topic Re: Single site dual MHO-140 and 3 6700 in Hyperscale Firewall (Maestro)

Single site dual MHO-140 and 3 6700

Blason_R — Wed, 11 Aug 2021 03:59:50 GMT

Hi team,

I have a scenario where I have 2 MHO140 and 3 6700s. I need to configure single site dual Orchs

Hence I have certain queries about the same. MHOs I have upgraded to R81.10 SP and 6700 with R81SP with latest HFA

The routes will be configured on MHO? [Default and Network routes]
Since I need to terminate fibre on two MHO, I need to configure Bond on MHO, right?
Both MHO should have management IP?
Since there are two MHO; which one I need access from mgmt IP to configure SGM?
Do I always need to connect to primary MHO and perform the administrative tasks, like adding routes, defining bonds, etc..

TIA

Blason R

Re: Single site dual MHO-140 and 3 6700

Danny — Wed, 11 Aug 2021 06:02:05 GMT

I have just configured the same.

Routes for the MHOs are configured directly on them, probably just the default Route. Routes for the Security Group (SG) are configured on the first appliance within the SG and are then cloned to the other appliances when these are added to the SG in the last step.
Interface bonds have to be configured within the SG using gClish. On the MHO you just drag the interfaces to the SG that it will work with.
Yes, both MHOs have a Management IP.
Doesn‘t matter. As long as you have a Sync cable between both MHOs and the Operator Status of the Sync port is up and is showing RX packets you are good.
No, this is done on the SG. Just connect to the SG‘s management IP and configure it there.

Re: Single site dual MHO-140 and 3 6700

Blason_R — Wed, 11 Aug 2021 05:47:03 GMT

Thanks for the info - So

My MHO1 is 10.10.10.10 and MHO2 is 10.10.10.20 with DG 10.10.10.1

While my external interface is 30.30.30.30/28

Internal LAN is 192.168.40.2/24

In this case to access the MHO Management IP; I just need to add route on MHO with default gateway pointed to 10.10.10.1

And since my external and internal interfaces are terminated on MHO [with bond]; my internet default gateway will be on SG using gclish?

Re: Single site dual MHO-140 and 3 6700

vinceneil666 — Wed, 11 Aug 2021 05:54:18 GMT

Hi,

The default gateway for your production traffic and internal is defined on the SGM, using gclish as you say.

Re: Single site dual MHO-140 and 3 6700

Blason_R — Mon, 16 Aug 2021 03:23:21 GMT

So my Mgmt port from MHO to connect SMO can be on different subnet? Wondering if not then who would route the traffic to SGM? Like

Lets say my Management server IP is 192.168.14.10 and SGM is 172.16.10.10? Will that work?

Re: Single site dual MHO-140 and 3 6700

vinceneil666 — Mon, 16 Aug 2021 05:43:27 GMT

Hi, I know from experience that it will work - but you should really get the mgmt interface of the SMO directly connected to the same subnet as the Management and log server etc...

There will/can be issues related to NAT, and also - if your management network in addition to contain management server, also has some esx hosts, a server or two...whatever else - that traffic will get issues.

In my last setup, the customer had a subnet where the management server was on a subnet that containd lots of "other stuff" to - due to design and historical configs, I ended ut adding an additional interface on the management server, and had my SMO connect to that, just to get it directly connected.

Re: Single site dual MHO-140 and 3 6700

Blason_R — Mon, 16 Aug 2021 11:03:50 GMT

Thanks man for the valuable input.