topic Re: Zero touch and 1500 appliances in Spark Firewall (SMB)

Zero touch and 1500 appliances

Greg_Harbers — Fri, 22 May 2020 05:31:27 GMT

Hi All,

Has anyone done anything with the zerotouch deployment service and 1500 series appliances, specifically around defined addresses on vlan sub interfaces.

the clish script I am deploying sets ntp servers, dns settings, adminstrators etc all successfully, and creates some vlan sub interfaces. These parts all work perfectly, however thus far any attempt to set an ip address on the vlan interfaces fails, and the interfaces are always assigned a 192.168.x.x address

eg, zero touch script has this...

add interface LAN1 vlan 100
set interface LAN1.100 state on
set dhcp server interface "LAN1.100" disable
set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
set interface "LAN1.100" description "Trusted_VLAN100"

I end up with this...

set interface "LAN1.100" ipv4-address "192.168.200.1" subnet-mask "255.255.255.0"
add interface "ASSIGNMENT.SEPARATE_NETWORK" vlan "100" ipv4-address "192.168.200.1" mask-length "24"
set interface "LAN1.100" mtu "1500" 802dot1x-authentication "off" 802dot1x-re-authentication-frequency "0" lan-mac-filtering "on"
set dhcp server interface "LAN1.100" dns "auto"
set interface "LAN1.100" exclude-from-dns-proxy "off"
set interface "LAN1.100" lan-access "accept" lan-access-track "log"
set dhcp server interface "LAN1.100" assign-addresses-for-known-hosts-only "off"
set dhcp server interface "LAN1.100" lease-time "4"
set dhcp server interface "LAN1.100" include-ip-pool "192.168.200.1-192.168.200.254"
set interface "LAN1.100" hotspot "off"

Once the gateway is built and I run this command from clish

set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"

I will get this....

set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
add interface "ASSIGNMENT.SEPARATE_NETWORK" vlan "100" ipv4-address "10.100.100.1" mask-length "24"
set interface "LAN1.100" mtu "1500" 802dot1x-authentication "off" 802dot1x-re-authentication-frequency "0" lan-mac-filtering "on"
set dhcp server interface "LAN1.100" dns "auto"
set interface "LAN1.100" exclude-from-dns-proxy "off"
set interface "LAN1.100" lan-access "accept" lan-access-track "log"
set dhcp server interface "LAN1.100" assign-addresses-for-known-hosts-only "off"
set dhcp server interface "LAN1.100" lease-time "4"
set dhcp server interface "LAN1.100" include-ip-pool "192.168.200.1-192.168.200.254"
set interface "LAN1.100" hotspot "off"

One thing I need to determine is if this problem is just limited to vlan interfaces, or all interfaces, will test that and update when I have know the results

Any assistance would be appreciated

Regards

Greg

Re: Zero touch and 1500 appliances

alexeyn — Sun, 24 May 2020 11:37:12 GMT

Hi Greg,

Have you tried to delete LAN1 switch before assigning vlan? (delete switch LAN1_Switch)

Are those commands work for different LAN interface?

Thanks,

Alexey

Re: Zero touch and 1500 appliances

Greg_Harbers — Sun, 24 May 2020 20:45:16 GMT

Hi Alexei,

This is what I have in the script....

delete interface LAN1_Switch
set interface LAN1 unassigned
set interface LAN1 state on
set dhcp server interface LAN1 disable

add interface LAN1 vlan 100
set interface LAN1.100 state on
add interface LAN1 vlan 101
set interface LAN1.101 state on

set dhcp server interface "LAN1.100" disable
set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
set interface "LAN1.100" description "VLAN100"

set dhcp server interface "LAN1.612" disable
set interface "LAN1.101" ipv4-address "10.100.110.1" subnet-mask "255.255.255.0"
set interface "LAN1.101" description "VLAN101"

Note that the vlan interfaces are being created correctly, it is simply the addressing and descriptions that are not being applied. Once the device has completed the build and I logon via the console, I am able to paste the commands in as above and the addresses and descriptions are applied.

Thanks

Greg

Re: Zero touch and 1500 appliances

Maarten_Sjouw — Mon, 25 May 2020 06:47:03 GMT

A typo in the second VLAN?

set dhcp server interface "LAN1.612" disable
set interface "LAN1.101" ipv4-address "10.100.110.1" subnet-mask "255.255.255.0"
set interface "LAN1.101" description "VLAN101"