This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
katarina_
Participant
‎2025-04-16 12:30 AM
Jump to solution

Implementation Check Point VSX + Maestro s ACI (LACP, One-arm, PBR) – best practices?

Hello Community,

we’re preparing for a Check Point Maestro + ACI implementation and would appreciate any input or best practices.

Our environment and Architecture:

  • Platform: Check Point Maestro (2x 9700 SGMs + MHO-140)

  • Software: R81.20

  • Bonding mode: 802.3ad (LACP)

  • Each bond connects to ACI fabric (2x Leafs) – currently working with 25G SR links

  • One VS per ACI context (stage/prod)

  • L3 IPs assigned directly to bond interfaces

  • One-arm mode

  • Policy-Based Routing (PBR)

  • Interfaces connected to ACI (via LACP bundles)

 

  • Are there best practices for one-arm PBR design with Maestro + ACI?

  • What’s the recommended interface setup for L3 one-arm traffic into VSX (e.g., VLAN tagging, IP on bond, subinterfaces)?

  • Any special considerations with LACP bonding on Maestro?

 

Any insights or shared experiences would be super helpful – we already resolved one port-down issue by hardcoding 25G speed on CP side (vs 10G default), so we’d love to avoid surprises during full implementation.

Thank you!

Katarina

 

 

0 Kudos
2 Solutions

Accepted Solutions
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2025-04-22 11:25 AM
Jump to solution

Hello @katarina_ 

With ACI service graphing and PBR is the recommended setup. You are correctly using VSX with a VS per tenant in one-arm mode. That's the best practice. Using trunked bonds is more scalable solution in my opinion. It needs fewer physical interfaces, and you can add more VLANs into a trunk when necessary. Then you would assign a VLAN from the trunk to each VS. With one-arm mode you should keep anti-spoofing disabled from the interface.

The only limitation with LACP is that the bond members need to be connected to the same logical switch. In ACI you most likely have vPC enabled on leaf switches anyway, so you should be covered. My recommendation is to hard code the speed for the uplinks at the MHO.

View solution in original post

AaronCP
Advisor
‎2025-04-23 11:47 AM
Jump to solution

Hi @katarina_,

We've recently deployed Maestro & VSX with Cisco ACI using Symmetric PBR and have deployed it similar to how you've described. Here are a couple of things I've learned during the process:

  • You'll need to add a rule to permit Service Graph Health Group probes. You can configure the probe on the APIC to use ICMP, HTTPS, etc. If the rule doesn't exist, the Service Graph won't work.
  • If your magg0 interface is connected to the leaf switches, you'll need to disable the "IP dataplane learning" feature for the magg0 bridge domain subnet on the APIC to avoid management connectivity issues.
  • If you're planning to enable dynamic balancing, there's a known issue where the mq_mng process runs multiple times, causing high CPU. I believe this is resolved in T99 (I'll try and dig out the PRJ reference).
  • The 25G autonegotiation issue is an ACI-side issue. We found by hardcoding the leaf switch interface, bouncing the interface, then setting it back to autonegotiation and bouncing the interface again sorted it. That's far from ideal. We were concerned about what the potential impact would be if the leaf switch reloaded and multiple interfaces failed to negotiate correctly. A case was raised with Cisco TAC who confirmed it is a bug. We've now set the interfaces on the leaf switch to use the "Inherit" setting (Cisco's recommendation) and we've not had any issues since.
  • Not an ACI-specific issue, but definitely a Maestro & VSX one is the use of Generic Data Centre objects in policy. If you're planning on using them in your Virtual System firewall policies, you'll need to create a dummy drop rule on VS0 as a workaround in order for the feature to work (R&D are currently working on a fix for this).
  • Integrating the SMS/MDS with the Cisco APIC (using the Cloudguard Controller Cisco ACI object) is a great way of automating parts of your rulebase. It allows you to use the EPGs/ESGs as objects in the firewall policy, meaning if a new endpoint is added to an EPG on the fabric, it will automatically be included in any firewall rules associated with the EPG/ESG. This feature is not impacted by the Generic Data Centre issue mentioned above.

If I think of any more, I'll add them here.

Thanks,

Aaron.

View solution in original post

6 Replies
_Val_
Admin
Admin
‎2025-04-22 03:28 AM
Jump to solution

@Lari_Luoma@Anatoly can you advise?

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2025-04-22 11:25 AM
Jump to solution

Hello @katarina_ 

With ACI service graphing and PBR is the recommended setup. You are correctly using VSX with a VS per tenant in one-arm mode. That's the best practice. Using trunked bonds is more scalable solution in my opinion. It needs fewer physical interfaces, and you can add more VLANs into a trunk when necessary. Then you would assign a VLAN from the trunk to each VS. With one-arm mode you should keep anti-spoofing disabled from the interface.

The only limitation with LACP is that the bond members need to be connected to the same logical switch. In ACI you most likely have vPC enabled on leaf switches anyway, so you should be covered. My recommendation is to hard code the speed for the uplinks at the MHO.

katarina_
Participant
‎2025-04-28 01:55 AM
In response to Lari_Luoma
Jump to solution

Hi @Lari_Luoma,

Thank you  very much for your response, I have already hard-coded the speed, as I encountered this issue at the beginning.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2025-04-22 11:28 AM
Jump to solution

Let me also add that you might want to engage with Check Point Professional Services. PS has a long experience with the best practices setups including the ACI environments.

0 Kudos
AaronCP
Advisor
‎2025-04-23 11:47 AM
Jump to solution

Hi @katarina_,

We've recently deployed Maestro & VSX with Cisco ACI using Symmetric PBR and have deployed it similar to how you've described. Here are a couple of things I've learned during the process:

  • You'll need to add a rule to permit Service Graph Health Group probes. You can configure the probe on the APIC to use ICMP, HTTPS, etc. If the rule doesn't exist, the Service Graph won't work.
  • If your magg0 interface is connected to the leaf switches, you'll need to disable the "IP dataplane learning" feature for the magg0 bridge domain subnet on the APIC to avoid management connectivity issues.
  • If you're planning to enable dynamic balancing, there's a known issue where the mq_mng process runs multiple times, causing high CPU. I believe this is resolved in T99 (I'll try and dig out the PRJ reference).
  • The 25G autonegotiation issue is an ACI-side issue. We found by hardcoding the leaf switch interface, bouncing the interface, then setting it back to autonegotiation and bouncing the interface again sorted it. That's far from ideal. We were concerned about what the potential impact would be if the leaf switch reloaded and multiple interfaces failed to negotiate correctly. A case was raised with Cisco TAC who confirmed it is a bug. We've now set the interfaces on the leaf switch to use the "Inherit" setting (Cisco's recommendation) and we've not had any issues since.
  • Not an ACI-specific issue, but definitely a Maestro & VSX one is the use of Generic Data Centre objects in policy. If you're planning on using them in your Virtual System firewall policies, you'll need to create a dummy drop rule on VS0 as a workaround in order for the feature to work (R&D are currently working on a fix for this).
  • Integrating the SMS/MDS with the Cisco APIC (using the Cloudguard Controller Cisco ACI object) is a great way of automating parts of your rulebase. It allows you to use the EPGs/ESGs as objects in the firewall policy, meaning if a new endpoint is added to an EPG on the fabric, it will automatically be included in any firewall rules associated with the EPG/ESG. This feature is not impacted by the Generic Data Centre issue mentioned above.

If I think of any more, I'll add them here.

Thanks,

Aaron.

AaronCP
Advisor
‎2025-04-23 01:13 PM
In response to AaronCP
Jump to solution

To clarify, the dummy drop rule for VS0 should contain the objects pulled in from the Generic Data Centre object. This is so the objects get loaded on VS0 so that they can be used by the Virtual System(s).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events