topic Re: Changing bond mode on Security Group ports in Hyperscale Firewall (Maestro)

Changing bond mode on Security Group ports

Stephen_Schickl — Mon, 22 Jul 2024 23:43:54 GMT

Hello,

I am working with an HA pair of MHO-175s and a single site using a clustered pair of 23900s for my SGMs. Per sk178045, In order to perform an upgrade from R81.10 to R81.20, the bond ports will need to be changed to anything other than 802.3ad. Will doing this cause an interruption in traffic flow?

I'm wanting to know if I can perform this action during work hours, or wait until after hours or the weekend.

Re: Changing bond mode on Security Group ports

Nir_Shamir — Tue, 23 Jul 2024 07:12:21 GMT

how does the management server connected to the SG ? via the Data ports of via the Mgmt ports ?

Re: Changing bond mode on Security Group ports

Stephen_Schickl — Tue, 23 Jul 2024 14:42:14 GMT

Hello Nir,

The Maestro's management bonded port magg0 set at XOR.

Stephen

Re: Changing bond mode on Security Group ports

Nir_Shamir — Tue, 23 Jul 2024 15:45:11 GMT

ok,

so if you change the magg0 bond configuration it won't affect data traffic only management traffic, as I hope you data traffic is passing on other bonds.

I usually configure magg0 as active-standby with eth1-mgmt as primary.

Re: Changing bond mode on Security Group ports

Stephen_Schickl — Tue, 23 Jul 2024 16:16:41 GMT

Nir,

The bonds I need to change are the inside network, bond1, and the outside network, bond 2. They are the bonds set at 802.3ad. I've attached a simple diagram.

Re: Changing bond mode on Security Group ports

Nir_Shamir — Tue, 23 Jul 2024 18:12:17 GMT

But where does your Management Server is ? behind bond1/2 or behind magg0 ?

Re: Changing bond mode on Security Group ports

Stephen_Schickl — Tue, 23 Jul 2024 18:56:38 GMT

That would be magg0. Either way, I have console access to the appliances.

My original question was, would changing the bond ports 1 and 2 from 802.3ad to XOR have an effect traffic flow?

Re: Changing bond mode on Security Group ports

emmap — Wed, 24 Jul 2024 04:03:16 GMT

Yes, because the switches will likely take the bond down due to no LACP negotiation.

You don't need to change the configuration of your data ports, the SK only applies when the SG communicates to the management server via an LACP bond. In your case you've already stated that your administration comms go via magg0 which is configured as XOR.

Re: Changing bond mode on Security Group ports

Stephen_Schickl — Wed, 24 Jul 2024 21:07:31 GMT

So there will be a loss of internet connectivity after changing the inside and outside bonds?

Re: Changing bond mode on Security Group ports

Tom_Kendrick — Wed, 24 Jul 2024 21:43:37 GMT

Hi Stephen, what Emma and Nir are asking saying is - the SK you are worrying about, it talking about taking LACP off your Mgmt (MAGG) port. If your inside / outside bonds are LACP, and are "data only" (not used for management) then you dont need to make any changes to them.

So, YES if you change the non-Magg port - in your case, inside and outside to non-LACP, it will cause disruption, and that's not related to CP/Maestro, but LACP. but, they are saying you dont need to change those non-Magg ports.

So, if you DONT change the mode on the data ports/bonds, then they wont have loss of connectivity, and you can/should leave them as they are, and change only the Mgmt/MAGG bond mode.

Re: Changing bond mode on Security Group ports

Stephen_Schickl — Thu, 25 Jul 2024 00:58:06 GMT

Thank you all for guiding me through this. 😉