VLAN Interfaces

You can configure virtual LAN (VLAN) interfaces on Ethernet interfaces. VLAN interfaces let you configure subnets with a secure private link to Security Gateways and Management Servers using your existing topology. With VLAN interfaces, you can multiplex Ethernet traffic into many channels using one cable.

This section shows you how to configure VLAN interfaces using the Gaia Portal and the Gaia Clish.

Configuring VLAN Interfaces - Gaia Portal

Step	Description
1	In the navigation tree, click Network Management > Network Interfaces.
2	Make sure that the physical interface, on which you add a VLAN interface, does not have an IP address.
3	Click Add > VLAN. To configure an existing VLAN interface, select the VLAN interface and click Edit.
4	In the Add VLAN (or Edit VLAN) window, select the Enable option to set the VLAN interface to UP.
5	On the IPv4 tab, enter the IPv4 address and subnet mask. Note - R80.30SP does not support the option Obtain IPv4 address automatically (see MBS-3246 in sk148074).
6	On the IPv6 tab, enter the IPv6 address and mask length. Important - First, you must enable the IPv6 Support and reboot. Notes: R80.30SP does not support the option Obtain IPv6 address automatically (see MBS-3246 in sk148074). R80.30SP does not support IPv6 (see MBS-7903 in sk162552).
7	On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094.
8	In the Member Of field, select the physical interface related to this VLAN.

Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a New VLAN interface.

Configuring VLAN Interfaces - Gaia Clish

Description

Add, configure and delete VLAN interfaces.

Note - Make sure that the physical interface, on which you wish to add a VLAN interface, does not have an IP address.

Syntax

To add a new VLAN interface:

add interface <Name of Physical Interface> vlan <VLAN ID>

To configure a VLAN interface:

set interface <Name of Physical Interface>.<VLAN ID>

comments "Text"

ipv4-address <IPv4 Address>

subnet-mask <Mask>

mask-length <Mask Length>

ipv6-address <IPv6 Address> mask-length <Mask Length>

ipv6-autoconfig {on | off}

mtu <68-16000 | 1280-16000>

state {on | off}

To show the configuration of a specific VLAN interface:

show interface<SPACE><TAB>

show interface <Name of VLAN Interface>
To delete a VLAN interface:

delete interface <Name of Physical Interface> vlan <VLAN ID>

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a new VLAN interface.

Parameters

Parameter	Description
<Name of Physical Interface>	Specifies a physical interface.
`comments "`Text`"`	Defines the optional comment. Write the text in double-quotes. Text must be up to 100 characters. This comment appears in the Gaia Portal and in the output of the `show configuration` command.
<VLAN ID>	Configures the ID of the VLAN interface (integer between 2 and 4094).
<IPv4 Address>	Assigns the IPv4 address.
<IPv6 Address>	Assigns the IPv6 address. Important - First, you must enable the IPv6 Support and reboot. Note - R80.30SP does not support IPv6 (see MBS-7903 in sk162552).
`subnet-mask` <Mask>	Configures the IPv4 subnet mask using the dotted decimal notation (X.X.X.X).
`mask-length` <Mask Length>	Configures the IPv4 or IPv6 subnet mask length using CIDR notation (/xx) - integer between 2 and 32.
`ipv6-autoconfig {on \| off}`	R80.30SP does not support this option (see MBS-3246 in sk148074).
`mtu <68-16000 \| 1280-16000>`	Configures the Maximum Transmission Unit size for an interface. For IPv4: Range: 68 - 16000 bytes Default: 1500 bytes For IPv6: Note - R80.30SP does not support IPv6 (see MBS-7903 in sk162552). Range: 1280 - 16000 bytes Default: 1500 bytes
`state {on \| off}`	Configures interface's state: `on` - Enabled `off` - Disabled

Example

gaia> add interface vlan eth1

gaia> set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask 255.255.255.0

gaia> set interface eth1.99 ipv6-address 209:99:1 mask-length 64

gaia> delete interface eth1 vlan 99

Access Mode VLAN and Trunk Mode VLAN

VLAN traffic can pass through a Bridge interface in Access mode, or in Trunk mode:

Access mode (VLAN translation) - Slaves of the Bridge interface are two VLAN interfaces.
Trunk mode - Slaves of the Bridge interface are two non-VLAN interfaces. The Security Gateway processes the tagged packet and does not remove VLAN tags from them. The traffic passes with the original VLAN tag to its destination.

Example topology:

Item	Description
1	Security Gateway
2	Switch
3	Access mode bridge 1 with VLAN translation
4	Access mode bridge 2 with VLAN translation
5	VLAN 3 (eth 1.3)
6	VLAN 33 (eth 2.33)
7	VLAN 2 (eth 1.2)
8	VLAN 22 (eth 2.22)

Access Mode VLAN

If you configure the switch ports in Access Mode, create the Bridge interface with two VLAN interfaces as its slaves. For VLAN translation, use different numbered VLAN interfaces to create the Bridge interface. You can build multiple VLAN translation bridges on the same Security Gateway.

Configure two VLAN interfaces.
Create a Bridge interface and select the VLAN interfaces as its slaves.

Trunk Mode VLAN

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs. To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its slaves.

Note - VLAN translation is not supported in Trunk mode.