topic Re: Sync single site through sw l2 in Hyperscale Firewall (Maestro)

Sync single site through sw l2

Oscar_David_Gom — Thu, 09 May 2024 18:09:01 GMT

Hi,

We have a dual maestro deployment in single site. Each maestro is separated from the other and we cannot connect them directly so we tried to connect Sync ports (48 port MHO140) using 10G sfp multimode passing through a L2 SW.

Basically is like this

Our problem is, they dont see each other:

[Expert@MHO-ML-1:0]# tcpdump -nni Sync-int
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync-int, link-type EN10MB (Ethernet), capture size 262144 bytes
12:36:03.789415 ARP, Request who-has 192.0.2.2 tell 192.0.2.1, length 28
12:36:04.791420 ARP, Request who-has 192.0.2.2 tell 192.0.2.1, length 28

arp is never answered and sw says they see mac fomr dl48, not the one from Sync-int port. Anyone knows if some configuration is missing or a clue on where to put the full troubleshooting power?

Thanks in advance.

Re: Sync single site through sw l2

Dario_Perez — Thu, 09 May 2024 21:00:17 GMT

if the orchestrators are connected through switches, is not single site deployment is dual site. you can enable or disable the Q-in-Q or connect directly using SFP+ and fiber between them without switches in the middle.

Re: Sync single site through sw l2

Oscar_David_Gom — Thu, 09 May 2024 22:30:17 GMT

Hi Dario,

So using port 48 in this is not supported? what im trying to understand is why i can reach 192.0.2.1 from 192.0.2.2 if both ports on both sw have the same vlan in access mode and the trunk between sw propagate that VLAN, is there any vlan tagged from packets going from .2 to .1? the obvious test was to put 2 PCS on same topology and they reach each other, but syncs cant reach each other, so it has to be some VLAN thing behind this.

Re: Sync single site through sw l2

Dario_Perez — Thu, 09 May 2024 23:09:52 GMT

port 48 is supported,

we use more than 1 VLAN for Sync, that's why leaving only 1 VLAN on switch is not enough to sync them.

Re: Sync single site through sw l2

emmap — Fri, 10 May 2024 06:16:31 GMT

This isn't a supported setup for a single-site deployment, and what's more is that you have to connect each SGM directly to both MHOs as well, so it's more than just the MHO sync issue.

If you don't have sufficient direct connectivity between your two racks you can look at a dual-site deployment, which would be active/standby failover between the stack in each rack.

Re: Sync single site through sw l2

Oscar_David_Gom — Fri, 10 May 2024 12:11:00 GMT

Hi emmap,

I wold like to understand why isn't supported. What would be the difference from having a directly connected fiber to having them connected through 2 L2 SW and encapsulation disabled, all sync VLANs being recognized and accepted by the trunk ports where the traffic crosses. From my PoV that's like having the cable connected directly, isn't it? Well, LLDP won't recognize the other orch, but if I have full connectivity between sync interfaces, won't work?

Thanks in advance for your answer.

Re: Sync single site through sw l2

emmap — Mon, 13 May 2024 02:05:40 GMT

It's not a scenario that we have tested or QA'd, hence it isn't supported. It may be that you can get it to work, but it won't be a setup that we can support if there are any issues that arise.