Hi experts,
I want to create the following configuration via clish, by connecting to one MHO only.
(Single-site DUAL-MHO setup, R80.20SP)
I can create vlan 100 on eth1-05 and vlan 200 on eth1-06, but I can not configure the vlans for eth2-05 and eth2-06 interfaces.
It looks like the MHO has no "access" to the interfaces on the other MHO.
As you can see in the output below, I can configure the interfaces of the local MHO, but not those of the other MHO.
MHO-1> add maestro port 1/5/1 vlan 100
MHO-1> add maestro port 2/5/1 vlan 100
NMSSG0001 Port 2/5/1 is invalid.
add maestro port 2/5/1
------------^^^^^^^^^^
MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1
Note:
I found out that I can connect to the other MHO and issue the "add maestro port 1/5/1 vlan 100" command to make it create the eth2-05.100 interface. I do not want to ssh around to all MHOs.
How can I build this SG via clish?
Thanks,
Erwin
I just got confirmed that this is a known limitation.
Intermediate solution 1 is to use trunk-mode (sk165172), however this has some limitations.
Intermediate solution 2 is to assign only eth1-05 + eth2-05 to the SG and not define vlan interfaces.
This will forward all tagged and untagged traffic to the SG. (sk165172)
Both solutions seem to have the limitation that you can not use "auto-topology" as the distribution-mode.
In future JHF releases the procedure where you have to assign vlans on MHO-level and SMO-level will be improved so that you have to assign vlans once. We have to watch upcoming release notes for that small improvement.
Thanks @MartijnElzenaar
After upgrading the MHOs to Jumbo take 273 the challenge remains; however, the interface numbering on MHO-2 is improved:
On R80.20SP:
MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1
MHO-2> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1
On R80.20SP + take 273:
MHO-1> add maestro port <TAB>
1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1
MHO-2> add maestro port <TAB>
2/42/1 2/48/1 2/43/1 2/55/1 2/56/1 2/49/1 2/51/1 2/24/1 2/25/1
2/26/1 2/27/1 2/20/1 2/21/1 2/22/1 2/23/1 2/46/1 2/47/1 2/44/1
2/45/1 2/28/1 2/29/1 2/40/1 2/41/1 2/1/1 2/3/1 2/2/1 2/5/1
2/4/1 2/7/1 2/6/1 2/9/1 2/8/1 2/50/1 2/39/1 2/38/1 2/54/1
2/11/1 2/10/1 2/13/1 2/12/1 2/15/1 2/14/1 2/17/1 2/16/1 2/19/1
2/18/1 2/31/1 2/30/1 2/37/1 2/36/1 2/35/1 2/34/1 2/33/1 2/52/1
2/32/1 2/53/1
Still curious how to add a vlan for 2/5/1 from within clish on MHO-1 . . .
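As an added example (not from this thread or from Check Point), a small Python helper that checks a batch of "add maestro port ... vlan ..." lines against an MHO's <TAB> completion output before they are pasted into that MHO's clish, so the port-ownership limitation described in the posts above is caught up front instead of as an NMSSG0001 error. The trimmed completion lists and the eth<MHO>-<slot>.<vlan> naming are taken from the outputs quoted in the thread; the MHO number is passed in explicitly because, before take 273, MHO-2 still lists its ports as 1/x/1.

```python
import re

# Constructed sample data, trimmed from the <TAB> completion lists quoted in the thread:
# MHO-1 on R80.20SP offers only 1/x/1 ports, MHO-2 on take 273 offers 2/x/1 ports.
MHO1_COMPLETION = "1/42/1 1/48/1 1/5/1 1/6/1 1/1/1 1/56/1"
MHO2_COMPLETION = "2/42/1 2/48/1 2/5/1 2/6/1 2/1/1 2/56/1"

PORT_RE = re.compile(r"^(\d+)/(\d+)/(\d+)$")
CMD_RE = re.compile(r"^add maestro port (\S+) vlan (\d+)$")

def parse_completion(text):
    """Port ids an MHO offers for 'add maestro port', taken from its completion output."""
    return {tok for tok in text.split() if PORT_RE.match(tok)}

def interface_name(local_mho, port, vlan):
    """VLAN interface a command creates, e.g. on MHO-2, 2/5/1 + vlan 100 -> eth2-05.100.
    The name carries the number of the MHO the command runs on: before take 273 MHO-2
    still listed its ports as 1/x/1 yet created eth2-xx, as the thread shows."""
    _owner, slot, _sub = PORT_RE.match(port).groups()
    return f"eth{local_mho}-{int(slot):02d}.{vlan}"

def check_commands(local_mho, completion_text, commands):
    """Classify 'add maestro port X vlan Y' lines before pasting them into one MHO's clish.
    Returns (accepted, rejected): accepted maps a command to the interface it creates,
    rejected maps a command to the MHO whose clish has to be used instead."""
    known = parse_completion(completion_text)
    accepted, rejected = {}, {}
    for cmd in commands:
        m = CMD_RE.match(cmd.strip())
        if not m:
            raise ValueError(f"not an add-vlan command: {cmd!r}")
        port, vlan = m.groups()
        pm = PORT_RE.match(port)
        if not pm:
            raise ValueError(f"bad port id: {port!r}")
        if port in known:
            accepted[cmd] = interface_name(local_mho, port, vlan)
        else:
            # The case MHO-1 reports as 'NMSSG0001 Port 2/5/1 is invalid.'
            rejected[cmd] = f"MHO-{pm.group(1)}"
    return accepted, rejected

if __name__ == "__main__":
    cmds = ["add maestro port 1/5/1 vlan 100", "add maestro port 2/5/1 vlan 100"]
    ok, bad = check_commands(1, MHO1_COMPLETION, cmds)
    print("MHO-1 accepts:", ok)   # {'add maestro port 1/5/1 vlan 100': 'eth1-05.100'}
    print("MHO-1 rejects:", bad)  # {'add maestro port 2/5/1 vlan 100': 'MHO-2'}
```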
How are the MHOs connected to one another, and have you set up any host access restrictions?
Example procedure:
There are no restrictions applied. See below the configuration applied to both MHOs.
Configuration can be successfully done via the WebUI, so I do not expect a cabling issue.
(Port 48 is used between MHO-1 and MHO-2, as required by the single-site dual-MHO setup.)
MHO-1 config statements:
set hostname MHO-1
set interface Mgmt1 ipv4-address 172.23.9.31 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config
MHO-2 config statements:
set hostname MHO-2
set interface Mgmt1 ipv4-address 172.23.9.32 mask-length 24
set static-route default nexthop gateway address 172.23.9.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config
I studied the referenced documentation. In the documentation there is no example of how to add a vlan to an interface of the other MHO.
I have the feeling that you can only do "set maestro port 1/x/y . . ." commands on MHO-1 and only "set maestro port 2/x/y . . ." commands on MHO-2.
Was it added before and you removed it and how?
Please test on another port/interface/vlan that has not yet been added to the security group before.
Hi Chris,
I think I did not explain the issue correctly, so I will try to show as clearly as possible that the interfaces can not reference the port 2/*/* numbers from the clish on MHO-1.
Let's take port eth2-05 as an example: (from a working configuration)
I:
- removed the vlan
- applied the change
We now have this as a starting point:
Here you can see that I do not have access to the 2/* ports from clish on MHO-1.
So the only way to configure port 2/5 is to do it on MHO-2?
Thanks,
Erwin
Hi Erwin,
I am curious if you got some clarification in the meanwhile.
What happens, if you typed the following command:
MHO-1> add maestro security-group id 1 interface [TAB]
?
Can you only see the interfaces associated to the local orchestrator?
Kind regards,
Yasushi
Hi Yasushi,
I do not have a dual-MHO setup at hand, so I can not tell you.
The issue is not relevant anymore. When you are using trunk-mode you do not have to assign a vlan to a port.
Good luck!
If you installed the latest Jumbos there is no need to add the VLANs on the MHO interfaces, and you should not do so. You just add them to the interfaces in the Security Group(s) or, if you use VSX, in the Virtual Systems. With the latest JHF you will even be shown the assigned VLANs when you hover over the assigned interfaces in the MHO WebUI.