Contributor

Maestro dual site site sync

Hi all, 

 

I am looking to understand what kind of configuration is required to interconnect 2 site sync interfaces in a dual site configuration.

I have followed the configuration guide found here on CheckMates and altered the configuration on port 1/47/1 at each site to be a site_sync, but the MHOs are saying they cannot reach one another.

 

My setup looks similar to the one below:

------------ Site 1------------   |    ------------ Site 2 ------------ 

MHO 1 <---> SW1 <-------Inter-site link------->SW2<--->MHO2

 

From each MHO to each local switch I have configured a dot1q (VLAN) tunnel.

 

Does anyone have any suggestions to set up in this way?

Thanks for any assistance

9 Replies
Leader

Contributor

Thank you for the response @Wolfgang. I have reviewed the guide you mentioned, and this only discusses the Maestro configuration and does not indicate what the configuration needs to be on the switch side.

 

The switch configuration is what I am looking to find out and understand. 

 

I have had the appliances directly attached when they were in the lab with no issues, and now that they are mounted in their final resting place they are not able to see each other.

 

So this leads me to believe that perhaps there is a requirement that Maestro needs fulfilling to be able to connect via a switch. The link between sites is less than 100ms in latency and has 0 packet loss, so I know these are not the issue. I have also installed a relatively new jumbo hotfix, so I know that I am on a version that supports the dual site configuration via a switch.

Leader

@Northy, do you have your VLANs on your switch interconnect configured?

You have to have the VLANs from site A on site B too, meaning you need a VLAN trunk on the switches between your sites.

Wolfgang

Champion

On the link between the 2 interfaces connecting to the MHO you need to configure QinQ, which kinda creates a tunnel between the 2 ports, and all VLANs used will be forwarded to the other side without the switches actually seeing them.
Regards, Maarten
Contributor

Correct, I have the interfaces that connect to each MHO configured as a dot1q tunnel, so this will tunnel any traffic on that interface via VLAN 957, which is trunked through to both sites.

Are there any MTU requirements that people are aware of? Currently it is standard 1500, but I'm thinking I'll need to support jumbo frames for this to work properly and to account for the additional headers from VLAN tags.

 

On the off chance it needs to perform some form of LLDP discovery, I also have the LLDP packets tunneling inside of the dot1q tunnel, but that doesn't seem to make a difference.

Champion

Check the official guide from Check Point for that part, but as far as I am aware you need jumbo frames enabled on that link.
Regards, Maarten
Collaborator

Hi,

Yes, you will need to adjust MTU - QinQ adds a bit - I can't remember the exact number - but I think it is 1518 that is needed.

Contributor

Are there any working examples for a fully redundant configuration with three sites, with each Maestro having dual sync links (if this is even possible)?

It would be great if someone could post a training video of how to set up single and dual site configuration with fully redundant inter-site links.

Champion

A 3 site setup is not supported and cannot be configured. As far as I've been told it is on the roadmap but nobody knows for which month of which year.

There are no videos available yet to my knowledge. You can use my Maestro basic setup manual for now.

Regards, Maarten