Gaia r80.10 tag vlan 1 and native vlan
Hello team,
I need to add a new subinterface for vlan 1, like:
bond2.1
Is there any way to tag VLAN 1 in Check Point? Cisco switches can change the native VLAN for a trunk and tag VLAN 1, but I cannot find how to match this configuration in Check Point.
Thank you in advance.
Daniel
Accepted Solutions
Not supported in Gaia as described in sk110096.
Please have a look at the discussion here:
Having an IP configured on the native interface is not supported if tagged VLANs are used on that interface.
I know it will work, but you will have problems if you need support from the vendor.
Wolfgang
The native VLAN is what it is and you cannot add a VLAN lower than 2.
Thank you all guys.
The SK does not seem to apply to the R80.10 version. Do you know how I can notify Check Point to update it?
Thanks!
At the bottom of each sk there is a "Give us Feedback" window. Enter your comments into that window and click "Submit". A Content Developer from the SK Team will be assigned to take care of your feedback.
Please make sure you are logged in with your User Center credentials if you would like to hear back from us.
One last comment: I am not sure why you thought sk110096 applies to R80.10. It clearly states the following versions:
R75.40, R75.40VS, R75.45, R75.47, R76, R76SP, R76SP.10, R76SP.10_VSLS, R76SP.20, R76SP.30, R77, R77.10, R77.20, R77.30.01
No R80.x here so actually nothing is wrong with the sk...
The "Versions" field is now updated to "All".
I had this issue about 2 years ago when I migrated all my gateways from 1Gb interfaces to 10Gb and started trunking on the 10G interfaces. For some reason a predecessor of mine thought it a good idea to use VLAN 1 as the ID for the main subnet.
I didn't realize that a bond0.1 could not be used until the night of cutover. What I did to work around this was, on the switch side, to make the native VLAN on the interface 1 and allow all the other VLANs I wanted to tag. So the IP on my main bond0 would be the native IP on VLAN 1.
Good workaround. I have configured L3 on the bond interface too, then changed the native VLAN to ID 1 on the switch side.
Thank you!
Glad it worked!
I have a question here. If adding an IP address to the main interface that is utilizing VLAN tagging is not supported, and VLAN ID 1 as a tagged VLAN is not supported either, what is the suggestion on how to handle this? Burn another interface for a single VLAN when VLAN ID 1 may be in use in someone's environment?
Understood that it is not best practice to use VLAN ID 1, but when it is already used in a network by predecessors that may not have done things the best way, changing the VLAN ID from 1 to something else may be a huge lift for some individuals and/or organizations (as this may pertain to access ports changing, vSwitch on ESX, etc.). What is the recommendation? I'm not refuting the fact that not using it is the right move, or that adding an IP to a main interface that is using tags is not supported. My question is really about what the recommendation would be in this situation, to possibly help others in the future before they get into this situation.
Correct. Use a separate interface and attach it natively to your switch. Then have your switch route it into VLAN 1.
Hi Mike,
Two weeks ago we had this problem. We were migrating to a 10Gb interface. We wanted to migrate the gateway of the VLAN 1 network to the firewall, but we can't. What was your solution? Because we had VLAN ID 1 as the native VLAN on the switch.
Because the other option is to use another interface only for VLAN 1 in access mode, but then we lose the capacity of the 10Gb interface. Or is your recommendation to migrate or change VLAN 1? I know that is best practice, but right now it is a little complex in our infrastructure.
Julian,
Just to be clear, what I had proposed in this thread is not supported by Check Point as @Wolfgang had posted above. I think we all agree it will work, but if you have issues, TAC may not support you.
With that said, as long as you have the native VLAN ID you require configured on the trunk port you would set an IP for VLAN 1 on the physical NIC. Below is an example.
Gateway Physical Interface = eth1-01
VLAN 1 = 10.0.1.0/24
VLAN 2 = 10.0.2.0/24
VLAN 3 = 10.0.3.0/24
clish commands
set interface eth1-01 state on
add interface eth1-01 vlan 2
add interface eth1-01 vlan 3
set interface eth1-01 ipv4-address 10.0.1.1 mask-length 24
set interface eth1-01.2 ipv4-address 10.0.2.1 mask-length 24
set interface eth1-01.3 ipv4-address 10.0.3.1 mask-length 24
The line highlighted in RED is what is not supported when you are using a trunk on eth1-01.
Hope this helps/explains.
- Mike
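An added audit script, not from this thread or from Check Point, that checks a Gaia clish configuration dump for both pitfalls discussed above: a tagged sub-interface for VLAN 1 (which Gaia rejects) and an IP address on a parent interface that also carries tagged VLANs (works, but unsupported per sk110096). The function name is hypothetical and the sample configuration is constructed from Mike's example.

```shell
#!/bin/sh
# audit_gaia_vlan_config: read Gaia clish "add/set interface" lines on stdin,
# print one finding per line, and return 1 if anything was flagged.
# Hypothetical helper written for this thread, not a Check Point tool.
audit_gaia_vlan_config() {
    awk '
    # "add interface <parent> vlan <id>": remember the parent as trunked
    $1 == "add" && $2 == "interface" && $4 == "vlan" {
        parent = $3; id = $5 + 0
        tagged[parent] = 1
        if (id < 2) {
            printf "REJECTED: VLAN %d on %s (Gaia does not accept VLAN IDs below 2)\n", id, parent
            hits++
        }
    }
    # "set interface <name> ipv4-address <ip> ...": only parents (no dot) matter,
    # sub-interfaces such as eth1-01.2 are expected to carry addresses
    $1 == "set" && $2 == "interface" && $4 == "ipv4-address" {
        if (index($3, ".") == 0) addressed[$3] = $5
    }
    END {
        for (p in tagged) if (p in addressed) {
            printf "UNSUPPORTED: %s has IP %s and tagged VLANs (sk110096)\n", p, addressed[p]
            hits++
        }
        exit (hits > 0)
    }'
}

# Constructed sample: Mike'"'"'s example plus an attempted VLAN 1 and a clean
# second interface (eth2) that must not be flagged.
SAMPLE_CONFIG='set interface eth1-01 state on
add interface eth1-01 vlan 1
add interface eth1-01 vlan 2
add interface eth1-01 vlan 3
set interface eth1-01 ipv4-address 10.0.1.1 mask-length 24
set interface eth1-01.2 ipv4-address 10.0.2.1 mask-length 24
set interface eth1-01.3 ipv4-address 10.0.3.1 mask-length 24
set interface eth2 ipv4-address 10.0.9.1 mask-length 24'

# On a real gateway: clish -c "show configuration" | audit_gaia_vlan_config
printf '%s\n' "$SAMPLE_CONFIG" | audit_gaia_vlan_config \
    || echo "Result: unsupported VLAN settings found"
```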
Hi All,
We are facing issues with VLAN 1 on a CP1550 embedded device. So does this device also not support VLAN 1, as it treats VLAN 1 as the native VLAN by default?
Regards,
Sanjay S
This limitation is valid for bond interfaces too, I guess... right?
Worth noting sk120684 as related to this discussion.
This sounds crazy to me.
Moving the native VLAN away from 1 is a security best practice.
Anyway, I found a working environment with VLAN 1 configured on a bond interface (example):
bond1 : 192.168.1.1
bond1.10: 192.168.10.0
This was in my example above.