This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2019-02-14 01:49 PM

VLAN1 and IP on Bonded Interfaces

When creating bonded interfaces and VLAN subinterfaces, the first VLAN ID we can define is 2.

Does it mean that the bond itself should be assigned the IP in the network residing in VLAN 1 ?

6 Replies
Maarten_Sjouw
Champion
Champion
‎2019-02-14 02:17 PM

Always keep in mind that VLAN 1 has a special function in a switch.

Only when VLAN 1 has been assigned to the port as the native VLAN you will be able to assign an IP in that VLAN on the interface itself.

Do keep in mind it is NOT good practice to use the native VLAN in a trunk port, nor to assign an IP to the port that has subinterfaces (VLAN's assigned to it)

Regards, Maarten
0 Kudos
Vladimir
Champion
Champion
‎2019-02-14 02:23 PM
In response to Maarten_Sjouw

Thank you Maarten Sjouw‌, it figures that this is not a best practice and that's why I did not run into it before.

This time around though, I am working with the client where this may very well be the case on the switch side and thus, I'll have to deal with this situation.

Anything in particular you can share that makes the assignment of the IP to the Bond interface with subinterfaces cause negative effects?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-14 11:17 PM
In response to Vladimir

Vladimir Yakovlev, it is not a point of not working, it's just a thing that you should not do. Recently I had to do the same, luckily  I was able to get the VLAN moved from VLAN 1 to VLAN 10 by using a switch to switch VLAN translation. By setting the 1 switch trunk port to native VLAN 1 and the other switch trunk port to native VLAN 10 we could move the traffic from VLAN 1 to VLAN 10. Ohh and do not forget to disable CDP on those ports!

Regards, Maarten
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-02-14 11:07 PM

"Invalid number: 1. Not in range 2..4094" error when configuring VLAN in Gaia Clish 

Kind regards,
Jozko Mrkvicka
0 Kudos
AlekseiShelepov
Advisor
‎2019-02-15 12:38 AM

As I understand, you are in situation, where you need to have bond0.1 interface together with multiple other VLANs. I had similar situations in previous implementations.

I cannot find the confirmation in documents or in SKs for now. I remember that Timothy Hall wrote about this on CheckMates and most probably in his book, but didn't find it quickly. 

But in general, if an interface is configured as interface with multiple vlans ("trunk"), then IP address shoudn't be assigned to the main interface itself. For example, you shouldn't configure:

eth1 = 192.168.1.1

eth1.2 = 192.168.2.1

eth1.3 = 192.168.3.1

One of possibilities - use separate physical interface for VLAN 1. The easiest way usually if nobody wants to change settings on switches. Best practice is to change default/native vlan on switches, as was mentioned previously.

Another possibility was described by Maarten Sjouw‌ here, change settings of native vlan on the closest switch to Check Point gateway. I did it in the same way also when there was a very simple switch, which couldn't be configured.

0 Kudos
Vladimir
Champion
Champion
‎2019-02-15 05:55 AM

Thank you guys. I have found the thread you were referring to:

Combine VLAN and physical interface, which already has an assigned IP 

As well as pertinent SKs:  sk110096 and sk88700

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events