This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Alex-
MVP Silver
MVP Silver
‎2024-10-01 01:41 AM

Maestro - Mix & Match and Interface types

We would like to clarify a question we didn't find in the known limitations pertaining to Maestro.

It is our understanding that if we mix-and-match appliances in a security group (sk162373), the speed of the downlink of each SGM has to be the same.

What then if we mix a MHS with a non-MHS in a security group, like a new 16600 with an existing 16200 Plus, could we set the speed of the DAC of the 16600 to 40G and use the existing 40G QSFP of the 16200 and have them all working in the same Security Group?

0 Kudos
5 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-10-13 11:47 PM

I don't know that the speeds have to be the same, but it's best that they are. If you want to use 40G downlinks on 16600 you'd need 40G QSFPs or DACs. 

Alex-
MVP Silver
MVP Silver
‎2024-10-18 03:39 AM
In response to emmap

It comes from a discussion with our SE that the SG members must have the same speed to the MHO.

We don't have experience yet with Mix & Match, so the 16600 (Maestro) would be DAC set to 40G and the 16200 (Non-Maestro) would be the existing 40G in their adapter.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2024-10-20 03:40 AM
In response to Alex-

Following Known Limitations for Scalable Platforms (Maestro Appliances and Chassis)  every SGM in a SG has to use the same cards and speed. 

  • On a Maestro Security Group with different appliance models (supported starting R81.10): all Security Group Appliances must have cards with the same speed and number of ports installed in similar slots and connected to a Maestro Hyperscale Orchestrator using ports on cards in the same slots.

We got the information from our SE that mixing speeds are also not allowed in migration scenarios. Old and new appliances must have identical downlinks.

0 Kudos
Alex-
MVP Silver
MVP Silver
‎2024-10-22 12:47 AM
In response to Wolfgang

Thank you all @emmap @Timothy_Hall @Wolfgang for the insights.

 

We will have the SG with the 16600 QHS having their DAC set to 40G and the 16200 with the QSFP in the same slot on both systems.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-10-18 06:53 AM

Yes the speeds of all downlink interfaces between the MHO and Security Group members must be identical.  This is because the load distribution hash function on the MHO assumes that all interfaces have equal speed capability and there is no way to weight them for differences in bandwidth.  If doing mix and match you can weight the distribution by CPU processing capability but not bandwidth.  I don't see a problem with dropping a 100G-capable interface down to 40G to match other Security Group members.

In theory, I'd assume that if the downlink speeds were different (let's say a mixture of 10G and 100G interfaces to make it extreme) things would probably work OK in the Security Group until the load increased to the point where the 10G interfaces are saturated (or starting to get overrun if not fully saturated ) but the 100G interfaces are not.  This would probably lead to strange-looking performance issues for some connections and not others depending how they were distributed.  Not fun.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events