TOM_MORAN
Contributor

have different physical interfaces in a cluster in same ip range

Hi, I am moving an interface from a single 1 Gb interface, e.g. eth5, to 2 x 10 Gb interfaces in a bond.

The ip addresses assigned are staying the same.

MGT is R81.20 & firewalls are R81.10 hfa 147

The issue is that topology needs an interface. Can we have different IP addresses in topology? Has anyone done this?

The aim is to do this without a major outage.

Any help is appreciated

What I would like to do is:

Standby fw :

1) remove ip address from eth5

2) add bond

3) assign ip address 

4) add bond to topology

5) confirm fw in h/a

6) failover to primary firewall

7) do steps 1 -6

 

 

 

2 Solutions

Accepted Solutions
Danny
Champion

This kind of interface migration is quite common when upgrading from 1Gb to 10Gb links. Since you're keeping the same IP addresses, the key challenge is updating the topology in SmartCenter correctly and ensuring anti-spoofing doesn't interfere during the transition.

I suggest an updated step-by-step guide:

  • backup your SmartCenter and security gateway configuration
  • in SmartCenter, update the interface topology of your cluster in advance (if possible)
    • navigate to the cluster object
    • under Network Management, locate the interface you're replacing (e.g., eth5)
    • replace it with the new bonded interface (bondX) and assign the same IP
    • make sure the topology reflects the correct IP and netmask
    • if you can't update the topology before the physical change, be ready to do it immediately after
    • on the relevant interface (eth5 or bondX), set anti-spoofing to Detect or Disabled during the change
      • this prevents drops due to topology mismatch while the interface is being reconfigured
  • on your Standby firewall
    • perform the steps you prepared
    • push the new Security Policy from your SmartCenter and untick the checkbox that would cancel policy installation if one cluster member reports an error
    • failover to the standby member to make it active
  • on your second firewall (now standby)
    • repeat steps 1–7
    • once both firewalls are updated and stable, re-enable anti-spoofing on the bond interfaces and push policy again
    • ensure bond interface names are consistent across both cluster members
    • verify that the cluster is synchronized and both members show the correct interface status
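
The gateway-side part of the procedure above, as an added example that is not part of the original thread: Gaia Clish commands for one cluster member. The port names eth6 and eth7, bond group 1 (bond1), the 802.3ad mode and the address 192.0.2.2/24 are assumptions standing in for the real values.

```clish
# Added example, not from the thread. Run in Gaia Clish on the STANDBY member.
# Assumed/hypothetical values: eth6 and eth7 are the new 10 Gb ports, bond
# group 1 (interface bond1), 802.3ad (LACP) mode, and 192.0.2.2/24 standing
# in for the member IP that eth5 carries today.

# 0) Confirm this member is STANDBY and the peer is ACTIVE before touching it.
show cluster state

# 1) Remove the IP address from the old 1 Gb interface.
delete interface eth5 ipv4-address

# 2) Build the bond. Slave interfaces must be up and must not carry an IP.
set interface eth6 state on
set interface eth7 state on
add bonding group 1
add bonding group 1 interface eth6
add bonding group 1 interface eth7
set bonding group 1 mode 8023AD

# 3) Put the same member IP on the bond and persist the configuration.
set interface bond1 ipv4-address 192.0.2.2 mask-length 24
set interface bond1 state on
save config
show bonding group 1

# 4) Done in SmartConsole, not here: update the cluster object so bond1
#    backs the existing cluster interface/VIP ("get interfaces WITHOUT
#    topology", as suggested in the thread), then install policy.

# 5) Confirm the member is back in the cluster as STANDBY and that the
#    cluster interfaces are reported UP.
show cluster state
show cluster members interfaces all

# 6) On the ACTIVE member: hand traffic over to the migrated member ...
set cluster member admin down
# ... migrate it with steps 1-5, then return it to the cluster:
set cluster member admin up
```

The 802.3ad mode only comes up if the switch ports are configured for LACP as well; pick the bond mode that matches the switch side.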


Bob_Zimmerman
Authority

I find this process I shared last month easier. There's no need to mess with antispoofing at all. It relies on the fact the members of a cluster don't actually need to use the same interface name to back a given cluster interface and VIP. As long as your cluster is working properly, there isn't any risk to traffic at all.


5 Replies
TOM_MORAN
Contributor

very appreciated 

the_rock
Legend

I would also add...always do "get interfaces WITHOUT topology"

Andy


the_rock
Legend

Very detailed process, thanks Bob!
