Hello CP community,
I have a question about switch trunk configurations on ports that connect to Check Point firewalls. I've come across a few instances where the switch trunk is set to pass all VLANs. The Check Point cluster, however, does not have all of those VLANs defined, as the missing ones are specific to subnets that belong to another cluster downstream. That being said, both Cluster A and Cluster B connect to the same two distribution switches. We normally hardcode the allowed VLANs on the switch trunk port to match those defined on the firewall, as seen below.
interface GigabitEthernet2/48
 description trunk to xxxxNFW01C
 switchport trunk allowed vlan 22,32,42
 switchport mode trunk
In this instance, the trunk configuration is set as follows:
interface GigabitEthernet2/48
 switchport mode trunk
 spanning-tree portfast trunk
I am not seeing any issues with the latter switch config, but I am wondering if there is any impact. My assumption, based on logic, is that any traffic such as multicast/broadcast going out the trunk port for VLANs not defined on the cluster would simply be dropped due to the rulebase. The config is simply adding unnecessary noise but poses no risk.
Any input would be greatly appreciated.
Regards.
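As an added example (not part of the original post and not Check Point or Cisco code), the following script audits the mismatch the post describes: it parses trunk ports out of an IOS-style configuration and compares each port's allowed VLAN list against the VLAN IDs the cluster actually has interfaces for. It reports VLANs that are trunked toward the firewall without a matching cluster interface (unnecessary exposure of other clusters' broadcast domains to that port) and, the more damaging direction, VLANs the cluster needs that a pruned trunk does not carry. The config text and the cluster VLAN set are constructed for the example; the only Cisco behaviour it relies on is that a trunk with no "switchport trunk allowed vlan" line carries VLANs 1-4094 by default.

```python
"""Audit Cisco IOS trunk ports against the VLAN interfaces defined on a firewall cluster.

Added example; the config and VLAN set below are constructed, not taken from real devices.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config modelled on the two snippets in the post, plus a
# third port that is pruned to the wrong VLAN list.
SAMPLE_CONFIG = """
interface GigabitEthernet2/47
 description trunk to xxxxNFW01C (pruned to match the cluster)
 switchport trunk allowed vlan 22,32,42
 switchport mode trunk
!
interface GigabitEthernet2/48
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet2/49
 switchport trunk allowed vlan 10-12,22
 switchport mode trunk
!
"""

# Constructed: VLAN IDs that the cluster has VLAN interfaces defined for.
CLUSTER_VLANS = {22, 32, 42}

# IOS default when no allowed-VLAN list is configured on a trunk.
ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10-12,22' (or 'all' / 'none') into a set of ints."""
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped body lines]} for each 'interface' stanza."""
    interfaces: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' ends the stanza in IOS output
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def trunk_allowed_vlans(body: list) -> Optional[set]:
    """Allowed VLAN set for a trunk-mode port, or None if the port is not a trunk.

    Only the plain 'switchport trunk allowed vlan <list>' form is handled;
    the 'add' / 'remove' / 'except' variants are not.
    """
    if "switchport mode trunk" not in body:
        return None
    prefix = "switchport trunk allowed vlan "
    for line in body:
        if line.startswith(prefix):
            return parse_vlan_list(line[len(prefix):])
    return set(ALL_VLANS)  # no allowed list: the trunk carries every VLAN


@dataclass
class TrunkFinding:
    interface: str
    unneeded: set  # trunked toward the firewall but not defined on the cluster
    missing: set   # defined on the cluster but pruned from the trunk (breaks connectivity)


def audit_trunks(config: str, cluster_vlans: set) -> list:
    """Compare every trunk port in the config against the cluster's VLAN interfaces."""
    findings = []
    for name, body in parse_interfaces(config).items():
        allowed = trunk_allowed_vlans(body)
        if allowed is None:
            continue
        findings.append(TrunkFinding(name, allowed - cluster_vlans, cluster_vlans - allowed))
    return findings


if __name__ == "__main__":
    for f in audit_trunks(SAMPLE_CONFIG, CLUSTER_VLANS):
        print(f"{f.interface}: {len(f.unneeded)} VLAN(s) trunked but not on cluster; "
              f"missing from trunk: {sorted(f.missing) or 'none'}")
```

Run against a real switch, feed it the output of "show running-config" and the VLAN IDs from the cluster object; a non-empty "missing" set on a port is the finding to act on first, since it means the cluster's own VLAN interfaces have no path through that trunk.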