topic Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switches? in Hyperscale Firewall (Maestro)

Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switches?

teckwahlee — Wed, 21 Feb 2024 17:24:48 GMT

Hi all,

Currently we are to deploying the Check Point Maestro with single site dual MHO. We know that Maestro is running on Active-Active mode, however the internal and external switch connected is actually a cascading switch which is not support creating any port channel or LACP like stacking switch. Meanwhile, in the design due to insufficient port, we must bond the interface from each security group to provide redundancy within MHO1 & MHO2, but we unable to configure Bond operating mode 802.3ad LACP (load sharing) with both link is Active-Active, it will have issue with cascading switch as it is not like stacking switch.

Please refer to the diagram of the topology, MHO1 & MHO2 connecting straight link to switch 1 & switch 2 separately without cross.

This is the first time we meet maestro with Cascade Switches, so we are not sure whether it is supported?

Is there any similar setup? and What is the best way to configure for this scenario?

Is there any concern Maestro with bonding group connecting to cascaded switch that need to be highlighted?

The Maestro is running Active-Active, but the all the bonding group link is configured with Active-Backup which all active link will at MHO1 while backup link at MHO2 like normal clusterXL deployment. Its quite confusing.

We have tried to configure the bonding group with operating mode 802.3ad but it is totally not workable at all when connected to cascaded switch, unable to ping. Therefore, when we try to change the operating mode to Active-Backup and XOR is able to ping within upstream and downstream.

Best Regards,

Keon

Re: Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switch

cassiomaciel — Thu, 22 Feb 2024 11:57:25 GMT

Hi,

I think the best option in this deployment is configure 2 bonds as active - backup.

Each mho will have one port active on different switches, in this way you could use both as Active-active.

In both ends you need to configure duplicate routes to balance between the bonds, depend on routing protocol used, maybe you need to enable ecmp in both ends.

But just a guess 🙂

Cassio

Re: Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switch

emmap — Thu, 22 Feb 2024 12:31:30 GMT

In order to do an LACP bond, the switches also have to be acting as a single switch (like VSS or VPC) and present a single LACP bond back to the MHOs.

Re: Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switch

teckwahlee — Tue, 05 Mar 2024 16:51:58 GMT

Hi cassiomaciel,

Yes, we would like to configure both link as Active-backup, e.g. all link from MHO1 is Active and connect to the Switch1 meanwhile all link from MHO2 is Backup will connect to Switch2. Which means the traffic coming from switch it will always go through MHO1 only, by right it wont have any traffic go through MHO2 as all the link from there is backup link just like normal clusterXL firewall even though it is Maestro with Active-Active. Theoretically/Logically it should running like this, am I right? Is there any other concern if there's VLAN trunk on the switch with this setup?

Best Regards.

Re: Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switch

emmap — Thu, 07 Mar 2024 07:27:58 GMT

This will work fine, the ports on the switches should be set up with no bonding configuration. It should work as either Access or Trunk ports, as long as all the right VLANs are on both switch ports.