Northy
Contributor

Maestro Uplink to network infrastructure

I am trying to find some documentation that will tell me how uplinks can be configured. This year we will be deploying Maestro, so we need to scope out our network infrastructure requirements.

Let's say I have the following scenario:

I have Dual MHO - Single Site with 2 security groups configured, both of which have 2 firewalls in.

These 2 Security groups have an inside and outside interface, made up in the following way:

Inside is an LACP bond interface which consists of 2 x 10Gb fibre SFP

Outside is a single 10Gb interface, 1 x fibre SFP

The question is: can I configure a sub-interface on the bond, let's say bond1.10, and have it so that both security groups have an interface in bond1.10?

They will have different IP addresses of course.

Or

If I want to have it so the security groups can have an interface in the same VLAN, do I need to create 2 separate bond interfaces to the same VLAN?

I have read the quick start guide and this goes through adding those VLANs to bond interfaces but describes a separate VLAN for each SG.


Accepted Solutions
Maarten_Sjouw
Champion
Each security group will need to be assigned its own uplink interfaces, so when you assign port 10 to SG1 (best practice) you should assign eth1-10 AND eth2-10 to this SG1. Once they are assigned, you connect to the SG1 management IP and you create a bond and add these 2 interfaces to it. Make sure that the portchannel you create on the switch sets the ports in trunk mode.
On SG2 you cannot use port 10; you will need to add other ports to it, i.e. port 12, and create a bond in SG2 with both ports eth1-12 and eth2-12.
Now you can add VLAN 10 to both portchannels and to both SG1 and SG2 on the bond interfaces.

You need to keep in mind that a Security Group is handled as a Gateway that cannot share uplink ports. The Management ports are the only ports that can be shared and even there you have to create the Bond interface in each SG separately.
Regards, Maarten
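
An added example, not part of the original post and not Check Point tooling: a small Python check for an uplink plan that applies the rules in the answer above (an uplink port belongs to one Security Group, each bond has a member on both MHOs with the same port number, a VLAN may appear in several groups). The plan layout and the function names are hypothetical, and the sample plan is constructed from the ports named in the answer.

```python
import re
from collections import defaultdict

# Constructed plan: Security Group -> bond -> member uplink ports and VLANs.
# Port names follow the thread's ethM-P form (M = MHO number, P = port number).
PLAN = {
    "SG1": {"bond1": {"ports": ["eth1-10", "eth2-10"], "vlans": [10]}},
    "SG2": {"bond1": {"ports": ["eth1-12", "eth2-12"], "vlans": [10]}},
}

PORT_RE = re.compile(r"^eth(\d+)-(\d+)$")

def check_plan(plan):
    """Return a list of problems found in an uplink plan (empty list = OK)."""
    problems = []
    owners = defaultdict(set)  # uplink port -> Security Groups that claim it
    for sg, bonds in plan.items():
        for bond, cfg in bonds.items():
            mhos, numbers = set(), set()
            for port in cfg["ports"]:
                m = PORT_RE.match(port)
                if not m:
                    problems.append(f"{sg}/{bond}: bad port name {port!r}")
                    continue
                owners[port].add(sg)
                mhos.add(m.group(1))
                numbers.add(m.group(2))
            # Dual-MHO bond: the answer assigns one member on each orchestrator.
            if len(mhos) < 2:
                problems.append(f"{sg}/{bond}: no member on a second MHO")
            # The answer's best practice: same port number on both MHOs.
            if len(numbers) > 1:
                problems.append(f"{sg}/{bond}: port numbers differ across MHOs")
    # Security Groups cannot share uplink ports.
    for port, sgs in sorted(owners.items()):
        if len(sgs) > 1:
            problems.append(f"{port}: assigned to {', '.join(sorted(sgs))}")
    return problems

def vlan_sharing(plan):
    """Map VLAN id -> Security Groups carrying it (sharing a VLAN is allowed)."""
    shared = defaultdict(set)
    for sg, bonds in plan.items():
        for cfg in bonds.values():
            for vlan in cfg["vlans"]:
                shared[vlan].add(sg)
    return {vlan: sorted(sgs) for vlan, sgs in shared.items()}
```

Calling `check_plan(PLAN)` on the sample returns an empty list, while a plan that puts eth1-10 in both groups is reported as a shared uplink port.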
