Solved: security group management port in dual site

Marco32 · ‎2022-06-23

Hello,

I'm starting building a dual site, dual MHO infrastructure and I need some tips.

I want to configure a SG cross site, but I don't undestand how to configure management port for it.

In a singole site, dual MHO the documentation (Maestro basic setup) explain how to create a bond active standby using port 1 of both MHO. In this scenario, I have redundancy to access SMO.

But, how to setup it in a SG cross site? Do I need to use port 1 of both MHO of the second site too? So I have 4 port in this bond?

Regards

M

Daniel_Szydelko · ‎2022-06-23

Yes, magg0 as management bond is relevant for Security Group. As particular SecGrp exists on both sites and ports connections are the same on both sites you are adding / using the same interfaces for both sites.

Mgmt IP is used by SMO Master SGM on active site. You can think about two cases:

- regular Security Group - SMO Master (lowest SGM ID in active site) from active site is using magg0 IP for communication

- VSX Security Group - then it represents magg0 IP for VS0 on active site. No matter if you are using VSX HA or VSLS, there is one site, where SMO Master SGM is active for VS0.

When you create another Security Group then you can create another magg (new interfaces) or share the same magg (create magg with Mgmt interfefaces used by first SecGrp) with different IP address.

BR

Daniel.

View solution in original post

Daniel_Szydelko · ‎2022-06-23

Hello,

Setup is the same. On second site you need need to attach corespondig mgmt ports (the same as in site 1). Physical connections should be mirrored between sites.

So configuration prompt is using two interfaces in magg (from site perspective) but in reality consist 4 ports (one Mgmt per MHO).

BR

Daniel.

Marco32 · ‎2022-06-23

Hi Daniel,

if I understand correctly, the magg0 configuration (make with eth1-Mgmt1 and eth2-Mgmt1) is for Security Gateway, so I don't need to do anything on MHO (both site).

When the magg0 of site2 start to work? In which case?

One more thing, if I install a VSX on this SG, and with VSLS balance some VS on site1 and some other VS on site2, when access on the IP assigned to to the SG witch magg0 I use? Site1 or Site2?

And if I whant to create a second SG on site1 only with another IP, may I create another magg (like magg1) or can I use the same?

How to see this from SG prospective?

Regards

Daniel_Szydelko · ‎2022-06-23

Yes, magg0 as management bond is relevant for Security Group. As particular SecGrp exists on both sites and ports connections are the same on both sites you are adding / using the same interfaces for both sites.

Mgmt IP is used by SMO Master SGM on active site. You can think about two cases:

- regular Security Group - SMO Master (lowest SGM ID in active site) from active site is using magg0 IP for communication

- VSX Security Group - then it represents magg0 IP for VS0 on active site. No matter if you are using VSX HA or VSLS, there is one site, where SMO Master SGM is active for VS0.

When you create another Security Group then you can create another magg (new interfaces) or share the same magg (create magg with Mgmt interfefaces used by first SecGrp) with different IP address.

BR

Daniel.

Marco32 · ‎2022-06-23

Very helful Daniel,

how to find in which site VSX VS0 is active in case of SG cross site?

And, for othes SG if I create a new magg have I to name it as magg0 , magg1, magg2 and so on?

M

Daniel_Szydelko · ‎2022-06-23

It shoud be enough to use cmd from SecGrp bash: asg stat vs all

No, each SecGrp is isolated from each other so on each you can configure magg0.

BR

Daniel

Marco32 · ‎2022-06-23

Many thanks for your support Daniel

Regards

M

Daniel_Szydelko · ‎2022-06-23

No problem and Good luck with implementation!

BR

Daniel.