Migrating from sub-interface to L3 interface

L0 Member

Migrating from sub-interface to L3 interface

Hi,

We have a pair of PAs in HA mode, and we are going to move one of the sub-interfaces to an L3 interface. Is it possible to do this without any downtime? I am considering the steps below:

  • take the sub-interface out of the monitored interfaces (to prevent failover)
  • configure the L3 interface on the standby firewall (is it possible to have a different config between the active/passive firewalls?)
  • fail over to the standby firewall (not sure if the session table will sync correctly, since it is now configured on an L3 interface instead of a sub-interface)
  • sync the configuration from the now-active firewall (previously standby) to the passive firewall

Any suggestions or thoughts?

 

Thanks

L7 Applicator

Re: Migrating from sub-interface to L3 interface

Hello,

I would say do this in a maintenance window where you can have downtime, as this could cause issues, especially if something is missed in the config. I would not recommend having a different config for active/passive units.

Just my thoughts.

L7 Applicator

Re: Migrating from sub-interface to L3 interface

@filterfilter,

You could do it the way you describe perfectly fine, barring that you toggle a few settings on the firewalls to temporarily break configuration sync. Although, as @OtakarKlier has already mentioned, there are certain risks that go along with this that are really best handled in a maintenance window. You aren't going to know 100% that you have the configuration done properly until you actually fail over traffic, and if it's not dialed in properly you could cause a momentary outage as you move things back to the other HA member.

L4 Transporter

Re: Migrating from sub-interface to L3 interface

I think you are making this harder than it needs to be...

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

L3 Networker

Re: Migrating from sub-interface to L3 interface

I like the way you are approaching this option, but I would change the methodology slightly:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls (with the switchports SHUT)

2) set up the new FW ports as just standard members of the VLAN (untagged or access-port, depending on your terminology) and push policy

3) when the maintenance window begins, SHUT the VLAN trunk interface on the switch, NO SHUT the standard access ports

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

5) once you verify everything is functioning, remove the VLAN tagging from the FW ports and push policy

The rollback is quick: SHUT the new ports and NO SHUT the old ports.

Very similar process to Joe's, but with a slightly different focus.

L4 Transporter

Re: Migrating from sub-interface to L3 interface

OP specified they were moving to an L3 interface - not sure you can have two interfaces with the same IP even if one is "down."

That aside, I feel this is a "tomato-tomahto" sort of difference, and agree that either solution is possible and easier than breaking HA and bringing firewalls off/on-line.

L7 Applicator

Re: Migrating from sub-interface to L3 interface


@JoeAndreini wrote:

I think you are making this harder than it needs to be...

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

I would also use exactly these steps for this migration, especially because I can confirm that it was working perfectly fine when I did the opposite (migrated from L3 interfaces to subinterfaces).

Palo Alto firewalls are zone-based firewalls, so the session sync will work during this migration. This is because on a Palo Alto Networks firewall, a session is defined by two uni-directional flows, each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. --> nothing about source-interfaces ;)
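A pre-commit sanity check for Joe's procedure and the zone-based session point above, as an added example that is not from the thread or from PAN-OS: it models the running and candidate configs as plain Python dicts (a constructed simplification, not the PAN-OS schema or API) and flags the things the thread warns about, namely a sub-interface left in place, a changed zone (which would break session matching after the cutover), a duplicate IP, and a removed interface still in HA link monitoring.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class L3If:
    """Simplified model of one Layer 3 (sub)interface in a config snapshot."""
    name: str
    ip: str        # e.g. "10.1.100.1/24"
    zone: str
    vrouter: str

def check_migration(before, after, old_name, new_name, monitored):
    """Compare running (before) and candidate (after) configs for the move from
    sub-interface old_name to L3 interface new_name. Returns a list of problems;
    an empty list means the candidate passes these checks."""
    old = before.get(old_name)
    if old is None:
        return [f"{old_name} is not in the running config"]
    problems = []
    if old_name in after:
        problems.append(f"{old_name} still present: sub-interface was not removed")
    new = after.get(new_name)
    if new is None:
        problems.append(f"{new_name} is missing from the candidate config")
    else:
        if new.ip != old.ip:
            problems.append(f"{new_name} IP {new.ip} differs from {old.ip}")
        # Sessions are keyed on zone, not ingress interface, so keeping the zone
        # is what lets synced sessions keep matching after the cutover.
        if new.zone != old.zone:
            problems.append(f"zone changed {old.zone} -> {new.zone}; synced sessions would not match")
        if new.vrouter != old.vrouter:
            problems.append(f"virtual router changed {old.vrouter} -> {new.vrouter}")
    # Two interfaces with the same IP are not allowed, even if one is down.
    seen = {}
    for iface in after.values():
        if iface.ip in seen:
            problems.append(f"duplicate IP {iface.ip} on {seen[iface.ip]} and {iface.name}")
        seen[iface.ip] = iface.name
    # The old sub-interface must leave HA link monitoring before it disappears,
    # otherwise removing it can trigger a failover.
    if old_name in monitored:
        problems.append(f"{old_name} is still in the HA link-monitoring group")
    return problems

# Constructed sample: sub-interface ethernet1/1.100 moves to ethernet1/3.
RUNNING = {"ethernet1/1.100": L3If("ethernet1/1.100", "10.1.100.1/24", "trust", "default"),
           "ethernet1/2": L3If("ethernet1/2", "203.0.113.2/30", "untrust", "default")}
CANDIDATE = {"ethernet1/3": L3If("ethernet1/3", "10.1.100.1/24", "trust", "default"),
             "ethernet1/2": L3If("ethernet1/2", "203.0.113.2/30", "untrust", "default")}
MONITORED = {"ethernet1/2"}   # HA link-monitoring group after the sub-interface was removed
```

Run `check_migration(RUNNING, CANDIDATE, "ethernet1/1.100", "ethernet1/3", MONITORED)` against the real candidate before committing; anything other than an empty list is a reason to stop.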

L0 Member

Re: Migrating from sub-interface to L3 interface

Thanks a lot for the inputs. Their requirement is that they don't want any interruption during this migration, because they have a monitoring system on this sub-interface, and any traffic interruption will create noise/alarms.

I agree with @JoeAndreini, this migration should be simple. I will try to push this method with them for a maintenance window.

Again, thanks a lot for the input.