Is there documentation or article that can inform limitations or best practices when configuring a VLAN and using the physical interface with IP address?
I assume you are referring to the practice of directly assigning an IP address to a physical interface for untagged/native traffic, then also having VLAN-tagged subinterfaces on that same physical interface. That configuration is most definitely not supported for ClusterXL and may cause some strange performance issues.
I have seen this done on a non-clustered firewall and everything seemed to work, but I'm pretty sure it is not officially supported.
-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
Thanks for the info. It is exactly what I have configured due to an infrastructure limitation.
It is a non-clustered firewall and apparently seems to work; however, there is an adverse behavior in redundancy when enabling the ISP Redundancy functionality. The traffic is not being balanced in accordance with the configured weight, which shows up as discrepancies in the monitoring.
I searched the documentation for something related, unsuccessfully so far.
Experiencing traffic balancing issues for ISP Redundancy sounds about right for configuring an interface in a way that is not supported, as in it works most of the time but causes subtle problems or improper behavior in certain situations.
Topic: Creating VLAN interfaces on a physical interface, which already has an assigned IP address
sk88700: It is mandatory to remove an IP address from a physical interface before creating any VLAN interfaces on that physical interface.
Regarding sk88700, it informs that in order to configure the VLAN interface, the IP address must be removed.
However, after removing the IP address of the physical interface and configuring the VLAN, it is possible to reconfigure the address on the physical interface for the native traffic, which leaves it unclear whether this setting is recommended or not, as Tim reported.
In a lab test, I managed, through the CLI, to configure an IP address on the physical interface and after that configure the VLAN interface, without removing the previously configured IP address.
Hello Danny Jung,

Thank you for providing your feedback to SecureKnowledge on sk88700, titled "Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePlatform OS / Gaia OS". Your feedback was:

------------------
Please clarify what happens AFTER the VLAN interfaces were configured. Is it supported to create an IP address to the physical interface then? This question has been raised at https://community.checkpoint.com/thread/8176
------------------

Once this solution is updated, we will notify you by email.

Thanks for requesting a clarification regarding this case; let's wait for the response from Check Point.
Well, this is the answer I got from Check Point:
The answer will require more investigation which is out of my scope. Please open a service request by logging into Check Point User Center. Please do not reply to this message.
I really think Check Point should be able to tell officially if VLAN interfaces are supported on physical interfaces, that get an IP address assigned after the VLAN was created.
Check Point updated sk88700: Creating VLAN interfaces on a physical interface, which already has an assigned IP address
It is mandatory to remove an IP address from a physical interface BEFORE creating VLAN interfaces on it, and it is not supported to add an IP address to that physical interface AFTER creating a VLAN interface on it.
Hi, it is definitely not supported to configure an IP address natively on an interface that is to be used as a VLAN trunk. We don't block the configuration, as you have discovered here, but it is not supported.
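Because Gaia does not block the configuration that sk88700 says is unsupported (a native IP address on a physical interface that also carries VLAN subinterfaces), the condition is easy to introduce and easy to miss. The script below is an added example, not part of this thread or of any Check Point tool: it parses a constructed sample in the shape of Gaia's `show configuration` interface lines (the `add interface ... vlan` and `set interface ... ipv4-address ... mask-length` forms are an assumption about that output) and reports every trunk interface that also has a native address, so the check can be run against a saved configuration before a cutover or during a review of ISP Redundancy problems like the one described above.

```python
import re
from collections import defaultdict

# Constructed sample of Gaia "show configuration" interface lines.
# Assumption: real output uses the "add interface <if> vlan <id>" and
# "set interface <if> ipv4-address <addr> mask-length <n>" forms shown here.
# eth1 is a trunk (VLANs 100/200) that ALSO carries a native address: the
# unsupported case from sk88700. eth2 is a correctly configured trunk.
SAMPLE_CONFIG = """
set interface eth0 ipv4-address 192.0.2.1 mask-length 24
set interface eth0 state on
add interface eth1 vlan 100
add interface eth1 vlan 200
set interface eth1.100 ipv4-address 10.100.0.1 mask-length 24
set interface eth1.200 ipv4-address 10.200.0.1 mask-length 24
set interface eth1 ipv4-address 10.0.0.1 mask-length 24
set interface eth1 state on
add interface eth2 vlan 300
set interface eth2.300 ipv4-address 10.30.0.1 mask-length 24
set interface eth2 state on
"""

VLAN_RE = re.compile(r"^add interface (\S+) vlan (\d+)$")
ADDR_RE = re.compile(r"^set interface (\S+) ipv4-address (\S+) mask-length (\d+)$")


def parse_interfaces(config_text):
    """Return (trunks, addresses).

    trunks maps each physical interface to the set of VLAN ids created on it;
    addresses maps any interface name (physical or VLAN) to its IPv4 prefix.
    """
    trunks = defaultdict(set)
    addresses = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            trunks[m.group(1)].add(int(m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    return dict(trunks), addresses


def find_unsupported_trunks(config_text):
    """Physical interfaces that have VLAN subinterfaces AND a native IP address,
    i.e. the combination sk88700 states is not supported."""
    trunks, addresses = parse_interfaces(config_text)
    return sorted(phys for phys in trunks if phys in addresses)


def report(config_text):
    """Human-readable findings, one line per offending physical interface."""
    trunks, addresses = parse_interfaces(config_text)
    findings = []
    for phys in find_unsupported_trunks(config_text):
        vlans = ", ".join(str(v) for v in sorted(trunks[phys]))
        findings.append(
            f"{phys}: native address {addresses[phys]} together with VLANs {vlans} "
            f"(not supported per sk88700; move the address to a VLAN subinterface)"
        )
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Feed it the real `show configuration` output (saved to a file and passed as `config_text`) rather than the constructed sample; an interface that appears in the findings matches the case Tim and Check Point describe as unsupported, and the fix is to carry the native traffic on a dedicated VLAN subinterface instead.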