Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Alex-
Leader Leader
Leader

Maestro - Mix & Match and Interface types

We would like to clarify a question we didn't find in the known limitations pertaining to Maestro.

It is our understanding that if we mix-and-match appliances in a security group (sk162373), the speed of the downlink of each SGM has to be the same.

What then if we mix a MHS with a non-MHS in a security group, like a new 16600 with an existing 16200 Plus, could we set the speed of the DAC of the 16600 to 40G and use the existing 40G QSFP of the 16200 and have them all working in the same Security Group?

0 Kudos
5 Replies
emmap
Employee
Employee

I don't know that the speeds have to be the same, but it's best that they are. If you want to use 40G downlinks on 16600 you'd need 40G QSFPs or DACs. 

Alex-
Leader Leader
Leader

It comes from a discussion with our SE that the SG members must have the same speed to the MHO.

We don't have experience yet with Mix & Match, so the 16600 (Maestro) would be DAC set to 40G and the 16200 (Non-Maestro) would be the existing 40G in their adapter.

0 Kudos
Wolfgang
Authority
Authority

Following Known Limitations for Scalable Platforms (Maestro Appliances and Chassis)  every SGM in a SG has to use the same cards and speed. 

  • On a Maestro Security Group with different appliance models (supported starting R81.10): all Security Group Appliances must have cards with the same speed and number of ports installed in similar slots and connected to a Maestro Hyperscale Orchestrator using ports on cards in the same slots.

We got the information from our SE that mixing speeds are also not allowed in migration scenarios. Old and new appliances must have identical downlinks.

0 Kudos
Alex-
Leader Leader
Leader

Thank you all @emmap @Timothy_Hall @Wolfgang for the insights.

 

We will have the SG with the 16600 QHS having their DAC set to 40G and the 16200 with the QSFP in the same slot on both systems.

0 Kudos
Timothy_Hall
Legend Legend
Legend

Yes the speeds of all downlink interfaces between the MHO and Security Group members must be identical.  This is because the load distribution hash function on the MHO assumes that all interfaces have equal speed capability and there is no way to weight them for differences in bandwidth.  If doing mix and match you can weight the distribution by CPU processing capability but not bandwidth.  I don't see a problem with dropping a 100G-capable interface down to 40G to match other Security Group members.

In theory, I'd assume that if the downlink speeds were different (let's say a mixture of 10G and 100G interfaces to make it extreme) things would probably work OK in the Security Group until the load increased to the point where the 10G interfaces are saturated (or starting to get overrun if not fully saturated ) but the 100G interfaces are not.  This would probably lead to strange-looking performance issues for some connections and not others depending how they were distributed.  Not fun.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos