Maestro - Dual Side Question?

HeikoAnkenbrand · ‎2021-04-22

Check Point support L2 connectivity via switches for dual side integration, however, it must support Q-in-Q as well.
Latency requirement is <100ms and <5% loss.

Now my questions:

In all documentation I only found the following IP scheme. Can this be changed on the orchestrator side? The background to the question is that the customer uses 192.0.2.0/24 this network and would like to use other IP's.
I can change the "inter-side-sync" with the following command:
       > set maestro port 1/47/1 type site_sync
       > set maestro configuration orchestrator-site-vlan 1000
I would also define a trunk port on the cisco switch and add VLAN 1000 (red arrow in the picture).

       switch# configure terminal
       switch(config)# interface ethernet 3/1
       switch(config-if)# switchport trunk allow vlan 1000

Is that all or is there more to configure here on orchestrator and cisco side.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Kim_Moberg · ‎2021-04-22

Heiko, AFAIK the 192.0.2.0/24 representative SGM internal vlan without affecting you existing network. this is network between your MHO and SGM downlinks.

maybe other Maestro users know more about this

Best Regards
Kim

HeikoAnkenbrand · ‎2021-04-22

Hi @Kim_Moberg

thanks for the answer.

It is not a question about a down link but about an "inter-side-sync" link over a switch from datacenter 1 to datacenter 2.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Alex_Shpilman · ‎2021-04-23

Hi @HeikoAnkenbrand

I believe the Cisco config is missing the QinQ and LLDP tunnelling, should be something like below:

Interface EthX/Y

switchport access vlan xyz

switchport mode dot1q-tunnel

l2protocol tunnel all (or you can limit to the appropriate ones for you).

Not sure if the 192.0.2.0/24 addresses are changeable but not supposed to participate in any routing outside the MHO...