This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Noah_T
Participant
‎2019-01-17 03:51 PM

Removing a VLAN from Interface

One of physical interface on a SG 15000 Series firewall cluster is trunked with 1 vlan and I need to remove that vlan and turn off the interface . What is the correct procedure to do that ?

 Cluster with active/standby setup. Gateways are on GAIA R77.30 , managed by R80 CMA. 

Reply
8 Replies
Gomboragchaa
Advisor
‎2019-01-17 04:59 PM

Delete the VLAN Interface from GAiA Web portal or Clish..

Turn off the physical interface. 

All changes must do on each member of gateways.

Then Update Topology Table on Smartconsole

0 Kudos
Reply
Noah_T
Participant
‎2019-01-17 05:47 PM
In response to Gomboragchaa

Gomboragchaa Jamganjav

Should it be removed 1st on Standby Gateway ?

After updating the topology table should a policy push be required ?

0 Kudos
Reply
Norbert_Bohusch
Advisor
‎2019-01-18 04:24 AM
In response to Gomboragchaa

if you update topology after removing it from gateways, this will break cluster status for sure!

Reply
Noah_T
Participant
‎2019-01-18 08:54 AM
In response to Norbert_Bohusch

Thanks Norbert.

I would like to follow the steps you outlined. Below is my Plan,

1) Remove the interface from the topology table in SmartConsole and push the policy.

( Current output of cphaprob -a if is below & cphaprb stat - Active/Standby )

Required interfaces: 4
Required secured interfaces: 1)

after step 1 would the output be as below ?

( Current output of cphaprob -a if is below & cphaprb stat - Active/Standby )

Required interfaces: 3
Required secured interfaces: 1)

2) delete IF from standby (clish)

3) delete IF from active (clish)

4) admin down the physical interface on both nodes

0 Kudos
Reply
LadislavNemecek
Participant
‎2019-01-18 03:14 AM

Delete vlan then admin down interface on both members.

Would prefer to start with standby node, especially if interface/vlan set as a cluster monitored

After changes on firewall nodes level, update topology on cluster object in CMA  and push policy

0 Kudos
Reply
Gaurav_Pandya
Advisor
‎2019-01-18 03:44 AM

Hi,

As it is in cluster, I would suggest to follow instruction as per sk57100.

 

0 Kudos
Reply
Norbert_Bohusch
Advisor
‎2019-01-18 04:22 AM

sk57100 is a good choice.

But I must admit, that I never followed it completely. So I never stopped a member for this type of maintenance. 

I normally use the following to remove an interface:

- remove it from topology in cluster object through SmartConsole

- check chaprob -a if for the change on both members

- delete IF from standby (clish)

- delete IF from active (clish)

0 Kudos
Reply
Gaurav_Pandya
Advisor
‎2019-01-18 04:30 AM
In response to Norbert_Bohusch

This seems to be Good steps

0 Kudos
Reply