Shared Uplink Ports on a Maestro Security Group
You can assign each uplink interface to multiple Security Groups, with different VLANs assigned to the interface on each Security Group. For example: you can assign eth1-05 to Security Groups 3 and 4, with VLAN interface eth1-05.30 configured on Security Group 3, and VLAN interface eth1-05.40 configured on Security Group 4.
Prerequisites
- R82 must be installed on the Management Server.
- R82 must be installed on the Maestro Orchestrators.
- R82 must be installed on all Security Appliances in the Security Group.
Known Limitations
- LACP mode is not supported on a MAGG (bond of Management interfaces) that is shared between different Security Groups.
- Having an LACP bond shared between multiple Security Groups decreases the segregation between these Security Groups, because only one Security Group (the one with the lowest ID among those that hold the shared interfaces) performs the LACP negotiation with the external switch on behalf of all of them. For example, if Security Group 3 and Security Group 4 share eth1-05 and eth2-05 as subordinates of an LACP bond, and for some reason Security Group 3 stops sending LACP packets to the external switch, then traffic in VLAN interface eth1-05.40 (which belongs to Security Group 4) could be affected. Using shared bonds in other bond modes (for example: XOR) does not decrease the segregation.
Requirements for LACP bond that contains shared interfaces
If a shared uplink interface is part of an LACP bond in a Security Group, then this shared uplink interface must be part of an identical LACP bond in every Security Group to which it is assigned.
Example:
- eth1-05 is assigned to Security Group 3.
- eth1-05 is a subordinate of bond1.30, which is an LACP bond in Security Group 3.
- eth1-05 is assigned to Security Group 4.
In such a scenario, eth1-05 in Security Group 4 must also be part of an LACP bond.
In the configuration example above, this configuration would be incorrect:
- bond1.30 is an LACP bond in Security Group 3, and it contains eth1-05.
- bond1.40 is a non-LACP bond in Security Group 4, and it contains eth1-05.
Every LACP bond that contains shared interfaces must have exactly the same configuration in each Security Group to which it belongs. The LACP bond must have the same subordinate interfaces, in the same order.
In the configuration example above, if the order of subordinate interfaces in bond1.30 is "eth1-05, eth2-05", then the order of subordinate interfaces in bond1.40 must also be "eth1-05, eth2-05".
Configuration
Configuring an LACP bond that contains shared uplink interfaces
To create a bond interface with subordinate interfaces that are shared between Security Groups, first enable the shared uplinks feature on all the Security Groups that share the bond, using Gaia Clish on the Maestro Orchestrator. Then assign the subordinate interfaces to each of these Security Groups through the Maestro Orchestrator's Gaia Portal or Gaia Clish. Finally, configure the bond in each Security Group (using the Gaia gClish shell), with a different VLAN interface on top of the bond in each Security Group.
The Security Group with the lowest ID, which has been assigned the shared subordinate interfaces, is responsible for the LACP negotiation for these interfaces.
For example, to share a bond interface with subordinate interfaces eth1-05 and eth2-05 between Security Group 3 and Security Group 4:
- On the Maestro Orchestrator:
  - Enable the shared uplinks feature on Security Group 3 and Security Group 4:
    MHO_1_1> set maestro security-group id 3 shared-uplinks state enabled
    MHO_1_1> set maestro security-group id 4 shared-uplinks state enabled
  - Apply the configuration:
    MHO_1_1> set maestro security-group apply-new-config
- On the Maestro Orchestrator (in Gaia Portal or Gaia Clish):
  - Assign interface eth1-05 to Security Group 3.
  - Assign interface eth2-05 to Security Group 3.
  - Assign interface eth1-05 to Security Group 4.
  - Assign interface eth2-05 to Security Group 4.
- In both Security Group 3 and Security Group 4:
  - Connect to the command line of the Security Group.
  - Log in.
  - If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish: gclish
  - Create a bonding group that contains the physical interfaces eth1-05 and eth2-05. Add the subordinate interfaces in the same order in every Security Group.
    Note - The bonding group ID does not have to be identical in the different Security Groups.
    In Security Group 3, run:
    [Global] sg3-s01-01 > add bonding group 1 interface eth1-05
    [Global] sg3-s01-01 > add bonding group 1 interface eth2-05
    [Global] sg3-s01-01 > set bonding group 1 mode 8023AD
    In Security Group 4, run:
    [Global] sg4-s01-01 > add bonding group 1 interface eth1-05
    [Global] sg4-s01-01 > add bonding group 1 interface eth2-05
    [Global] sg4-s01-01 > set bonding group 1 mode 8023AD
  - Create a VLAN interface on top of the bond interface.
    In Security Group 3, run:
    [Global] sg3-s01-01 > add interface bond1 vlan 30
    In Security Group 4, run:
    [Global] sg4-s01-01 > add interface bond1 vlan 40
  - Configure IP addresses for the bond VLAN interfaces.
- Update the Security Gateway objects in SmartConsole:
  - From the left navigation panel, click Gateways & Servers.
  - Open the Security Gateway object for each Security Group.
  - In the left panel, click Network Management > Topology.
  - From the top, click Get Interfaces > Get Interfaces with topology.
  - Click Close to approve the new topology (example: bond1.30).
  - If required, edit the interface to configure its topology settings.
  - Click OK to close the Security Gateway object.
- Install the Access Control Policy.
  This also updates the Orchestrator's configuration.
- The Orchestrator starts to forward the tagged traffic to the Security Groups. According to the above configuration:
  - Each packet that arrives on eth1-05 or eth2-05 tagged with VLAN 30 (VLAN interfaces eth1-05.30 and eth2-05.30) is forwarded to Security Group 3.
  - Each packet that arrives on eth1-05 or eth2-05 tagged with VLAN 40 (VLAN interfaces eth1-05.40 and eth2-05.40) is forwarded to Security Group 4.
LACP bond verification
To make sure an LACP bond, which contains shared interfaces, is configured correctly, run this command from the Maestro Orchestrator (in the Expert mode):
Removing subordinate interfaces from LACP bonds
When a subordinate interface is added to an LACP bond interface, it is assigned an index called "Port Number".
For example, the first subordinate added to bond1 is assigned the Port Number 1, the second subordinate added to bond1 is assigned the Port Number 2, and so on.
When subordinate interfaces are removed from an LACP bond, the remaining subordinate interfaces in the bond keep sending LACP PDUs with the original Port Number that was assigned when each subordinate interface was added to the bond.
Example
- In Security Group 1:
  - The physical interfaces were added to bond1 in this order: eth1-05, eth1-06, eth1-07, and eth1-08.
    This means that eth1-05 has Port Number 1, eth1-06 has Port Number 2, eth1-07 has Port Number 3, and eth1-08 has Port Number 4.
  - Later, subordinate interfaces eth1-05 and eth1-06 were removed from bond1.
    In this scenario, subordinate interface eth1-07 still has Port Number 3, and subordinate interface eth1-08 still has Port Number 4 in the LACP PDUs they send to an external switch.
- In Security Group 2:
  - The physical interfaces were added to bond1 in this order: eth1-07 and eth1-08.
    This means that eth1-07 has Port Number 1, and eth1-08 has Port Number 2.
  - No subordinate interfaces were removed from bond1.
    In this scenario, subordinate interface eth1-07 has Port Number 1, and subordinate interface eth1-08 has Port Number 2 in the LACP PDUs they send to an external switch.
This inconsistency can cause traffic loss. Therefore, all bonds that use shared subordinates must be created in exactly the same way. In the example above, this means that the bonds in Security Group 1 and Security Group 2 must be created as follows:
- In Security Group 1:
  - Create bond1.
  - Add eth1-07 to bond1.
  - Add eth1-08 to bond1.
- In Security Group 2:
  - Create bond1.
  - Add eth1-07 to bond1.
  - Add eth1-08 to bond1.
If subordinate interfaces eth1-05 and eth1-06 must be removed from bond1 in Security Group 1, then bond1 in Security Group 1 must be recreated from scratch to match the configuration of bond1 in Security Group 2.
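The following Python script is an added example, not Check Point code and not part of this page. It models, for offline review before a change window, the two rules this page states for shared uplinks in LACP bonds: a shared subordinate must sit in an LACP bond with the same subordinates in the same order in every Security Group that has it (the "Requirements for LACP bond that contains shared interfaces" section), and Port Numbers are handed out in add order and are not renumbered when a subordinate is removed, so they must be derived from the bond's full add/delete history rather than from its current member list (the example directly above). Bond histories are constructed inline from the page's Security Group 1 and 2 scenario; nothing is read from a live system. The mode name 8023AD is the one used in the gClish commands on this page. One assumption not stated on the page: a subordinate that is removed and added again receives the next unused Port Number, like any other add.

```python
from dataclasses import dataclass, field

LACP = "8023AD"  # Gaia bonding mode name for LACP, as in the gClish commands on this page


@dataclass
class Bond:
    """One bonding group in one Security Group, recorded as its add/delete history."""
    sg: int
    name: str
    mode: str
    history: list = field(default_factory=list)  # ("add" | "delete", interface)

    def add(self, iface: str) -> "Bond":
        self.history.append(("add", iface))
        return self

    def delete(self, iface: str) -> "Bond":
        self.history.append(("delete", iface))
        return self

    def port_numbers(self) -> dict:
        """Port Number per current subordinate.

        Numbers are handed out in add order and never reused: deleting a
        subordinate does not renumber the ones that remain (page behaviour).
        Assumption (not stated on the page): re-adding a removed interface
        gives it the next unused number, like any other add.
        """
        numbers, next_number = {}, 1
        for op, iface in self.history:
            if op == "add":
                numbers[iface] = next_number
                next_number += 1
            else:
                numbers.pop(iface, None)
        return numbers

    def members(self) -> list:
        """Current subordinates, in the order they were added."""
        pn = self.port_numbers()
        return sorted(pn, key=pn.get)


def lacp_negotiator(bonds) -> int:
    """The Security Group with the lowest ID among those holding the shared
    subordinates performs the LACP negotiation (page rule)."""
    return min(b.sg for b in bonds)


def check_shared_bonds(bonds) -> list:
    """Return findings for bonds whose shared subordinates violate the page's
    requirements; an empty list means the bonds are consistent."""
    findings = []

    def note(msg):
        if msg not in findings:  # one finding per bond pair, not per interface
            findings.append(msg)

    holders = {}  # interface -> bonds that currently contain it
    for b in bonds:
        for iface in b.members():
            holders.setdefault(iface, []).append(b)

    for iface, group in holders.items():
        if len(group) < 2:
            continue  # not shared, nothing to compare
        lacp = [b for b in group if b.mode == LACP]
        if not lacp:
            continue  # shared non-LACP bonds carry no LACP state that could diverge
        ref = min(lacp, key=lambda b: b.sg)  # the negotiating Security Group is the reference
        for b in group:
            if b.mode != LACP:
                note(f"{iface}: LACP bond {ref.name} in SG {ref.sg} but "
                     f"{b.mode} bond {b.name} in SG {b.sg}; all must be LACP")
            elif b.members() != ref.members():
                note(f"SG {b.sg} {b.name} subordinates {b.members()} differ from "
                     f"SG {ref.sg} {ref.name} {ref.members()} (same interfaces, same order required)")
            elif b.port_numbers() != ref.port_numbers():
                note(f"SG {b.sg} {b.name} Port Numbers {b.port_numbers()} differ from "
                     f"SG {ref.sg} {ref.name} {ref.port_numbers()}; recreate the bond from scratch")
    return findings


def page_example():
    """The scenario from 'Removing subordinate interfaces from LACP bonds' (constructed)."""
    sg1 = (Bond(1, "bond1", LACP).add("eth1-05").add("eth1-06")
           .add("eth1-07").add("eth1-08").delete("eth1-05").delete("eth1-06"))
    sg2 = Bond(2, "bond1", LACP).add("eth1-07").add("eth1-08")
    before = check_shared_bonds([sg1, sg2])
    # The page's fix: recreate bond1 in Security Group 1 from scratch.
    sg1_recreated = Bond(1, "bond1", LACP).add("eth1-07").add("eth1-08")
    after = check_shared_bonds([sg1_recreated, sg2])
    return before, after


if __name__ == "__main__":
    before, after = page_example()
    print("\n".join(before) or "consistent")
    print("after recreating bond1 in SG 1:", after or "consistent")
```

The script deliberately takes the add/delete history as input rather than the current member list: two bonds that look identical in a configuration dump can still advertise different Port Numbers if one of them once had subordinates removed, which is exactly the case the page warns about.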
Removing an LACP bond that contains shared uplink interfaces from a Security Group
To remove a bond interface whose subordinate interfaces are shared between Security Groups, first remove the bond interface in the Security Group, and only afterwards remove the shared interfaces from that Security Group on the Orchestrator.
Example:
- In Security Group 3:
  - bond1 is an LACP bond.
  - bond1 contains subordinate interfaces eth1-05 and eth2-05.
  - bond1.30 is a VLAN interface on top of bond1.
- Security Group 4 has the same bond1 (subordinates eth1-05 and eth2-05) with VLAN interface bond1.40 on top of it.
Goal: Remove bond1 in Security Group 4.
Procedure:
- In Security Group 4:
  - Connect to the command line of Security Group 4.
  - Log in.
  - If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish: gclish
  - Remove the VLAN 40 interface from bond1:
    [Global] sg4-s01-01 > delete interface bond1 vlan 40
  - Remove the subordinate interfaces eth1-05 and eth2-05 from bond1:
    [Global] sg4-s01-01 > delete bonding group 1 interface eth1-05
    [Global] sg4-s01-01 > delete bonding group 1 interface eth2-05
  - Remove bond1:
    [Global] sg4-s01-01 > delete bonding group 1
- On the Maestro Orchestrator (in Gaia Portal or Gaia Clish):
  - Remove interface eth1-05 from Security Group 4.
  - Remove interface eth2-05 from Security Group 4.