HeikoAnkenbrand
Champion

Maestro - Dual Side Question?

Check Point supports L2 connectivity via switches for dual side integration, however, it must support Q-in-Q as well.
Latency requirement is <100ms and <5% loss.

Maestro_1.png

Now my questions:

  • In all documentation I only found the following IP scheme. Can this be changed on the orchestrator side? The background to the question is that the customer uses this network, 192.0.2.0/24, and would like to use other IPs.

  • I can change the "inter-side-sync" with the following command:
           > set maestro port 1/47/1 type site_sync
           > set maestro configuration orchestrator-site-vlan 1000
    I would also define a trunk port on the Cisco switch and add VLAN 1000 (red arrow in the picture).
           switch# configure terminal
           switch(config)# interface ethernet 3/1
           switch(config-if)# switchport trunk allow vlan 1000

    Is that all, or is there more to configure here on the orchestrator and Cisco side?
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
3 Replies
Kim_Moberg
Advisor

Heiko, AFAIK the 192.0.2.0/24 represents the SGM internal VLAN without affecting your existing network. This is the network between your MHO and SGM downlinks.

D8EBA5E4-9304-4895-81E4-B76159E3BDB6.jpeg

Maybe other Maestro users know more about this.

 

Best Regards
Kim
HeikoAnkenbrand
Champion

Hi @Kim_Moberg 

Thanks for the answer.

It is not a question about a downlink but about an "inter-side-sync" link over a switch from datacenter 1 to datacenter 2.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alex_Shpilman
Collaborator

Hi @HeikoAnkenbrand 

I believe the Cisco config is missing the QinQ and LLDP tunnelling, should be something like below:

           Interface EthX/Y
           switchport access vlan xyz
           switchport mode dot1q-tunnel
           l2protocol tunnel all (or you can limit to the appropriate ones for you).

Not sure if the 192.0.2.0/24 addresses are changeable, but they are not supposed to participate in any routing outside the MHO...
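
A small lint for the switch side, added here as an example that is not part of the thread and not Check Point or Cisco tooling: it checks that the port carrying the site-sync link has the three settings listed in the reply above, and shows what the trunk-only port from the question is missing. The sample configs, the dump-style stanza layout, and the outer VLAN 2000 are constructed assumptions.

```python
import re

# Settings the reply above lists for the switch port carrying the site-sync link.
REQUIRED = {
    "access_vlan": re.compile(r"^switchport access vlan \S+$", re.I),
    "dot1q_tunnel": re.compile(r"^switchport mode dot1q-tunnel$", re.I),
    "l2protocol_tunnel": re.compile(r"^l2protocol tunnel\b", re.I),
}

# Constructed samples: the trunk-only port from the question, and a port
# following the reply (outer VLAN 2000 is an assumed placeholder value).
TRUNK_ONLY = """\
interface ethernet 3/1
  switchport mode trunk
  switchport trunk allowed vlan 1000
"""
TUNNEL = """\
interface Ethernet3/1
  switchport access vlan 2000
  switchport mode dot1q-tunnel
  l2protocol tunnel all
"""

def _norm(name):
    return name.lower().replace(" ", "")

def parse_interfaces(config):
    """Split a config dump into {normalized interface name: [sub-commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S.*)$", line, re.I)
        if m and not raw[:1].isspace():
            current = _norm(m.group(1))
            stanzas[current] = []
        elif raw[:1].isspace() and current is not None:
            stanzas[current].append(line)
        else:
            current = None  # back at global config level
    return stanzas

def missing_tunnel_settings(config, interface):
    """Return the required settings absent from the given interface stanza."""
    cmds = parse_interfaces(config).get(_norm(interface))
    if cmds is None:
        raise KeyError(f"interface {interface!r} not found")
    return [k for k, rx in REQUIRED.items() if not any(rx.match(c) for c in cmds)]
```

Calling `missing_tunnel_settings(TRUNK_ONLY, "Ethernet3/1")` lists all three settings as absent, while the `TUNNEL` sample returns an empty list.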