vinceneil666
Advisor

Maestro, interfaces, management

Hi guys,

So I have connected my port 1 on the orchestrator and defined a security group, but I am struggling getting the interfaces up.

For the datacenter switch I am plugged into, since I am using the management interfaces, will the datacenter folks need to configure this as a trunk (tagged)? I am guessing that the answer is no, since I am not able to create VLAN interfaces for the management interfaces.

But how shall the switch on the datacenter end be configured? LACP? Regular access ports? I have a single site, dual orchestrator setup. How on earth shall I configure the uplinks from the orchestrator to the datacenter switch? Regular access ports? LACP? Trunk? 🙂

10 Replies
Maarten_Sjouw
Champion

On the management interface, what type of SFP did you put in? You only need 1 interface; this will only be used for the communication between the management server and the Security Group, so policy pushes, logging etc. Management is an access port and does not use VLANs. When you assign 2 Security Groups the same management port you need to assign IPs in the same network, as they will be in the same VLAN, determined by the switchport.
Do you want to have this set up as a bonding? I don't. I have a UTP SFP plugged in for a 1Gb standard switchport.

Regards, Maarten
Maarten_Sjouw
Champion

The uplinks on the other hand are completely dependent on your needs. When you hook up to 2 switches you can set up trunks with bonding in whichever form you like and prefer, i.e. if your traffic will never be more than 3Gb you can set up active-standby bonding / portchannel.
It really depends on your situation and needs.
Regards, Maarten
vinceneil666
Advisor

But the thing is that if you have a dual orch single site and then just add the IP not using the bond, this interface will not be available when you lose the master orchestrator. (I got this verified by Check Point)

So if you want to make sure that you have access to the system even if an orch fails, you need to create a bond on them, and then, I think, that will negate the option of creating VLAN interfaces on the Maestro itself, and you will have to move to the option of creating interfaces on the appliance itself (which is the best practice, but until recently was affected by not being able to create more than 42 VLANs).

I have to say, that the Maestro documentation is really one of a kind 🙂

Maarten_Sjouw
Champion

In a dual Maestro setup you put port 1 of both devices in the same VLAN and indeed create a bond between eth1-Mgmt1 (MHO1) and eth2-Mgmt1 (MHO2); that should do the trick for you and the port remains an access port.
I will test it without the bond and drop the primary of the 2 MHOs that I have in my test setup here. I only added the 2 Mgmt1 interfaces to see if the SG will remain accessible.
Regards, Maarten
Maarten_Sjouw
Champion

OK, the problem here is that the 2 interfaces have their own specific IP unless you indeed put them in a bonding group with active/standby; that should work OK, and in my tests it did indeed. The issue is that removing an IP from an ethx-Mgmt1 interface in a Security Group is not working:
delete interface eth1-Mgmt1 ipv4-address
NMSETH0029 Interface not in the right format, assuming it's invalid interface eth1-Mgmt1
Regards, Maarten
Maarten_Sjouw
Champion

This would make this setup work:
add bonding group 1 mgmt
set interface eth1-Mgmt2 state on
add bonding group 1 mgmt interface eth2-Mgmt1
set bonding group 1 mode active-backup
set interface magg1 ipv4-address 1.2.3.11 mask-length 26
set management interface magg1
delete interface eth1-Mgmt1 ipv4-address
add bonding group 1 mgmt interface eth1-Mgmt1
set bonding group 1 primary eth1-Mgmt1

I will add it to the basic setup manual.

Regards, Maarten
vinceneil666
Advisor

Thanks for all the input guys. For me I will proceed with this:

https://sc1.checkpoint.com/documents/R80.30SP/WebAdminGuides/EN/CP_R80.30SP_Maestro_GettingStartedGu...

I do think that there are a few points where Check Point could improve its documentation, and most of them are related to the interface between the Maestro and the datacenter.

1. LACP: why not bring in some text on how the datacenter switches should be configured? LACP does have quite a few options, so giving a few pointers for some of the larger vendors (Cisco, HP, Extreme) would be nice.

2. It is very hard, reading all the docs, to really grasp what you actually need to do regarding interfaces. I do get that it is understood by CP that the appliance should be configured as before, just now the Orchestrator will provide the interface/trunk. There should be some text in the doc stating where you need to create bonds. Most people will start out spending lots of time on the orchestrator looking into interface issues, when you actually should look at the appliance itself.

Maarten_Sjouw
Champion

Did you see this:
https://community.checkpoint.com/t5/Maestro/Maestro-basic-setup-documentation/m-p/75354
As I said in my last post I will put some updates regarding the need for portbonding in this manual.
Regards, Maarten
vinceneil666
Advisor

Hi, yes I saw this. But as stated I have dual orchestrators.
Excellent with the update on the manual 🙂
Lari_Luoma
Ambassador

Hi!

I have to admit that I didn't read the entire discussion here, but some points.

Management bonding (MAGG) doesn't support LACP until Jumbo Hotfix take 210 (if I remember it right). Configure it as active-backup or XOR. In active-backup mode the switch side is configured as access ports.

Generally about bonding: with dual orchestrators connect bond slaves to both orchestrators, e.g. eth1-05 and eth2-05 are in the same bond. Eth1 means orchestrator 1 and eth2 orchestrator 2.

The most common LACP configuration is to share load between the bond slaves. When using LACP the datacenter switch must be a logical entity. This means that you will have to run VPC on the switch side in order to spread the bond members to different physical switches.

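As an added example that is not part of the thread (my code, not Check Point's and not from the Maestro documentation), here is a small checker that reads Gaia clish bonding commands in the form Maarten posted above and flags the pitfalls both Maarten and Lari describe: bond members that all sit on one orchestrator (so the bond dies with that MHO), LACP/8023AD on the management bond where only active-backup or XOR is supported, a member that still carries its own IP address, and a management interface that was never moved to the magg. It assumes the clish command forms used in the thread, that "8023AD" is the clish name for LACP mode, and that interface names look like eth<N>-<port> with N identifying the orchestrator; the three inputs are constructed, the first one being Maarten's recipe.

```python
# Added example, not from the thread or from Check Point. Assumptions: the clish
# command forms are the ones posted above; "8023AD" is clish's LACP mode name;
# interface names are eth<N>-<port>, where N is the orchestrator number.

# Modes the thread says a management bond (MAGG) can use; LACP is excluded
# because MAGG did not support it before the Jumbo Hotfix take mentioned above.
MAGG_MODES = {"active-backup", "xor"}
LACP_MODE = "8023ad"  # assumed clish spelling, compared lower-cased


def _bond(bonds, gid, is_mgmt=False):
    """Return the model entry for bond group gid, creating it if needed."""
    entry = bonds.setdefault(gid, {"mgmt": False, "members": [], "mode": None, "primary": None})
    entry["mgmt"] = entry["mgmt"] or is_mgmt
    return entry


def parse_clish(text):
    """Build a small model (bonds, interface IPs, management interface) from clish lines."""
    bonds, ips, mgmt_if = {}, {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("#"):
            continue
        if w[:3] == ["add", "bonding", "group"] and len(w) >= 4:
            # add bonding group <id> [mgmt] [interface <if>]
            rest = w[4:]
            is_mgmt = rest[:1] == ["mgmt"]
            if is_mgmt:
                rest = rest[1:]
            entry = _bond(bonds, w[3], is_mgmt)
            if rest[:1] == ["interface"] and len(rest) >= 2:
                entry["members"].append(rest[1])
        elif w[:3] == ["set", "bonding", "group"] and len(w) >= 6:
            # set bonding group <id> mode <mode> | primary <if>
            entry = _bond(bonds, w[3])
            if w[4] == "mode":
                entry["mode"] = w[5].lower()
            elif w[4] == "primary":
                entry["primary"] = w[5]
        elif w[:2] == ["set", "interface"] and len(w) >= 7 and w[3] == "ipv4-address":
            ips[w[2]] = f"{w[4]}/{w[6]}"          # set interface <if> ipv4-address A mask-length N
        elif w[:2] == ["delete", "interface"] and "ipv4-address" in w[3:]:
            ips.pop(w[2], None)                   # delete interface <if> ipv4-address
        elif w[:3] == ["set", "management", "interface"] and len(w) >= 4:
            mgmt_if = w[3]
    return bonds, ips, mgmt_if


def bond_name(gid, entry):
    """Management bonds appear as magg<id>, data bonds as bond<id>."""
    return ("magg" if entry["mgmt"] else "bond") + gid


def check_bond_config(text):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    bonds, ips, mgmt_if = parse_clish(text)
    findings = []
    for gid, entry in bonds.items():
        name = bond_name(gid, entry)
        members = entry["members"]
        orchestrators = {m.split("-", 1)[0] for m in members}   # eth1 -> MHO1, eth2 -> MHO2
        if len(orchestrators) < 2:
            findings.append(("error", f"{name}: members {members} are not spread over both orchestrators, so the bond will not survive losing an MHO"))
        if entry["mgmt"]:
            if entry["mode"] not in MAGG_MODES:
                findings.append(("error", f"{name}: mode {entry['mode']!r} is not active-backup or xor (LACP is not supported on MAGG in the release discussed)"))
            if mgmt_if != name:
                findings.append(("error", f"{name}: management interface is {mgmt_if!r}, expected {name}"))
        for m in members:
            if m in ips:
                findings.append(("error", f"{name}: member {m} still carries {ips[m]}; delete the address before adding it to the bond"))
        if entry["mode"] == LACP_MODE and len(orchestrators) >= 2:
            findings.append(("info", f"{name}: LACP across both orchestrators needs the switch side to be one logical LACP partner (vPC/MLAG)"))
    return findings


# Constructed input 1: Maarten's MAGG recipe from the thread, verbatim.
MAGG_RECIPE = """
add bonding group 1 mgmt
set interface eth1-Mgmt2 state on
add bonding group 1 mgmt interface eth2-Mgmt1
set bonding group 1 mode active-backup
set interface magg1 ipv4-address 1.2.3.11 mask-length 26
set management interface magg1
delete interface eth1-Mgmt1 ipv4-address
add bonding group 1 mgmt interface eth1-Mgmt1
set bonding group 1 primary eth1-Mgmt1
"""

# Constructed input 2: what the thread warns against, both members on MHO1,
# LACP on the management bond, an address left on a member, no management move.
BAD_MAGG = """
add bonding group 2 mgmt
add bonding group 2 mgmt interface eth1-Mgmt1
add bonding group 2 mgmt interface eth1-Mgmt2
set bonding group 2 mode 8023AD
set interface eth1-Mgmt1 ipv4-address 1.2.3.12 mask-length 26
"""

# Constructed input 3: a data bond spread over both orchestrators with LACP,
# fine on the Maestro side but the switch side must be vPC/MLAG.
DATA_LACP = """
add bonding group 5
add bonding group 5 interface eth1-05
add bonding group 5 interface eth2-05
set bonding group 5 mode 8023AD
"""

if __name__ == "__main__":
    for label, cfg in (("recipe", MAGG_RECIPE), ("bad magg", BAD_MAGG), ("data lacp", DATA_LACP)):
        print(label, check_bond_config(cfg) or "no findings")
```

Run it as is and Maarten's recipe comes back clean, the second input produces four errors, and the third only the vPC/MLAG note; paste your own clish output in place of the sample strings to check a planned change before pushing it to the Security Group.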