topic Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection in Hyperscale Firewall (Maestro)

CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Network_SNP — Fri, 05 Dec 2025 01:46:22 GMT

Hi Community,

We are deploying two Maestro systems, R81.20, bundled and connected via VPC to nexus switches. On the MHO cluster, we configured 1 bond with 4 ports. However, on the Cisco Nexus 9000 devices, we declared them as 2 POs running VPC.

We monitored and recorded the Mac move log status appearing continuously on the Cisco Nexus 9000 devices, causing the CPU load of the device to be high. %L2FM-4-L2FM_MAC_MOVE2: MAC 001c.7f82.060a in VLAN 34 has moved from Po30 to Po29.

We have a few questions as follows:
- Is the connection model between the MHO pair and the Cisco Nexus 9000 pair (on MHO use 1 Bond and on Cisco Nexus use 2 POs running VPC) a standard model or not?
- We are considering that on the Cisco Nexus pair, the ports will be grouped into 1 PO, then the connection between the MHO pair and Cisco Nexus.

Please help me recommend Steps move from Po30 to Po29 on Cisco Nexus. There is no effect and no downtime for the system.

CheckPoint Maestro to Cisco nexus 9K vPC

Network_SNP — Fri, 05 Dec 2025 01:38:27 GMT

Hi Community,

Please help me recommend Steps move from Po30 to Po29 on Cisco Nexus. There is no effect and no downtime for the system.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

emmap — Fri, 05 Dec 2025 01:50:06 GMT

All four ports needs to be in one bond/PO on both ends. It's all one LACP setup.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Network_SNP — Fri, 05 Dec 2025 01:56:08 GMT

Hi @emmap

Please help me advise steps to bundle all interfaces in one bond/PO from Po30 to Po29 to no downtime.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

emmap — Fri, 05 Dec 2025 02:10:31 GMT

I can't provide any guarantees about downtime but the simplest method to mind would be to take the interfaces out of Po30 and put them in Po29. This isn't a Cisco forum though and I'm not a Cisco user or expert.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Network_SNP — Fri, 05 Dec 2025 06:55:37 GMT

Thanks @emmap

My idea to change configuration:

1> Move MHO-02 to down with the command: cpstop

2> Disable port5 and Port 6 on MHO-02 --> MHO-01 cover traffic

3> Change config on Cisco Nexus from po30 to po29 for 4 interface uplink to MHO.

4> cpstart MHO-02

5> Enable Port5 and Port6 on MHO-02

Please help me recheck Steps to ensure no downtime.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Network_SNP — Fri, 05 Dec 2025 06:58:38 GMT

My plan is to isolate the MHO 02 device (which in the diagram is currently connected to PO30 on the Nexus). After that, we will remove the configuration interfaces member of Po30 and add those interfaces as members of Po29 on the Cisco Nexus switch.
Next, we will reconnect the MHO 02 device back into the system.

Can you help me with the following two issues?
-------------------------------------------------------
1. Is our approach feasible to avoid system downtime?
Summary of steps: [1] – Isolate MHO 02 → [2] – Configure the Cisco switch → [3] – Reconnect MHO 02.
2. If this approach is applicable, please provide us with the instructions on how to isolate the MHO and then reconnect the MHO afterward.
3. Do you have any other recommendations for this task?

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

emmap — Fri, 05 Dec 2025 07:46:20 GMT

Bonding and uplink interface usage is managed at the security groups, there's no requirement or option to isolate the MHOs. Simply shut the ports at the switch side, make the necessary changes, then unshut them.

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Pauli — Fri, 05 Dec 2025 09:00:20 GMT

Hi,

Yes, that should work.

Important:

Please disable the ports on the switch side, not on the MHO.

Procedure:

- Shut down the switch ports on vpc30

- Add the ports to vpc29

- Then, re-enable the ports on the switch one by one.

Important:

Be sure to perform this action in the Change Window and ensure that the switch can still be configured even the procedure fails (Consoleconnection to the switch...)

Re: CheckPoint Maestro R81.20 and Nexus N9K -vPC connection

Wolfgang — Fri, 05 Dec 2025 09:34:17 GMT

@Pauli described the correct way. The bond on the security group is ok with your 4 interface. You have to change your Nexus portchannel to one portchannel with all 4 interfaces from both Nexus.

Re: CheckPoint Maestro to Cisco nexus 9K vPC

Chris_Atkinson — Sun, 28 Dec 2025 09:52:40 GMT

If you have separate vPC on the switch side you will need separate bonds on the Check Point side.

The detailed steps to otherwise move as you described would be better asked of a network engineer familiar with Nexus.