This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Alex-
Leader Leader
Leader
‎2024-06-28 02:37 AM
Jump to solution

Maestro and Shared Uplinks

I was ready about Shared Uplinks on Maestro R81.20 and I would like to check if my understanding is correct.

 

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/Content/T...

 

Let's say we have 2 MHO and 2 Security Groups.

We could connect 1 40G uplink on each MHO and bond them in each SG, let's say bond1.

SG 1 could then configure bond1.<first vlan range> and SG2 could have bond1.<second vlan range>.

In effect, we share the physical capacity between Security Groups.

Now what we wonder:

- Any issues doing with SG1 being cluster and SG2 being VSX?

The Security Group with the lowest ID, which has been assigned the shared subordinate interfaces, is responsible for the LACP negotiation for these interfaces. Does this mean that one SG is responsible for the correct function of all LACP bonds?

- Any production tips & tricks which go beyond the user manual?

- Is the MHO deployment relevant to this feature, like single-room, dual-room, multisite?

We're still pondering the use of shared uplinks or dedicated interfaces in a broader cost vs functionality context.

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2024-06-30 11:37 PM
Jump to solution

Hi Alex

Shared uplinks will work across SG types and deployment types, but as you say there one of the SGs ends up being responsible for maintaining LACP for everyone. While this is fine when everything is running well, you can end up in a situation where a little problem has a large impact due to it affecting all SGs sharing the uplinks. As such I'd generally suggest avoiding it especially in cases of highly critical uptime requirements or like that. 

View solution in original post

1 Reply
emmap
Employee
Employee
‎2024-06-30 11:37 PM
Jump to solution

Hi Alex

Shared uplinks will work across SG types and deployment types, but as you say there one of the SGs ends up being responsible for maintaining LACP for everyone. While this is fine when everything is running well, you can end up in a situation where a little problem has a large impact due to it affecting all SGs sharing the uplinks. As such I'd generally suggest avoiding it especially in cases of highly critical uptime requirements or like that. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events