Iron

How to create vlan on eth2-05 interface via clish on primary MHO

Hi experts,

I want to create the following configuration via clish, by connecting to one MHO only.
(Single-site DUAL-MHO setup, R80.20SP)

2020-05-23_21-00-30.png

I can create vlan 100 on eth1-05 and vlan 200 on eth1-06, but I cannot configure the vlans for the eth2-05 and eth2-06 interfaces.
It looks like the MHO has no "access" to the interfaces on the other MHO.
As you can see in the output below, I can configure the interfaces of the local MHO, but not of the other MHO.

MHO-1> add maestro port 1/5/1 vlan 100

MHO-1> add maestro port 2/5/1 vlan 100
NMSSG0001 Port 2/5/1 is invalid.
add maestro port 2/5/1
------------^^^^^^^^^^

MHO-1> add maestro port <TAB>

1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

Note:
I found out that I can connect to the other MHO and issue the "add maestro port 1/5/1 vlan 100" command to make it create the eth2-05.100 interface. I do not want to ssh around to all MHOs.

How can I build this SG via clish?

Thanks,
Erwin

Accepted Solutions
Iron

Re: How to create vlan on eth2-05 interface via clish on primary MHO

I just got confirmation that this is a known limitation.

  • I should assign vlans to 1/x/y interfaces via clish on MHO-1
  • I should assign vlans to 2/x/y interfaces via clish on MHO-2
  • Or I should use the WebUI

Intermediate solution 1 is to use trunk-mode (sk165172); however, this has some limitations.

Intermediate solution 2 is to assign only eth1-05 + eth2-05 to the SG and not define vlan interfaces.
This will forward all tagged and untagged traffic to the SG. (sk165172)

Both solutions seem to have the limitation that you cannot use "auto-topology" as the distribution-mode.

In future JHF releases the procedure where you have to assign vlans on MHO-level and SMO-level will be improved so that you have to assign vlans once. We have to watch upcoming release notes for that small improvement.

Thanks @MartijnElzenaar

6 Replies
Iron

Re: How to create vlan on eth2-05 interface via clish on primary MHO

After upgrading the MHOs to Jumbo-take-273 the challenge remains; however, the interface numbering on MHO-2 is improved:

On R80.20SP:

MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO-2> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

 

On R80.20SP + take 273:

MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO-2> add maestro port <TAB>
2/42/1 2/48/1 2/43/1 2/55/1 2/56/1 2/49/1 2/51/1 2/24/1 2/25/1
2/26/1 2/27/1 2/20/1 2/21/1 2/22/1 2/23/1 2/46/1 2/47/1 2/44/1
2/45/1 2/28/1 2/29/1 2/40/1 2/41/1 2/1/1 2/3/1 2/2/1 2/5/1
2/4/1 2/7/1 2/6/1 2/9/1 2/8/1 2/50/1 2/39/1 2/38/1 2/54/1
2/11/1 2/10/1 2/13/1 2/12/1 2/15/1 2/14/1 2/17/1 2/16/1 2/19/1
2/18/1 2/31/1 2/30/1 2/37/1 2/36/1 2/35/1 2/34/1 2/33/1 2/52/1
2/32/1 2/53/1

 

Still curious how to add a vlan for 2/5/1 from within clish on MHO-1 ...
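
As an added example (not part of the original thread and not Check Point code): a small Python planner that sorts wanted VLAN assignments by the MHO whose clish has to run them, following the limitation confirmed in the accepted solution and covering both port numberings shown in the listings above. The mapping from eth<MHO>-<port> to <MHO>/<port>/1, the 1-56 port range and the sample assignments are assumptions taken from the thread's output.

```python
import re
from collections import defaultdict

# Assumptions (not from Check Point documentation): interface names look like
# eth<MHO>-<port>, and the third field of a Maestro port ID is always 1, as in
# every port shown in the thread's <TAB> listings.
IFACE_RE = re.compile(r"^eth([12])-(\d{1,2})$")


def maestro_port(iface, per_mho_numbering=True):
    """Return (mho, port_id) for an interface name such as 'eth2-05'.

    per_mho_numbering=True:  MHO-2 lists its own ports as 2/x/1 (take 273 listing).
    per_mho_numbering=False: MHO-2 lists its own ports as 1/x/1 (base R80.20SP listing).
    """
    m = IFACE_RE.match(iface)
    if not m:
        raise ValueError(f"unexpected interface name: {iface!r}")
    mho, port = int(m.group(1)), int(m.group(2))
    if not 1 <= port <= 56:  # highest port number in the listings
        raise ValueError(f"port out of range in {iface!r}")
    first_field = mho if per_mho_numbering else 1
    return mho, f"{first_field}/{port}/1"


def plan(assignments, per_mho_numbering=True):
    """Group 'add maestro port' commands by the MHO whose clish must run them."""
    by_mho = defaultdict(list)
    for iface, vlan in assignments:
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN ID: {vlan}")
        mho, port_id = maestro_port(iface, per_mho_numbering)
        by_mho[f"MHO-{mho}"].append(f"add maestro port {port_id} vlan {vlan}")
    return dict(by_mho)


# Constructed input modelled on the setup in the question.
WANTED = [("eth1-05", 100), ("eth1-06", 200), ("eth2-05", 100), ("eth2-06", 200)]

if __name__ == "__main__":
    for mho, commands in sorted(plan(WANTED).items()):
        print(f"# run in clish on {mho}")
        print("\n".join(commands))
```

Each group still has to be entered on its own MHO; the script only prepares the command lists so nothing for a 2/x/y port is attempted on MHO-1.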

Employee++

Re: How to create vlan on eth2-05 interface via clish on primary MHO

How are the MHOs connected to one another, and have you set up any host access restrictions?

Example procedure:

https://sc1.checkpoint.com/documents/R80.30SP/WebAdminGuides/EN/CP_R80.30SP_Maestro_GettingStartedGu...

Iron

Re: How to create vlan on eth2-05 interface via clish on primary MHO

There are no restrictions applied. See below the configuration applied to both MHOs.
Configuration can be successfully done via the WebUI, so I do not expect a cabling issue.
(Port 48 is used between MHO-1 and MHO-2 as required by the single-site dual-MHO setup.)

MHO-1 config statements:

set hostname MHO-1
set interface Mgmt1 ipv4-address 172.23.9.31 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config

MHO-2 config statements:

set hostname MHO-2
set interface Mgmt1 ipv4-address 172.23.9.32 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config

I studied the referenced documentation. In the documentation there is no example of how to add a vlan to an interface of the other MHO.

I have the feeling that you can only do "set maestro port 1/x/y . . . " commands on MHO-1 and only "set maestro port 2/x/y . . . " commands on MHO-2.

 

 

Employee++

Re: How to create vlan on eth2-05 interface via clish on primary MHO

Was it added before, and did you remove it, and how?

Please test on another port/interface/vlan that has not yet been added to the security group before.

Example.png

Iron

Re: How to create vlan on eth2-05 interface via clish on primary MHO

Hi Chris,

I think I did not explain the issue correctly, so I'll try to show as clearly as possible that the interfaces cannot reference the port 2/*/* numbers from the clish on MHO-1.

Let's take port eth2-05 as an example: (from a working configuration)
208_1.png

I'll:
- remove the vlan
- apply the change

208_2.png

We now have this as a starting point:

208_3.png

Here you can see that I do not have access to the 2/* ports from clish on MHO-1.

3.gif

So the only way to configure port 2/5 is to do it on MHO-2?

Thanks,

Erwin

 
