L3 Uplink non vendor device status
Hi Team,
Consider that the Maestro uplink L3 devices are from another vendor. In a single-site dual deployment we have two rooms, 2 km apart. We have 2 Maestro and 4 security gateways. There are 2 security groups, and one uplink connects to L3 devices that are configured as VSX between the two rooms. The other uplink bond is planned to connect to different L3 devices where there is no VSX between those devices across the two rooms. Will this work? Or do I need to suggest connecting the uplink to the same L3 devices that are configured as VSX? Please share a Check Point link for further clarification.
Let me try to understand:
- Do you have 2 Maestros? Maestro is a solution with an orchestrator and security gateways; maybe you have 2 orchestrators and 4 security gateways on site one (no other side)?
- "Device uplink for another vendor": does it mean the SFP is other than Check Point, or do you mean the SFP is Check Point and connects to a switch from another vendor?
- When you say single site dual deployment, do you mean 2 MHOs per site?
- 2 Security Groups, one uplink connected? Are you sharing the same interface on both Security Groups, or is it one per SG?
- 2 SGs connected to a third-party device connected to L3 as VSX? Is this another Check Point gateway with Maestro VSX Dual Site?
A topology might help here
- Do you have 2 Maestros? Maestro is a solution with an orchestrator and security gateways; maybe you have 2 orchestrators and 4 security gateways on site one (no other side)? ==> We have 2 Maestro and four security gateways. In one room, one Maestro and 2 security gateways from two different security groups; in the other room, which is far from room 1, one Maestro and 2 security gateways.
- "Device uplink for another vendor": does it mean the SFP is other than Check Point, or do you mean the SFP is Check Point and connects to a switch from another vendor? ==> On the other vendor's side it is the vendor's SFP, and on the Check Point side it will be a Check Point SFP.
- When you say single site dual deployment, do you mean 2 MHOs per site? ==> Yes. 1 MHO in each room.
- 2 Security Groups, one uplink connected? Are you sharing the same interface on both Security Groups, or is it one per SG? ==> No shared uplink. MGMT (SMS) will be the same. Please refer to the diagram I attached in the other reply.
- 2 SGs connected to a third-party device connected to L3 as VSX? Is this another Check Point gateway with Maestro VSX Dual Site? ==> One security group will connect to the third-party devices connected as VSX. My understanding is that this works well. The problem is with the other security group, which is currently planned to connect to L3 devices that are not configured as VSX between the two rooms. I need to know the best practice from the third-party vendor side.
Please elaborate your scenario, then we can try to answer.
A diagram might help to understand the proposed topology.
High-level uplink topology
Attached: high-level uplink design.
OK, I think I understand now.
So, you have a single site with dual orchestrators, all 4 gateways in 2 Security Groups, 2 km apart? Do you have latency of less than 100 ms? Otherwise you should change to Multi-room.
The VSX is, I think, Aruba technology to segregate VLANs.
I see the topology for the MHOs, but what about the Security Groups?
Is the HLD for the current setup or the proposal?
I'm looking for a document on configuration best practices for third-party L3 devices when connecting Maestro uplinks. That's the reason I did not include the downlinks and related security groups. The HLD is the proposed one. I would like to know what the drawback is if the third-party L3 vendor is not configured as VSX/LAG, and why it is recommended to configure the L3 switches as one virtual switch (VSX/LAG) even when they are a couple of kilometers apart.
On Maestro, the uplink bonds are configured and managed at the security group level, not on the MHOs. This means that when you create a bond using interfaces over both MHOs (which is recommended so that you have high availability on this bond interface in the event of an MHO going down), it has to be configured as a single bond on the neighbouring devices.
If you create two separate bonds to your neighbour devices, they are just two separate interfaces onto the security group. They would need to be in separate IP address spaces and you'll need some sort of dynamic routing running to achieve proper HA.
If your uplink neighbour devices cannot act as one virtual switch, you can use Active/Standby bonds at the security group. In that case you only need to have regular interfaces configured on the neighbour devices in the same VLANs. The security group will use the primary interface when it's up (make sure you configure this) by default.
Thanks emmap. Will you be able to share the URL where the Check Point recommendation is to configure the L3 switches as one virtual switch?
It's not that there's an explicit recommendation to do that, it's just understanding that if you're creating a load sharing bond with interfaces on two MHOs, it's a single bond. If those two MHOs are connected to two different switches, those switches logically have to be acting as a single switch to present back to the MHOs a single load sharing bond. It's an architectural understanding more than it is a Check Point recommendation.
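As an added illustration of the two bond designs described in the replies above (this is not configuration from the original thread, nor from Check Point documentation), here is how each would look in Gaia clish on the Maestro Security Group. The interface names (eth1-05/eth2-05 and eth1-06/eth2-06 for ports reached through MHO1 and MHO2 respectively), the bond IDs, the VLAN IDs and the IP addresses are assumptions made for the example; the neighbour-side LAG/VSX configuration is vendor-specific and is only described in comments.

```clish
# Option A: load-sharing (802.3ad/LACP) bond with one member on each MHO.
# Only valid when the two neighbour switches act as ONE logical switch
# (e.g. Aruba VSX / a multi-chassis LAG) and present a single LAG back to
# both MHOs. Two independent switches cannot terminate this bond.
# Assumed names: eth1-05 = port on MHO1, eth2-05 = port on MHO2.
add bonding group 10
set bonding group 10 mode 8023AD
set bonding group 10 lacp-rate slow
set bonding group 10 xmit-hash-policy layer3+4
add bonding group 10 interface eth1-05
add bonding group 10 interface eth2-05
# Assumed VLAN 100 / 10.100.0.1 for the uplink subnet.
add interface bond10 vlan 100
set interface bond10.100 ipv4-address 10.100.0.1 mask-length 24
set interface bond10 state on
set interface bond10.100 state on

# Option B: Active/Backup bond with one member on each MHO.
# Use this when the neighbour switches are independent (no VSX/MLAG).
# Each switch only needs a plain port carrying the same VLANs; no LAG.
# Only one member transmits at a time, so the neighbours never have to
# behave as a single switch and no split LAG can form.
# Assumed names: eth1-06 = port on MHO1, eth2-06 = port on MHO2.
add bonding group 20
set bonding group 20 mode active-backup
add bonding group 20 interface eth1-06
add bonding group 20 interface eth2-06
# Pin the preferred member explicitly, as the reply above advises.
set bonding group 20 primary eth1-06
# Assumed VLAN 200 / 10.200.0.1 for this uplink subnet.
add interface bond20 vlan 200
set interface bond20.200 ipv4-address 10.200.0.1 mask-length 24
set interface bond20 state on
set interface bond20.200 state on

save config

# Verification: mode, members and (for Option B) which member is active.
# For Option A also confirm on the neighbour that both links are in the
# same LAG and the LACP partner state is "bundled" for each member.
show bonding group 10
show bonding group 20
```

The third design mentioned above, two separate bonds each terminated on a different switch, is not shown: it needs two separate subnets plus dynamic routing on the Security Group to fail over, which is a routing design rather than a bond setting.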
As the guys said, if you share network diagram, would certainly help.
Andy
The UPLINK design network diagram was already shared earlier.
