Kamiar_Sh
Contributor

HA cluster interfaces move to Cisco switch

I have a Check Point firewall cluster (R77.30) with 8 interfaces, connected to two old Nortel switches. I am now going to move two cables (Eth4 and 5) to a new Cisco switch, and there are 5 VLANs assigned to Eth4. What should the steps be for this approach? Could any outage or failover occur?

FW1 active

FW2 standby

I'd appreciate it if I could get some advice.

Vladimir
Champion

You're really not giving us enough information to work with. A topology map would've been useful.

That being said, please make sure that:

Two switches (Nortel and Cisco) are interconnected by a trunk with all the VLANs present in Nortel also present on Cisco and allowed on that trunk.

Depending on the particulars of your implementation, you may want to switch CCP from multicast to broadcast, if not already done.

Move standby member to Cisco and attempt the failover. I suggest doing it in a maintenance window approved by the company.

Once the unit connected to Cisco is active and you have verified the health state of the cluster, move the remaining unit from Nortel to Cisco.

These are suggestions, not instructions, so use them at your own risk.

Daniel_Taney
Advisor

I recently upgraded the core switches in our network and did it exactly how Vladimir suggested. We were already using CCP in broadcast mode, but you can read how to change and/or change that in this SK (sk20576).

Test and make sure connectivity between the new and old switches is good and that all VLANs are defined and accessible.

Once you know all the connectivity is good, move all the links from the Standby gateway to the new switch. When all the links come up, run cphaprob -a if to make sure ClusterXL sees all VLANs and Interfaces as "UP". I'd also just check in Smart Console and make sure the Gateway status is good there, too. If it all checks out, fail it over and test!

I kept pings running during the switch migration and did not see any interruption to service during the move. That said, I'd still do it in a maintenance window just in case!! 

Good luck! 

R80 CCSA / CCSE
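
The check described in the post above (every interface and VLAN reported "UP" by cphaprob -a if before failing over) can be scripted as a go/no-go gate. This is an added example, not part of the original posts: the sample output is constructed to approximate the command's layout, and the function name check_cluster_ifs, the interface names and the addresses are assumptions.

```shell
#!/bin/bash
# Pre-failover gate: read `cphaprob -a if` style output on stdin and fail unless
# every expected interface is UP (and, optionally, uses the expected CCP mode).

# Constructed samples approximating the command's layout; not captured output.
SAMPLE_OK='Required interfaces: 4
Required secured interfaces: 1

eth1       UP                    sync(secured), broadcast
eth4.10    UP                    non sync(non secured), broadcast
eth4.50    UP                    non sync(non secured), broadcast
eth5       UP                    non sync(non secured), broadcast

Virtual cluster interfaces: 3

eth4.10    10.1.10.1'

SAMPLE_BAD='Required interfaces: 4
Required secured interfaces: 1

eth1       UP                    sync(secured), multicast
eth4.10    UP                    non sync(non secured), broadcast
eth4.50    DOWN                  non sync(non secured), broadcast

Virtual cluster interfaces: 2'

# check_cluster_ifs "<interfaces that must be UP>" [expected-ccp-mode]
check_cluster_ifs() {
    awk -v want="$1" -v mode="$2" '
        /^Virtual cluster interfaces/ { exit }   # address table follows, no states
        /^Required/ || NF < 3 { next }           # skip headers and blank lines
        { state[$1] = $2; ccp[$1] = $NF }        # $2 = link state, last field = CCP mode
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in state)) { print "MISSING " w[i]; bad = 1 }
            for (ifc in state) {
                if (state[ifc] != "UP") { print "NOT-UP " ifc " (" state[ifc] ")"; bad = 1 }
                if (mode != "" && ccp[ifc] != mode) { print "CCP-MODE " ifc " (" ccp[ifc] ")"; bad = 1 }
            }
            exit bad + 0
        }'
}

# Demo on the constructed bad sample; on a gateway, pipe `cphaprob -a if` in instead.
printf '%s\n' "$SAMPLE_BAD" | check_cluster_ifs "eth4.10 eth4.50 eth5" broadcast \
    || echo "cluster interfaces not healthy: do not fail over yet"
```

Run it on the member that was just moved to the new switch, listing the interfaces and VLANs that were recabled, and only trigger the failover when it exits 0.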
Kamiar_Sh
Contributor

Thanks for your reply, I have a question:

1. CCP mode is multicast now, so for this change do I need to change it to broadcast? If yes, does it have any impact on existing traffic?

Daniel_Taney
Advisor

I hate to fall back on the age-old response of "it shouldn't have an impact on production traffic, but I'd still do it in a maintenance window!" But that would be my advice.

Anecdotally, I believe I did this on a live Cluster and did not see an adverse effect, but I started with the Standby cluster first and then changed it on the Primary.

R80 CCSA / CCSE
