Erwin
Contributor

How to create vlan on eth2-05 interface via clish on primary MHO

Hi experts,

I want to create the following configuration via clish, by connecting to one MHO only.
(Single-site DUAL-MHO setup, R80.20SP)

2020-05-23_21-00-30.png

I can create vlan 100 on eth1-05 and vlan 200 on eth1-06, but I can not configure the vlans for eth2-05 and eth2-06 interfaces.
It looks like the MHO has no "access" to the interfaces on the other MHO.
As you can see in the output below, I can configure the interfaces of the local MHO, but not of the other MHO.

MHO-1> add maestro port 1/5/1 vlan 100

MHO-1> add maestro port 2/5/1 vlan 100
NMSSG0001 Port 2/5/1 is invalid.
add maestro port 2/5/1
------------^^^^^^^^^^

MHO-1> add maestro port <TAB>

1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

note:
I found out that I can connect to the other MHO and issue the "add maestro port 1/5/1 vlan 100" command to make it create the eth2-05.100 interface. I do not want to ssh around to all MHOs.

How can I build this SG via clish?

Thanks,
Erwin

0 Kudos

Accepted Solutions
Erwin
Contributor

I just got confirmation that this is a known limitation.

  • I should assign vlans to 1/x/y interfaces via clish on MHO-1
  • I should assign vlans to 2/x/y interfaces via clish on MHO-2
  • Or I should use the WebUI

Intermediate solution 1 is to use trunk-mode (sk165172), however this has some limitations.

Intermediate solution 2 is to assign only eth1-05 + eth2-05 to the SG and not define vlan interfaces.
This will forward all tagged and untagged traffic to the SG. (sk165172)

Both solutions seem to have the limitation that you can not use "auto-topology" as the distribution-mode.


In future JHF releases the procedure where you have to assign vlans on MHO-level and SMO-level will be improved so that you have to assign vlans once. We have to watch upcoming release notes for that small improvement.

 

Thanks @MartijnElzenaar


9 Replies
Erwin
Contributor

After upgrading the MHOs to Jumbo-take-273 the challenge remains, however the interface numbering on MHO-2 is improved:

On R80.20SP:

MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO-2> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

 

On R80.20SP + take 273:

MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO-2> add maestro port <TAB>
2/42/1 2/48/1 2/43/1 2/55/1 2/56/1 2/49/1 2/51/1 2/24/1 2/25/1
2/26/1 2/27/1 2/20/1 2/21/1 2/22/1 2/23/1 2/46/1 2/47/1 2/44/1
2/45/1 2/28/1 2/29/1 2/40/1 2/41/1 2/1/1 2/3/1 2/2/1 2/5/1
2/4/1 2/7/1 2/6/1 2/9/1 2/8/1 2/50/1 2/39/1 2/38/1 2/54/1
2/11/1 2/10/1 2/13/1 2/12/1 2/15/1 2/14/1 2/17/1 2/16/1 2/19/1
2/18/1 2/31/1 2/30/1 2/37/1 2/36/1 2/35/1 2/34/1 2/33/1 2/52/1
2/32/1 2/53/1

 

Still curious how to add a vlan for 2/5/1 from within clish on the MHO-1 . . .

0 Kudos
Chris_Atkinson
Employee

How are the MHOs connected to one another and have you set up any host access restrictions?

 

Example procedure:

https://sc1.checkpoint.com/documents/R80.30SP/WebAdminGuides/EN/CP_R80.30SP_Maestro_GettingStartedGu...

CCSM R77/R80/ELITE
0 Kudos
Erwin
Contributor

There are no restrictions applied. See below the configuration applied to both MHOs.
Configuration can be successfully done via the WebUI, so I do not expect a cabling issue.
(port 48 is used between MHO-1 and MHO-2 as required by single-site dual-mho setup)


MHO-1 config statements:

set hostname MHO-1
set interface Mgmt1 ipv4-address 172.23.9.31 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config

MHO-2 config statements:

set hostname MHO-2
set interface Mgmt1 ipv4-address 172.23.9.32 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config

I studied the referenced documentation. In the documentation there is no example of how to add a vlan to an interface of the other MHO.

I have the feeling that you can only do "set maestro port 1/x/y . . . " commands on MHO-1 and only "set maestro port 2/x/y . . . " commands on MHO-2.

 

 

0 Kudos
Chris_Atkinson
Employee

Was it added before and you removed it and how?

Please test on another port/interface/vlan that has not yet been added to the security group before.

Example.png

CCSM R77/R80/ELITE
0 Kudos
Erwin
Contributor

Hi Chris,

I think I did not explain the issue correctly, so I will try to show as clearly as possible that the interfaces can not reference the port 2/*/* numbers from the clish on MHO-1.

Let's take port eth2-05 as an example: (from a working configuration)
208_1.png

I'll:
- remove the vlan
- apply the change

208_2.png

We now have this as a starting point:

208_3.png

Here you can see that I do not have access to the 2/* ports from clish on the MHO-1.

3.gif

So the only way to configure port 2/5 is to do it on MHO-2?

Thanks,

Erwin

 

0 Kudos
Yasushi_Kono1
Contributor

Hi Erwin,

I am curious if you got some clarification in the meantime.

What happens if you type the following command:

MHO-1> add maestro security-group id 1 interface [TAB]

?

Can you only see the interfaces associated to the local orchestrator?

Kind regards,

Yasushi

 

0 Kudos
Erwin
Contributor

Hi Yasushi,

I do not have a dual-MHO setup at hand, so I can not tell you.
The issue is not relevant anymore. When you are using trunk-mode you do not have to assign a vlan to a port.

Good luck!

0 Kudos
Maarten_Sjouw
Champion

If you installed the latest Jumbos there is no need to, and you should not, add the VLANs on the MHO interfaces. You just add them to the interfaces in the Security Group(s) or, if you use VSX, in the Virtual Systems. With the latest JHF you will even be shown the assigned VLANs when you hover over the assigned interfaces on the MHO WebUI.

Regards, Maarten
0 Kudos