This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Alex-
Leader Leader
Leader
‎2022-11-20 12:52 PM

Maestro dual site basic topology

Mates,

 

I've been tasked with a Maestro analysis based on the attached and would like to confirm my assumptions are correct.

 

- The MHO are in different DC and will communicate through SFP for long distance between them

- The 4 6200 are full meshed with the 2 MHO to form a security group, locally DAC and remotely SFP long distance

- The 2 MHO have a full mesh with the internal and external L3 switches to form LACP bonds

- Since everything is full mesh to the MHO, the 4 6200 can form a single security group with all capacity used

- Internal Router and External router have a lot of VLAN and each will do BGP with the MHO systems

 

Any remarks are welcome and regards.

Preview file
362 KB
0 Kudos
3 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-11-20 04:19 PM

Note the MHO doesn't host the BGP sessions, the SGM with the SMO role does - likely you will need to configure graceful restart.

Per sk168814 section "7. Maestro supported and recommended deployment examples" sounds like you are describing the "Multi Room" topology? e.g.

Multi Room202011060952452.png

Refer also: 

sk92755: Compatibility of transceivers for Check Point appliances

CCSM R77/R80/ELITE
0 Kudos
Danny
Champion Champion
Champion
‎2022-11-20 04:28 PM

Your cabling doesn't seem to be correct. Please refer to this guide and my CPX presentation.

Also a dual-site active/active full-mesh topology is currently not supported.

See sk168814 and Maestro Intro & Best Practices 2022.

In order to form a full mesh active/active solution you'll need to switch to a single site (dual/multi room) topology.

Alex-
Leader Leader
Leader
‎2022-11-21 09:48 AM

Thank you both for the advice and references. I will follow-up with the requester and local SE. Actually the PDF was misleading, the cabling is indeed meant to be full-mesh but there it looks like it's running through the local MHO to reach the second site which isn't the case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events