Solved: Re: Changing bond mode on Security Group ports

Stephen_Schickl

Hello,

I am working with an HA pair of MHO-175s and a single site using a clustered pair of 23900s for my SGMs. Per sk178045, In order to perform an upgrade from R81.10 to R81.20, the bond ports will need to be changed to anything other than 802.3ad. Will doing this cause an interruption in traffic flow?

I'm wanting to know if I can perform this action during work hours, or wait until after hours or the weekend.

Tom_Kendrick

Hi Stephen, what Emma and Nir are asking saying is - the SK you are worrying about, it talking about taking LACP off your Mgmt (MAGG) port. If your inside / outside bonds are LACP, and are "data only" (not used for management) then you dont need to make any changes to them.

So, YES if you change the non-Magg port - in your case, inside and outside to non-LACP, it will cause disruption, and that's not related to CP/Maestro, but LACP. but, they are saying you dont need to change those non-Magg ports.

So, if you DONT change the mode on the data ports/bonds, then they wont have loss of connectivity, and you can/should leave them as they are, and change only the Mgmt/MAGG bond mode.

View solution in original post

Nir_Shamir

how does the management server connected to the SG ? via the Data ports of via the Mgmt ports ?

Stephen_Schickl

Hello Nir,

The Maestro's management bonded port magg0 set at XOR.

Stephen

Nir_Shamir

ok,

so if you change the magg0 bond configuration it won't affect data traffic only management traffic, as I hope you data traffic is passing on other bonds.

I usually configure magg0 as active-standby with eth1-mgmt as primary.

Stephen_Schickl

Nir,

The bonds I need to change are the inside network, bond1, and the outside network, bond 2. They are the bonds set at 802.3ad. I've attached a simple diagram.

Nir_Shamir

But where does your Management Server is ? behind bond1/2 or behind magg0 ?

Stephen_Schickl

That would be magg0. Either way, I have console access to the appliances.

My original question was, would changing the bond ports 1 and 2 from 802.3ad to XOR have an effect traffic flow?

emmap

Yes, because the switches will likely take the bond down due to no LACP negotiation.

You don't need to change the configuration of your data ports, the SK only applies when the SG communicates to the management server via an LACP bond. In your case you've already stated that your administration comms go via magg0 which is configured as XOR.

Stephen_Schickl

So there will be a loss of internet connectivity after changing the inside and outside bonds?

Tom_Kendrick

Hi Stephen, what Emma and Nir are asking saying is - the SK you are worrying about, it talking about taking LACP off your Mgmt (MAGG) port. If your inside / outside bonds are LACP, and are "data only" (not used for management) then you dont need to make any changes to them.

So, YES if you change the non-Magg port - in your case, inside and outside to non-LACP, it will cause disruption, and that's not related to CP/Maestro, but LACP. but, they are saying you dont need to change those non-Magg ports.

So, if you DONT change the mode on the data ports/bonds, then they wont have loss of connectivity, and you can/should leave them as they are, and change only the Mgmt/MAGG bond mode.

Stephen_Schickl

Thank you all for guiding me through this. 😉