topic Re: VSX hardware upgrade from 5600 to 7000 in Firewall and Security Management

VSX hardware upgrade from 5600 to 7000

DR_74 — Fri, 26 Apr 2024 22:17:38 GMT

Hello

We are planning to change a VSX cluster running r81.10 on 2x5600 gateway with a new 7000 cluster running r81.20.

The actual cluster has only 3 VS (some IPSEC vpn) and some virtual switches.

The management server is already in r81 20.

We were thinking of building a new cluster in parallel with different IPs.

Then provisionning new VS with different names and dummy IPs the time to create them and to avoid conflict.

Finally attaching the existing policies to these new VS.

The migration would be to shutdown the interfaces on the legacy cluster, modify the IP addresses on the new VS with the ones of the older VS.

When migration is done, deleting the old cluster from the management

Does this look possible?

Thanks

Re: VSX hardware upgrade from 5600 to 7000

the_rock — Fri, 26 Apr 2024 22:19:23 GMT

Im sure one of the VSX experts will confirm it for you, but to me, that all sounds logical.

Best,

Andy

Re: VSX hardware upgrade from 5600 to 7000

Mattias_Jansson — Sat, 27 Apr 2024 09:21:43 GMT

I have been using that method too. Works fine. I use the real ip adresses on the new vs’s but have all interfaces in shutdown on the switch. Then I shutdown the old vsx gateways for gratuitous arp to work. (Sometimes it dont). Then enable the interfaces on the new machines

Re: VSX hardware upgrade from 5600 to 7000

Ruan_Kotze — Sat, 27 Apr 2024 14:38:54 GMT

Just a quick note - you can "force" an arp update through the following commands:

arping -c 4 -A -I eth1 1.2.3.4

For Proxy ARP addresses you do it like so:

Expert# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Expert# arping -c 4 -A -I eth1 1.2.3.4

For every address the gateway is proxy arping for:

Expert# fw ctl arp | cut -d\( -f2 | cut -d\) -f1 | xargs -i -t arping -c 4 -A -I eth1 {}

Re: VSX hardware upgrade from 5600 to 7000

Bob_Zimmerman — Sat, 27 Apr 2024 21:32:00 GMT

If you add '-P 256' to the xargs invocation, it can run multiple instances (up to 256 with that exact string) of the called tool in parallel. In environments with a lot of proxy ARP entries, this can speed things up substantially.

Re: VSX hardware upgrade from 5600 to 7000

Vincent_Bacher — Mon, 29 Apr 2024 05:02:28 GMT

Both provided solutions should do it.
We usually first setup hardware with different management IPs, configure them without VSes and then we prepare scripts to remove the VSes from one device and add them to the other devices.
But that effort would not be feasible running just few VSes.

Re: VSX hardware upgrade from 5600 to 7000

emmap — Mon, 29 Apr 2024 07:09:17 GMT

That's the long way, but it'll work. Alternatively, you can look at using 'vsx_util reconfigure' to reuse all the existing stuff and push it out to the new gateways.

Re: VSX hardware upgrade from 5600 to 7000

Vincent_Bacher — Mon, 29 Apr 2024 08:08:08 GMT

This is what we usually do in our scripts 👍