CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Interface alias

  1. #1
    Join Date
    2011-10-20
    Posts
    162
    Rep Power
    7

    Interface alias

    Hi everyone, I have a question about the use of Alias.

    I have a server with an interface limit and need to share one of these interfaces, so I configured a different network as an Alias of one interface.

    But it seems that the traffic is not routable to this network. Is this a limitation?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,369
    Rep Power
    15

    Re: Interface alias

    If you're doing this to a Security Gateway, this is an exceedingly bad idea as there's no way to enforce segmentation when more than one subnet is using the same physical segment without putting each subnet on a VLAN.
    It also creates other issues down the road if, for instance, you want to do VSX, which does not support such a configuration (neither does ClusterXL, FYI).
    At the very least, set up your switch with VLANs and do an 802.1q trunk to the Security Gateway.
    VLANs are not my favorite technology for segmentation either, but it's far better than sticking multiple subnets on the same physical, non-VLANed interface.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2011-10-20
    Posts
    162
    Rep Power
    7

    Re: Interface alias

    Originally posted by PhoneBoy:
    > If you're doing this to a Security Gateway, this is an exceedingly bad idea as there's no way to enforce segmentation when more than one subnet is using the same physical segment without putting each subnet on a VLAN.
    > It also creates other issues down the road if, for instance, you want to do VSX, which does not support such a configuration (neither does ClusterXL, FYI).
    > At the very least, set up your switch with VLANs and do an 802.1q trunk to the Security Gateway.
    > VLANs are not my favorite technology for segmentation either, but it's far better than sticking multiple subnets on the same physical, non-VLANed interface.

    Thanks for your reply.

    When would you use the Alias?

    The problem with VLANs is that we need to change a lot of settings, and most of these settings are on the switch.

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,369
    Rep Power
    15

    Re: Interface alias

    I would never use it myself on a Security Gateway.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,412
    Rep Power
    8

    Re: Interface alias

    Originally posted by crosspopz:
    > Hi everyone, I have a question about the use of Alias.
    >
    > I have a server with an interface limit and need to share one of these interfaces, so I configured a different network as an Alias of one interface.
    >
    > But it seems that the traffic is not routable to this network. Is this a limitation?

    It's hard to say what you should be doing since you haven't explained the setup. I'm thinking there is something going on with a server with multiple NICs connecting to multiple networks and you've run out of NICs using this setup. I can't say if this is true, but it's kind of what it sounds like.

    If you can provide some details on the setup maybe we can help you with what you're doing.

    I would add that I agree with PhoneBoy and that there is almost no reason to use an alias on a firewall. This is the exact issue that VLAN/trunking is designed to solve. Yes, it will require changes on the firewall and switches, but these should be fairly basic changes. If your switch doesn't support trunking, you need a new switch, no way around it. I know for a fact even the off-the-shelf switches that you can get at Best Buy support this; it's just going to cost more.

  6. #6
    Join Date
    2015-08-26
    Posts
    81
    Rep Power
    3

    Re: Interface alias

    We are out of ports and need to add an additional subnet. Does ClusterXL support VLAN interfaces?

    I can add an IP to an interface from the CLI, but how do I do it for a VLAN interface?

    set interface eth6.25 ipv4-address 192.168.167.18 mask-length 29
    NMSETH0049 Invalid Interface name
    set interface eth6.25
    ----^^^^^^^^^^^^^^^^^

    Found it https://supportcenter.checkpoint.com...tionid=sk92356
    Last edited by jerryroy1; 2016-08-25 at 19:43.

  7. #7
    Join Date
    2011-10-20
    Posts
    162
    Rep Power
    7

    Re: Interface alias

    Originally posted by jerryroy1:
    > We are out of ports and need to add an additional subnet. Does ClusterXL support VLAN interfaces?
    >
    > I can add an IP to an interface from the CLI, but how do I do it for a VLAN interface?
    >
    > set interface eth6.25 ipv4-address 192.168.167.18 mask-length 29
    > NMSETH0049 Invalid Interface name
    > set interface eth6.25
    > ----^^^^^^^^^^^^^^^^^
    >
    > Found it https://supportcenter.checkpoint.com...tionid=sk92356

    Yes, it works!

    You can add it from the GUI or from the CLI; you need to add the VLAN interface first, then set the interface IP.

    Cya!

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,053
    Rep Power
    12

    Re: Interface alias

    Originally posted by jerryroy1:
    > We are out of ports and need to add an additional subnet. Does ClusterXL support VLAN interfaces?

    As you found, yes it does. However, ClusterXL can only present 1 IP address per interface, whether it is a physical (no tags) or a logical (tagged/VLAN) interface. If you need to present multiple IP addresses (such as a secondary address) per physical/logical interface in an HA scenario, VRRP will have to be used. This is a rather rare requirement though.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
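
An added example, not part of any post in this thread: a Python check for the condition described in reply #2 (more than one subnet on the same untagged interface), which is also the multiple-addresses-per-interface case that reply #8 says ClusterXL cannot present. It parses Linux `ip -o -4 addr show` output; the sample lines, interface names and all addresses except 192.168.167.18/29 are constructed, and collecting that output from the gateway's expert shell is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not from the thread: `ip -o -4 addr show` output with the
# trailing lifetime fields trimmed. eth6:1 is an alias label on eth6.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth5    inet 10.0.5.1/24 brd 10.0.5.255 scope global eth5
3: eth6    inet 192.168.166.1/24 brd 192.168.166.255 scope global eth6
3: eth6    inet 192.168.167.18/29 brd 192.168.167.23 scope global secondary eth6:1
4: eth5.25    inet 172.16.25.1/24 brd 172.16.25.255 scope global eth5.25
"""

VLAN_SUFFIX = re.compile(r"\.\d+$")  # eth5.25 is an 802.1q sub-interface


def subnets_by_device(text):
    """Map each device to the set of IPv4 networks configured on it."""
    nets = defaultdict(set)
    for line in text.splitlines():
        # Untrimmed `ip -o` lines carry a backslash before the lifetime fields.
        fields = line.split("\\")[0].split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        device = fields[1].split("@")[0]  # drop any "@parent" suffix
        nets[device].add(ipaddress.ip_interface(fields[3]).network)
    return nets


def shared_segments(text):
    """Return one finding per device that carries more than one subnet."""
    findings = []
    for device, nets in sorted(subnets_by_device(text).items()):
        if len(nets) < 2:
            continue
        findings.append({
            "device": device,
            "vlan_tagged": bool(VLAN_SUFFIX.search(device)),
            "subnets": sorted(str(n) for n in nets),
        })
    return findings


if __name__ == "__main__":
    for f in shared_segments(SAMPLE):
        kind = "VLAN" if f["vlan_tagged"] else "untagged"
        print(f"{f['device']} ({kind}): {', '.join(f['subnets'])}")
```

A finding with `vlan_tagged` false is the alias case the replies advise against; each subnet listed there is a candidate for its own VLAN sub-interface on an 802.1q trunk.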
