Firewall and VLAN's

Unanswered Question
Jul 28th, 2008

Hello all,

I have the next scenario:

1. Checkpoint firewall R60 on win 2000 server

2. Layer 2 switch with vlan management.

My question:

I want to create several vlans on this switch that every vlan will be seperate network, and won't see each other untill I decide otherwise.

What is my topology should be???

The FW should be as a GW for the trunk port.

Should I config a trunk port and config this port as a GW on every VLAN?

Is there any option to make it succeed or it's impossible and only with layer 3 switch it will be able to do so.

If there is some point that I'm missing, I would like to know.

Thanks ahead.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rais Mon, 07/28/2008 - 13:56

On your Checkpoint, if you have multiple interfaces on the server, you may use them for individual VLANs or you can use one port and make it a trunk.

The IP addresses you use on firewall will become your default gateways for hosts on those VLANs. Your VLANs will talk to each other depending upon your rules in FW.


boris_reuven Mon, 07/28/2008 - 14:03

Hi and thank for your quick reply.

I have left only 1 interface for this projet, and I want to make VLANS on the switch with 1 interface of my FW, is it possible or should I buy a layer 3 switch to make this project succeed?


bmcginn Mon, 07/28/2008 - 15:13

Hi Boris,

You don't need a layer 3 device to make this work. You can create the VLANs on the switch but only have 1 management VLAN with an IP address on the switch. If you wanted more than 1 IP on the switch then you will need to get a layer 3 device. You don't need more than 1 IP in this scenario however.

You can create sub-interfaces on the physical interface on the checkpoint box. On those sub-interfaces you will need to input the IP address (VLAN gateway address), subnet mask and interface number. The physical interface will automatically use 802.1Q to trunk all of your sub-interfaces (VLANs).

You will need to create the VLANs on the switch also, and I suspect you will want to create a VLAN interface (SVI) on the switch so you can manage it.

Create a dot1q trunk on the uplink to the checkpoint box.

You will also need to stipulate the particular VLAN for each port on the switch.

Good luck mate!



This Discussion