https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183562#M33695 <P>Thank you for your response.</P> <P>For this type of configuration that I have exposed.</P> <P>Do you think it is necessary, to break the ClusterXL????</P> <P>In your experience, is it feasible to leave the interface as it is now configured, with one IP, and add the new segment as a VLAN?<BR />Or is it better to "leave the interface blank" and configure the 2 segments as distinct VLANs? ????</P> <P>Greetings.</P> Wed, 07 Jun 2023 22:02:28 GMT Matlu 2023-06-07T22:02:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183550#M33693 <P>Hello, world.</P> <P>A query, I currently have a ClusterXL which has configured in its interface Eth2 of each Firewall:</P> <P>FW 01 -&gt; 10.20.20.1<BR />FW 02 -&gt; 10.20.20.2<BR />VIP -&gt; 10.20.20.254</P> <P>What we need, is to put a new segment in that same interface, (10.100.100.0/22)</P> <P>In this scenario, it is ideal to leave configured the segment that currently already has the interface, and add the new segment as a VLAN?</P> <P>Or is it necessary to leave the interface blank by default and configure the 2 segments as different VLANs?</P> <P>What is the best practice in your experience?</P> <P>This type of configuration, it is advisable to always start it in the passive member, and then in the active, and all this, in a working window, right ????</P> <P>Thanks for your comments.</P> Wed, 07 Jun 2023 19:54:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183550#M33693 Matlu 2023-06-07T19:54:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183559#M33694 <P>In general, changes of this nature should be done on the passive member first, OS level changes first, then update the configuration in SmartConsole.<BR />And yes, this will definitely need to be done in a maintenance window.</P> Wed, 07 Jun 2023 21:51:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183559#M33694 PhoneBoy 2023-06-07T21:51:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183562#M33695 <P>Thank you for your response.</P> <P>For this type of configuration that I have exposed.</P> <P>Do you think it is necessary, to break the ClusterXL????</P> <P>In your experience, is it feasible to leave the interface as it is now configured, with one IP, and add the new segment as a VLAN?<BR />Or is it better to "leave the interface blank" and configure the 2 segments as distinct VLANs? ????</P> <P>Greetings.</P> Wed, 07 Jun 2023 22:02:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183562#M33695 Matlu 2023-06-07T22:02:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183563#M33696 <P>Note that ClusterXL requires the interface configuration to be the same on both cluster members.<BR />Generally interfaces with VLANs should only have VLANs configured on it (i.e. no IP on the physical interface).<BR />That implies "leave the interface blank" as you put it.<BR />Not sure if that's a hard requirement or just best practice.</P> Wed, 07 Jun 2023 22:10:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Deploying-new-VLANs-in-production/m-p/183563#M33696 PhoneBoy 2023-06-07T22:10:02Z