
Combine VLAN and physical interface, which already has an assigned IP

Hello,


Is there documentation or an article that describes limitations or best practices when configuring a VLAN and also using the physical interface with an IP address?

10 Replies

Re: Combine VLAN and physical interface, which already has an assigned IP

I assume you are referring to the practice of directly assigning an IP address to a physical interface for untagged/native traffic, then also having VLAN-tagged subinterfaces on that same physical interface.  That configuration is most definitely not supported for ClusterXL and may cause some strange performance issues.

I have seen this done on a non-clustered firewall and everything seemed to work, but I'm pretty sure it is not officially supported.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Combine VLAN and physical interface, which already has an assigned IP

Hello Tim,

Thanks for the info. It is exactly what I have configured due to an infrastructure limitation.

It is a non-clustered firewall and it apparently seems to work; however, there is adverse behavior in redundancy when enabling the ISP Redundancy functionality. The traffic is not being balanced in accordance with the configured weight, presenting discrepancies in the monitoring.

I searched the documentation for something related, unsuccessfully so far.

0 Kudos

Re: Combine VLAN and physical interface, which already has an assigned IP

Experiencing traffic balancing issues for ISP Redundancy sounds about right for configuring an interface in a way that is not supported, as in it works most of the time but causes subtle problems or improper behavior in certain situations. 

Danny
Pearl

Re: Combine VLAN and physical interface, which already has an assigned IP

Topic: Creating VLAN interfaces on a physical interface, which already has an assigned IP address

sk88700 : It is mandatory to remove an IP address from a physical interface before creating any VLAN interfaces on that physical interface.

Re: Combine VLAN and physical interface, which already has an assigned IP

Hi Danny,

Regarding sk88700, it states that in order to configure the VLAN interface, the IP address must be removed.

However, after removing the IP address from the physical interface and configuring the VLAN, it is possible to reconfigure the address on the physical interface for the native traffic, so it is not clear whether this setting is recommended or not, as Tim reported.

In a lab test, I managed through the CLI to configure an IP address on the physical interface and after that configure the VLAN interface, without removing the IP address previously configured.

0 Kudos
Danny
Pearl

Re: Combine VLAN and physical interface, which already has an assigned IP

Hello Danny Jung,

Thank you for providing your feedback to SecureKnowledge on sk88700, titled "Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePlatform OS / Gaia OS".

Your feedback was:
------------------
Please clarify what happens AFTER the VLAN interfaces were configured. Is it supported to create an IP address to the physical interface then? This question has been raised at https://community.checkpoint.com/thread/8176
------------------

Once this solution is updated, we will notify you by email.

Re: Combine VLAN and physical interface, which already has an assigned IP

Hi Danny,

Thanks for requesting clarification regarding this case; let's wait for the response from Check Point.

Best regards,

Danny
Pearl

Re: Combine VLAN and physical interface, which already has an assigned IP

Well, this is the answer I got from Check Point:

The answer will require more investigation which is out of my scope.
Please open a service request by logging into Check Point User Center.
Please do not reply to this message.

I really think Check Point should be able to tell officially if VLAN interfaces are supported on physical interfaces that get an IP address assigned after the VLAN was created.

Danny
Pearl

Re: Combine VLAN and physical interface, which already has an assigned IP

Check Point updated sk88700: Creating VLAN interfaces on a physical interface, which already has an assigned IP address

It is mandatory to remove an IP address from a physical interface BEFORE creating VLAN interfaces on it, and it is not supported to add an IP address to that physical interface AFTER creating a VLAN interface on it.

Employee

Re: Combine VLAN and physical interface, which already has an assigned IP

Hi, it is definitely not supported to configure an IP address natively on an interface that is to be used as a VLAN trunk. We don't block the configuration, as you have discovered here, but it is not supported.

0 Kudos
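
Because the configuration is accepted but unsupported, it can go unnoticed until something like the ISP Redundancy imbalance described above shows up. The following is an added example, not part of the thread and not Check Point code: a small audit that flags any interface that both carries VLAN subinterfaces and has its own IP address. It assumes the input is saved Gaia clish `show configuration` output using the `add interface <if> vlan <id>` and `set interface <if> ipv4-address ... mask-length ...` line formats; the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample in the style of Gaia clish "show configuration" output
# (assumption: the add/set interface line formats shown here).
SAMPLE_CONFIG = """\
set interface eth0 state on
set interface eth0 ipv4-address 192.0.2.10 mask-length 24
set interface eth1 state on
set interface eth1 ipv4-address 198.51.100.1 mask-length 24
add interface eth1 vlan 10
set interface eth1.10 ipv4-address 10.10.10.1 mask-length 24
add interface eth1 vlan 20
set interface eth1.20 ipv4-address 10.10.20.1 mask-length 24
set interface eth2 state on
add interface eth2 vlan 30
set interface eth2.30 ipv4-address 10.10.30.1 mask-length 24
"""

VLAN_RE = re.compile(r"^add interface (\S+) vlan (\d+)\s*$")
ADDR_RE = re.compile(
    r"^set interface (\S+) ipv[46]-address (\S+) mask-length (\d+)\s*$"
)


def find_unsupported_trunks(config_text):
    """Return {parent: {"addresses": [...], "vlans": [...]}} for every
    interface that carries VLAN subinterfaces and also its own IP address."""
    vlans, addrs = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            # Key on the parent (physical or bond) interface name.
            vlans.setdefault(m.group(1), []).append(int(m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            # eth1.10 is stored under "eth1.10", so it never matches a parent.
            addrs.setdefault(m.group(1), []).append(f"{m.group(2)}/{m.group(3)}")
    return {
        parent: {"addresses": addrs[parent], "vlans": sorted(ids)}
        for parent, ids in vlans.items()
        if parent in addrs
    }


if __name__ == "__main__":
    for parent, info in find_unsupported_trunks(SAMPLE_CONFIG).items():
        print(f"{parent}: IP {info['addresses']} on VLAN trunk {info['vlans']}")
```

In the sample, `eth1` is reported because it has both an address and VLANs 10 and 20, while `eth2` (trunk only) and `eth0` (address only) are not.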