VLAN Interfaces
This section shows you how to configure VLAN interfaces in the Gaia Portal Web interface for the Check Point Gaia operating system. and Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..
You can configure virtual LAN (VLAN) interfaces on Ethernet interfaces.
VLAN interfaces let you configure subnets with a secure private link to Security Gateways and Management Servers using your existing topology.
With VLAN interfaces, you can multiplex Ethernet traffic into many channels using one cable.
|
Important - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way. |
|
Notes:
|
Configuring VLAN Interfaces in Gaia Portal
|
Important - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia Portal of the applicable Security Group. |
Step |
Instructions |
||||
---|---|---|---|---|---|
1 |
In the navigation tree, click Network Management > Network Interfaces. |
||||
2 |
Make sure that the physical interface, on which you add a VLAN interface, does not have an IP address. |
||||
3 |
Click Add > VLAN. |
||||
4 |
In the Add VLAN window, select the Enable option to set the VLAN interface to UP. |
||||
5 |
On the IPv4 tab, do one of these:
|
||||
6 |
Optional: On the IPv6 tab, do one of these:
|
||||
7 |
On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094. |
||||
8 |
In the Member Of field, select the applicable physical interface. |
||||
9 |
Click OK. |
Step |
Instructions |
---|---|
1 |
In the navigation tree, click Network Management > Network Interfaces. |
2 |
Select a VLAN interface and click Edit. |
3 |
Configure the applicable settings. |
4 |
Click OK. |
|
Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a new VLAN interface. |
Step |
Instructions |
---|---|
1 |
In the navigation tree, click Network Management > Network Interfaces. |
2 |
Select a VLAN interface and click Delete. |
3 |
Click OK, when the confirmation message shows. |
Configuring VLAN Interfaces in Gaia Clish
|
Important:
|
Syntax
|
set interface <Name of Physical Interface>.<VLAN ID> comments "Text" ipv4-address <IPv4 Address> subnet-mask <Mask> mask-length <Mask Length> ipv6-address <IPv6 Address> mask-length <Mask Length> ipv6-autoconfig {on | off} mtu <68-16000 | 1280-16000> state {on | off} |
|
Note - You cannot change the VLAN ID or physical interface for an existing VLAN interface. To change these parameters, delete the VLAN interface and then create a new VLAN interface. |
|
|
|
|
Important - After you add, configure, or delete features, run the " |
Parameters
Parameter |
Description |
||
---|---|---|---|
|
Specifies a physical interface. |
||
|
Defines the optional comment.
|
||
|
Configures the ID of the VLAN interface (integer between 2 and 4094). |
||
|
Assigns the IPv4 address. |
||
|
Assigns the IPv6 address.
|
||
|
Configures the IPv4 subnet mask using the dotted decimal notation (X.X.X.X) - integer between 2 and 32.. |
||
|
Configures the IPv6 subnet mask length using CIDR notation (/xx) - integer between 1 and 128. |
||
|
Configures if this interface gets an IPv6 address from a DHCPv6 Server:
|
||
|
Configures the Maximum Transmission Unit size for an interface. For IPv4:
For IPv6:
|
||
|
Configures interface's state:
|
gaia> add interface vlan eth1 gaia> set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask 255.255.255.0 gaia> set interface eth1.99 ipv6-address 209:99:1 mask-length 64 gaia> delete interface eth1 vlan 99 |
Access Mode VLAN and Trunk Mode VLAN
VLAN traffic can pass through a Bridge interface in one of these modes:
If you configure the switch ports in Access Mode, create the Bridge interface with two VLAN interfaces as its subordinate interfaces.
For VLAN translation, use different numbered VLAN interfaces to create the Bridge interface.
You can build multiple VLAN translation bridges on the same Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
-
Configure two VLAN interfaces.
-
Create a Bridge interface and select the VLAN interfaces as its subordinate interfaces (see Bridge Interfaces).
|
Note - VLAN translation is not supported over bridged ports of a FONIC (Fail-Open NIC, see sk85560). |
Item |
Description |
---|---|
1 |
Security Gateway |
2 |
Switch |
3 |
Access mode bridge 1 with VLAN translation |
4 |
Access mode bridge 2 with VLAN translation |
5 |
VLAN 3 (eth 1.3) |
6 |
VLAN 33 (eth 2.33) |
7 |
VLAN 2 (eth 1.2) |
8 |
VLAN 22 (eth 2.22) |
If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.
To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).
The Security Gateway processes the tagged packet and does not remove VLAN tags from them.
The traffic passes with the original VLAN tag to its destination.
|
Note - VLAN translation is not supported in Trunk mode. |