nabil_l
Contributor

Traffic Flow

Dear Experts,

I have one question that I have not been able to resolve yet.

There are two servers: SERVER-A (192.168.10.100), whose gateway is an SGM with IP address 192.168.10.1, and SERVER-B (192.168.20.100), whose gateway IP is 192.168.20.1. SERVER-A and SERVER-B are both connected to CORE-SWITCH-1 and CORE-SWITCH-2; the core switches are stacked and a LAG is configured between the core switches and each server. From the same core switches, MHO-1 uplink port 5 is connected to CORE-SWITCH-1 and MHO-2 uplink port 5 is connected to CORE-SWITCH-2, with LACP configured. There are two SGMs: SGM-1 port 1 is connected to MHO-1 (port 27) and port 2 is connected to MHO-2 (port 27); SGM-2 port 1 is connected to MHO-1 (port 28) and port 2 is connected to MHO-2 (port 28). That is the connection part. Now my question:

SERVER-A needs to connect to SERVER-B. A packet is generated by SERVER-A and reaches the core switch. The core switch applies LACP load balancing and the packet reaches the MHO-1 uplink; MHO-1 performs distribution and sends the packet to SGM-1. SGM-1 processes the packet, and now my question is: SGM-1 has two downlinks, connected to MHO-1 and MHO-2. Over which link does the SGM forward the processed traffic so that it reaches SERVER-B?

Please provide the answer together with the exact reason why the traffic flows over that specific downlink.

 

Thank you

2 Replies
Gennady
Collaborator

Good day!

I understood the sentence "SGM-1 port 1 is connected to MHO-1(Port-27) and Port-2 is connected to MHO-2(Port-27)" as meaning that MHO-1 port 27 and MHO-2 port 27 are part of the same Bond interface from the SGM's perspective. If that is correct, then the reply packet will be sent to Server B according to the Bond interface xmit-hash-policy (set to Layer2 in the example below):

set bonding group 1 mode 8023AD
set bonding group 1 lacp-rate slow
set bonding group 1 min-links 0
set bonding group 1 mii-interval 100
set bonding group 1 down-delay 200
set bonding group 1 up-delay 200
set bonding group 1 xmit-hash-policy layer2

- The MHO distribution matrix regulates which SGM receives a packet.

- The Bond interface xmit-hash-policy regulates which uplink port an SGM uses to send a packet.

Lari_Luoma
MVP Platinum CHKP

Hi,

I think the key point is that the Security Group behaves as one logical firewall, not as individual gateways tied to a specific orchestrator.

In your example:

  1. SERVER-A sends traffic toward its default gateway.
  2. The packet reaches one of the uplinks on the Maestro system (for example MHO-1).
  3. MHO-1 performs the distribution calculation and forwards the packet to SGM-1 for inspection.
  4. SGM-1 processes the packet and returns it to the Maestro fabric.
  5. The packet is then forwarded toward SERVER-B.

The important thing is that the SGM is not deciding whether to use MHO-1 or MHO-2. The Security Group sees the network as a single logical system.

The actual egress path depends primarily on the uplink and bond configuration. If the uplinks are part of an LACP bond, the connected switches will apply their hashing algorithm and determine which physical link carries the traffic. As a result, traffic may leave through either orchestrator depending on how the bond is built and how the switch calculates the outbound path.

In other words, it is not:

Packet entered MHO-1 → therefore packet must leave through MHO-1.

Instead, it is:

Packet enters through an orchestrator, is distributed to the appropriate SGM for inspection, and after processing is forwarded toward the destination network. The actual physical egress link is determined by the uplink design, bonding configuration, and switching infrastructure.

A useful way to think about Maestro is that the orchestrators form a forwarding fabric in front of a single logical firewall. Your focus should be on how traffic is distributed to the correct SGM and how the uplink bonds are designed, rather than which specific orchestrator received the original packet.

If your goal is to predict the exact egress interface, then the answer is: look at the LACP/bond hashing algorithm and switch configuration, because that ultimately determines which physical uplink carries the packet toward SERVER-B.

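Both replies point at the bond's xmit-hash-policy as the thing that picks the SGM's egress member, so here is an added worked example (my own illustration, not code from either reply or from Check Point) that models how the Linux bonding driver's xmit_hash_policy chooses a member. The formulas are the ones given in the kernel's bonding documentation: layer2 is src MAC[5] XOR dst MAC[5] XOR EtherType, modulo member count; layer2+3 folds the source and destination IPs into that; layer3+4 seeds the hash from the ports instead of the MACs. It is applied to the frame the SGM sends toward SERVER-B: because the SGM is SERVER-B's gateway, that frame always carries the SGM's bond MAC as source and SERVER-B's MAC as destination. The MAC addresses, port numbers and the 2-member bond are assumptions for illustration; which member index corresponds to the MHO-1 or MHO-2 link depends on the order of the members in the bond, which you can read from /proc/net/bonding/<bond> on the SGM along with the active policy.

```python
"""Model of Linux bonding xmit_hash_policy member selection (added example).

Formulas follow the kernel's Documentation/networking/bonding.rst; this is an
illustration, not Check Point's code. Real kernels pack the two ports into the
32-bit seed in host byte order, which changes the constant but not which
frames end up sharing a member.
"""
import ipaddress

ETH_P_IP = 0x0800

# Constructed addresses for the thread's topology (assumptions, not from the post).
SGM_BOND_MAC = "00:1c:7f:aa:bb:01"   # source MAC of every frame the Security Group sends
SERVER_B_MAC = "52:54:00:00:20:64"   # next hop is SERVER-B itself: the SGM is its gateway
SERVER_C_MAC = "52:54:00:00:20:65"   # another host on 192.168.20.0/24, for comparison
SERVER_A_IP, SERVER_B_IP = "192.168.10.100", "192.168.20.100"


def _mac_last_byte(mac: str) -> int:
    return int(mac.split(":")[5], 16)


def _ip_u32(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def bond_hash(policy, src_mac, dst_mac, src_ip=None, dst_ip=None,
              src_port=None, dst_port=None, eth_proto=ETH_P_IP) -> int:
    """Return the 32-bit transmit hash of one frame under the given policy."""
    l2 = _mac_last_byte(src_mac) ^ _mac_last_byte(dst_mac) ^ eth_proto
    if policy == "layer2":
        return l2                        # MACs and EtherType only
    if policy == "layer2+3":
        h = l2                           # MAC hash seeds it, IPs are folded in below
    elif policy == "layer3+4":
        h = (src_port << 16) | dst_port  # ports seed it, MACs are ignored entirely
    else:
        raise ValueError(f"unknown xmit_hash_policy {policy!r}")
    h ^= _ip_u32(src_ip) ^ _ip_u32(dst_ip)
    h ^= h >> 16
    h ^= h >> 8
    if policy == "layer3+4":
        h >>= 1                          # discard lowest bit (common even-port pattern)
    return h & 0xFFFFFFFF


def select_member(policy, member_count, **frame) -> int:
    """Index (0..member_count-1) of the bond member that carries the frame."""
    return bond_hash(policy, **frame) % member_count


def members_used(policy, flows, member_count=2):
    """Set of member indexes touched by (src_port, dst_port) flows from
    SERVER-A to SERVER-B, as the SGM transmits them toward SERVER-B."""
    return {
        select_member(policy, member_count,
                      src_mac=SGM_BOND_MAC, dst_mac=SERVER_B_MAC,
                      src_ip=SERVER_A_IP, dst_ip=SERVER_B_IP,
                      src_port=sp, dst_port=dp)
        for sp, dp in flows
    }


if __name__ == "__main__":
    flows = [(p, 443) for p in range(40000, 40010)]
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print(f"{policy:9s} members used for A->B flows: {sorted(members_used(policy, flows))}")
    # A different destination host changes the MAC hash and may land on the other member.
    print("layer2 member for frames to SERVER-C:",
          select_member("layer2", 2, src_mac=SGM_BOND_MAC, dst_mac=SERVER_C_MAC))
```

With the layer2 policy from Gennady's configuration, every frame the SGM sends to SERVER-B hashes identically (the source and destination MACs never change), so all SERVER-A to SERVER-B traffic leaves over the same member and therefore the same MHO, whatever port or even source IP it carries; only a different destination MAC on the 192.168.20.0/24 segment can select the other member. The layer3+4 policy spreads individual flows across both members, which is what Lari's point about the bond hashing deciding the physical egress looks like in practice.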