Alex_Mondol
Participant

VSXs maximum subinterfaces? Check Point Suggestions requested


Some of our DMZ switches have been deprecated and we are planning on moving the hosts from these switches to a layer two DMZ switch and have the routed interface of each of the VLANs that support all our hosts in the DMZs be routed by the FW. In other words, the FW would have a bond to the new switch and have sub-interfaces down the trunk, where the routed interface for the DMZ networks would be the FWs'; static routing. Management has asked to get a sign-off from Check Point on the maximum number of routed interfaces the FWs could handle and whether there would be any impact moving the routed interface to the FWs instead of leaving the routing at the switches. I know that sub-interfaces are directly dependent on the number of VLANs supported on an interface, which is 4096. Is this the same for your FWs, and would there be a performance degradation moving to this design? The backchannel FWs will be trunked down to the layer two DMZ switch over 10G links. Will moving to static routing off of FW sub-interfaces representing the DMZ VLANs degrade or have a performance hit on our Perimeter Gateways?



Accepted Solutions
PhoneBoy
Admin
PhoneBoy
Admin
Alex_Mondol
Participant

We are in the middle of collapsing our DMZ VLANs into VRFs to secure them better. The thought has occurred within our Network group, since there are some limitations on how many sub-interfaces and VLANs each VS can have, that we could use one sub-interface with a point-to-point in our Global routing table that will have a router/switch leak the DMZ VRF routes into the Global routing table with a gateway of the FWs, so that all traffic hits the FWs first. This solution would allow fewer VLANs or sub-interfaces to be created on the FW clusters per VS. My concern is that without sub-interfaces the east-west traffic and the DMZ VLANs would not be secured, especially through blades like IPS/IDS, etc. Can I get your insight on this? The question is the overhead on the FWs with switching all that traffic to, from and through the FWs... Would it be better to use sub-interfaces for each VRF at the FW level to better segment/view/analyze the traffic (especially east-west traffic) instead of creating one big spoofing group for DMZ zones that will collapse onto one DMZ switch that will separate each VLAN into its own VRF? Or is it better to use sub-interfaces for each VRF (DMZ VLANs) and size the VSs for the load? We currently do have Carbon Black Response clients on all our machines but not a complete EDR solution on each node. Hence my worry about protecting cross-VLAN traffic in the DMZs. Thank you ahead of time for your thoughts.

Magnus-Holmberg
Advisor

How many VLANs do you actually need? Each VS in VSX can have 64 by default, but it's possible to change that so they can have 256.
Cisco ACI, VMware NSX or similar would work well in cases like this if you want to microsegment within a VLAN.
That would also limit the need for sub-interfaces by a lot. (And it would increase the price by a lot as well if you don't already have such a solution 🙂 )

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
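A small planning check for the limits discussed in this thread (the 1-4094 usable 802.1Q VLAN ID range, and the per-VS interface count of 64 by default or 256 when raised, as the reply above states). This is an added example, not Check Point tooling; it assumes Gaia-style "bond1.100" sub-interface names and uses a constructed plan.

```python
"""Check a proposed VSX sub-interface plan against the limits quoted in the thread.
Added example, not Check Point's own tooling. Assumptions:
  - usable 802.1Q VLAN IDs are 1..4094 (0 and 4095 are reserved)
  - a VS allows 64 interfaces by default, 256 when raised (figures from the reply above)
  - sub-interfaces are named "<base>.<vlan>", e.g. "bond1.100"
"""
import re
from collections import defaultdict

VLAN_MIN, VLAN_MAX = 1, 4094             # usable 802.1Q VLAN IDs
DEFAULT_PER_VS, RAISED_PER_VS = 64, 256  # per-VS interface limits quoted in the thread

SUBIF_RE = re.compile(r"^(?P<base>[A-Za-z][\w\-]*)\.(?P<vlan>\d+)$")


def parse_subinterface(name):
    """Return (base, vlan_id) for 'bond1.100'; raise ValueError if malformed or out of range."""
    m = SUBIF_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not a <base>.<vlan> sub-interface name")
    vlan = int(m.group("vlan"))
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"{name!r}: VLAN {vlan} outside {VLAN_MIN}-{VLAN_MAX}")
    return m.group("base"), vlan


def check_plan(plan, per_vs_limit=DEFAULT_PER_VS):
    """plan: {vs_name: [sub-interface names]}. Returns a list of findings (empty == fits).
    Flags a VS over the interface limit, and a VLAN tag on one bond claimed by two VSs,
    since only one VS can own the routed interface for that VLAN on that trunk."""
    findings = []
    owners = defaultdict(list)  # (base, vlan) -> [vs names]
    for vs, ifaces in plan.items():
        if len(ifaces) > per_vs_limit:
            findings.append(f"{vs}: {len(ifaces)} interfaces exceeds per-VS limit {per_vs_limit}")
        for name in ifaces:
            owners[parse_subinterface(name)].append(vs)
    for (base, vlan), vss in owners.items():
        if len(vss) > 1:
            findings.append(f"VLAN {vlan} on {base} assigned to multiple VSs: {', '.join(vss)}")
    return findings


# Constructed plan: 70 DMZ VLANs on one VS (over the default), plus one tag used twice.
EXAMPLE_PLAN = {
    "dmz-vs1": [f"bond1.{v}" for v in range(100, 170)],
    "dmz-vs2": ["bond1.169", "bond1.200", "bond1.201"],
}

if __name__ == "__main__":
    for limit in (DEFAULT_PER_VS, RAISED_PER_VS):
        for finding in check_plan(EXAMPLE_PLAN, per_vs_limit=limit):
            print(f"limit={limit}: {finding}")
```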