
Bridge Interfaces

Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP routing scheme. This is an important advantage for large-scale, complex environments.

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same broadcast domain (unlike router ports). The security policy inspects every Ethernet frame that passes through the bridge.

Only two interfaces can be connected by one Bridge interface, creating a virtual two-port switch. Each port can be a physical, VLAN, or bond device.

You can configure bridge mode with one Security Gateway or with a cluster. The bridge functions without an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) work like ports on a physical bridge. You can configure the topology for the bridge ports in SmartConsole. A separate network or group object represents the networks or subnets that connect to each port.

Notes:

Check Point supports bridge interfaces that implement native, Layer-2 bridging. The bridge interfaces send traffic with Layer-2 addressing. On the same device, you can configure some interfaces as bridge interfaces, while other interfaces work as Layer-3 interfaces. Traffic between bridge interfaces is inspected at Layer-2. Traffic between two Layer-3 interfaces, or between a bridge interface and a Layer-3 interface, is inspected at Layer-3.

Configuring Bridge Interfaces - Gaia Portal

1. In the navigation tree, click Network Management > Network Interfaces.

2. Make sure that the slave interfaces that you want to add to the Bridge interface do not have IP addresses.

3. Click Add > Bridge.

   To configure an existing Bridge interface, select the Bridge interface and click Edit.

4. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).

5. Select the interfaces from the Available Interfaces list and then click Add.

   Notes:

     • Make sure that the slave interfaces do not have any IP addresses or aliases configured.
     • A Bridge interface in Gaia can contain only two slave interfaces.

6. On the IPv4 tab, enter the IPv4 address and subnet mask.

   You can optionally select the Obtain IPv4 Address automatically option.

7. On the IPv6 tab (optional), enter the IPv6 address and mask length.

   You can optionally select the Obtain IPv6 Address automatically option.

   Important - First, you must enable the IPv6 Support and reboot.

8. Click OK.

Configuring Bridge Interfaces - Gaia Clish

Description

Bridge interfaces are known as Bridging Groups in Gaia Clish commands. You can assign an IPv4 or IPv6 address to a bridge interface.

Syntax

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Parameters

Parameter

Description

<Bridge Group ID>

Configures the Bridge Group ID.

  • Range: 0 - 1024
  • Default: No default value

<Name of Slave Interface>

Specifies a physical slave interface.

<Name of Bridge Interface>

Configures the name of the Bridge interface.

comments "Text"

Configures an optional free text comment.

  • Write the text in double-quotes.
  • Text must be up to 100 characters.
  • This comment appears in the Gaia Portal and in the output of the show configuration command.

ipv4-address <IPv4 Address>

Configures the IPv4 address.

ipv6-address <IPv6 Address>

Configures the IPv6 address.

Important - First, you must enable the IPv6 Support and reboot.

subnet-mask <Mask>

Configures the IPv4 subnet mask using dotted decimal notation (X.X.X.X).

mask-length <Mask Length>

Configures the IPv4 or IPv6 subnet mask length using the CIDR notation (integer between 2 and 32).

ipv6-autoconfig {on | off}

Configures whether this interface gets an IPv6 address from a DHCPv6 Server:

  • on - Gets an IPv6 address from a DHCPv6 Server
  • off - Does not get an IPv6 address from a DHCPv6 Server (you must assign it manually)

Important - First, you must enable the IPv6 Support and reboot.

mac-addr <MAC Address>

Configures the hardware MAC address.

mtu <68-16000 | 1280-16000>

Configures the Maximum Transmission Unit size for an interface.

For IPv4:

  • Range: 68 - 16000 bytes
  • Default: 1500 bytes

For IPv6:

  • Range: 1280 - 16000 bytes
  • Default: 1500 bytes

rx-ringsize <0-4096>

Configures the receive buffer size.

  • Range: 0 - 4096 bytes
  • Default: 4096 bytes

tx-ringsize <0-4096>

Configures the transmit buffer size.

  • Range: 0 - 4096 bytes
  • Default: 4096 bytes

Example

gaia> add bridging group 56 interface eth1
gaia> set interface br1 ipv6-address 3000:40::1 mask-length 64
gaia> show bridging groups
gaia> delete bridging group 56 interface eth1
gaia> delete bridging group 56

Notes:

Configuring a Security Gateway in Bridge Mode to Accept, or Drop Ethernet Frames with Specific Protocols

Important - In a cluster, you must configure all the cluster members in the same way.

To allow or drop Ethernet frames with specific protocols:

By default, a Security Gateway in Bridge mode allows Ethernet frames that carry protocols other than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806).

Starting in R77.10, an administrator can configure a Security Gateway in Bridge mode to either accept or drop Ethernet frames that carry specific protocols.

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.
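The EtherType decision described above, as an added Python illustration that is not Check Point's implementation or configuration format: the policy dictionary, the audit function and the constructed sample frames (locally administered MACs, not captured traffic) are assumptions. The parser walks through 802.1Q/802.1ad tags so that a tagged frame is classified by its inner EtherType, an empty policy reproduces the default of accepting frames that are not IPv4, IPv6 or ARP, and the audit shows which non-IP protocols a bridge is passing, which is what you want to know before deciding which EtherTypes to drop.

```python
import struct
from collections import Counter

# EtherTypes named on the page: these are handed to Layer-3 inspection.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
# 802.1Q / 802.1ad tag EtherTypes: a tag sits between the MACs and the real EtherType.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_QINQ = 0x88A8
L3_INSPECTED = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6}


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, vlan_ids, ethertype, payload).

    Stacked 802.1Q/802.1ad tags are walked so the returned EtherType is the
    one that identifies the payload, not the tag itself.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    vlan_ids = []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, vlan_ids, ethertype, frame[offset:]


def bridge_decision(ethertype: int, policy: dict) -> str:
    """Decide what the bridge does with a frame of the given EtherType.

    policy (an assumed format) maps an EtherType to "accept" or "drop"; the
    "*" key is the default for unlisted EtherTypes. An empty policy gives the
    page's default: accept non-IP/ARP frames. IPv4, IPv6 and ARP return
    "inspect" because the security policy, not this list, decides their fate.
    """
    if ethertype in L3_INSPECTED:
        return "inspect"
    return policy.get(ethertype, policy.get("*", "accept"))


def audit(frames, policy: dict) -> Counter:
    """Count (ethertype, decision) pairs over a set of frames: a quick view of
    which non-IP protocols a bridge is passing before you decide what to drop."""
    counts = Counter()
    for frame in frames:
        _, _, _, ethertype, _ = parse_frame(frame)
        counts[(ethertype, bridge_decision(ethertype, policy))] += 1
    return counts


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan_id=None) -> bytes:
    """Assemble a frame, optionally with a single 802.1Q tag (priority 0, CFI 0)."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames with locally administered MACs (not captured traffic).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(MAC_A, MAC_B, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame(MAC_A, MAC_B, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    build_frame(MAC_A, MAC_B, 0x88CC, b"\x02\x07\x04" + MAC_A, vlan_id=10),  # LLDP on VLAN 10
    build_frame(MAC_A, MAC_B, 0x8847, b"\x00\x01\x01\xff"),                   # MPLS unicast
]

# Default policy: everything not inspected at Layer-3 is accepted.
DEFAULT_POLICY = {}
# Tightened policy: drop unlisted EtherTypes, keep LLDP because the switches use it.
TIGHT_POLICY = {"*": "drop", 0x88CC: "accept"}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("tight", TIGHT_POLICY)):
        for (ethertype, decision), n in sorted(audit(SAMPLE_FRAMES, policy).items()):
            print(f"{name:8s} 0x{ethertype:04X} {decision:8s} x{n}")
```

Running the block prints one line per (EtherType, decision) pair for both policies; with the tightened policy the MPLS frame is the only one dropped, while the tagged LLDP frame is still classified as 0x88CC rather than as 0x8100, which is the point of walking the VLAN tags.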

To disable BPDU forwarding:

When VLAN translation is configured, BPDU frames can arrive at the switch ports through the Bridge interface with the wrong VLAN number. This mismatch can cause the switch ports to enter blocking mode.

In Bridge Active/Standby mode only, there are options to avoid blocking mode.

1. Connect to the command line on the Security Gateway.

2. Log in to the Expert mode.

3. Back up the current /etc/rc.d/init.d/network file:

   # cp -v /etc/rc.d/init.d/network{,_BKP}

4. Edit the current /etc/rc.d/init.d/network file:

   # vi /etc/rc.d/init.d/network

5. After the line:

   . /etc/init.d/functions

   add this line:

   /sbin/sysctl -w net.bridge.bpdu_forwarding=0

6. Save the changes in the file and exit from the Vi editor.

7. Reboot the Security Gateway.

8. Make sure the Security Gateway loaded the new configuration:

   # sysctl net.bridge.bpdu_forwarding
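The file edit of steps 3 to 5 and the check of step 8, as an added Python example that is not part of the Check Point procedure. It runs against a constructed stand-in for /etc/rc.d/init.d/network in a temporary directory (never the real file), inserts the sysctl line directly after the line that sources /etc/init.d/functions exactly once, refuses to edit a script that lacks that anchor line, and parses the `key = value` line that Linux sysctl prints to confirm the setting took effect after the reboot.

```python
import os
import shutil
import tempfile

# The anchor line from step 5 and the line to insert after it.
FUNCTIONS_LINE = ". /etc/init.d/functions"
BPDU_LINE = "/sbin/sysctl -w net.bridge.bpdu_forwarding=0"
SYSCTL_KEY = "net.bridge.bpdu_forwarding"


def insert_bpdu_line(script_text: str) -> str:
    """Return the init script with the BPDU sysctl inserted right after the
    line that sources /etc/init.d/functions (step 5).

    Idempotent: if the line is already present the text is returned unchanged,
    so running the edit twice does not insert it twice. Raises if the anchor
    line is missing rather than appending the line somewhere unexpected.
    """
    lines = script_text.splitlines()
    if BPDU_LINE in (line.strip() for line in lines):
        return script_text
    out, inserted = [], False
    for line in lines:
        out.append(line)
        if not inserted and line.strip() == FUNCTIONS_LINE:
            out.append(BPDU_LINE)
            inserted = True
    if not inserted:
        raise ValueError("anchor line %r not found; refusing to edit" % FUNCTIONS_LINE)
    return "\n".join(out) + "\n"


def apply_to_file(path: str) -> str:
    """Steps 3 to 5 on disk: copy path to path_BKP, then rewrite path in place.
    Returns the backup path."""
    backup = path + "_BKP"
    shutil.copy2(path, backup)
    with open(path) as f:
        new_text = insert_bpdu_line(f.read())
    with open(path, "w") as f:
        f.write(new_text)
    return backup


def parse_sysctl_value(output: str) -> int:
    """Parse the 'net.bridge.bpdu_forwarding = 0' line printed by
    'sysctl net.bridge.bpdu_forwarding' (step 8) and return the value."""
    key, sep, value = output.strip().partition("=")
    if not sep or key.strip() != SYSCTL_KEY:
        raise ValueError("unexpected sysctl output: %r" % output)
    return int(value.strip())


def bpdu_forwarding_disabled(output: str) -> bool:
    """True when step 8's output shows BPDU forwarding is off."""
    return parse_sysctl_value(output) == 0


# Constructed stand-in for /etc/rc.d/init.d/network; not the real file's content.
SAMPLE_SCRIPT = """#!/bin/bash
# network  Bring up/down networking (constructed sample, not the real script)
. /etc/init.d/functions
. /etc/sysconfig/network
"""


def demo() -> bool:
    """Run the edit against a temporary copy of the sample and verify the
    result: backup exists and the sysctl line directly follows the anchor."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "network")
        with open(path, "w") as f:
            f.write(SAMPLE_SCRIPT)
        backup = apply_to_file(path)
        with open(path) as f:
            edited = f.read().splitlines()
        return (os.path.exists(backup)
                and edited[edited.index(FUNCTIONS_LINE) + 1] == BPDU_LINE)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("edit applied and verified:", demo())
    print("sysctl check:", bpdu_forwarding_disabled("net.bridge.bpdu_forwarding = 0"))
```

The anchor check matters in a cluster: the page requires every member to be configured the same way, and an edit that silently falls through when the anchor line is absent on one member would leave that member forwarding BPDUs after the reboot while the others do not.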