- CheckMates
- :
- Products
- :
- Quantum
- :
- Maestro Masters
- :
- Re: Maestro R81.10 QinQ requirement for Dual site ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maestro R81.10 QinQ requirement for Dual site through external L2 switches
Hello All,
Based on yesterday Maestro Masters Round Table June 2022:
https://community.checkpoint.com/t5/Maestro/Maestro-Masters-Round-Table-June-2022-Video-Slides-and-Q...
There was a question and answer related to Q-in-Q requirement for Dual site architecture through external L2 switches:
===
Q: Do we still need to use QinQ VLAN for dual site Maestro configurations?
A: QinQ is not required as of R81.10.
===
May I request more details regarding above answer?
Based on available information like: sk168092, sk168814 or Quantum Maestro Getting Started Guide
there is still info that Layer 2 switches must support VLAN Q-in-Q Tunneling for Dual site architecture.
Thanks and BR
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Tal_Ben_Avraham & @Anatoly can you please answer?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The default setting is to use QnQ. That mean, the default VLAN 3600 (or 3601 for a second pair of MHOs) will include all Sync vlans of security groups (3801,3802, etc..).
If you disable QnQ, then you have to configure vlans 3801, 3802, etc,,, in trunk with 3951 (or 3952 for a second pair of MHOs) instead of 3600 (or 3601).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow @Anatoly this is weird, when I was trying to change the base-vlan for the sync but got this:
set maestro configuration security-appliances inter-site base-vlan 3800
NMSSG 1 Invalid VLAN ID. Security Appliances inter-site base VLAN ID must be a number in the range of 3600-3650
This would mean that we need 3600-3601 for the sync and 3951, 3952 with 2 sec groups.
However I can tell you it does NOT work with the ranges 3600-3650 and 3950-3970 on the trunks
We do have this setting to disable QinQ:
set maestro configuration security-appliances inter-site vlan encapsulation disable
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
That is because these 3800 VLANs are reserved for inter-SGMs sync. In general - please avoid using following vlans:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the simple question is which VLAN's need to be allowed on the trunk between the sites when inter-site vlan encryption is disabled?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For first pair of MHOs: 3951 and 3801; for second pair - 3952 and 3801 (assuming you have only 1 security group). For any next security group add 3800+security group number
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is weird then as all documents say its using 3600 and up instead of 3800 and up, but it explains a lot why it is not working.
Thanks a lot @Anatoly
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Documentation is correct. This is 3600, but 3600 is external VLAN tag.
That means, sync vlans of SGMs are coming with double-tag: [3600(3801)], [3600(3802)], etc.
When you disable QnQ, it does not wrap 380x VLANs into 360x tags, so it comes as I explained above
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @Anatoly
It would be nice to update all documentation regarding the possibility to avoid requirements Q-in-Q tunneling since R81.10, after disabling vlan encapsulation on MHO's.
But as I understand it still limited to environment with no already existing vlans 3800+SG and 3951/3952, right?
BR
Daniel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree. We will work on it
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Anatoly it woulf really be helpful to have a R81.10 version of sk168092 with the above information incorporated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Anatoly 1 question left, how big is the chance that VLAN 370x will appear on the inter-site link?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLAN 370x is used for correction layer. So, it's crucial.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but above you did not mention it being used on the inter-site link, so let me rephrase my question: do I need to add 370x to the allowed VLAN list for the inter-site sync?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose correction layer communication should remain only in active site.
BR
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, because we do not run correction traffic between sites
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI - sk168092 was finally updated:
===
If Orchestrators are connected via external switches, ports on the external switches must be configured accordingly.
In versions lower than R81.10, external switches must support 802.1ad ("QinQ") and allow packets with more than 1 VLAN tag. It must not remove any of the existing VLAN tags.
In version R81.10 there is an option to disable QnQ encapsulation. In this case you have to trunk all Sync vlans (380x) of all security groups all the way between sites.
===
BR,
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
What about cli command in sk168092 how to disable QinQ encapsulation on MHOs ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Unfortunately they didn't mention about it. Regarding sk we have always a little possibility to give feedback without overall chance to choose how sk will be corrected.
The command on MHO was already mentioned in this thread:
set maestro configuration security-appliances inter-site vlan encapsulation disable
BR
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Shouldn't also vlan 395X be included in this sentence:
In version R81.10 there is an option to disable QnQ encapsulation. In this case you have to trunk all Sync vlans (380x) of all security groups all the way between sites.
Also, like mentioned before, the information on how to configure a dual site Maestro setup without using a QinQ tunnel should be made clear and complete without searching different SK's, documentation and Checkmates articles.
For example this text could be mentioned:
On the switches, configure vlans 3801-3804 (for 4 security groups) and 3951-3952.
On the MHO, use the following command: set maestro configuration security-appliances inter-site vlan encapsulation disable
Just my two cents.
Grtz Jones
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes, it should be added info that trunk must consists MHO Sync vlans (3951, 3952) and all used SecGrp Sync vlans (3800 + number of SecGrp) as well cmd to disable encapsulation on MHO's.
Unfortunately as patner I can only send them feedback through sk without possibility to check what they finally are going to add.
Anyway, thanks Jones for raising this as this thread consists all required information but sk not. Also I totally agree that sk/documentation should be complete before any article on checkmates.
BR
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I added this feedback to sk168092. Let's keep our fingers crossed.
Grtz Jones
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did it as well 🙂
BR
Daniel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try to check it now. I pushed feedback twice and now subject for "Disabling site-sync VLAN encapsulation" looks better.
BR
Daniel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This looks way better indeed. Well done Check Point.
Grtz Jones