Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP routing scheme. This is an important advantage for large-scale, complex environments.
Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same Broadcast domain (different from router port behavior). The security policy inspects every Ethernet frame that passes through the bridge.
Only two interfaces can be connected by one Bridge interface, creating a virtual two-port switch. Each port can be a physical, VLAN, or bond device.
You can configure bridge mode with one Security Gateway or with a cluster. The bridge functions without an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) work like ports on a physical bridge. You can configure the topology for the bridge ports in SmartConsole. A separate network or group object represents the networks or subnets that connect to each port.
Notes:
Check Point supports bridge interfaces that implement native, Layer-2 bridging. The bridge interfaces send traffic with Layer-2 addressing. On the same device, you can configure some interfaces as bridge interfaces, while other interfaces work as layer-3 interfaces. Traffic between bridge interfaces is inspected at Layer-2. Traffic between two Layer-3 interfaces, or between a bridge interface and a Layer-3 interface is inspected at Layer-3.
Step | Description
---|---
1 | In the navigation tree, click Network Management > Network Interfaces.
2 | Make sure that the slave interfaces, which you wish to add to the Bridge interface, do not have IP addresses.
3 | Click Add > Bridge. To configure an existing Bridge interface, select the Bridge interface and click Edit.
4 | On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
5 | Select the interfaces from the Available Interfaces list and then click Add. Notes:
6 | On the IPv4 tab, enter the IPv4 address and subnet mask. Note - R80.30SP does not support the option Obtain IPv4 address automatically (see MBS-3246 in sk148074).
7 | On the IPv6 tab (optional), enter the IPv6 address and mask length. Important - First, you must enable the IPv6 Support and reboot. Notes:
8 | Click OK.
Description
Bridge interfaces are known as Bridging Groups in Gaia Clish commands. You can assign an IPv4 or IPv6 address to a bridge interface.
Syntax
add bridging group <Bridge Group ID>
add bridging group <Bridge Group ID> interface <Name of Slave Interface>
Note - Make sure that the slave interfaces do not have any IP addresses or aliases configured.
add bridging group <Bridge Group ID> fail-open-interfaces <Name of Slave Interface>
set interface <Name of Bridge Interface> comments "Text" ipv4-address <IPv4 Address> subnet-mask <Mask> mask-length <Mask Length> ipv6-address <IPv6 Address> mask-length <Mask Length> ipv6-autoconfig {on | off} mac-addr <MAC Address> mtu <68-16000 | 1280-16000> rx-ringsize <0-4096> tx-ringsize <0-4096>
show bridging group <Bridge Group ID>
show bridging groups
delete bridging group <Bridge Group ID> interface <Name of Slave Interface>
delete bridging group <Bridge Group ID> fail-open-interfaces <Name of Slave Interface>
delete bridging group <Bridge Group ID>
Important - After you add, configure, or delete features, run the save config command to save the settings permanently.
Parameters
Parameter | Description
---|---
<Bridge Group ID> | Configures the Bridge Group ID (integer between 1 and 1024).
<Name of Slave Interface> | Specifies a physical slave interface.
<Name of Bridge Interface> | Configures the name of the Bridge interface.
comments "Text" | Configures an optional free text comment.
ipv4-address <IPv4 Address> | Configures the IPv4 address.
ipv6-address <IPv6 Address> | Configures the IPv6 address. Important - First, you must enable the IPv6 Support and reboot. Note - R80.30SP does not support IPv6 (see MBS-7903 in sk162552).
subnet-mask <Mask> | Configures the IPv4 subnet mask using dotted decimal notation (X.X.X.X).
mask-length <Mask Length> | Configures the IPv4 or IPv6 subnet mask length using the CIDR notation (integer between 2 and 32).
ipv6-autoconfig {on \| off} | R80.30SP does not support this option (see MBS-3246 in sk148074).
mac-addr <MAC Address> | Configures the hardware MAC address.
mtu <68-16000 \| 1280-16000> | Configures the Maximum Transmission Unit size for an interface. For IPv4: 68-16000. For IPv6: 1280-16000. Note - R80.30SP does not support IPv6 (see MBS-7903 in sk162552).
rx-ringsize <0-4096> | Configures the receive buffer size.
tx-ringsize <0-4096> | Configures the transmit buffer size.
Example
gaia> add bridging group 56 interface eth1
gaia> set interface br1 ipv4-address 192.168.20.1 mask-length 24
gaia> show bridging groups
gaia> delete bridging group 56 interface eth1
gaia> delete bridging group 56
Notes:
You do not need to run the set interface <Bridge Group ID> state {on|off} command for the bridge. This is done automatically by the bridging driver.
Important - In a cluster, you must configure all the cluster members in the same way.
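As an added example (not Check Point code), the following Python helper checks a planned bridge group against the constraints stated on this page (Bridge Group ID between 1 and 1024, exactly two slave ports, no addresses on the slaves, CIDR mask length between 2 and 32) and then emits the Clish command sequence. The inventory dictionary, the `validate_bridge`/`clish_commands` names and the bridge interface name passed in are assumptions made for the example.

```python
# Added example (not Check Point code): check a planned Gaia bridge group
# against the constraints stated on this page, then emit the Clish commands.
# The inputs (a dict mapping interface names to their configured addresses)
# and the helper names are assumptions made for this example.
import ipaddress

def validate_bridge(group_id, slaves, iface_addrs, ipv4=None, mask_length=None):
    """Return a list of problems; an empty list means the plan is acceptable."""
    problems = []
    # Bridge Group ID: an integer between 1 and 1024.
    if not isinstance(group_id, int) or not 1 <= group_id <= 1024:
        problems.append(f"Bridge Group ID {group_id!r} is not an integer in 1..1024")
    # One bridge connects exactly two ports (a virtual two-port switch).
    if len(slaves) != 2 or len(set(slaves)) != 2:
        problems.append(f"expected exactly two distinct slave interfaces, got {list(slaves)}")
    # Slave interfaces must not have IP addresses or aliases configured.
    for name in slaves:
        if iface_addrs.get(name):
            problems.append(f"slave {name} still has addresses {iface_addrs[name]}")
    # Optional bridge IPv4 address with a CIDR mask length between 2 and 32.
    if ipv4 is not None:
        try:
            ipaddress.IPv4Address(ipv4)
        except ValueError:
            problems.append(f"{ipv4!r} is not a valid IPv4 address")
        if mask_length is None or not 2 <= mask_length <= 32:
            problems.append(f"mask-length {mask_length!r} must be between 2 and 32")
    return problems

def clish_commands(group_id, slaves, bridge_name, ipv4=None, mask_length=None):
    """Build the Clish command sequence for a plan that passed validation."""
    cmds = [f"add bridging group {group_id}"]
    cmds += [f"add bridging group {group_id} interface {s}" for s in slaves]
    if ipv4 is not None:
        cmds.append(f"set interface {bridge_name} ipv4-address {ipv4} mask-length {mask_length}")
    cmds.append("save config")  # settings are not permanent until saved
    return cmds

# Constructed sample inventory: eth1 and eth2 are free, eth3 still has an address.
INVENTORY = {"eth1": [], "eth2": [], "eth3": ["10.0.0.1/24"]}

if __name__ == "__main__":
    slaves = ["eth1", "eth2"]
    issues = validate_bridge(56, slaves, INVENTORY, "192.168.20.1", 24)
    if issues:
        print("\n".join(issues))
    else:
        # bridge interface name "br56" is an assumed value for the example
        print("\n".join(clish_commands(56, slaves, "br56", "192.168.20.1", 24)))
```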
To allow or drop Ethernet frames with specific protocols:
By default, a Security Gateway in Bridge mode allows Ethernet frames that carry protocols other than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806).
Starting in R77.10, an administrator can configure a Security Gateway in Bridge mode to either accept or drop Ethernet frames that carry specific protocols.
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.
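To make the default behaviour described above concrete, here is an added Python model (not Check Point code and not the gateway's implementation) that reads the EtherType of a frame and returns the bridge verdict: IPv4, IPv6 and ARP frames go to the security policy, other EtherTypes are allowed unless they appear on a configured drop list. The sample frames are constructed inline, and unwrapping 802.1Q (0x8100) tags to reach the inner EtherType is an added generalization beyond the text.

```python
# Added example (not Check Point code): model the bridge-mode EtherType policy
# described above. By default, frames carrying protocols other than IPv4
# (0x0800), IPv6 (0x86DD) or ARP (0x0806) are allowed through the bridge;
# the administrator may instead drop frames with specific EtherTypes.
# Frames are assumed to be Ethernet II; 802.1Q tags (0x8100) are unwrapped
# to reach the inner EtherType (an added generalization for this example).
import struct

IPV4, IPV6, ARP, VLAN = 0x0800, 0x86DD, 0x0806, 0x8100

def ethertype_of(frame: bytes) -> int:
    """Return the EtherType of an Ethernet II frame, skipping 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # destination MAC (6) + source MAC (6)
    etype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while etype == VLAN:
        offset += 4  # TPID (2) + TCI (2)
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return etype

def bridge_verdict(frame: bytes, dropped_ethertypes=frozenset()) -> str:
    """'inspect' for IPv4/IPv6/ARP (handled by the security policy),
    'drop' if the EtherType is on the configured drop list, else 'allow'."""
    etype = ethertype_of(frame)
    if etype in (IPV4, IPV6, ARP):
        return "inspect"
    return "drop" if etype in dropped_ethertypes else "allow"

def build_frame(etype: int, vlan=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame (constructed test data, not a capture)."""
    hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

if __name__ == "__main__":
    drop_list = {0x88CC}  # constructed policy: drop LLDP frames
    samples = [("ipv4", build_frame(IPV4)), ("lldp", build_frame(0x88CC)),
               ("tagged-mpls", build_frame(0x8847, vlan=100))]
    for name, frame in samples:
        print(f"{name}: {bridge_verdict(frame, drop_list)}")
```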
To disable BPDU forwarding:
When VLAN translation is configured, BPDU frames can arrive with the wrong VLAN number to the switch ports through the Bridge interface. This mismatch can cause the switch ports to enter blocking mode.
In Bridge Active/Standby only, there are options to avoid blocking mode.
Step | Description
---|---
1 | Connect to the command line on the Security Gateway.
2 | Log in to the Expert mode.
3 | Backup the current
4 | Edit the current
5 | After the line: Add this line:
6 | Save the changes in the file and exit the Vi editor.
7 | Reboot the Security Gateway.
8 | Make sure the Security Gateway loaded the new configuration: