Making in that way also allows you to run it in parallel, making rollback if needed much easier and if also possible to rollback single VS if needed (if you use linknetworks to reach the vs and not vr).

only issue with this solution as I see it, is that you may need to generate a lot of demo licenses as a dmnvsx will not allow you to have 2 vs within the same cma.

well worth it and this is how we have replaced 10+ physical VSX clusters the last year.

You mean set vsx off, shutdown current cluster interfaces and enable new?

1. Export current VS config (vsx_provisioning_tool -o show vd name blah)
2. Adapt transactions for new interfaces (I use sed for this, and wrap the relevant transaction begin and end statements around the config)
3. Build new VS (vsx_provisioning_tool -f <transaction>)
4. Shutdown interfaces on new cluster (set vsx off, set interface bond0.blah state off, set interface wrpblah state off etc.)
5. Install policy on new cluster
6. Shutdown interfaces on old cluster
7. Enable interfaces on new cluster

My original plan was to export the VS configs, adapt interfaces and import to the new cluster running in parallel, and stop short of installing policy. During the maintenance window, stop each VS on the old cluster while policy gets installed on the new VS (a new VS doesn't get real IPs until it gets a policy). It's not elegant that's for sure.

To make matters worse, the MDS and MLMs are behind the Mgmt interface of the current cluster and reach the outside world via VS0 --> wrp link --> another VS, this is also our path in from management clients. So the migration also involves vsx_util change_mgmt_subnet (this allows both clusters to exist during transition) and moving vs0:wrp1's IP to the new cluster (via vsx_provisioning_tool).  We will have direct access to that VLAN for the change fortunately.

I've resorted to sk86121 to rebuild the lab, which comes with its own personality (only the first 10 interfaces stick after reboot, on a box with 18 in use).

No, i feel like you overcomplicate things.

I mean set it up in paralell with VS0 connection to the mgmt server.
Install it like you would any new cluster, fixing bonds, patches and all that is needed.

Run vsx_provisioning_tool on the old box to get out the configuration.
Edit in in notepad++ so you get correct VS name and interface number. (the vs name would need to be diff from excisting)
The MAIN IP would also need to be diff so you don't destroy any VPN tunnels.

Then run vsx_provisioning_tool on the new cluster and add all the VS.
But dont allow the VLAN on the BOND interfaces so production traffic is still on the old one.
Push the policy to the new VS to see that all looks good.

As they are diff VS0 these clusters should be able to run in paralell.
And if needed use demo licenses until you finished empty the cluster.

And when you are ready you remove the VLAN in the switches to the old VSX cluster and open it to the new VSX Cluster.
You will need to flip the main IP and such before the maintenance window, just make sure noone else is playing around in the mgmt server at this time.
Doing this way allows you to prepp all in advance and also rollback very easy.

Thanks Magnus. One cluster connects to several different switch fabrics all of which are managed by a separate team. The main fabric is Cisco ACI, managed via the APIC directly - while I would prefer to use the ACI API and prepare port profiles to add/remove VLANs from the network fabric (or modify the VLAN ACL from a non-ACI switch) unfortunately it's not that simple and we have to lock in our add/remove VLAN changes days in advance with that team.

Hence my desire to manage the interface state from the gateway - we've successfully done this on non-VSX gateways managed in-band (i.e. managed via a sub-interface on a bond) and was hoping to apply the same principle here, however it's not supported in VSX without either "set vsx off" (which I will most likely need) or stopping/starting individual Virtual Systems. I think my above plan is as simple as it can get, but will probably be best to shut down the new bond rather than each individual interface on the new cluster. The old cluster will still need 14 individual interfaces shut down. Due to the inherited, unnecessarily complicated path used to access the manager via a Citrix published app behind another VS, we will also need to flip the VS0 management IP to the new cluster, remove the default route and add a bunch of statics via that management VS - I have vsx_provisioning_tool transactions prepared for this and they work well (at least they did on the R80 build I tested 6 months ago, I have since found the provisioning tool output has changed just to keep us on our toes).

I use sed (Linux stream editor) instead of NP++/vscode as we have 50+ VS and several hundred interfaces to re-map (including access ports to a VLAN on the new port channel), with the number of lines automation is key to accuracy.

I find these jobs seem simple on the surface but once you get into the detail nothing works as expected (R80 change_interface script regressions from R77, bugs in fw vsx sicreset, an SK to resolve another SK that doesn't work in R80, renamed interfaces disappearing, output from Gaia show config not usable as input, unable to restore MDS because the source machine has _AUTOUDPATE hotfixes, the reconfigure script failing due to a bad copy of appi_db.C after reset_gw and having to find a good copy from a working VSX member of the exact same FW and HF version...).

We also built run sheets for the changes, test plans, rollback, time the operations, establish comms plans, DR plans, all the good stuff. To migrate all virtual systems for one cluster with maximum resources applied to the MDS takes... hold on to your undies.... up to 12 hours! And because it's VSX that's several outages for flows that touch multiple VS. I don't know many people with that amount of patience for the colour pink haha

Turns out the unlisted interfaces were still in the object after change_interfaces and the reconfigure failed.

We ended up changing the interface names per sk86121 however the change only survives one reboot - once booted the gateway has the new interfaces but we found the file got overwritten on the next reboot. The fix? chmod -w /etc/udev/rules.d/00-OS-XX.rules. I'm sure it's another bug but alas I have bigger fish to fry.

Absolutely, target state uses bundles (LACP LAGs with vPC on the switch end), as all good designs should 🙂

Also worth noting, if using Cisco ACI L3 outs over vPC, the SVI needs 5 IPs for a cluster spanning multiple DCs. We've had to expand some /29's to accommodate this for non-VSX clusters (5 for the vPC, 3 for the cluster). It's not a problem for VSX where the members use the internal communication network.

Non-VSX firewalls can actually do the same off-net member IP thing which VSX does. The members need to be on the same network as each other, but you only need one address on the functional network for the VIP.