Create a Post
Showing results for 
Search instead for 
Did you mean: 

Maestro dual site basic topology



I've been tasked with a Maestro analysis based on the attached and would like to confirm my assumptions are correct.


- The MHO are in different DC and will communicate through SFP for long distance between them

- The 4 6200 are full meshed with the 2 MHO to form a security group, locally DAC and remotely SFP long distance

- The 2 MHO have a full mesh with the internal and external L3 switches to form LACP bonds

- Since everything is full mesh to the MHO, the 4 6200 can form a single security group with all capacity used

- Internal Router and External router have a lot of VLAN and each will do BGP with the MHO systems


Any remarks are welcome and regards.

0 Kudos
3 Replies
Employee Employee

Note the MHO doesn't host the BGP sessions, the SGM with the SMO role does - likely you will need to configure graceful restart.

Per sk168814 section "7. Maestro supported and recommended deployment examples" sounds like you are describing the "Multi Room" topology? e.g.

Multi Room202011060952452.png

Refer also: 

sk92755: Compatibility of transceivers for Check Point appliances

0 Kudos
Champion Champion

Your cabling doesn't seem to be correct. Please refer to this guide and my CPX presentation.

Also a dual-site active/active full-mesh topology is currently not supported.

See sk168814 and Maestro Intro & Best Practices 2022.

In order to form a full mesh active/active solution you'll need to switch to a single site (dual/multi room) topology.


Thank you both for the advice and references. I will follow-up with the requester and local SE. Actually the PDF was misleading, the cabling is indeed meant to be full-mesh but there it looks like it's running through the local MHO to reach the second site which isn't the case.

0 Kudos