Nikodemus
Participant

Maestro R81.10SP design questions

Hi all,

Can anyone help me with the following questions?

On R81.10SP:

- Can I share an uplink (bond) between multiple security groups? Or do I create, for every security group, another uplink (bond)?

- If bond sharing between SGs is possible: Can I share VLANs between SGs? (example: Assign VL400 to SG1 and SG2)

- Is there a good reason to skip ports on the MHOs for the downlinks? (example on MHO140: port 27 to SGM1, port 29 to SGM2, port 31 to SGM3, ...) Why not use ports 28, 30, 32, ...? To be able to increase bandwidth to SGM1 in the future? (limitation: 2 downlinks per MHO to a single SGM) I'm aware of the limitation when using breakout cables.

- Is there a good reason to have MHO sync bonding? It is supported, but not done in the 'recommended' setup as seen here (point 17). What happens when the MHO sync is down? Does it cause downtime? It is only used for Security group configuration synchronisation...

- How many 10Gbps downlinks do we need when an SGM has a maximum throughput of 20Gbps (Gen V - ATP) in a dual MHO setup? 1 on MHO1 and 1 on MHO2? Or 2 downlinks per MHO?

Thanks for the help.


Accepted Solutions
Chris_Atkinson
Employee


* This feature is in Early Availability starting in R81.10 (suggest discussing its use further with your local SE).

e.g. set maestro security-group id 3 shared-uplinks state enabled

* No, the individual VLANs must be unique to an SG.

* The downlink cost when using DACs is such that you'd probably do this from day 1 if you think it's warranted. Ideally you would add additional SGMs in future.

* Sync bonding isn't mandatory. How many MHOs are in your setup, and what is the geography / topology involved - same or different room/site etc.?

* It depends on how redundant/resilient you want to design it in part and also what your anticipated total traffic is and how many SGMs you plan to have.

Refer also: sk147853: Maestro Frequently Asked Questions (FAQ) 

CCSM R77/R80/ELITE


4 Replies
Nikodemus
Participant

Hi Chris, thanks for the reply. Much appreciated.

So, no shared VLANs within a shared uplink.

But a VLAN can be assigned to multiple SGs if each SG has dedicated uplinks assigned, correct?

So, there is no good reason why the Check Point documentation leaves ports open in between the downlinks? See attached drawing, grabbed from the manual... (I marked the free ports with red crosses)

MHO140_Connecting_to_default_Downlink_ports_27_to_47_Example.png

Chris_Atkinson
Employee

No issue with dedicated uplinks in this regard to my knowledge.

Presumably just to make the diagram clearer, but if you can share the source link I will confirm.

CCSM R77/R80/ELITE
Nikodemus
Participant

Ok, makes sense.

The diagram is available here, section 'Connecting to the Downlink Ports with DAC or Fiber Cables'.

Thanks for your help!
