topic Re: Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support) in Hyperscale Firewall (Maestro)

Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

RS_Daniel — Mon, 06 Oct 2025 15:28:29 GMT

Hello Community,

I have a few questions regarding the Check Point integration with Cisco ACI, especially in Multi-Pod deployments and when using Maestro.

I’ve reviewed the following document:
Private Cloud Security for Cisco ACI Infrastructure – Release 2.0

https://community.checkpoint.com/t5/Cloud-Network-Security/Private-Cloud-Security-for-Cisco-ACI-Infrastructure-Whitepaper-2/m-p/139065

The whitepaper describes two firewall deployment options for Multi-Pod stretched networks:

Active-Active Firewall with different IP / MAC addresses using LPBR
Active-Active Firewall with the same IP/MAC addresses using Cisco Anycast

The document mentions that Maestro deployment for both scenarios was not GA at the time. Since the document dates from 2022, could someone please confirm if this is now GA and officially supported by Check Point?

Additionally, both deployment examples describe a setup with one MHO per pod, with a sync interface between them.
From a Maestro perspective, it means as a single site / dual orchestrator configuration?

Finally, both designs rely on Active-Active firewall operation. Considering that Check Point introduced new capabilities with ElasticXL since 2022, which Active-Active model would be recommended for Multi-Pod stretched environments — ClusterXL, ElasticXL, or Maestro?

Any guidance or or help would be highly appreciated.

Regards

Re: Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

emmap — Tue, 07 Oct 2025 02:23:43 GMT

Active/Active dual site Maestro is available in R82 with special involvement from CP. It's considered GA but it's not available out of the box. It's similar to CXL Active/Active geo cluster, in that it's separate IPs per site, but I don't know how it applies to ACI installs. Probably best to contact your local sales office to involve our architecture team here for a full update on what we can do with ACI.

Re: Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

RS_Daniel — Wed, 08 Oct 2025 14:24:58 GMT

Hello,

@emmap Do you know if there is any doc we can check about Active/Active dual site Maestro?

If someone else has recommendation for active/active deployment in ACI i'd appreciate it. Thanks in advance.

Regards

Re: Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

emmap — Wed, 08 Oct 2025 23:30:35 GMT

I don't think we have public documentation about it at this stage.

Re: Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

Dario_Perez — Thu, 09 Oct 2025 03:00:48 GMT

Is depending how fabric is routing/balancing traffic through sites, could be using SVI or IPN but is depending if have any other routing 3party if fabric is working on L3-out or if is using Service Graph. each scenario is different as per need.

I recommended reach your local SE then if you have special need. SE can work together with Solution Center where they can build the lab/PoC as customer need and create the proper design.