In the last two articles (, ) we have considered the principle of operation , as well as the technical and economic advantages of this solution. Now I would like to move on to a specific example and describe a possible scenario for implementing Check Point Maestro. I will show a typical specification as well as a network topology (L1, L2 and L3 diagrams) using Maestro. In fact, you will see a ready-made standard project.
Suppose we decide that we will use the Check Point Maestro scalable platform. To do this, take a bundle of three 6500 gateways and two orchestrators (for complete fault tolerance) - CPAP-MHS-6503-TURBO + CPAP-MHO-140. The physical connection diagram (L1) will look like this:
Please note that it is mandatory to connect the Management ports of the orchestrators, which are located on the rear panel.
I suspect that a lot of things may not be very clear from this picture, so Iβll immediately give a typical diagram of the second level of the OSI model:
A few key points about the scheme:
- Two orchestrators are usually installed between core switches and external switches. Those. physical isolation of the Internet segment.
- It is assumed that the βcoreβ is a stack (or VSS) of two switches on which a PortChannel of 4 ports is organized. For Full HA, each orchestrator connects to each switch. Although you can use one link at a time, as is done with VLAN 5 - network management (red links).
- The links responsible for the transmission of productive traffic (yellow) are connected to 10 gigabit ports. For this, SFP modules are used - CPAC-TR-10SR-B
- In a similar (Full HA) way, orchestrators are connected to external switches (blue links), but using gigabit ports and the corresponding SFP modules - CPAC-TR-1T-B.
The gateways themselves are connected to each of the orchestrators using special DAC cables that come with the kit (Direct Attach Cable (DAC), 1m - CPAC-DAC-10G-1M):
As you can see from the diagram, there must be a synchronization connection between the orchestrators (pink links). The required cable is also included. The final specification looks like this:
Unfortunately, I cannot publish prices in the public domain. But you can always .
As for the L3 scheme, it looks much simpler:
As you can see, all gateways at the third level look like a single device. Access to the orchestrators is only available through the Management network.
This concludes our short article. If you have questions about the schemes or you need source codes, then leave comments or .
In the next article, we will try to show how Check Point Maestro deals with balancing and perform load testing. So stay tuned, , , )!
PS I express my gratitude to Anatoly Masover and Ilya Anokhin (Check Point company) for their help in preparing these schemes!
Source: habr.com