06-28-2013 02:51 AM
Hi,
here is a sample of my configuration.
I have a trunk link (from a Cisco device) to the 1/6 interface, where I configured several subinterfaces.
You can see that we have 1/6.3 in the virtual router vr-recette in the virtual system Recette.
After that I have 1/6.206, 1/6.207 and 1/6.208 in the virtual router vr-sante in the virtual system Sante.
This is a partial extract; I have in fact 11 subinterfaces on the 1/6 physical interface.
Due to a modification in our Cisco switch stack, the VLANs which refer to the 1/6.3 and 1/6.208 subinterfaces (respectively VLANs 3 and 208 on the stack) will no longer be on the same stack as the other subinterfaces.
How can we modify the interface number of each line that refers to the 1/6.3 and 1/6.208 subinterfaces, for example to the 1/8 physical interface (1/7 is already in use)?
We have, as you can imagine, a lot of rules on each security zone (DMZ_Recette and DMZ_Sante).
I haven't found any way to do it yet.
Thanks,
06-28-2013 07:00 AM
You can log into the CLI, and log the CLI session:
admin> configure
admin# run set cli config-output-format set
You can then filter the configuration of interface 1/6 using the "show" command, then pressing the / key and typing "ethernet1/6", as below. It brings up the configuration of eth1/6 and its subinterfaces. I am only showing the subinterface eth1/6.3 here.
admin#show
/ethernet1/6
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement enable no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement min-interval 200
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement max-interval 600
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement hop-limit 64
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement reachable-time unspecified
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement retransmission-timer unspecified
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement lifetime 1800
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement managed-flag no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement other-flag no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement enable-consistency-check no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement link-mtu unspecified
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery enable-dad no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery reachable-time 30
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery ns-interval 1
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery dad-attempts 1
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 interface-id EUI-64
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 adjust-tcp-mss no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3
Open the notepad file the logs are being written to. Replace the word "set" with "delete", so that we will delete the eth1/6 references. Copy and paste all of this output again, and replace eth1/6 with eth1/8, so that you have output of the following format:
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 interface-id EUI-64
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 adjust-tcp-mss no
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3
Go back to the CLI,
then paste all the "delete" and "set" commands for eth1/6 and eth1/8 respectively.
Once pasted, commit the configuration:
admin#
delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no
delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 interface-id EUI-64
delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24
delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 adjust-tcp-mss no
delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 interface-id EUI-64
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 adjust-tcp-mss no
set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3
admin# commit force
07-01-2013 01:36 AM
Hi,
Thank you for answering
So this is how i will proceed:
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 mtu 1500
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 interface-management-profile Ping
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no
delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery enable-dad no
delete network virtual-router vr-recette interface ethernet1/6.3
delete vsys vsys2 import network interface ethernet1/6.3
delete vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 mtu 1500
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 interface-management-profile Ping
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 neighbor-discovery enable-dad no
set network virtual-router vr-recette interface ethernet1/8.3
set vsys vsys2 import network interface ethernet1/8.3
set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3
In your example you didn't mention this configuration:
set network virtual-router vr-recette interface ethernet1/8.3
set vsys vsys2 import network interface ethernet1/8.3
set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3
Is it correct? Was it an oversight?
If this is correct, when I enter these commands, it will be on an active/standby architecture.
How can I deactivate the failover in order to be sure that everything went OK? Then I will reactivate the failover to propagate the rules to the other unit.
Thank you.
07-01-2013 05:48 AM
Hi CRF,
I did not paste the configuration of the lines, my bad, but you are correct. You need these lines as well:
delete network virtual-router vr-recette interface ethernet1/6.3
delete vsys vsys2 import network interface ethernet1/6.3
delete vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3
set network virtual-router vr-recette interface ethernet1/8.3
set vsys vsys2 import network interface ethernet1/8.3
set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3
When you commit the PANFW, with all these changes, the configuration will be automatically pushed to both the devices in the cluster. But if you want to test this out on one box first, you can remove the passive box from the cluster, by disabling the HA, under the HA settings (Also be careful that you do not run into a split brain scenario). You can then apply these changes on this box and commit them, and test the traffic. If they work as expected, you can then apply these changes on the active box too, and bring back the other box into the HA cluster.
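The notepad search-and-replace step above, plus the virtual-router and vsys lines from this reply, can be automated. The following is an added example (not from this thread nor from Palo Alto Networks) in Python: it reads the set-format output, keeps only the units being moved (1/6.3 and 1/6.208), and emits the matching delete and set lines while leaving 1/6.206 and 1/6.207 untouched. The configuration lines in SAMPLE_CONFIG are constructed for the example.

```python
import re

# Constructed sample of "set cli config-output-format set" output: unit 1/6.3
# (to be moved), unit 1/6.206 (must stay), and the vr/vsys references.
SAMPLE_CONFIG = """\
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.206 tag 206
set network virtual-router vr-recette interface ethernet1/6.3
set vsys vsys2 import network interface ethernet1/6.3
set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3
set network virtual-router vr-sante interface ethernet1/6.206
"""


def move_subinterfaces(config_text, old_port, new_port, units):
    """Return (delete_cmds, set_cmds) for the given subinterface units only.

    old_port/new_port look like "1/6" and "1/8"; units is a set such as {3, 208}.
    Lines that reference other units of old_port are left alone, so a plain
    search-and-replace of "ethernet1/6" cannot drag 1/6.206 along by accident.
    """
    # "ethernet1/6.3" but not "ethernet1/6.30": the unit number must end there.
    unit_re = re.compile(r"ethernet" + re.escape(old_port) + r"\.(\d+)(?!\d)")
    # The parent "ethernet1/6" token itself (not followed by ".", "/" or a digit).
    parent_re = re.compile(r"ethernet" + re.escape(old_port) + r"(?![\d./])")
    deletes, sets = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        match = unit_re.search(line)
        if match is None or int(match.group(1)) not in units:
            continue  # not one of the units we are moving
        # Same path, "delete" instead of "set": removes the old node.
        deletes.append("delete " + line[len("set "):])
        # Rewrite the unit name first, then the parent interface token.
        moved = unit_re.sub(lambda m: "ethernet%s.%s" % (new_port, m.group(1)), line)
        moved = parent_re.sub("ethernet" + new_port, moved)
        sets.append(moved)
    return deletes, sets


if __name__ == "__main__":
    d, s = move_subinterfaces(SAMPLE_CONFIG, "1/6", "1/8", {3, 208})
    print("\n".join(d + s))  # paste into configure mode, then commit
```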
07-01-2013 07:59 AM
Thank you !
So here is what I will have to do:
I connect to the standby device over SSH and deactivate the HA:
request high-availability state suspend
Then I apply everything we saw just before to replace the interface number, and I force the commit.
Then I have to test the new configuration by routing the traffic to the passive unit.
If I understand correctly, I have to reactivate the passive unit in the HA cluster with the command:
request high-availability state functional
Then I connect to the active unit and use the command:
request high-availability state suspend
I check that everything is fine, and if so, I use the same commands on the new passive unit to modify the interface number.
Then I can reactivate the HA.
During the test, if I see any problem, to roll back I will just have to reactivate HA, then go to the one with the good configuration and apply a commit. Is that correct?
Is there a command to make the passive unit become the active one (if the HA is correctly configured)?
Thank you.
07-02-2013 12:51 PM
Hi CRF,
Yes, you are right again.
1) You will suspend the current passive box: request high-availability state suspend
2) Apply the changes and force the commit
3) Make the current box functional. The box will still remain passive, and there will be a mismatch in the running configuration on both the active and the passive devices
4) Now test the traffic by suspending the current active box, and make it functional and passive:
>request high-availability state suspend
>request high-availability state functional ( on the suspended box)
5) If everything is fine, you can synchronize the running configuration, from the new active box
> request high-availability sync-to-remote running-config ( on the current active box)
If at all you encounter any issues, suspend the current active box ( with the new interface config. Bring back this box to passive ), and then synchronize the running configuration from the active box.
BR,
Karthik