This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
PrasannaRout
Explorer
7 hours ago

Maestro Failover Test Scenario

Our single site environment is setup with 2x MHO-140 Orchestrator with 3x 6200 Scalable gateways running on R81.20 Take 89 in VSX mode.

we wanted to validate different failover test scenario . wanted to some input on specific below questions -

  1. Sync Cable Failover - what should be the expected behavior when we disconnect Sync Cable between MHO's. How & what should we validate .
  2. Downlink DAC Cable Failover – we have 2x 10G DAC each from gateway to both Orchestrator. we see gateway went to lost/detached state when one DAC cable removed. We still have other DAC cable connected to other orchestrator . Something is wrong here. need clarification.
  3. SMO Mgmt. Cable Failover - we have 2 Mgmt. connections going to the same switch and configured as XOR. we see multiple MAC address for Mgmt1/2/Magg. – Few clarifications required.

Below is the mac address we learn from switch side for our SMO Mgmt connection (Eth1-Mgmt1 & Eth2-Mgmt1) .

What is 0000.0000.9201  & 3c41.71df.2d3f ? and why one switch port is showing all mac which is matching firewall side?

 

Switch

Firewall

switch#sh mac address-table interface te1/0/11

          Mac Address Table

-------------------------------------------

 

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

964    0000.0000.9201    DYNAMIC     Te1/0/11

964    3c41.71df.2d3f    DYNAMIC     Te1/0/11

Total Mac Addresses for this criterion: 2

switch#sh mac address-table interface te2/0/11

          Mac Address Table

-------------------------------------------

 

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

964    001c.7fa2.ee04    DYNAMIC     Te2/0/11

964    001c.7fa2.f184    DYNAMIC     Te2/0/11

964    001c.7fa2.f99c    DYNAMIC     Te2/0/11

Total Mac Addresses for this criterion: 3

Global] smo-ch01-01:0> show interface eth1-Mgmt1 mac-addr

1_01:mac-addr 00:1c:7f:a2:f1:84

1_02:mac-addr 00:1c:7f:a2:f9:9c

1_03:mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0> show interface eth2-Mgmt1 mac-addr

1_01: mac-addr 00:1c:7f:a2:f1:84

1_02: mac-addr 00:1c:7f:a2:f9:9c

1_03: mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0> show interface magg10 mac-addr

1_01:mac-addr 00:1c:7f:a2:f1:84

1_02:mac-addr 00:1c:7f:a2:f9:9c

1_03:mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0>

0 Kudos
1 Reply
emmap
Employee
Employee
11m ago

For your failover tests:

1: No impact to the security group is expected, but you won't be able to make any configuration changes on the MHOs. 

2: The behaviour you observed is expected, assuming 1 DAC to each MHO. If an SGM loses connection to an MHO but everything else is still up, that SGM will go down. It should be down though rather than lost, assuming you had reconnected the MHO sync cable before testing this. 

3: Each SGM has its own MAC on the magg interface, so that part is expected. The other two MACs I don't know off the top of my head, but if you do some packet captures with MACs recorded you might be able to find what they are for/from.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events