Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JozkoMrkvicka
Mentor
Mentor
Jump to solution

Changing of External interface

Hello mates,

We have 1 cluster where we need to change physical cabling of External Interface on both members of cluster. IPs and netmask will be exactly the same for both members and cluster. The only thing what will be changed from FW point of view is physical interface.

Currently we have External interface eth4 and we need to change it to eth2. 

I need to change Topology in Dashboard, set IP on eth2, delete IP from eth4, change management interface and push the policy.

Default route will be the same.

Is there any way how to do it without outage? We have dozens of VPNs established via External interface.

If I will do the job with IPs on Standby member only, modify Topology and push the firewall... how will cluster react? It will push the policy on both members or only on Standby ?

We are running R77.30.

Kind regards,
Jozko Mrkvicka
0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Mentor
Mentor

something just come to my mind - what about to add both eth4 and eth2 as bond interface? Not sure if this will work as on the other side there will be no LACP configured.

Another very elegant solution would be just to move cable on the other site (from old router) to another router (the new one). In fact this will be outage tollerant as this can be one on standby member and once done, we can also test the connectivity from standby member to the world. After all is green on standby member, just do failover and repeat for another member.

Kind regards,
Jozko Mrkvicka

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

Generally speaking when you push policy, it happens to all members of the cluster.

There is an option not to do this, but I'm pretty sure you'd have to take the cluster member offline to prevent the policy from being pushed to the other member.

What you are describing is going to be fairly disruptive no matter how you do it.

Even if someone here has a procedure to accomplish this with minimal disruption, I would still not do it outside of an outage window.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

something just come to my mind - what about to add both eth4 and eth2 as bond interface? Not sure if this will work as on the other side there will be no LACP configured.

Another very elegant solution would be just to move cable on the other site (from old router) to another router (the new one). In fact this will be outage tollerant as this can be one on standby member and once done, we can also test the connectivity from standby member to the world. After all is green on standby member, just do failover and repeat for another member.

Kind regards,
Jozko Mrkvicka
0 Kudos
Roman_Niewiado1
Contributor

Dont forget to set the new interface as external, because of anti-spoofing.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events