This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Kilian_Huber
Contributor
‎2023-10-31 08:56 AM

Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Hello Maestro Masters,

I have a question regarding the use of bonded interfaces on the MHO for SMO management traffic.

consider the following setup:

  • Dual Site and Dual Orchestrator Setup (MHO-140)
  • 2 Security Groups, deployed as VSX
  • Management Port 1 on the Orchestrators connected to a network switch

The following layout illustrates the setup (for simplicity, the layout contains only one site):

 

Maestro-Dual-Orch-magg.png

In this setup, both security groups share a physical Management port.

According to the Admin Guide, configuring a Bond interface on the Management port is possible. Step 3 of Use Case - Editing an Existing Security Group states:

  • Connect through the console port to the Security Appliance with Member ID 1 in this Security Group.

This indicates that the Bonding interface is created on the Security Group level. As a consequence, this means that the Bond is only available to one Security Group. When using LACP, this is a known limitation (ID: 02003875 and PMTR-97008).

My question is: is there another way to achieve the desired setup (ACTIVE/BACKUP Bond) or do we need to use physical Mgmt uplinks for every Security Group?

0 Kudos
8 Replies
Wolfgang
Authority
Authority
‎2023-10-31 11:40 AM

@Kilian_Huber Please check your design, are you sure you are running a dual site environment? In dual site environment there is no connection from SGMs to the MHO on the other site. In a dual site environment  you have an active/passive MGMT port between one MGMT interface (same interface on both sites). If you need a bond, you have to use only ports from one site, meaning eth1-mgmt & eth2-mgmt from one site. The same bond is created automatically on the other site, but this comes active only if a site failover occurs.

0 Kudos
Kilian_Huber
Contributor
‎2023-11-01 12:32 AM
In response to Wolfgang

Thanks @Wolfgang. As I wrote: "for simplicity, the layout contains only one site".

The full setup looks like this:

Maestro-Dual-Orch-Dual-Site-magg.png

0 Kudos
Wolfgang
Authority
Authority
‎2023-11-01 12:45 AM
In response to Kilian_Huber

@Kilian_Huber thanks for more detailed description. As I know the limitation PMTR-97008 exist only for a bond with LACP as bonding protocol. active/backup- or XOR-BOND should work.

@Lari_Luoma    @Chris_Atkinson please, can you assist and confirm.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-11-01 02:30 AM
In response to Wolfgang

MAGG (bond of management interfaces) working in LACP mode is supported from R81.10

However, sharing between security group of this MAGG or its slaves is NOT supported you must use an alternate Bond flavor in such cases.

MAGG.PNG

Refer also: MAGG Interfaces (checkpoint.com)

CCSM R77/R80/ELITE
Kilian_Huber
Contributor
‎2023-11-01 02:32 AM
In response to Chris_Atkinson

@CHROthanks for the feedback. What flavor can I use and how/where is the Bond configured?

0 Kudos
Wolfgang
Authority
Authority
‎2023-11-02 01:17 PM
In response to Kilian_Huber

Which flavour of the bond depends on your switch infrastructure. Active/backup does work with most of the switch vendors and setting xmit-hash-polish to MAC address will be fine for the VSX management magg. You can follow the configuration guide mentioned by @Chris_Atkinson . Magg is configured via your SG.

0 Kudos
Kilian_Huber
Contributor
‎2023-11-02 01:20 PM
In response to Wolfgang

Okay, and if the magg is shared accross several SGs, it needs to be configured on every SG. Correct?

0 Kudos
Wolfgang
Authority
Authority
‎2023-11-02 01:39 PM
In response to Kilian_Huber

Yes, you have to configure this on every SG. You have to configure an own IP-address for every SecurityGroup and they get assigned an own MAC-address.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events