This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Marco32
Contributor
‎2022-06-27 03:27 AM

Port switch configuration for inter-site communication (Dual Site)

hello,
I ask your support to better understand how to configure switch (ex. Cisco) to perform q-in-q for configure the Scenario 2 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)
Assuming we use default Maestro vlan, wha are the correct commands to configure the switch port ?
Regards

M

0 Kudos
5 Replies
MadMike61
Participant
‎2022-06-27 08:40 AM

Marco,

I think your answer is in the important notes section. 

  • In case of multiple site-sync interfaces between MHO and switch, XOR bond will be automatically created on Orchestrator. This will require creation of a static port-channel(mode on) per Orchestrator site-sync ports on the switch.

For a Nexus 5k switch,

To configure the LACP link mode, perform this task:

 

  Command Purpose

Step 1

switch# configure terminal

Enters configuration mode.

Step 2

switch(config)# interface type slot / port

Specifies the interface to configure, and enters the interface configuration mode.

Step 3

switch(config-if)# channel-group number mode { active | on | passive }

Specifies the port mode for the link in a port channel. After LACP is enabled, you configure each link or the entire channel as active or passive.

When you run port channels with no associated protocol, the port-channel mode is always on.

The default port-channel mode is on.

switch(config-if)# no channel-group number mode

Returns the port mode to on for the specified interface.

This example shows how to set the LACP-enabled interface to active port-channel mode for Ethernet interface 1/4 in channel group 5:

switch# configure terminal
switch (config)# interface ethernet 1/4
switch(config-if)# channel-group 5 mode on This will effectively turn off LACP. FYI, watch your uplink router for excessive logs due to bouncing MAC addresses. I have seen this before on our 64000 platform but hopefully you won't experience that. 

0 Kudos
Marco32
Contributor
‎2022-06-27 09:34 AM
In response to MadMike61

Hi MadMike61, thanks for your support.

Maybe I dont explained good. I'm looking for the cisco configuration of the ports that I have to use to connect switch-mho and switch-switch (inside L2 fiber channel).

How to configure q-in-q incapsulation?

Looking the sk posted, it's scenario n°2

0 Kudos
Wolfgang
Mentor
Mentor
‎2022-06-27 12:02 PM
In response to Marco32

@Marco32 you’re trying to implement a really complex environment. Maestro and especially Maestro Dual-Site requires a lot of networking and Check Point know how. I think you should get some more lessons to better understand such solutions. 

switchport mode dot1q-tunnel“ will be the key for QinQ in Nexus environment. Cisco Nexus 9000 Series NX-OS Interfaces Configuration Guide, Release 7.x  I don’t know your exact Nexus type and version but this should help or will show  you a hint.

0 Kudos
Marco32
Contributor
‎2022-06-28 01:16 AM
In response to Wolfgang

Hi @Wolfgang ,

I read some days ago the link you shared but I need some help to use q-in-q in Maestro configuration because the CheckPoint documentation is not so exhaustive about this item.

We are speaking of encapsulate one VLAN inside another and the behavior of eth linked to MHO is different of eth linked to the other switch on second site. For this reason, I'm looking for someone can help me to understand this.

Let me say, I don't understand your statement "I think you should get some more lessons to better understand such solutions", this is not a contribute and it's not very frendly I think.

Anyway, every contribute about q-in-q will be appreciate.

 

M.

0 Kudos
Wolfgang
Mentor
Mentor
‎2022-06-28 11:55 AM
In response to Marco32

@Marco32 you mentioned the difference. The uplinks must be configured as normal VLAN trunk and the sync ports has to be set to  support QinQ, this can be done with command "switchport mode dot1q-tunnel" on the needed interface. The interfaces which connects the switches between the dual sites must be configured with QinQ. I think everything you need to know about the QinQ configuration could be found in the nexus documentation. Be aware of the limitations, which ports and which versions are supported.

Following the new discussion Maestro R81.10 QinQ requirement for Dual site through external L2 switches there is no need for QinQ if you enable all VLANs all all sync ports. But at the moment there isn't a good documentation regarding this feature 😞

Following your other questions regarding the LACP channel I thought you need to have some more networking knowledge to better understand how it works. That's why I mentioned to do some courses. But maybe I'm wrong.

0 Kudos
 
Upcoming Maestro Events

    CheckMates Events ≫