topic Re: Maestro dual site site sync in Hyperscale Firewall (Maestro)

Maestro dual site site sync

Northy — Mon, 13 Jul 2020 14:23:43 GMT

Hi all,

I am looking to understand what kind of configuration is required to interconnect 2 site sync interfaces in a dual site configuration.

I have followed the configuration guide found here on checkmates and altered configuration on port 1/47/1 at each site to be a site_sync, but the MHOs are saying they cannot reach one another.

My setup looks similar to below

------------ Site 1------------ | ------------ Site 2 ------------

MHO 1 <---> SW1 <-------Inter-site link------->SW2<--->MHO2

From each MHO to each local switch I have configured a dot1q (VLAN) tunnel

Does anyone have any suggestions to set up in this way?

Thanks for any assistance

Re: Maestro dual site site sync

Wolfgang — Mon, 13 Jul 2020 18:12:38 GMT

@Northy

Have look at How to configure Single Site Dual MHO Cluster, Dual Site Single MHO Cluster, or Dual Site Dual MHO Cluster

option B is your example.

Wolfgang

Re: Maestro dual site site sync

Northy — Mon, 13 Jul 2020 19:12:49 GMT

Thank you for the response @Wolfgang, I have reviewed the guide you mentioned and this only discusses the the maestro configuration and does not indicate what the configuration needs to be on the switch side.

The switch configuration is what I am looking to find out and understand.

I have had the appliances directly attached whne they were in the lab with no issues and now they are mounted in there final resting place they are not able to see each other.

So this leads me to believe that perhaps there is a requirement that maestro needs fulfilling to be able to connect via a switch. The link between sites is less than 100ms in latency and has 0 packet loss. So I know these are not the issue. I have also installed a relatively new jumbo hotfix so I know that I am on a version that supports the dual site configuration via a switch

Re: Maestro dual site site sync

Wolfgang — Mon, 13 Jul 2020 19:47:08 GMT

@Northy , do you have your VLANs on your switch interconnect configured?

You have to have the VLANs from site A too on the site B. Meaning you need a VLAN-trunk on the switches between your site's.

Wolfgang

Re: Maestro dual site site sync

Maarten_Sjouw — Mon, 13 Jul 2020 21:06:11 GMT

On the link between the 2 interfaces connecting to the MHOP you need to configure QinQ which kinda creates a tunnel between the 2 portsand all VLANs used will be forwarded to the othe side without the switches actually seeing them.

Re: Maestro dual site site sync

Northy — Mon, 13 Jul 2020 21:19:46 GMT

Correct, I have the interfaces that connect to each MHO configured as a dot1q tunnel so this will tunnel any traffic on that interface via the vlan 957 which is trunked through to both sites.

Are there any MTU requirements that people are aware of? Currently it is standard 1500 but I'm thinking ill need to support jumbo frames for this to work properly and to account for the additional headers from VLAN tags.

On the off chance it needs to perform some form of lldp discovery I also have the lldp packets tunneling inside of the dot1q tunnel but that doesn't seem to make a difference.

Re: Maestro dual site site sync

Maarten_Sjouw — Mon, 13 Jul 2020 21:23:17 GMT

Check the official guide from Check Point for that part, but as far I am aware you need Jumbo frames enabled on that link.

Re: Maestro dual site site sync

genisis__ — Mon, 07 Sep 2020 21:35:21 GMT

Are there any working examples for fully redundant configuration with three sites with each Maestro having dual sync links (If this is even possible).

It would be great if someone can post a training video of how to setup single and dual site configuration with fully redundant inter-site links.

Re: Maestro dual site site sync

Maarten_Sjouw — Tue, 08 Sep 2020 05:14:30 GMT

A 3 site setup is not supported and cannot be configured. As far as I've been told it is on the roadmap but nobody knows for which month of which year.

There are no video's available yet to my knowledge. You can use my Maestro basic setup manual for now.

Re: Maestro dual site site sync

vinceneil666 — Tue, 08 Sep 2020 07:23:45 GMT

Hi,

Yes, you will need to adjust MTU - QinQ adds a bit - I cant remember the exact number - but I think it is 1518 that is needed.