Unable to attach two circuits with same VLAN ID to the same NPM physical interface

Article ID: 168444

Products

XOS

Issue/Introduction

Example of an existing configuration with two circuits using the same VLAN ID, where the first circuit is attached to interface 1/1:

circuit Inside circuit-id 1096
  device-name Ins
  vap-group fw
    default-egress-vlan-tag 210 hide-vlan-header
    ip 10.10.10.234/24 10.10.10.255

circuit Inside_2 circuit-id 1097
  device-name Ins2
  vap-group fw
    default-egress-vlan-tag 210 hide-vlan-header
    ip 10.11.11.254/24 10.11.11.255

 interface ethernet 1/1
  logical Inside ingress-vlan-tag 210 210
    circuit Inside


When creating the logical statement for the second circuit with the same VLAN tag of 210, an error is displayed:
-------
Pod10# conf interface ethernet 1/1 logical Inside2 ingress-vlan-tag 210
%CONF-ERR: Invalid value
Detail: Same ingress-vlan-tag already used in logical Inside
------

 

In the case of VSX, if the same VLAN ID is used for two different interfaces that use the same base template circuit, the second one will not be created successfully on the chassis once the configuration is pushed, even if the interfaces are created in different Virtual Systems.

Cause

The XOS functionality does not allow two logical interfaces with the same VLAN tags to be attached to the same NPM interface, to ensure that the incoming traffic matching the specified VLAN tag is directed to the correct circuit via the logical interface matching the VLAN tag.

 

Resolution

The VSX VLAN circuits are attached to the same physical interface to which the base template circuit is attached, and only one template circuit is attached to a physical (NPM) interface. Using different VLAN IDs when using a specific template circuit will prevent this issue.

1. Use a different VLAN ID for the circuits attached to the same physical interfaces.

2. Circuits with the same VLAN ID can be attached to different physical interfaces.

3. In case of VSX, where the VLAN tags are assigned as per the VLAN IDs selected within the VS in the Check Point Management GUI, please use different VLAN IDs when using the same base template circuit in two different Virtual Systems.
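
The rule in items 1 and 2 can be checked on a planned configuration before it is entered or pushed. The script below is an added example, not part of XOS or of this article's original text: it reads configuration text in the layout shown above and reports every ingress VLAN tag claimed by more than one logical on the same physical interface. The function names are hypothetical, and a second number after ingress-vlan-tag is assumed to be the upper end of a tag range.

```python
import re

# Constructed sample in the layout shown in this article; Inside2 is the
# logical that XOS rejects, Inside3 reuses the tag on another interface.
SAMPLE = """\
interface ethernet 1/1
  logical Inside ingress-vlan-tag 210 210
    circuit Inside
  logical Inside2 ingress-vlan-tag 210
    circuit Inside_2
interface ethernet 1/2
  logical Inside3 ingress-vlan-tag 210
    circuit Inside_2
"""

IFACE = re.compile(r"^\s*interface\s+ethernet\s+(\S+)")
LOGICAL = re.compile(r"^\s*logical\s+(\S+)\s+ingress-vlan-tag\s+(\d+)(?:\s+(\d+))?")


def parse_logicals(text):
    """Yield (interface, logical name, low tag, high tag) per logical line."""
    iface = None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = LOGICAL.match(line)
        if m and iface is not None:
            low = int(m.group(2))
            # Assumption: a second number is the upper end of a tag range.
            high = int(m.group(3)) if m.group(3) else low
            yield iface, m.group(1), low, high


def find_conflicts(text):
    """Return sorted (interface, tag, first logical, clashing logical) tuples."""
    owner = {}  # (interface, tag) -> logical that claimed the tag first
    conflicts = []
    for iface, name, low, high in parse_logicals(text):
        for tag in range(low, high + 1):
            first = owner.setdefault((iface, tag), name)
            if first != name:
                conflicts.append((iface, tag, first, name))
    return sorted(conflicts)

if __name__ == "__main__":
    for iface, tag, first, name in find_conflicts(SAMPLE):
        print(f"ethernet {iface}: tag {tag} already used in logical {first}, also in {name}")
```

For VSX, the same check applies to the VLAN IDs chosen in each Virtual System that shares a base template circuit, since those circuits land on the same physical interface.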