This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor
Advisor
Monday
Jump to solution

Check Point integration with Cisco ACI Multi-Pod (Maestro and Active-Active support)

Hello Community,

I have a few questions regarding the Check Point integration with Cisco ACI, especially in Multi-Pod deployments and when using Maestro.

I’ve reviewed the following document:
Private Cloud Security for Cisco ACI Infrastructure – Release 2.0

https://community.checkpoint.com/t5/Cloud-Network-Security/Private-Cloud-Security-for-Cisco-ACI-Infr...

The whitepaper describes two firewall deployment options for Multi-Pod stretched networks:

  1. Active-Active Firewall with different IP / MAC addresses using LPBR
  2. Active-Active Firewall with the same IP/MAC addresses using Cisco Anycast

The document mentions that Maestro deployment for both scenarios was not GA at the time. Since the document dates from 2022, could someone please confirm if this is now GA and officially supported by Check Point?

Additionally, both deployment examples describe a setup with one MHO per pod, with a sync interface between them.
From a Maestro perspective, it means as a single site / dual orchestrator configuration?

Finally, both designs rely on Active-Active firewall operation. Considering that Check Point introduced new capabilities with ElasticXL since 2022, which Active-Active model would be recommended for Multi-Pod stretched environments — ClusterXL, ElasticXL, or Maestro?

Any guidance or or help would be highly appreciated.

Regards

0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Monday
Jump to solution

Active/Active dual site Maestro is available in R82 with special involvement from CP. It's considered GA but it's not available out of the box. It's similar to CXL Active/Active geo cluster, in that it's separate IPs per site, but I don't know how it applies to ACI installs. Probably best to contact your local sales office to involve our architecture team here for a full update on what we can do with ACI. 

View solution in original post

4 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Monday
Jump to solution

Active/Active dual site Maestro is available in R82 with special involvement from CP. It's considered GA but it's not available out of the box. It's similar to CXL Active/Active geo cluster, in that it's separate IPs per site, but I don't know how it applies to ACI installs. Probably best to contact your local sales office to involve our architecture team here for a full update on what we can do with ACI. 

RS_Daniel
Advisor
Advisor
Wednesday
In response to emmap
Jump to solution

Hello,

@emmap Do you know if there is any doc we can check about Active/Active dual site Maestro?

If someone else has recommendation for active/active deployment in ACI i'd appreciate it. Thanks in advance.

Regards

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Wednesday
In response to RS_Daniel
Jump to solution

I don't think we have public documentation about it at this stage.

0 Kudos
Dario_Perez
Employee Employee
Employee
Wednesday
Jump to solution

Is depending how fabric is routing/balancing traffic through sites, could be using SVI or IPN but is depending if have any other routing 3party if fabric is working on L3-out or if is using Service Graph. each scenario is different as per need. 

I recommended reach your local SE then if you have special need. SE can work together with Solution Center where they can build the lab/PoC as customer need and create the proper design. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events