Configuring VLAN Interfaces on Uplink Ports

Introduction

Starting in the R81.10 release for Quantum Maestro Orchestrators, Check Point integrated a major enhancement for the configuration of VLAN interfaces on the Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. of a Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO.:

• Increased the number of supported VLAN interfaces on an Orchestrator:

  • No limit for each Uplink port.

  • The total supported number of VLAN interfaces is 9000 (more details are below).

• All distribution modes are now supported on Uplink ports.

  You can use all VLAN interfaces instead of only General + Layer 4 distribution (see sk165172).

• All distribution modes are supported on each VLAN interface on an Uplink port, even if the Uplink port allows only specific VLAN interfaces.

• It is no longer required to configure the VLAN interfaces on an Orchestrator.

  Workflow:

  1. Assign the physical interface (e.g., eth1-05) to the applicable Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

  2. Configure the applicable IP address on the physical interface (e.g., eth1-05) or VLAN interfaces (e.g., eth1-05.100) on the Security Group.

  3. In SmartConsole:

     1. Open the Security Gateway object for this Security Group.

     2. From the left tree, click the Network Management page.

     3. Click Get Interfaces > Get Interfaces Without Topology > click Accept.

     4. Configure the topology settings for each interface.

     5. Install the Access Control Policy on the Security Gateway object.

  If there are changes in the configuration of the Security Group interfaces (for example, VLAN interfaces or distribution mode), then the Security Group automatically sends these changes to the Orchestrator. The Security Group does so after a policy installation or a manual change in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group..

Viewing VLAN Interfaces on Uplink Ports in Gaia Portal

Example 1

Port: Port 1/3/1 (eth1-05) Tooltip: Port VLANs: Untagged, All Explanation: The Orchestrator forwards to the Security Group 1 all untagged and all tagged packets that arrive at the Orchestrator port 1/3/1 (eth1-05). This is similar to a VLAN Trunk interface configured to allow all VLAN interfaces.

Example 2

Port: Port 1/20/1 (eth1-20) Tooltip: Port VLANs: 3-4, 6, 34 Explanation: The Orchestrator forwards to the Security Group 4 only packets with VLAN tags 3-4, 6, and 34 that arrive at the Orchestrator port 1/20/1 (eth1-20). This is similar to a VLAN Trunk interface configured to allow VLANs 3-4, 6, and 34.

Viewing VLAN Interfaces on Uplink Ports in Gaia Clish

Configuring More Than 4000 VLAN Interfaces on Orchestrators

If it is necessary to configure more than ~4000 VLAN interfaces on the Orchestrator, we recommend that you configure the physical interface on the Orchestrator as a VLAN trunk interface that allows all untagged and all tagged packet to be forwarded to the Security Group. This makes it possible for an internal automatic optimization to occur.

For a VLAN trunk interface to forward all tagged and all untagged packets, these conditions must be met:

• VLAN Trunk mode must be enabled (see the instructions before how to enable the VLAN Trunk mode).

• The distribution mode of all the VLAN interfaces on a specific physical interface must be the same (because this VLAN optimization occurs for each Orchestrator port).

  Example

  Physical interface on the Orchestrator - eth1-20

  VLAN interfaces - eth1-20.33, eth1-20.44, eth1-20.55, eth1-20.66

  Each of these four VLAN interfaces must have the same distribution mode.

  If one or more of the VLAN interfaces of this specific base interface (eth1-20) have a different distribution than other VLAN interfaces, the internal automatic optimization is disabled. This is part of the design because the total supported number of VLAN interfaces has a limit.

  For example, if the distribution mode of eth1-20.55 is different, then the Orchestrator forwards only the packets with the VLAN tags 33, 44, and 66 are forwarded to the applicable Security Group.

  In the above case, automatic optimization occurs (allows all tagged and untagged packets for eth1-20). Therefore, an interface with this optimization is only considered as one VLAN interface out of total supported 9000 VLAN interfaces for this Orchestrator.

  This means that when this optimization occurs, the full VLAN range can be used on all the Orchestrator interfaces without the limitation of the total supported VLAN interfaces.