Thank you all guys.

The SK does not seem to apply R80.10 version. Do you know how can I notify checkpoint to update it?

Thanks!

At the bottom of each sk there is a "Give us Feedback" window. Enter your comments into that window and click "Submit". A Content Developer from the SK Team will be assigned to take care of your feedback.

Please make sure you are logged in with your User Center credentials if you would like to hear back from us.

One last comment: I am not sure why you thought sk110096 applies to R80.10. It clearly states the following versions:

R75.40, R75.40VS, R75.45, R75.47, R76, R76SP, R76SP.10, R76SP.10_VSLS, R76SP.20, R76SP.30, R77, R77.10, R77.20, R77.30.01

No R80.x here so actually nothing is wrong with the sk...

The "Versions" field is now updated to "All".

Good workaround, I have configured L3 at bond interface too then change native vlan to be ID 1 at the switch side.

Thank you!

Glad it worked! 

I have a question here. If adding an IP address to the main interface that is utilizing VLAN tagging is not supported, and the support of VLAN ID 1 as a tagged VLAN is not supported. What is the suggestion on how to handle this? Burn another interface for a single VLAN when the use of VLAN ID 1 may be used in someones environment? 

Understood that it is not best practice to use VLAN ID 1, but when it is already used in a network from predecessors that may not have done things, the best way, and changing the VLAN ID from 1 to something else may be a huge lift for some individuals and/or organizations (as this may pertain to access ports changing, vSwitch on ESX, etc.). What is the recommendation? I'm not refuting the fact that not using it is the right move, and or not adding an IP to a main interface that is using tags is not supported. My question is really about what the recommendation would be in this situation to possible help others in the future before they get into this situation. 

Correct. Use a separate interface and attach it natively to your switch. Then have your switch route it into Vlan 1.

Hi Mike, 

Two weeks ago we had this problem. We was migrating to 10GB interface. We want to migrate the gateway of network VLAN 1 to the firewall, however we cant. What was your solution? Because we had the vlan native in the switch VLAN ID 1. 

Because another options is use other interface only for vlan 1 in mode access, however we lose the capacity of interface 10GB.  Or your recomendation is migrate or change VLAN 1I know is the best practices but now is a little complex in our infraestructure. 

Julian,

Just to be clear, what I had proposed in this thread is not supported by Check Point as @Wolfgang had posted above. I think we all agree it will work, but if you have issues, TAC may not support you.  

With that said, as long as you have the native VLAN ID you require configured on the trunk port you would set an IP for VLAN 1 on the physical NIC. Below is an example.

Gateway Physical Interface = eth1-01

VLAN 1 = 10.0.1.0/24

VLAN 2 = 10.0.2.0/24

VLAN 3 = 10.0.3.0/24

clish commands

set interface eth1-01 state on

add interface eth1-01 vlan 2

add interface eth1-01 vlan 3

set interface eth1-01 ipv4-address 10.0.1.1 mask-length 24

set interface eth1-01.2 ipv4-address 10.0.2.1 mask-length 24

set interface eth1-01.3 ipv4-address 10.0.3.1 mask-length 24

The line highlighted in RED is what is not supported when you are using a trunk on eth1-01. 

Hope this helps/explains. 

- Mike 

Hi All,

We are facing issues with VLAN 1 in CP1550 embedded device. So even this device doesn't support the VLAN1 as it treat as native vlan 1 by default?

Regards,

Sanjay S

this limitation is valid also for Bond interfaces i guess... right?

Worth noting sk120684 as related to this discussion.

this sounds crazy to me

move native vlan away from 1 is a security best practice

anyway i found a working environment with VLAN1 configured on bond interface: (example)

bond1 : 192.168.1.1

bond1.10: 192.168.10.0

This was in my example above.