anikaralam
Participant

L3 Uplink non vendor device status

Hi Team,

Consider that the Maestro uplink L3 devices are from another vendor. In a single-site dual deployment we have two rooms, 2 km apart. We have 2 Maestro and 4 security gateways. There are 2 security groups and one uplink connecting to an L3 device which is configured as VSX between the two rooms. The other uplink bond is planned to connect to a different L3 device, where there is no VSX between these devices across the two rooms. Will this work? Or do I need to suggest connecting the uplink to the same L3 devices which are configured as VSX? Please share a Check Point link for further clarification.

0 Kudos
13 Replies
Dario_Perez
Employee

Let me try to understand:

  1. Do you have 2 Maestros? Maestro is a solution with orchestrator and security gateways; maybe you have 2 orchestrators and 4 Security Gateways on site one (no other side)?
  2. Device uplink for other vendor: does it mean the SFP is other than Check Point, or do you mean the SFP is Check Point and connects to a switch (other vendor)?
  3. When you say single site dual deployment, do you mean 2 MHO per site?
  4. 2 Security Groups, one uplink connected? Are you sharing the same interface on both Security Groups, or is it one per SG?
  5. 2 SGs connected to a 3rd-party device connected to L3 as VSX? Is this another Check Point gateway with Maestro VSX Dual Site?

A topology might help here.

0 Kudos
anikaralam
Participant

  1. Do you have 2 Maestros? Maestro is a solution with orchestrator and security gateways; maybe you have 2 orchestrators and 4 Security Gateways on site one (no other side)? ==> We have 2 Maestro and four security gateways. In one room, one Maestro and 2 security gateways from two different security groups, and in the other room, which is far from room 1, one Maestro and 2 security gateways.
  2. Device uplink for other vendor: does it mean the SFP is other than Check Point, or do you mean the SFP is Check Point and connects to a switch (other vendor)? ==> On the other vendor's side it's the vendor's SFP, and on the Check Point side it will be a Check Point SFP.
  3. When you say single site dual deployment, do you mean 2 MHO per site? ==> Yes. 1 MHO in each room.
  4. 2 Security Groups, one uplink connected? Are you sharing the same interface on both Security Groups, or is it one per SG? ==> No sharing of the uplink. MGMT (SMS) will be the same. Please refer to the diagram I attached in another reply.
  5. 2 SGs connected to a 3rd-party device connected to L3 as VSX? Is this another Check Point gateway with Maestro VSX Dual Site? ==> One security group will connect to a 3rd-party device configured as VSX. My understanding is that this works well. The problem is with the other security group, which is currently planned to connect to an L3 device that is not configured as VSX between the two different rooms. I need to know the best practice from the 3rd-party vendor side.
0 Kudos
Dario_Perez
Employee

Please elaborate your scenario, then we can try to answer.

0 Kudos
Chris_Atkinson
Employee

A diagram might help to understand the proposed topology.

CCSM R77/R80/ELITE
0 Kudos
anikaralam
Participant

High level Uplink topology (attached diagram)

0 Kudos
anikaralam
Participant

Attached: high level uplink design.

0 Kudos
Dario_Perez
Employee

OK, I think I understand now.

So you have a single site with dual orchestrators, all 4 gateways in 2 Security Groups, 2 km apart? Do you have latency of less than 100 ms? Otherwise you should change to Multi-room.

The VSX is, I think, Aruba technology to segregate VLANs.

I see the topology for the MHOs, but what about the Security Groups?

Is the HLD for the current setup or the proposal?

0 Kudos
anikaralam
Participant

I'm looking for a document on third-party L3 device configuration best practices when connecting Maestro uplinks. That's the reason I did not include the downlinks and related security groups. The HLD is the proposed one. I would like to know the drawback if the third-party L3 vendor devices are not configured as VSX/LAG, and why it is recommended to configure the L3 switches as one virtual switch (VSX/LAG) even when they are a couple of kilometres apart.

0 Kudos
emmap
Employee

On Maestro, the uplink bonds are configured and managed at the security group level, not the MHOs. This means that when you create a bond using interfaces over both MHOs (which is recommended so that you have high availability on this bond interface in the event of an MHO going down) it has to be configured as a single bond on the neighbouring devices.

If you create two separate bonds to your neighbour devices, they are just two separate interfaces on the security group. They would need to be in separate IP address spaces, and you'll need some sort of dynamic routing running to achieve proper HA.

If your uplink neighbour devices cannot act as one virtual switch, you can use Active/Standby bonds at the security group. In that case you only need regular interfaces configured on the neighbour devices in the same VLANs. By default the security group will use the primary interface whenever it is up (make sure you configure this).

anikaralam
Participant

Thanks emmap. Will you be able to share the URL where the Check Point recommendation to configure the L3 switches as one virtual switch is stated?

0 Kudos
emmap
Employee

It's not that there's an explicit recommendation to do that; it's just understanding that if you're creating a load-sharing bond with interfaces on two MHOs, it's a single bond. If those two MHOs are connected to two different switches, those switches logically have to be acting as a single switch in order to present a single load-sharing bond back to the MHOs. It's an architectural understanding more than it is a Check Point recommendation.
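
To make the two replies from emmap above concrete, here is an added Gaia clish example; it is not from this thread, the original poster, or Check Point documentation. It assumes a Security Group whose uplink ports on MHO1 and MHO2 appear as eth1-05/eth2-05 and eth1-06/eth2-06, an uplink VLAN 100, and addresses in 10.0.0.0/24 and 10.0.1.0/24; the interface names, VLAN and addresses are assumptions, and the exact command set should be checked against the Gaia Administration Guide for the release in use. bond1 is the load-sharing (LACP) case, which only works if the two neighbour switches act as one logical switch (MC-LAG, Aruba VSX or equivalent), because a single LACP bond expects a single partner. bond2 is the Active/Standby alternative, where each member lands on a plain port of an independent switch in the same VLAN and the primary member is pinned explicitly. Lines starting with `#` are explanatory and are not clish syntax; remove them before pasting.

```clish
# Option A: load-sharing LACP bond with one member on each MHO.
# Both members belong to ONE bond, so the two neighbour switches must
# present ONE LACP partner (MC-LAG / VSX). Two independent switches
# advertise different partner system IDs and the bond cannot aggregate
# across both of them.
add bonding group 1
add bonding group 1 interface eth1-05
add bonding group 1 interface eth2-05
set bonding group 1 mode 8023AD
set bonding group 1 lacp-rate slow
set bonding group 1 xmit-hash-policy layer3+4
set interface bond1 state on
add interface bond1 vlan 100
set interface bond1.100 ipv4-address 10.0.0.2 mask-length 24
set interface bond1.100 state on

# Option B: Active/Standby bond, neighbours are NOT one virtual switch.
# Each member terminates on an ordinary port of a different switch; both
# ports only need to carry the same VLAN. Only the primary member carries
# traffic, so there is no load sharing, but no MC-LAG/VSX is required.
# Setting the primary member explicitly is the step emmap asks you not
# to forget; the delays damp flapping on a 2 km link.
add bonding group 2
add bonding group 2 interface eth1-06
add bonding group 2 interface eth2-06
set bonding group 2 mode active-backup
set bonding group 2 primary eth1-06
set bonding group 2 down-delay 200
set bonding group 2 up-delay 200
set interface bond2 state on
add interface bond2 vlan 100
set interface bond2.100 ipv4-address 10.0.1.2 mask-length 24
set interface bond2.100 state on

save config
```

The third option emmap mentions, two independent bonds in separate subnets with dynamic routing providing the failover, is not shown; it needs a routing-protocol configuration on both the Security Group and the neighbour devices, and which protocol and timers are appropriate depends on the third-party vendor.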

the_rock
Legend

As the guys said, if you share a network diagram, it would certainly help.

Andy

0 Kudos
anikaralam
Participant

The UPLINK design network diagram was already shared earlier.

0 Kudos