Dual Chassis in Bridge Mode

This chapter describes how to deploy Dual Chassis in Layer 2 Bridge mode (a Security Gateway or Virtual System that works as a Layer 2 bridge device, for easy deployment in an existing topology).

Bridge Mode Topologies

Active/Active Bridge Mode supports these topologies:

Topology: Layer 2 connectivity between Chassis

Description: This topology requires Spanning Tree Protocol (STP) on the Layer 2 switches.

STP is a network protocol that ensures a loop-free topology for Ethernet networks. STP sends special data frames called Bridge Protocol Data Units (BPDUs). When a loop is detected, these BPDUs help the switches select which port to block. Because the BPDUs pass through the bridge interface of the chassis, they reach the switch on a different interface than the one they left from, so the switch correctly blocks that port.

Topology: No Layer 2 connectivity between Chassis

Description: This topology does not require STP on the Layer 2 switches. It is usually a router-based topology, where a dynamic routing protocol selects the segment through which to route the traffic.

BPDU

The BPDU maximum age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information.

The default time it takes to reach a chassis failover is 20 seconds. It is possible to configure this time to a value from 6 to 40 seconds.

Example for Cisco switches:

Use the "spanning-tree vlan" command on each VLAN to configure the BPDU maximum age timer. For more information, see Cisco documentation.
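An added configuration example (not from this guide) showing the default timer beside the shortened one on a Cisco IOS switch; VLANs 10 and 20 are assumed to carry the bridged traffic. The 802.1D rule 2 x (forward-delay - 1) >= max-age >= 2 x (hello-time + 1) still applies, so with the default hello time of 2 seconds the lowest accepted value is 6.

```text
! Added example, not part of the Check Point guide.
! Assumed: Cisco IOS running PVST+ or Rapid PVST+, VLANs 10 and 20.
!
! Default STP timers: hello 2 s, max-age 20 s, forward-delay 15 s.
! With max-age 20 the switch waits 20 s before it ages out the BPDU
! information learned on the port, which is the 20 s failover time
! described above.
!
! Shorten max-age to the minimum of 6 s on each VLAN that crosses the
! bridge interfaces of the chassis:
configure terminal
 spanning-tree vlan 10 max-age 6
 spanning-tree vlan 20 max-age 6
end
!
! Verify the timer now in effect (the "Max Age" field) per VLAN:
show spanning-tree vlan 10
show spanning-tree vlan 20
```

STP timers are distributed from the root bridge of each VLAN, so set the value on the root bridge (or on every switch, so it survives a root change) and confirm with the show command that the active Max Age is the one you configured.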

Configuring Bridge Interfaces in Gateway Mode

Description

Use the applicable commands in Gaia gClish to work with Bridge interfaces. gClish is the global command line shell in the Check Point Gaia operating system for Security Gateway Modules; commands you run in this shell apply to all Security Gateway Modules in the Security Group.

For more information, see the R81 Scalable Platforms Gaia Administration Guide > Chapter Network Management > Section Network Interfaces - Subsection Bridge Interfaces.

Example

[Expert@MyChassis-ch0x-0x:0]# gclish
[Global] MyChassis-ch01-01 > add bridging group 2
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > add bridging group 2 interface eth2
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > add bridging group 2 interface eth3
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > show bridging group 2
Bridge Configuration
    Bridge Interfaces
        eth2
        eth3
[Global] MyChassis-ch01-01 >

Configuring Bridge Interfaces in VSX Mode

Configure a Virtual System in Bridge Mode when you first create its object.

For more information, see the R81 Scalable Platforms VSX Administration Guide.

To configure an existing Virtual System in Active/Standby Bridge Mode:

1. Connect with SmartConsole to the Security Management Server, or the Target Domain Management Server, that manages this Virtual System.

2. From the left navigation panel, click Gateways & Servers.

3. Open the Virtual System object.

4. In Virtual System General Properties, select Bridge Mode.

5. Click Next.

   The Virtual System Network Configuration window opens.

6. Configure the external and internal interfaces for the Virtual System.

7. Click Next.

8. Click Finish.

9. Connect to the command line on the Security Group.

10. Log in to Gaia Clish.

11. Go to Gaia gClish: enter gclish and press Enter.

12. Switch to the context of the applicable Virtual System:

    set virtual-system <VS ID>

13. Examine the interfaces:

    show interfaces all

Configuring Virtual Systems in Bridge Mode to Forward Non-IP Protocols

1. Connect to the command line on the Security Group.

2. Log in to the Expert mode.

3. Create the required empty file on all Security Group Members:

   g_all touch $FWDIR/conf/enable_non_ip_protocols

4. Follow Configuring Bridge Interfaces in VSX Mode.