Configuring Link State Propagation (LSP) on a Maestro Orchestrator

Introduction to LSP

Example traffic flow from a Client to a Server through a Maestro Security Group:

(Client) > (Switch) > (Port 4 on Orchestrator) > (Security Group) > (Port 6 on Orchestrator) > (Switch) > (Server)

  • If Port 4 on the Orchestrator goes down, traffic outage occurs.

  • If Port 6 on the Orchestrator goes down, traffic outage occurs.

With the Link State Propagation (LSP) feature, you can configure these two required ports on the Orchestrator (Port 4 and Port 6) as one LSP Group.

If one of the ports in the LSP Group goes down, then all other ports in the LSP Group go down. As a result, the surrounding switches will not forward traffic for these ports. This eliminates or limits the traffic outage.

Configuration

You configure the LSP Groups in Gaia Clish on the Orchestrator.

Notes:

  • You must configure the LSP settings manually on each Orchestrator on each Maestro Site.

  • The log file is: /var/log/lsp_cli.log

Syntax to add a new LSP Group

add maestro lsp

      group <1-1024> [<Port Number 1>,<Port Number 2>,<...>,<Port Number N>]

Syntax to configure an existing LSP Group

set maestro lsp

      apply

      group <1-1024> ports <Port Number 1>,<Port Number 2>,<...>,<Port Number N>

      revert

      state {on | off}

Syntax to show LSP configuration

show maestro lsp

      configuration {all | group <1-1024>}

      history <1-1000>

      status

Syntax to delete an existing LSP Group or ports from an LSP Group

delete maestro lsp

      group <1-1024> [port <Port Number 1>,<Port Number 2>,<...>,<Port Number N>]

Parameters

Parameter

Description

apply

Applies the changes in the LSP configuration.

group <1-1024>

Specifies the ID of the LSP Group.

Important - The "set maestro lsp group" command overwrites the LSP Group if such LSP Group ID already exists.

ports <Port>,<Port>,...

Specifies the IDs of the Orchestrator Ports.

Press the TAB key to see the available port numbers.

To add multiple ports, separate them with commas (,) without spaces.

revert

Reverts the changes in the LSP configuration that were not applied yet.

state {on | off}

Enables (on) and disables (off) the LSP configuration.

configuration {all | group <1-1024>}

Shows the LSP configuration for all LSP Groups or only for the specified LSP Group.

The output shows the applied configuration and the changes that were not applied yet.

history <1-1000>

Shows the specified number of the recent LSP events from this log file:

/var/log/lsp_history.log

The output table shows these columns:

  • Time: When the event happened.

  • Port: The port on which the event has been received.

  • Event: The event that occurred.

  • Group: The affected LSP group.

  • Group Status: The reflection of the event on the LSP group state.

 

LSP events (event, then its meaning):

  • Down: The port state changed from "up" to "down".

  • admin-down: The port state changed from "up" to "administratively down". The LSP mechanism forces this state to manage the LSP Groups.

  • recovered down->up: The port state changed from "down" to "up".

  • moved to admin-down, preparing for group recovery: The port state changed from "up" to "administratively down" to prepare the LSP Group for recovery.

  • moved to admin-up: The port state changed from "administratively down" to "administratively up" after preparing the LSP Group for recovery.

  • has recovered after <Time in Seconds>: The port state changed (recovered) from "down" to "up" after the specified number of seconds.

  • found down in initializing: While loading the LSP configuration, detected a port in the state "down".

  • admin-down in initializing: While loading the LSP configuration, detected a port in the state "down" and changed its state from "down" to "administratively down".

  • Configuration change event received: LSP configuration changed for this specific LSP Group.

  • Resetting ports monitoring: While loading the LSP configuration, started to reassess the port states (not per port event).

status

Shows:

  1. The status of the LSP daemon.

  2. If there are configuration changes that were not applied yet.

Workflow

  1. Connect to the command line on each Orchestrator.

  2. Log in.

  3. If your default shell is the Expert mode, then go to Gaia Clish:

    clish

  4. Create the required LSP Group with the required ports:

    add maestro lsp group <1-1024> ports <Port Number 1>,<Port Number 2>,...,<Port Number N>

  5. Apply the LSP configuration changes:

    set maestro lsp apply

  6. Enable LSP:

    set maestro lsp state on

  7. Examine the LSP configuration:

    show maestro lsp configuration {all | group <1-1024>}
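
Because the LSP settings must be entered manually on each Orchestrator, and "set maestro lsp group" overwrites an existing group, it helps to generate and check the command list once before typing it on every unit. The script below is an added example, not Check Point code: the function name lsp_plan, the sample group 1 with ports 4 and 6, and the set of existing group IDs (which the operator reads from "show maestro lsp configuration all") are assumptions.

```python
# Added example: builds the Gaia Clish command list for the workflow above.
# Sample values are constructed; real port IDs are the ones TAB completion offers.

def lsp_plan(desired, existing_ids=()):
    """Return (commands, warnings) for a dict {group_id: [port_id, ...]}.

    existing_ids: LSP Group IDs already configured on this Orchestrator,
    supplied by the operator.
    """
    commands, warnings = [], []
    for gid, ports in desired.items():
        # The documented group ID range is 1-1024.
        if isinstance(gid, bool) or not isinstance(gid, int) or not 1 <= gid <= 1024:
            raise ValueError(f"group ID {gid!r} is outside 1-1024")
        ports = [str(p) for p in ports]
        # Ports are joined with commas and no spaces, so a port ID itself
        # must not contain either character.
        bad = [p for p in ports if not p or any(c.isspace() or c == "," for c in p)]
        if bad:
            raise ValueError(f"group {gid}: invalid port ID(s) {bad!r}")
        # This example's own sanity check, not a documented CLI rule.
        if len(set(ports)) != len(ports):
            raise ValueError(f"group {gid}: duplicate port in list")
        if len(ports) < 2:
            warnings.append(f"group {gid}: a single port has no other port to bring down")
        port_list = ",".join(ports)
        if gid in existing_ids:
            # 'set ... group' replaces the whole group, so flag it for review.
            warnings.append(f"group {gid}: already exists, 'set' overwrites it")
            commands.append(f"set maestro lsp group {gid} ports {port_list}")
        else:
            commands.append(f"add maestro lsp group {gid} ports {port_list}")
    # Workflow steps 5-7: apply, enable, then examine the result.
    commands += ["set maestro lsp apply",
                 "set maestro lsp state on",
                 "show maestro lsp configuration all"]
    return commands, warnings


# Constructed sample: Port 4 and Port 6 from the traffic-flow example, as group 1.
SAMPLE_DESIRED = {1: ["4", "6"]}

if __name__ == "__main__":
    cmds, warns = lsp_plan(SAMPLE_DESIRED)
    for w in warns:
        print("WARNING:", w)
    print("\n".join(cmds))
```

Run the same generated list on each Orchestrator at each Maestro Site so that the LSP Groups stay identical across units.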