topic Re: L3 Uplink non vendor device status in Hyperscale Firewall (Maestro)

L3 Uplink non vendor device status

anikaralam — Tue, 16 Apr 2024 20:22:42 GMT

Hi Team,

Consider that maestro uplink l3 devices are from other vendor. In single site dual deployment we have two rooms and it's 2 km away. We have 2 Maestro and 4 security gateway. There are 2 security group and one uplink connecting to l3 device which configured as VSX between two room. Other uplink bond planning to connect on different l3 device where no vsx between these device between two room. Will this work? Or do I need to suggest to connect uplink to same L3 devices which configured as VSX. Please share a checkpoint link for further clarification.

Re: L3 Uplink non vendor device status

Dario_Perez — Tue, 16 Apr 2024 21:45:04 GMT

Let me try to understand

Do you have 2 maestros? maestro is solution with orchestrator and security gateways, maybe you have 2 orchestrators and 4 Security Gateways on site one (no other side)?
Device uplink for other vendor it does mean the SFP is other than Check Point or you mean the SFP is Check Point and connects to switch (other vendor)?
When you say single site dual deployment you mean 2 MHO per site?
2 Security Groups one uplink connected? are you sharing the same interface on both Security group or is one per SG?
2 SG connected to 3party device connected to L3 as VSX? this is other check point gateway with maestro VSX Dual Site?

A topology might help here

Re: L3 Uplink non vendor device status

Dario_Perez — Tue, 16 Apr 2024 21:48:58 GMT

Please elaborate you scenario, then we can try to answer

Re: L3 Uplink non vendor device status

Chris_Atkinson — Tue, 16 Apr 2024 23:54:43 GMT

A diagram might help to understand the proposed topology

Re: L3 Uplink non vendor device status

anikaralam — Wed, 17 Apr 2024 05:02:00 GMT

High level Uplink topology

Re: L3 Uplink non vendor device status

anikaralam — Wed, 17 Apr 2024 05:03:12 GMT

Attached high level uplink design

Re: L3 Uplink non vendor device status

anikaralam — Wed, 17 Apr 2024 05:10:59 GMT

Do you have 2 maestros? maestro is solution with orchestrator and security gateways, maybe you have 2 orchestrators and 4 Security Gateways on site one (no other side)? ==> We have 2 maestro and four security gateways. In one room one maestro and 2 security gateways from two different security groups and in the other which is far from room 1 one maestro and 2 security gateway.
Device uplink for other vendor it does mean the SFP is other than Check Point or you mean the SFP is Check Point and connects to switch (other vendor)? ==> Other vendor side it's vendor SFP and in checkpoint it will be checkpoint SFP
When you say single site dual deployment you mean 2 MHO per site? Yes. 1 MHO in each room.
2 Security Groups one uplink connected? are you sharing the same interface on both Security group or is one per SG? No sharing uplink. MGMT(SMS) will be same. Please refer the diagram I attached for other reply.
2 SG connected to 3party device connected to L3 as VSX? this is other check point gateway with maestro VSX Dual Site?One security group will connect to 3rd part device connected as VSX. My understanding its work well. Problem with the other security group which is currently planning to connect on L3 device which not configured as VSX between two different room. Need to know best practice from 3rd party vendor side.

Re: L3 Uplink non vendor device status

Dario_Perez — Wed, 17 Apr 2024 17:39:42 GMT

Ok I think I understand now.

So, you have single site, with dual orchestrator all 4 gateways on 2 Security Group 2km? do you have the lattency less than 100ms? else should change to Multi-room

the VSX is I think Aruba technology to segregate VLANs.

I see the topology for MHO but what about Security Group?

The HLD is for current or proposal?

Re: L3 Uplink non vendor device status

the_rock — Wed, 17 Apr 2024 18:46:22 GMT

As the guys said, if you share network diagram, would certainly help.

Andy

Re: L3 Uplink non vendor device status

anikaralam — Thu, 18 Apr 2024 04:57:40 GMT

UPLINK design network diagram already shared earlier.

Re: L3 Uplink non vendor device status

anikaralam — Thu, 18 Apr 2024 05:38:37 GMT

I'm looking for a document related to third-party L3 third-party device configuration best practices while connecting maestro uplink. That's the reason not to include downlink and related security groups. HLD is the proposed one. Would like to know what is the drawback if L3 third-party vendor is not configured as VSX/LAG. Why its recommending to configure L3 switches as one virtual switch (VSX/LAG) even its away for couple of kilometers.

Re: L3 Uplink non vendor device status

emmap — Thu, 18 Apr 2024 06:26:56 GMT

On Maestro, the uplink bonds are configured and managed at the security group level, not the MHOs. This means that when you create a bond using interfaces over both MHOs (which is recommended so that you have high availability on this bond interface in the event of an MHO going down) it has to be configured as a single bond on the neighbouring devices.

If you create two separate bonds to your neighbour devices, they are just two separate interfaces onto the security group. They would need to be in separate IP address spaces and you'll need some sort of dynamic routing running to achieve proper HA.

If your uplink neighbour devices cannot act as one virtual switch, you can use Active/Standby bonds at the security group. In that case you only need to have regular interfaces configured on the neighbour devices in the same VLANs. The security group will use the primary interface when it's up (make sure you configure this) by default.

Re: L3 Uplink non vendor device status

anikaralam — Thu, 18 Apr 2024 10:01:51 GMT

Thanks emmap. Will you able to share the URL where the checkpoint recommendation is to configure L3 switches as one virtual switch?

Re: L3 Uplink non vendor device status

emmap — Fri, 19 Apr 2024 07:30:36 GMT

It's not that there's an explicit recommendation to do that, it's just understanding that if you're creating a load sharing bond with interfaces on two MHOs, it's a single bond. If those two MHOs are connected to two different switches, those switches logically have to be acting as a single switch to present back to the MHOs a single load sharing bond. It's an architectural understanding more than it is a Check Point recommendation.