Kilian_Huber
Contributor

Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Hello Maestro Masters,

I have a question regarding the use of bonded interfaces on the MHO for SMO management traffic.

consider the following setup:

  • Dual Site and Dual Orchestrator Setup (MHO-140)
  • 2 Security Groups, deployed as VSX
  • Management Port 1 on the Orchestrators connected to a network switch

The following layout illustrates the setup (for simplicity, the layout contains only one site):

 

Maestro-Dual-Orch-magg.png

In this setup, both security groups share a physical Management port.

According to the Admin Guide, configuring a Bond interface on the Management port is possible. Step 3 of Use Case - Editing an Existing Security Group states:

  • Connect through the console port to the Security Appliance with Member ID 1 in this Security Group.

This indicates that the Bonding interface is created on the Security Group level. As a consequence, this means that the Bond is only available to one Security Group. When using LACP, this is a known limitation (ID: 02003875 and PMTR-97008).

My question is: is there another way to achieve the desired setup (ACTIVE/BACKUP Bond) or do we need to use physical Mgmt uplinks for every Security Group?

0 Kudos
8 Replies
Wolfgang
Authority

@Kilian_Huber Please check your design, are you sure you are running a dual site environment? In a dual site environment there is no connection from SGMs to the MHO on the other site. In a dual site environment you have an active/passive MGMT port between one MGMT interface (same interface on both sites). If you need a bond, you have to use only ports from one site, meaning eth1-mgmt & eth2-mgmt from one site. The same bond is created automatically on the other site, but this comes active only if a site failover occurs.

0 Kudos
Kilian_Huber
Contributor

Thanks @Wolfgang. As I wrote: "for simplicity, the layout contains only one site".

The full setup looks like this:

Maestro-Dual-Orch-Dual-Site-magg.png

0 Kudos
Wolfgang
Authority

@Kilian_Huber thanks for the more detailed description. As far as I know, the limitation PMTR-97008 exists only for a bond with LACP as the bonding protocol. An active/backup or XOR bond should work.

@Lari_Luoma    @Chris_Atkinson please, can you assist and confirm.

0 Kudos
Chris_Atkinson
Employee

MAGG (bond of management interfaces) working in LACP mode is supported from R81.10

However, sharing this MAGG or its slaves between Security Groups is NOT supported; you must use an alternate Bond flavor in such cases.

MAGG.PNG

Refer also: MAGG Interfaces (checkpoint.com)

CCSM R77/R80/ELITE
Kilian_Huber
Contributor

@Chris_Atkinson thanks for the feedback. What flavor can I use, and how/where is the Bond configured?

0 Kudos
Wolfgang
Authority

Which flavour of the bond depends on your switch infrastructure. Active/backup does work with most of the switch vendors, and setting xmit-hash-policy to MAC address will be fine for the VSX management magg. You can follow the configuration guide mentioned by @Chris_Atkinson. Magg is configured via your SG.

0 Kudos
Kilian_Huber
Contributor

Okay, and if the magg is shared across several SGs, it needs to be configured on every SG. Correct?

0 Kudos
Wolfgang
Authority

Yes, you have to configure this on every SG. You have to configure its own IP address for every Security Group, and each gets assigned its own MAC address.
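A quick way to verify what flavour a magg is actually running on a member, added here as an example and not part of the thread above: the script below parses the standard Linux bonding driver status file (Gaia is Linux-based, so /proc/net/bonding/<bond> is assumed to be present; the bond name magg1 and the interface names eth1-Mgmt1 / eth2-Mgmt1 are assumptions) and flags a bond in 802.3ad (LACP) mode, the one flavour the replies say cannot be shared between Security Groups. The three status dumps it reads are constructed samples, not captures from a real MHO.

```shell
#!/bin/sh
# Added example, not from the thread: read the standard Linux bonding driver
# status (/proc/net/bonding/<bond>) and flag a MAGG that runs LACP (802.3ad),
# the one flavour the thread says cannot be shared between Security Groups.
# The sample dumps below are constructed; bond and interface names are assumed.

# Print the "Bonding Mode:" value of a bonding status file.
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$1"
}

# Print the currently active slave (only present for active-backup mode).
bond_active_slave() {
    sed -n 's/^Currently Active Slave: //p' "$1"
}

# Print the transmit hash policy (only present for xor / 802.3ad modes).
bond_hash_policy() {
    sed -n 's/^Transmit Hash Policy: //p' "$1"
}

# Return 0 when the bond flavour can be shared across Security Groups
# (anything but 802.3ad), 1 when it is LACP.
bond_shareable() {
    case "$(bond_mode "$1")" in
        *802.3ad*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample dumps standing in for /proc/net/bonding/magg1 on three members.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/active_backup" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1-Mgmt1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1-Mgmt1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2-Mgmt1
MII Status: up
Link Failure Count: 0
EOF

cat > "$SAMPLE_DIR/xor" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (xor)
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1-Mgmt1
MII Status: up

Slave Interface: eth2-Mgmt1
MII Status: up
EOF

cat > "$SAMPLE_DIR/lacp" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100
802.3ad info
LACP rate: slow

Slave Interface: eth1-Mgmt1
MII Status: up

Slave Interface: eth2-Mgmt1
MII Status: up
EOF

# Stand-alone run: report each sample the way you would on a live member with
#   cat /proc/net/bonding/magg1
for f in active_backup xor lacp; do
    p="$SAMPLE_DIR/$f"
    if bond_shareable "$p"; then
        verdict="OK to share across SGs"
    else
        verdict="NOT shareable (LACP)"
    fi
    printf '%s: mode="%s" active="%s" hash="%s" -> %s\n' \
        "$f" "$(bond_mode "$p")" "$(bond_active_slave "$p")" \
        "$(bond_hash_policy "$p")" "$verdict"
done
```

On a real member, point the functions at /proc/net/bonding/<magg name> instead of the sample files; run it on a member of every Security Group that shares the physical management ports, since the bond is configured per SG and each SG can end up with a different mode.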