN interface to UP.

5

On the IPv4 tab, enter the IPv4 address and subnet mask.

Important - R80.20SP does not support the option Obtain IPv4 address automatically (Known Limitation MBS-3246).

6

Optional: On the IPv6 tab, enter the IPv6 address and mask length.

Important:

7

On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094.

8

In the Member Of field, select the applicable physical interface.

9

Click OK.

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Select a VLAN interface and click Edit.

3

Configure the applicable settings.

4

Click OK.

Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a new VLAN interface.

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Select a VLAN interface and click Delete.

3

Click OK, when the confirmation message shows.

Configuring VLAN Interfaces in Gaia Clish

Important - Make sure that the physical interface, on which you wish to add a VLAN interface, does not have an IP address.

Note - You must run these commands in Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. of the applicable Security Group.

Syntax

add interface <Name of Physical Interface> vlan <VLAN ID> 

set interface <Name of Physical Interface>.<VLAN ID>
      comments "Text"
      ipv4-address <IPv4 Address>
            subnet-mask <Mask>
            mask-length <Mask Length>
      ipv6-address <IPv6 Address> mask-length <Mask Length>
      ipv6-autoconfig {on | off}
      mtu <68-16000 | 1280-16000>
      state {on | off}

Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a new VLAN interface.

show interface<SPACE><TAB>

show interface <Name of VLAN Interface>

delete interface <Name of Physical Interface> vlan <VLAN ID>

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

Parameter

Description

<Name of Physical Interface>

Specifies a physical interface.

comments "Text"

Defines the optional comment.

  • Write the text in double quotes.

  • Text must be up to 100 characters.

  • This comment appears in the Gaia Portal and in the output of the "show configuration" command.

<VLAN ID>

Configures the ID of the VLAN interface (integer between 2 and 4094).

<IPv4 Address>

Assigns the IPv4 address.

<IPv6 Address>

Optional: Assigns the IPv6 address.

Important:

  • First, you must enable the IPv6 Support and reboot (see System Configuration).

  • R80.20SP does not support IPv6 Address on Gaia Management Interface (Known Limitation 01622840).

subnet-mask <Mask>

Configures the IPv4 subnet mask using the dotted decimal notation (X.X.X.X) - integer between 2 and 32.

mask-length <Mask Length>

Configures the IPv6 subnet mask length using CIDR notation (/xx) - integer between 1 and 128.

ipv6-autoconfig {on | off}

R80.20SP does not support the option Obtain IPv6 address automatically (Known Limitation MBS-3246).

mtu <68-16000 | 1280-16000>

Configures the Maximum Transmission Unit size for an interface.

For IPv4:

  • Range: 68 - 16000 bytes

  • Default: 1500 bytes

For IPv6:

  • Range: 1280 - 16000 bytes

  • Default: 1500 bytes

state {on | off}

Configures interface's state:

  • on - Enabled

  • off - Disabled

 
[Global] MyChassis-ch01-01 > add interface vlan eth1
[Global] MyChassis-ch01-01 > set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask 255.255.255.0
[Global] MyChassis-ch01-01 > set interface eth1.99 ipv6-address 209:99:1 mask-length 64
[Global] MyChassis-ch01-01 > delete interface eth1 vlan 99

Access Mode VLAN and Trunk Mode VLAN

VLAN traffic can pass through a Bridge interface in one of these modes:

If you configure the switch ports in Access Mode, create the Bridge interface with two VLAN interfaces as its slaves.

For VLAN translation, use different numbered VLAN interfaces to create the Bridge interface.

You can build multiple VLAN translation bridges on the same Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

  1. Configure two VLAN interfaces.

  2. Create a Bridge interface and select the VLAN interfaces as its slaves (see Bridge Interfaces).

Example topology:

Item

Description

1

Security Gateway

2

Switch

3

Access mode bridge 1 with VLAN translation

4

Access mode bridge 2 with VLAN translation

5

VLAN 3 (eth 1.3)

6

VLAN 33 (eth 2.33)

7

VLAN 2 (eth 1.2)

8

VLAN 22 (eth 2.22)

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its slaves (see Bridge Interfaces).

The Security Gateway processes the tagged packet and does not remove VLAN tags from them.

The traffic passes with the original VLAN tag to its destination.

Note - VLAN translation is not supported in Trunk mode.