This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
teckwahlee
Explorer
‎2024-02-21 09:24 AM

Is that Check Point Maestro Deployment Bonding Group Support with Connecting to Cascading Switches?

Hi all,

 

Currently we are to deploying the Check Point Maestro with single site dual MHO. We know that Maestro is running on Active-Active mode, however the internal and external switch connected is actually a cascading switch which is not support creating any port channel or LACP like stacking switch. Meanwhile, in the design due to insufficient port, we must bond the interface from each security group to provide redundancy within MHO1 & MHO2, but we unable to configure Bond operating mode 802.3ad LACP (load sharing) with both link is Active-Active, it will have issue with cascading switch as it is not like stacking switch.

 

Please refer to the diagram of the topology, MHO1 & MHO2 connecting straight link to switch 1 & switch 2 separately without cross.

Diagram1.png

 

This is the first time we meet maestro with Cascade Switches, so we are not sure whether it is supported? 

Is there any similar setup? and What is the best way to configure for this scenario?

Is there any concern Maestro with bonding group connecting to cascaded switch that need to be highlighted? 

 

 

The Maestro is running Active-Active, but the all the bonding group link is configured with Active-Backup which all active link will at MHO1 while backup link at MHO2 like normal clusterXL deployment. Its quite confusing. 

 

We have tried to configure the bonding group with operating mode 802.3ad but it is totally not workable at all when connected to cascaded switch, unable to ping.  Therefore, when we try to change the operating mode to Active-Backup and XOR is able to ping within upstream and downstream. 

 

Maestro Quantum Maestro 

 

Best Regards,

Keon

Maestro
Maestro
Quantum Maestro
Quantum Maestro
Quantum
0 Kudos
4 Replies
cassiomaciel
Contributor
Contributor
‎2024-02-22 03:57 AM

Hi, 

 

I think the best option in this deployment is configure 2 bonds as active - backup.

Each mho will have one port active on different switches, in this way you could use both as Active-active.

In both ends you need to configure duplicate routes to balance between the bonds, depend on routing protocol used,  maybe you need to enable ecmp in both ends.

But just a guess 🙂 

 

Cassio 

0 Kudos
teckwahlee
Explorer
‎2024-03-05 08:51 AM
In response to cassiomaciel

Hi cassiomaciel,

 

Yes, we would like to configure both link as Active-backup, e.g. all link from MHO1 is Active and connect to the Switch1 meanwhile all link from MHO2 is Backup will connect to Switch2. Which means the traffic coming from switch it will always go through MHO1 only, by right it wont have any traffic go through MHO2 as all the link from there is backup link just like normal clusterXL firewall even though it is Maestro with Active-Active. Theoretically/Logically it should running like this, am I right? Is there any other concern if there's VLAN trunk on the switch with this setup? 


Best Regards.

0 Kudos
emmap
Employee
Employee
‎2024-03-06 11:27 PM
In response to teckwahlee

This will work fine, the ports on the switches should be set up with no bonding configuration. It should work as either Access or Trunk ports, as long as all the right VLANs are on both switch ports.

0 Kudos
emmap
Employee
Employee
‎2024-02-22 04:31 AM

In order to do an LACP bond, the switches also have to be acting as a single switch (like VSS or VPC) and present a single LACP bond back to the MHOs. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events