topic Re: Move Vlans to new Interface (10G-Bond) in General Topics

Move Vlans to new Interface (10G-Bond)

Christian — Fri, 01 May 2020 12:27:22 GMT

Hi CheckMates

We're currently running a clustered Firewall (4800, R80.20) with three connected 1G-interfaces

External (eth1): Vlan-Trunk, 1 Vlan
Internal (eth2), Vlan-Trunk, 8 Vlans
Sync (eth3), Access-Port

The Firewalls were now upgraded with a 2x10G-Module (eth1-01, eth1-02) each. I will create a LACP-bond (2x10G) and would like to move all Vlans from the External- and Internal Interfaces to the new 10G-Bond. The Sync-Traffic will remain on the separate 1G-Interface for now.

My next steps would be:

Create the new LACP-Bond (bond1) on both members and make sure it is UP
Standby-Node: Remove first Vlan-Interface (e.g. eth2.32) including IP-configuration in Web-UI
Standby-Node: Create new Vlan-Interface (e.g. bond1.32) on 10G-Bond with IP-address in Web-UI
Magic in SmartConsole and Policy Push *
Failover
Repeat Steps 2-4
Now repeat steps 1-6 for every Vlan or maybe do all in one run

* Now the part where i'm struggling..

Should i now get the new topology of that cluster-interface (Int.32) in SmartConsole?
Or rather update the Interface-Name by hand? (see screenshot below)
Is it even possible to configure a VIP over two different ports for a short time (member1: eth2.32, member2: bond1.32)

Or is there another better and easier way? It wouldn't be a problem to announce a small downtime.

Thanks and regards
Christian

Re: Move Vlans to new Interface (10G-Bond)

Maarten_Sjouw — Fri, 01 May 2020 17:28:15 GMT

First do this on all interfaces to be moved, of your backup gateway, in the clusterinterface in SmartConsole just update the name, do not in any case run the get interfaces with topology!!
Once the first member is done, flip the cluster and move the other member to the 10G interface Bond.

Re: Move Vlans to new Interface (10G-Bond)

Christian — Mon, 04 May 2020 07:15:16 GMT

Hi Maarten

Thanks! Do i need to take precautions before starting with the procedure (like cphastop)?

According to your reply i would now do the following:

Standby-Node: Create new lacp-bond (bond1) and make sure it is UP
Standby-Node: Delete and Re-Create all Vlan-Interfaces (e.g. eth2.32) on new bond1 Interface
Ping-Check to IPs of Vlan-Interfaces / SIC-Test
SmartConsole: Change Interface-Name of all moved interfaces (e.g. eth2.32 => bond1.32)
SmartConsole: Install Policy on both members
Initiate Failover
Run Steps 1-6 on new Standby-Node

And we are done? No need to change the Interface-Names somewhere else?
I'm surprised, this procedure looks pretty easy and straightforward to me.

Regards,
Christian

Re: Move Vlans to new Interface (10G-Bond)

Maarten_Sjouw — Mon, 04 May 2020 07:42:48 GMT

You will see at some point that the cphaprob will have an issue, you could insert a cphastop before changing the interfaces on the node and cpahastart just before the failover, which can then be initiated by a cphastop on the other node.
Just make sure you do it in a sevice window as you will probaly drop all running connections when failing over.

Re: Move Vlans to new Interface (10G-Bond)

lambda04 — Tue, 15 Nov 2022 05:07:47 GMT

Hi Chris,

Could you please share how was your activity ? did you follow same method or any changes ?

Re: Move Vlans to new Interface (10G-Bond)

CheckPointerXL — Tue, 29 Nov 2022 10:49:13 GMT

I performed these steps:

Standby: add new vlan, delete old vlan, conf new subinterface
Get interface without topology
Install policy
Cphastop;cphastart Standby node (now you will have desidered output in cphaprob -a if)
cphastop on active node (trigger failover)