This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michel_B
Participant
‎2019-03-20 02:42 AM

Benefits of using multiple interfaces vs VLAN trunk

Moving from a 4200 to a 5600, we've doubled in ethernet ports. This made me wonder, what are the pros/cons of multiple physical interfaces versus a VLAN trunk. Why would I connect, for example, VLAN1, 2, 3 and 4 to eth1, 2, 3 and 4 as opposed to trunking them all on eth1?

I could come up with this, but what am I missing?

  • Theoretical sharing of the 1Gb bandwidth
  • Spreading them over several switches
  • Bonding

 

 

0 Kudos
6 Replies
Jerry
Mentor
Mentor
‎2019-03-20 02:52 AM

if I were you I'd do BOND few 1GB interfaces on LACP L2 and make sub-vlan interfaces to the switch 🙂 That way is not only redundancy but also performance relief to the 5600(if in HA even better).
Jerry
Jerry
Mentor
Mentor
‎2019-03-20 02:53 AM

plus on 5600 ( I got them in HA) you can have one Fiber 10G interface with vlan's as sub-ints and all sits in 1 place towards your LAN switch.
Jerry
Michel_B
Participant
‎2019-03-20 03:16 AM
In response to Jerry

Thanks for your response Jerry.

On our 4200's, we've just been creating trunks and dumping most of our VLANs on 1 interface. 

The 5600 are going to be running in HA. 10Gb fiber is not really an option because of pricing and hardly any benefits. We won't be passing that amount of traffic through our units. Bonding 2 interfaces might be a good idea, since we have the ports available anyway.

Maarten_Sjouw
Champion
Champion
‎2019-03-20 03:43 AM
In response to Michel_B

Most of the times the interfaces are also connected to different switches (in bigger environments) for the different security zones. Many companies do not like the internet directly connected to their switches.
For DMZ networks and LAN / internal WAN connections most of the times they are also on separate physical connections.
When you have 2 switches for each zone, you could indeed use bond (active/standby for switches not stacked) to be able to recover from a switch failure.
Regards, Maarten
0 Kudos
4398be09-30fd-4
Explorer
‎2019-03-20 04:34 AM

The pro vs cons are entirley related to the specific environment.

If the environment require physically seperate networks (e.g no virtual networks (VLANs)

Generally you would see the interfaces used for seperating specific networks (External, DMZ, Internal, etc...) or for improving availability (bonding interfaces)

The use of vlans allows for cheaper physical infrastructure due to less physical kit.

0 Kudos
Vladimir
Champion
Champion
‎2019-03-20 04:56 AM

This topi c did come up in the past few times and you can probably search the community for past discussions.

There are people in favor of separating physical connectivity by security zones and those who advocate trunking on the bonds.

My personal opinion is that in a cloud based environments we are relying on the trunk interfaces every time we spin-up a vSEC instance. Same goes for VSX (mostly, not always) for the external connectivity via shared switch.

If you do not have the 10G capacity, bonding 1G and trunking it is not a bad thing, IMHO. You still can have separate trunks for zones, but you'll gain the flexibility of dynamically adding more networks to your Check Point gateways programmatically, as opposed to requiring a cable runs each time for the physical interface based deployments.

There was, in the past, for a brief time a VLAN hoping exploit, but switch manufacturers have clamped down on it pretty fast and I did not hear about similar techniques succeeding recently.

 

Regards,

Vladimir

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events