topic Re: VSX hardware replacment in Firewall and Security Management

VSX hardware replacment

Arthur_DENIS1 — Thu, 30 Jul 2020 10:16:05 GMT

Hi,

I need you advise about one of my coming migration.

I have currently 1 VSX cluster running version R80.20 under 12600 appliance, and we planned to replace the hardware with 7000.
Current interfaces used 10Gb directly on the config, and now we want to use 2Gb under bond interface for each VS.

My idea is this:
- deploy new boxes with GAIA settings (interfaces, bond, users, DNS, routing for VS0, backups, licenses etc)
- integrate into management
- create all VS/vlan with other unused IP
- assign same policy package for actual and new VS

Day of the migration:
- unplug actual box
- use VSX provisionning tool to replace all temporary IP on new boxes by actual one

Could you please give me you're thinking about this plan? Any better ideas?

Thanks,
Arthur

Re: VSX hardware replacment

G_W_Albrecht — Thu, 30 Jul 2020 14:59:26 GMT

I would ask TAC, backed by the local CP SE you should receive any help you need from there. VSX is a complicated product so i would be extreme carefull here...

Re: VSX hardware replacment

Arthur_DENIS1 — Fri, 31 Jul 2020 09:39:56 GMT

Indeed, I'm already in liase with my local SE, but get another idea and feedback from previous migration is already great to have 🙂

Re: VSX hardware replacment

Magnus-Holmberg — Fri, 31 Jul 2020 11:51:56 GMT

First of all we connect the new VSX to MAIN01 so all the configuration can be done and box is up and ready for production.

When we do hardware replacement we more or less copy paste with help of VSX provisioning.
We create the VS the same with all IP and everything but we dont allow the VLAN on the bond interfaces in the switches.
Communicate with the VSX over VS0 so you are able to push policys etc.
(We have VS0 on dedicated interface)

Before cut over we normally turn off statefull inspection.
2-3 hours before the cutover we "freeze" the mgmt station and move all VPN communities etc.
The only as we see it is that we need to generate a massive amount of eval licenses to put on the CMA as we use DMN VSX licens in all CMA.
During migration its "only" to remove the VLAN on the trunks to old boxes and add the VLAN on the trunk to the new boxes.

Regards,
Magnus

Re: VSX hardware replacment

Michal_Gans — Fri, 31 Jul 2020 12:17:16 GMT

I would suggest to designate new IPs for new VSX mng inf and configured whole boxes before migration day (all inf expect mng unpluged).

So whole migration take only to unplug old box and plug new ones.

We used this scenario many times and it make around 2 mins of downtime.

Re: VSX hardware replacment

Arthur_DENIS1 — Mon, 03 Aug 2020 13:23:38 GMT

Thanks, seems great !

Only 2 min of downtime would be amazing 🙂