Michel_B
Participant

Benefits of using multiple interfaces vs VLAN trunk

Moving from a 4200 to a 5600, we've doubled our number of Ethernet ports. This made me wonder what the pros/cons are of multiple physical interfaces versus a VLAN trunk. Why would I connect, for example, VLAN 1, 2, 3 and 4 to eth1, 2, 3 and 4, as opposed to trunking them all on eth1?

I could come up with this, but what am I missing?

  • Theoretical sharing of the 1Gb bandwidth
  • Spreading them over several switches
  • Bonding

6 Replies
Jerry
Mentor

If I were you I'd bond a few 1GB interfaces with LACP (L2) and make VLAN sub-interfaces towards the switch 🙂 That way you get not only redundancy but also performance relief for the 5600 (even better if in HA).

Jerry

Jerry
Mentor

Plus, on the 5600 (I have them in HA) you can have one 10G fiber interface with VLANs as sub-interfaces, and it all sits in one place towards your LAN switch.
Jerry
Michel_B
Participant

Thanks for your response Jerry.

On our 4200s, we've just been creating trunks and dumping most of our VLANs on one interface.

The 5600s are going to be running in HA. 10Gb fiber is not really an option because of pricing and hardly any benefits; we won't be passing that amount of traffic through our units. Bonding two interfaces might be a good idea, since we have the ports available anyway.

Maarten_Sjouw
Champion

Most of the time the interfaces are also connected to different switches (in bigger environments) for the different security zones. Many companies do not like the internet directly connected to their switches.
For DMZ networks and LAN / internal WAN connections, most of the time they are also on separate physical connections.
When you have two switches for each zone, you could indeed use a bond (active/standby when the switches are not stacked) to be able to recover from a switch failure.
Regards, Maarten
4398be09-30fd-4
Explorer

The pros vs cons are entirely related to the specific environment.

If the environment requires physically separate networks (i.e. no virtual networks (VLANs))

Generally you would see the interfaces used for separating specific networks (External, DMZ, Internal, etc...) or for improving availability (bonding interfaces).

The use of VLANs allows for cheaper physical infrastructure due to less physical kit.
Vladimir
Champion

This topic did come up a few times in the past, and you can probably search the community for past discussions.

There are people in favor of separating physical connectivity by security zones and those who advocate trunking on the bonds.

My personal opinion is that in cloud-based environments we are relying on trunk interfaces every time we spin up a vSEC instance. The same goes for VSX (mostly, not always) for the external connectivity via a shared switch.

If you do not have the 10G capacity, bonding 1G and trunking it is not a bad thing, IMHO. You can still have separate trunks for zones, but you'll gain the flexibility of dynamically adding more networks to your Check Point gateways programmatically, as opposed to requiring cable runs each time for physical-interface-based deployments.

There was, in the past, for a brief time, a VLAN hopping exploit, but switch manufacturers clamped down on it pretty fast and I have not heard about similar techniques succeeding recently.

Regards,

Vladimir
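The trade-offs raised in the replies above (Jerry's bond-plus-VLAN-sub-interfaces layout, Maarten's point about zones that must not share a cable or a switch, and Vladimir's note on VLAN hopping) can be checked mechanically before cabling anything. The following script is an added example, not code from the thread or from Check Point: it models a gateway's zone-to-port mapping and reports which zones go dark when one switch fails, which zone pairs share physical media against policy, and whether any trunk port still carries an untagged (native) VLAN next to tagged ones, which is the precondition for double-tagging attacks. Port, switch, zone and VLAN names are all constructed for the example.

```python
# Added example (not from the thread): compare "one untagged zone per physical
# port" with "LACP bond carrying every zone as a tagged VLAN sub-interface".
# Switch names, port names, zone names and VLAN IDs below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str    # gateway interface, e.g. "eth1"
    switch: str  # switch the cable lands on


@dataclass(frozen=True)
class Attachment:
    zone: str                # security zone carried on these ports
    ports: FrozenSet[Port]   # more than one port means the ports are bonded
    vlan: Optional[int]      # 802.1Q tag, or None when the zone is untagged


def zones_lost_on_switch_failure(design: List[Attachment], switch: str) -> List[str]:
    """Zones with no surviving path once `switch` goes down."""
    return sorted(a.zone for a in design if all(p.switch == switch for p in a.ports))


def shared_media_violations(design: List[Attachment],
                            must_separate: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Zone pairs that policy says must never share a cable but do."""
    ports_by_zone = {a.zone: a.ports for a in design}
    findings = []
    for z1, z2 in must_separate:
        shared = ports_by_zone[z1] & ports_by_zone[z2]
        if shared:
            findings.append((z1, z2, sorted(p.name for p in shared)))
    return findings


def native_vlan_mixing(design: List[Attachment]) -> Dict[str, List[str]]:
    """Ports carrying an untagged zone next to tagged ones. The untagged
    (native) VLAN on a trunk is what double-tagging relies on, so a trunk
    should be all-tagged with its native VLAN left unused."""
    tagged: Dict[str, set] = {}
    untagged: Dict[str, set] = {}
    for a in design:
        bucket = tagged if a.vlan is not None else untagged
        for p in a.ports:
            bucket.setdefault(p.name, set()).add(a.zone)
    return {p: sorted(z) for p, z in untagged.items() if p in tagged}


# --- constructed designs -------------------------------------------------
SW_A, SW_B = "switch-A", "switch-B"
eth = {n: Port(n, SW_A) for n in ("eth1", "eth2", "eth3", "eth4")}

# Design 1: one untagged zone per physical port, everything cabled to one switch.
ONE_PORT_PER_ZONE = [
    Attachment("External", frozenset({eth["eth1"]}), None),
    Attachment("DMZ",      frozenset({eth["eth2"]}), None),
    Attachment("Internal", frozenset({eth["eth3"]}), None),
    Attachment("Mgmt",     frozenset({eth["eth4"]}), None),
]

# Design 2: eth1/eth2 bonded, one leg per switch, every zone tagged on the bond.
bond1 = frozenset({Port("eth1", SW_A), Port("eth2", SW_B)})
BOND_TRUNK = [
    Attachment("External", bond1, 10),
    Attachment("DMZ",      bond1, 20),
    Attachment("Internal", bond1, 30),
    Attachment("Mgmt",     bond1, 40),
]

# Design 3: same bond, but Mgmt was left untagged (native) on the trunk.
BOND_TRUNK_NATIVE = BOND_TRUNK[:3] + [Attachment("Mgmt", bond1, None)]

# Policy: the internet-facing zone must never share a cable with the LAN.
MUST_SEPARATE = [("External", "Internal")]


def report(label: str, design: List[Attachment]) -> None:
    print(f"== {label}")
    for sw in (SW_A, SW_B):
        print(f"  lost if {sw} fails: {zones_lost_on_switch_failure(design, sw)}")
    print(f"  shared-media violations: {shared_media_violations(design, MUST_SEPARATE)}")
    print(f"  native-VLAN mixing: {native_vlan_mixing(design)}")


if __name__ == "__main__":
    report("one port per zone", ONE_PORT_PER_ZONE)
    report("bond + VLAN trunk", BOND_TRUNK)
    report("bond + VLAN trunk, Mgmt untagged", BOND_TRUNK_NATIVE)
```

Run as-is, the report shows the trade-off the thread is about: the per-port design loses every zone when its single switch dies but keeps External and Internal on separate copper, while the bond survives either switch failing but puts both zones on the same two cables, which is exactly what a "separate trunks per zone" policy would forbid. The third design flags the configuration mistake that keeps VLAN hopping relevant on an otherwise sound trunk.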
