Hello,
Is there documentation or an article that describes limitations or best practices when configuring a VLAN and using the physical interface with an IP address?
I assume you are referring to the practice of directly assigning an IP address to a physical interface for untagged/native traffic, then also having VLAN-tagged subinterfaces on that same physical interface. That configuration is most definitely not supported for ClusterXL and may cause some strange performance issues.
I have seen this done on a non-clustered firewall and everything seemed to work, but I'm pretty sure it is not officially supported.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Hello Tim,
Thanks for the info. It is exactly what I have configured due to an infrastructure limitation.
It is a non-clustered firewall and apparently seems to work; however, there is adverse behavior in redundancy when enabling the ISP Redundancy functionality. The traffic is not being balanced in accordance with the configured weight, presenting discrepancies in the monitoring.
I searched the documentation for something related, unsuccessfully so far.
Experiencing traffic balancing issues for ISP Redundancy sounds about right for configuring an interface in a way that is not supported, as in it works most of the time but causes subtle problems or improper behavior in certain situations.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Topic: Creating VLAN interfaces on a physical interface, which already has an assigned IP address
sk88700 : It is mandatory to remove an IP address from a physical interface before creating any VLAN interfaces on that physical interface.
Hi Danny,
Regarding sk88700, it informs that in order to configure the VLAN interface, the IP address must be removed.
However, after removing the IP address of the physical interface and configuring the VLAN, it is possible to reconfigure the address on the physical interface for the native traffic, so it is not clear whether this setting is recommended or not, as Tim reported.
By doing a test in the laboratory, I managed through the CLI to configure an IP address on the physical interface and after that configure the VLAN interface, without removing the previously configured IP address.
Hello Danny Jung,
Thank you for providing your feedback to SecureKnowledge on sk88700, titled "Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePlatform OS / Gaia OS".
Your feedback was:
------------------
Please clarify what happens AFTER the VLAN interfaces were configured. Is it supported to create an IP address to the physical interface then? This question has been raised at https://community.checkpoint.com/thread/8176
------------------
Once this solution is updated, we will notify you by email.
Hi Danny,
Thanks for requesting clarification regarding this case; let's wait for the response from Check Point.
My bests
Well, this is the answer I got from Check Point:
The answer will require more investigation which is out of my scope.
Please open a service request by logging into Check Point User Center.
Please do not reply to this message.
I really think Check Point should be able to tell officially if VLAN interfaces are supported on physical interfaces that get an IP address assigned after the VLAN was created.
Check Point updated sk88700: Creating VLAN interfaces on a physical interface, which already has an assigned IP address
It is mandatory to remove an IP address from a physical interface BEFORE creating VLAN interfaces on it and it is not supported to add an IP address to that physical interface AFTER creating a VLAN interface on it.
Hi, it is definitely not supported to configure an IP address natively on an interface that is to be used as a VLAN trunk. We don't block the configuration, as you have discovered here, but it is not supported.
I added a check for this in our ccc script starting from version 4.3