Ricardo_Olivei1
Participant

Combine VLAN and physical interface, which already has an assigned IP

Hello,


Is there documentation or an article that covers limitations or best practices when configuring a VLAN and using the physical interface with an IP address?

11 Replies
Timothy_Hall
Legend

I assume you are referring to the practice of directly assigning an IP address to a physical interface for untagged/native traffic, then also having VLAN-tagged subinterfaces on that same physical interface.  That configuration is most definitely not supported for ClusterXL and may cause some strange performance issues.

I have seen this done on a non-clustered firewall and everything seemed to work, but I'm pretty sure it is not officially supported.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Ricardo_Olivei1
Participant

Hello Tim,

Thanks for the info. It is exactly what I have configured due to an infrastructure limitation.

It is a non-clustered firewall and apparently seems to work; however, there is adverse behavior in redundancy when enabling the ISP Redundancy functionality. The traffic is not being balanced in accordance with the configured weight, presenting discrepancies in the monitoring.

I searched the documentation for something related, unsuccessfully so far.

0 Kudos
Timothy_Hall
Legend

Experiencing traffic balancing issues for ISP Redundancy sounds about right for configuring an interface in a way that is not supported, as in it works most of the time but causes subtle problems or improper behavior in certain situations. 

Danny
Champion

Topic: Creating VLAN interfaces on a physical interface, which already has an assigned IP address

sk88700 : It is mandatory to remove an IP address from a physical interface before creating any VLAN interfaces on that physical interface.

Ricardo_Olivei1
Participant

Hi Danny,

Regarding sk88700, it states that in order to configure the VLAN interface, the IP address must be removed.

However, after removing the IP address of the physical interface and configuring the VLAN, it is possible to reconfigure the address on the physical interface for the native traffic, so it is not clear whether this setting is recommended or not, as Tim reported.

By doing a test in the laboratory, I managed through the CLI to configure an IP address on the physical interface and after that to configure the VLAN interface, without removing the IP address previously configured.

0 Kudos
Danny
Champion

Hello Danny Jung,

Thank you for providing your feedback to SecureKnowledge on sk88700, titled "Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePlatform OS / Gaia OS".

Your feedback was:
------------------
Please clarify what happens AFTER the VLAN interfaces were configured. Is it supported to create an IP address to the physical interface then? This question has been raised at https://community.checkpoint.com/thread/8176
------------------

Once this solution is updated, we will notify you by email.
Ricardo_Olivei1
Participant

Hi Danny,

Thanks for requesting a clarification regarding this case; let's wait for the response from Check Point.

My bests

Danny
Champion

Well, this is the answer I got from Check Point:

The answer will require more investigation which is out of my scope.
Please open a service request by logging into Check Point User Center.
Please do not reply to this message.

I really think Check Point should be able to tell officially if VLAN interfaces are supported on physical interfaces that get an IP address assigned after the VLAN was created.

Danny
Champion

Check Point updated sk88700: Creating VLAN interfaces on a physical interface, which already has an assigned IP address

 

It is mandatory to remove an IP address from a physical interface BEFORE creating VLAN interfaces on it, and it is not supported to add an IP address to that physical interface AFTER creating a VLAN interface on it.

Ross_Pember
Employee

Hi, it is definitely not supported to configure an IP address natively on an interface that is to be used as a VLAN trunk. We don't block the configuration, as you have discovered here, but it is not supported.

0 Kudos
Danny
Champion

I added a check for this in our ccc script starting from version 4.3

0 Kudos
