VXLAN Interfaces

This section shows you how to configure VXLAN interfaces in the Gaia PortalClosed Web interface for the Check Point Gaia operating system. and Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments. VXLAN uses a VLAN-like encapsulation technique to encapsulate OSI Layer 2 Ethernet frames within Layer 4 UDP datagrams. See RFC 7348.

Notes:

Warning - By default, SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. does not accelerate traffic over a VXLAN tunnel.

  • If you configure SecureXL to accelerate such traffic, the Firewall only inspects the payload of VXLAN packets (it does not inspect the VXLAN data).

  • To configure SecureXL to accelerate such traffic, set the value of the SecureXL kernel parameter sim_enable_vxlan to 1 (one) in the $PPKDIR/conf/simkern.conf file and reboot.

    For more information, see the R81 Performance Tuning Administration Guide > Chapter Working with Kernel Parameters on Security Gateway > Section SecureXL Kernel Parameters.

For additional information, see sk170014.

Configuring VXLAN Interfaces in Gaia Portal

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Click Add > VXLAN.

3

In the Add VXLAN window, select the Enable option to set the VXLAN interface to UP.

4

On the IPv4 tab, enter the local IPv4 address and subnet mask for the VXLAN interface.

5

Optional: On the IPv6 tab, enter the local IPv6 address and mask length for the VXLAN interface.

Important - First, you must enable the IPv6 Support and reboot (see System Configuration).

6

On the VXLAN Tunnel tab:

  1. In the VXLAN VNI field, enter or select the VXLAN Network Identifier (or VXLAN Segment ID) between 1 and 16,777,215.

    Important - This value must be the same on the VXLAN peers.

  2. In the Member Of field, select the physical interface related to this VXLAN.

  3. In the Remote Address field, enter the IPv4 address of the applicable physical interface on the remote VXLAN peer.

  4. In the DST Port field, enter or select the destination UDP port number between 1 and 65535 (default is 4789 - see IANA Service Name and Port Number Registry).

    Best Practice - Use the default UDP port 4789.

7

Click OK.

Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. "GW1" and Security Gateway "GW2" create a VXLAN.

[GW1] (physical interface eth1) (VXLAN interface) <==>

<==> (Internet) <==>

<==> (VXLAN interface) (physical interface eth2 [GW2]

The VXLAN interface configuration on these VXLAN peers:

Setting

Security Gateway "GW1"

Security Gateway "GW2"

Local physical interface

eth1 with IPv4 10.10.10.11 / 24

eth2 with IPv4 172.30.40.22 / 24

(VXLAN) IPv4 Address

192.168.10.11 / 24

192.168.10.22 / 24

VXLAN VNI

33

33

Member Of

eth1

eth2

Remote Address

172.30.40.22

10.10.10.11

Important - It is not supported to edit the settings of an existing VxLAN interface.

You must delete the existing VxLAN interface and create a new VxLAN interface.

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Select a VXLAN interface and click Delete.

3

Click OK, when the confirmation message shows.

Configuring VXLAN Interfaces in Gaia Clish

Syntax

add vxlan id <VXLAN VNI> dev <Name of local physical interface> remote <IPv4 address of physical interface on remote peer> dstport <Destination UDP port>

show configuration vxlan

show vxlan id <VXLAN ID>

Important - It is not supported to edit the settings of an existing VxLAN interface.

You must delete the existing VxLAN interface and create a new VxLAN interface.

delete vxlan id <VXLAN VNI>

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameter

Description

id <VXLAN VNI>

Configures the VXLAN Network Identifier (or VXLAN Segment ID) of the VXLAN interface (integer between 1 and 16,777,215).

Important - This value must be the same on the VXLAN peers.

comments "Text"

Defines the optional comment.

  • Write the text in double quotes.

  • Text must be up to 100 characters.

  • This comment appears in the Gaia Portal and in the output of the "show configuration" command.

dev <Name of local physical interface>

Specifies a local physical interface.

dstport <Destination UDP port>

Specifies the destination UDP port number between 1 and 65535 (default is 4789 - see IANA Service Name and Port Number Registry).

Important - This value must be the same on the VXLAN peers.

Best Practice - Use the default UDP port 4789.

remote <IPv4 address of physical interface on remote peer>

Specifies the IPv4 address of the applicable physical interface on the remote VXLAN peer.

Security Gateway "GW1" and Security Gateway "GW2" create a VXLAN.

[GW1] (physical interface eth1) (VXLAN interface) <==>

<==> (Internet) <==>

<==> (VXLAN interface) (physical interface eth2 [GW2]

The VXLAN interface configuration on these VXLAN peers:

Setting

Security Gateway "GW1"

Security Gateway "GW2"

Local physical interface

eth1 with IPv4 10.10.10.11 / 24

eth2 with IPv4 172.30.40.22 / 24

(VXLAN) IPv4 Address

192.168.10.11 / 24

192.168.10.22 / 24

VXLAN VNI

33

33

Member Of

eth1

eth2

Remote Address

172.30.40.22

10.10.10.11

The VXLAN interface configuration on the Security Gateway "GW1":

gaia1> add vxlan id 33 dev eth1 remote 172.30.40.22 dstport 4789

The VXLAN interface configuration on the Security Gateway "GW2":

gaia2> add vxlan id 33 dev eth2 remote 10.10.10.11 dstport 4789

Configuring VXLAN Interfaces on Cluster Members

For more information, see the R81 ClusterXL Administration Guide.

In ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you have these options:

  1. Configure a VXLAN interface on all the Cluster Members.

    You must configure the same VXLAN VNI and Remote Address on each Cluster MemberClosed Security Gateway that is part of a cluster..

  2. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

  3. From the left navigation panel, click Gateways & Servers.

  4. Double-click the cluster object.

  5. From the left tree, click Network Management.

  6. From the toolbar, click Get Interfaces > Get Interfaces With Topology and confirm.

    Make sure you see the new VXLAN interface from each Cluster Member.

  7. Select the new VXLAN interface and click Edit.

  8. From the left tree, click the General page.

  9. In the General section, in the Network Type field, select Cluster.

  10. In the IPv4 field, configure the applicable cluster Virtual IP address.

  11. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

  12. Click OK.

  13. Publish the SmartConsole session.

  14. Install the Access Control Policy on this cluster object.

  1. Configure a VXLAN interface on a specific Cluster Member.

  2. Connect with SmartConsole to the Management Server.

  3. From the left navigation panel, click Gateways & Servers.

  4. Double-click the cluster object.

  5. From the left tree, click Network Management.

  6. From the toolbar, click Get Interfaces > Get Interfaces With Topology and confirm.

    Make sure you see the new VXLAN interface from the specific Cluster Member, on which you configured it.

  7. Select the new VXLAN interface and click Edit.

  8. From the left tree, click the General page.

  9. In the General section, in the Network Type field, select Private.

  10. Click OK.

  11. Publish the SmartConsole session.

  12. Install the Access Control Policy on this cluster object.