Maestro Dual Site configuration using a direct connection and via L2 switches
Solution

Introduction

There are three main scenarios for Dual-Site configuration:
  1. Direct connectivity between remote site Orchestrators
  2. Two Orchestrators on the same site which are connected to the remote site Orchestrators via two different switches
  3. Two Orchestrators on the same site which are connected to the remote site Orchestrators via a single switch
If there is only one Orchestrator per site and it is connected via switches, scenarios (2) and (3) are the same.


Orchestrator Configuration


To configure a Dual-Site environment, configure the following parameters on each one of the Orchestrators in the environment:
  • orchestrator-amount: how many Orchestrators you have per site (must be identical on all Orchestrators)
  • orchestrator-site-amount: how many sites you have
  • orchestrator-site-id: The site id on which the local Orchestrator is located
  • orchestrator-site-vlan (default = 3600): base VLAN for the site-sync VLAN calculation. Each Orchestrator derives its own site-sync VLAN from this base: <orchestrator-site-vlan> + 0 for the first Orchestrator at a site and <orchestrator-site-vlan> + 1 for the second Orchestrator at the same site. The parameter must therefore be identical on all Orchestrators in the setup.
For example, with orchestrator-site-vlan = 3600, the Orchestrators calculate the following site-sync VLANs:

           MHO1   MHO2
Site #1    3600   3601
Site #2    3600   3601

  • Site-Sync port: The Orchestrator port for inter-site communication (Configuration example: # set maestro port 1/31/1 type site_sync)

Dual-Site Sync Packets


There are two categories of Sync packets in a Dual-Site environment:
  • Orchestrator Sync packets
    These Sync packets carry information about the available and assigned resources at each site.
    They are transmitted from the Site-Sync port with a single VLAN tag: 3951 for the first Orchestrator at a site and 3952 for the second. These VLAN IDs are hard-coded (see Important Notes below).

  • Security Group Sync packets
    These Sync packets are the ClusterXL Sync packets exchanged between Security Group members.
    They are transmitted from the Site-Sync port with two VLAN tags. The inner tag is the internal VLAN associated with the specific Security Group; the outer tag is the site-sync VLAN derived from orchestrator-site-vlan (3600 or 3601 with the default base value, as explained above).

External Switch Configuration


If Orchestrators are connected via external switches, ports on the external switches must be configured accordingly.

External switches must support 802.1ad ("QinQ") and pass packets that carry more than one VLAN tag. They must not strip or rewrite any of the existing VLAN tags.

If necessary, you can configure the external switch to add another VLAN tag to the Dual-Site Sync packets.
If you do this, keep these requirements in mind:
  • Security Group Sync packets leave the Site-Sync port with two VLAN tags, so adding another tag gives them three. The external switches must not drop packets with more than two VLAN tags, or Dual-Site will not work.
  • All Dual-Site Sync packets must arrive at the other site in exactly the state in which they were transmitted. If an additional VLAN tag was added, the last switch in the path must strip it before forwarding the packet to the Orchestrator at the other site.
  • Each additional VLAN tag adds 4 bytes to the packet. It may be necessary to increase the MTU on the links between the sites for Dual-Site to work properly.
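To make the three switch requirements above concrete, here is an added example (my own Python, not Check Point code) that builds the two kinds of Sync frames as constructed byte strings, parses the VLAN tag stack, classifies a frame by that stack, and simulates a QinQ transit in which the near switch pushes an extra transport tag and the far switch must pop it again before the frame reaches the remote Orchestrator. The TPIDs (0x88a8 for outer tags, 0x8100 for the innermost tag), the MAC addresses, the IPv4 EtherType after the tags, the Security Group VLAN 100 and the transport VLAN 500 are assumptions for illustration; the page does not state the wire format.

```python
"""Tag-stack handling for Dual-Site Sync frames crossing external switches.

Added example, not Check Point code. The frames are constructed for
illustration; the TPIDs (0x88a8 for outer tags, 0x8100 for the innermost
tag), the MAC addresses and the IPv4 EtherType after the tags are
assumptions about the wire format, not something the page states.
"""
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TPIDS = (TPID_8021Q, TPID_8021AD)
SITE_SYNC_VLANS = (3600, 3601)   # orchestrator-site-vlan + 0 / + 1 with the default base
ORCH_SYNC_VLANS = (3951, 3952)   # hard-coded Orchestrator Sync VLANs
ETH_ADDRS = 12                   # dst + src MAC; the tag stack starts here


def build_frame(dst, src, vlans, payload, ethertype=0x0800):
    """Ethernet frame carrying one 4-byte tag per VLAN in `vlans`, outermost first."""
    frame = dst + src
    for i, vid in enumerate(vlans):
        tpid = TPID_8021Q if i == len(vlans) - 1 else TPID_8021AD
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, EtherType that follows the tags)."""
    off, tags = ETH_ADDRS, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in TPIDS:
            return tags, tpid
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))   # low 12 bits of the TCI are the VLAN ID
        off += 4


def classify(frame):
    """Kind of Dual-Site Sync frame, judged by the tag stack alone."""
    vids = [vid for _, vid in parse_tags(frame)[0]]
    if len(vids) == 1 and vids[0] in ORCH_SYNC_VLANS:
        return "orchestrator-sync"        # single tag 3951 / 3952
    if len(vids) == 2 and vids[0] in SITE_SYNC_VLANS:
        return "security-group-sync"      # outer site-sync VLAN, inner Security Group VLAN
    return "unexpected"


def push_tag(frame, vid, tpid=TPID_8021AD):
    """QinQ ingress: the switch adds one more 4-byte tag in front of the existing stack."""
    return frame[:ETH_ADDRS] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[ETH_ADDRS:]


def pop_tag(frame):
    """QinQ egress: remove the outermost tag, as the last switch must do before the remote Orchestrator."""
    if not parse_tags(frame)[0]:
        raise ValueError("no VLAN tag to remove")
    return frame[:ETH_ADDRS] + frame[ETH_ADDRS + 4:]


def simulate_transit(sent, transport_vlan, max_frame_bytes, far_switch_strips=True):
    """Push a transport tag at the near switch, carry the frame over a link that
    accepts at most `max_frame_bytes` per frame (headers and tags included), and
    optionally pop the tag at the far switch. Returns (delivered frame, problems)."""
    in_transit = push_tag(sent, transport_vlan)
    problems = []
    if len(in_transit) > max_frame_bytes:
        problems.append(f"{len(in_transit)}-byte frame exceeds the {max_frame_bytes}-byte link MTU; "
                        f"raise it by at least {len(in_transit) - max_frame_bytes} bytes")
    delivered = pop_tag(in_transit) if far_switch_strips else in_transit
    if delivered != sent:
        problems.append("frame not delivered in the state it was transmitted "
                        f"({len(parse_tags(delivered)[0])} tags instead of {len(parse_tags(sent)[0])})")
    return delivered, problems


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    sg_sync = build_frame(dst, src, [3600, 100], b"\x00" * 64)                # Security Group VLAN 100 assumed
    print(classify(sg_sync), parse_tags(sg_sync))
    print(simulate_transit(sg_sync, 500, max_frame_bytes=len(sg_sync))[1])     # link MTU 4 bytes too small
    print(simulate_transit(sg_sync, 500, max_frame_bytes=1522, far_switch_strips=False)[1])
```

The two failure cases in the usage block are the ones the bullets warn about: a link whose maximum frame size was not raised by the 4 bytes of the added tag, and a far switch that forwards the frame with the transport tag still on it, which turns a valid two-tag Security Group Sync frame into a three-tag frame the Orchestrator does not expect.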


Configure the ports on external switches as described below.

Scenario # 1 - Direct Connection between Orchestrators




When you use a direct connection between Orchestrators, only a basic configuration is required on each Orchestrator:
  • orchestrator-amount (1 or 2)
  • orchestrator-site-amount (2)
  • orchestrator-site-id
      MHO 1_1 and MHO 1_2 – 1
      MHO 2_1 and MHO 2_2 – 2
  • orchestrator-site-vlan (default = 3600)
  • site_sync port configuration (e.g.: # set maestro port 1/31/1 type site_sync)

Scenario #2 - Two Orchestrators on the same site which are connected to the remote site Orchestrators via two different switches



When each Orchestrator is connected through its own switch (a separate switch per Orchestrator), both the Orchestrator and the switch configuration are required. The switches must pass double-tagged packets transparently and must not modify the existing VLAN tags on any Dual-Site Sync packet.


Orchestrators’ Configuration

  • orchestrator-amount (1 or 2)
  • orchestrator-site-amount (2)
  • orchestrator-site-id
      MHO 1_1 and MHO 1_2 – 1
      MHO 2_1 and MHO 2_2 – 2
  • orchestrator-site-vlan (default = 3600)
  • site_sync port configuration (e.g.: # set maestro port 1/31/1 type site_sync)

Switches’ Configuration (according to the diagram)

  • Port leading to MHO 1_1: VLAN trunk 3600, 3951
  • Port leading to MHO 1_2: VLAN trunk 3601, 3952
  • Port leading to MHO 2_1: VLAN trunk 3600, 3951
  • Port leading to MHO 2_2: VLAN trunk 3601, 3952
  • Link between Switches 1_1 and 2_1: VLAN trunk 3600, 3951
  • Link between Switches 1_2 and 2_2: VLAN trunk 3601, 3952

Scenario #3 - Two Orchestrators on the same site which are connected to the remote site Orchestrators via a single switch



When both Orchestrators at a site are connected through the same switch, both the Orchestrator and the switch configuration are required. The switches must pass double-tagged packets transparently and must not modify the existing VLAN tags on any Dual-Site Sync packet.

Orchestrators Configuration

  • orchestrator-amount (1 or 2)
  • orchestrator-site-amount (2)
  • orchestrator-site-id
      MHO 1_1 and MHO 1_2 – 1
      MHO 2_1 and MHO 2_2 – 2
  • orchestrator-site-vlan (default = 3600)
  • site_sync port configuration (e.g.: # set maestro port 1/31/1 type site_sync)

Switches’ Configuration  (according to the diagram)

  • Port leading to MHO 1_1: VLAN trunk 3600, 3951
  • Port leading to MHO 1_2: VLAN trunk 3601, 3952
  • Port leading to MHO 2_1: VLAN trunk 3600, 3951
  • Port leading to MHO 2_2: VLAN trunk 3601, 3952
  • Link between Switches: VLAN trunk 3600, 3601, 3951, 3952
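As an added example (my own Python, not Check Point code) covering both the site-sync VLAN calculation in the Orchestrator Configuration section and the switch trunk lists of scenarios #2 and #3, the following derives each Orchestrator's VLANs from orchestrator-amount, orchestrator-site-amount and orchestrator-site-vlan, produces the trunk VLAN lists for the switch ports and the inter-site links, and flags the parameter mismatches the page says must not exist (orchestrator-amount, orchestrator-site-amount and orchestrator-site-vlan differing between Orchestrators, or a site populated by a different number of Orchestrators than orchestrator-amount says). The function names, the "MHO <site>_<n>" labels, the link names and the sample configurations are my own.

```python
"""VLAN plan and parameter-consistency check for a Maestro Dual-Site setup.

Added example, not Check Point code: the parameter names and VLAN rules come
from the page; the function names, the "MHO <site>_<n>" labels, the link
names and the sample configurations are my own.
"""

# Hard-coded per the page: Orchestrator Sync VLAN for the first and the
# second Orchestrator at a site.
ORCH_SYNC_VLANS = (3951, 3952)

# Parameters that must carry the same value on every Orchestrator in the setup.
MUST_MATCH = ("orchestrator-amount", "orchestrator-site-amount", "orchestrator-site-vlan")


def site_sync_vlan(orchestrator_site_vlan, position):
    """orchestrator-site-vlan + 0 for the first Orchestrator at a site (position 0),
    + 1 for the second (position 1)."""
    return orchestrator_site_vlan + position


def vlan_plan(orchestrator_amount, orchestrator_site_amount, orchestrator_site_vlan=3600):
    """Map each Orchestrator ("MHO <site>_<n>") to its site-sync and Orchestrator Sync VLANs."""
    if orchestrator_amount not in (1, 2):
        raise ValueError("orchestrator-amount must be 1 or 2")
    plan = {}
    for site in range(1, orchestrator_site_amount + 1):
        for pos in range(orchestrator_amount):
            plan[f"MHO {site}_{pos + 1}"] = {
                "site_sync": site_sync_vlan(orchestrator_site_vlan, pos),
                "orch_sync": ORCH_SYNC_VLANS[pos],
            }
    return plan


def switch_ports(plan):
    """Trunk VLANs for the switch port leading to each Orchestrator (scenarios 2 and 3)."""
    return {name: sorted((v["site_sync"], v["orch_sync"])) for name, v in plan.items()}


def inter_switch_links(scenario, plan):
    """Trunk VLANs for the link(s) between the two sites' switches.

    Scenario 2: one switch per Orchestrator, so the link between Switch 1_n and
    Switch 2_n carries only the VLANs of the n-th Orchestrators.
    Scenario 3: one switch per site, so the single link carries all of them.
    Scenario 1 has no switches and yields an empty plan.
    """
    if scenario == 2:
        links = {}
        for name, v in plan.items():
            position = name.rsplit("_", 1)[1]          # "1" or "2": n-th Orchestrator at its site
            links.setdefault(f"Switches 1_{position} - 2_{position}", set()).update(
                (v["site_sync"], v["orch_sync"]))
        return {link: sorted(vlans) for link, vlans in links.items()}
    if scenario == 3:
        vlans = set()
        for v in plan.values():
            vlans.update((v["site_sync"], v["orch_sync"]))
        return {"Switches 1 - 2": sorted(vlans)}
    return {}


def check_consistency(configs):
    """configs: {"MHO 1_1": {"orchestrator-amount": 2, "orchestrator-site-amount": 2,
    "orchestrator-site-id": 1, "orchestrator-site-vlan": 3600}, ...}.
    Returns a list of problems; an empty list means the parameters are coherent."""
    problems = []
    for key in MUST_MATCH:
        values = {c[key] for c in configs.values()}
        if len(values) > 1:
            problems.append(f"{key} differs across Orchestrators: {sorted(values)}")
    first = next(iter(configs.values()))
    amount, sites = first["orchestrator-amount"], first["orchestrator-site-amount"]
    per_site = {}
    for name, c in configs.items():
        sid = c["orchestrator-site-id"]
        if not 1 <= sid <= sites:
            problems.append(f"{name}: orchestrator-site-id {sid} outside 1..{sites}")
        per_site[sid] = per_site.get(sid, 0) + 1
    for sid, count in sorted(per_site.items()):
        if count != amount:
            problems.append(f"site {sid} has {count} Orchestrator(s) but orchestrator-amount is {amount}")
    return problems


if __name__ == "__main__":
    plan = vlan_plan(orchestrator_amount=2, orchestrator_site_amount=2)
    for name, vlans in plan.items():
        print(name, vlans)
    print("ports:", switch_ports(plan))
    print("scenario 2 links:", inter_switch_links(2, plan))
    print("scenario 3 link:", inter_switch_links(3, plan))
```

Running it with two Orchestrators per site reproduces the trunk lists above: 3600, 3951 towards MHO 1_1 and MHO 2_1, 3601, 3952 towards MHO 1_2 and MHO 2_2, separate per-pair links in scenario #2 and the union of all four VLANs on the single link of scenario #3. With orchestrator-amount = 1 both scenarios collapse to the same single link, as the Introduction notes.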

Important Notes

  • All switches (scenarios #2 and #3) must support 802.1ad ("QinQ") and allow packets with more than one VLAN tag. The MTU may need to be increased on the relevant ports.
  • orchestrator-site-vlan can be changed in the Orchestrator's CliSh.
  • VLANs 3951 and 3952 are currently hard-coded and cannot be changed.

Testing Dual-Site infrastructure

Connectivity between Orchestrators at different sites:
  • From MHO 1_1 ping MHO 2_1: ping 203.0.113.15
  • From MHO 1_2 ping MHO 2_2: ping 203.0.113.16
    If the ping fails, check that VLAN 3951 (first Orchestrators) and VLAN 3952 (second Orchestrators) are carried end to end between the sites.

Connectivity between Orchestrators at the same site:
  • From MHO 1_1 ping MHO 1_2: ping 192.0.2.2
  • From MHO 2_1 ping MHO 2_2: ping 192.0.2.16
    If the ping fails, check the Sync cable between the Orchestrators at the same site.

Connectivity between SGMs (appliances):
  • From SGM 1_1 ping SGM 2_1 on the Sync network: ping 192.0.2.15
    If the ping fails, check that VLANs 3600 and 3601 (the site-sync VLANs) are carried between the sites.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
