Wow @Anatoly this is weird, when I was trying to change the base-vlan for the sync but got this:
set maestro configuration security-appliances inter-site base-vlan 3800
NMSSG 1 Invalid VLAN ID. Security Appliances inter-site base VLAN ID must be a number in the range of 3600-3650

This would mean that we need 3600-3601 for the sync and 3951, 3952 with 2 sec groups.

However I can tell you it does NOT work with the ranges 3600-3650  and 3950-3970 on the trunks

We do have this setting to disable QinQ:
set maestro configuration security-appliances inter-site vlan encapsulation disable

Hi,

That is because these 3800 VLANs are reserved for inter-SGMs sync. In general - please avoid using following vlans:

So the simple question is which VLAN's need to be allowed on the trunk between the sites when inter-site vlan encryption is disabled?

For first pair of MHOs: 3951 and 3801; for second pair - 3952 and 3801 (assuming you have only 1 security group). For any next security group add 3800+security group number

That is weird then as all documents say its using 3600 and up instead of 3800 and up, but it explains a lot why it is not working.

Thanks a lot @Anatoly 

Documentation is correct. This is 3600, but 3600 is external VLAN tag.

That means, sync vlans of SGMs are coming with double-tag: [3600(3801)], [3600(3802)], etc.

When you disable QnQ, it does not wrap 380x VLANs into 360x tags, so it comes as I explained above

Thanks @Anatoly

It would be nice to update all documentation regarding the possibility to avoid requirements Q-in-Q tunneling since R81.10, after disabling vlan encapsulation on MHO's.

But as I understand it still limited to environment with no already existing vlans 3800+SG and 3951/3952, right?

BR
Daniel

I agree. We will work on it

@Anatoly it woulf really be helpful to have a R81.10 version of sk168092 with the above information incorporated.

@Maarten_Sjouw  I already asked about update through sk168092. I hope sk owner will do it.

BR,

Daniel.

@Anatoly 1 question left, how big is the chance that VLAN 370x will appear on the inter-site link?

VLAN 370x is used for correction layer. So, it's crucial. 

but above you did not mention it being used on the inter-site link, so let me rephrase my question: do I need to add 370x to the allowed VLAN list for the inter-site sync?

I suppose correction layer communication should remain only in active site.

BR

Daniel.

No, because we do not run correction traffic between sites

Hello,

What about cli command in sk168092 how to disable QinQ encapsulation on MHOs ?

Hello,

Unfortunately they didn't mention about it. Regarding sk we have always a little possibility to give feedback without overall chance to choose how sk will be corrected.

The command on MHO was already mentioned in this thread:

set maestro configuration security-appliances inter-site vlan encapsulation disable

BR

Daniel.

Hi,

Shouldn't also vlan 395X be included in this sentence:

In version R81.10 there is an option to disable QnQ encapsulation. In this case you have to trunk all Sync vlans (380x) of all security groups all the way between sites.

Also, like mentioned before, the information on how to configure a dual site Maestro setup without using a QinQ tunnel should be made clear and complete without searching different SK's, documentation and Checkmates articles.

For example this text could be mentioned:
On the switches, configure vlans 3801-3804 (for 4 security groups) and 3951-3952.
On the MHO, use the following command: set maestro configuration security-appliances inter-site vlan encapsulation disable

Just my two cents.

Grtz Jones

Hi,

Yes, it should be added info that trunk must consists MHO Sync vlans (3951, 3952) and all used SecGrp Sync vlans (3800 + number of SecGrp) as well cmd to disable encapsulation on MHO's.

Unfortunately as patner I can only send them feedback through sk without possibility to check what they finally are going to add. 

Anyway, thanks Jones for raising this as this thread consists all required information but sk not. Also I totally agree that sk/documentation should be complete before any article on checkmates.

BR

Daniel.

Hi,

I added this feedback to sk168092. Let's keep our fingers crossed.

Grtz Jones

I did it as well 🙂

BR

Daniel.

Hi,

Try to check it now. I pushed feedback twice and now subject for "Disabling site-sync VLAN encapsulation" looks better.

BR

Daniel

Hi,

This looks way better indeed. Well done Check Point.

Grtz Jones