Migrate subinterface config to another interface

CRF
L1 Bithead

Migrate subinterface config to another interface

Hi,

here is a sample of my configuration.

I have a trunk link (from a Cisco device) to the 1/6 interface, where I configured several subinterfaces.

You can see that we have 1/6.3 in the virtual router vr-recette in the virtual system Recette.

After that I have 1/6.206, 1/6.207 and 1/6.208 in the virtual router vr-sante in the virtual system Sante.

This is a partial extract; in fact I have 11 subinterfaces on the 1/6 physical interface.

[image: example1.JPG]

Due to a modification in our Cisco switch stack, the VLANs that refer to the 1/6.3 and 1/6.208 subinterfaces (VLANs 3 and 208 on the stack, respectively) will no longer be on the same stack as the other subinterfaces.

How can we modify the interface number of each line that refers to the 1/6.3 and 1/6.208 subinterfaces, for example to the 1/8 physical interface (1/7 is already in use)?

We have, as you can imagine, a lot of rules in each security zone (DMZ_Recette and DMZ_Sante).

I haven't found any way to do it yet.

Thanks,

kprakash
L5 Sessionator

You can log into the CLI and log the CLI session:

admin> configure

admin# run set cli config-output-format set

You can then filter the configuration of interface 1/6 using the "show" command, then pressing the / key and typing "ethernet1/6", as below. It brings up the configuration of eth1/6 and its subinterfaces. I am only showing the subinterface eth1/6.3 here.

admin#show

/ethernet1/6

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement enable no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement min-interval 200

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement max-interval 600

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement hop-limit 64

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement reachable-time unspecified

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement retransmission-timer unspecified

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement lifetime 1800

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement managed-flag no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement other-flag no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement enable-consistency-check no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery router-advertisement link-mtu unspecified

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery enable-dad no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery reachable-time 30

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery ns-interval 1

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery dad-attempts 1

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 interface-id EUI-64

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 adjust-tcp-mss no

set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3

Open the notepad file the session log is being written to. Replace the word "set" with "delete", so that we delete the eth1/6 references. Copy and paste all this output again and replace eth1/6 with eth1/8, so that you have output of the following form:

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 interface-id EUI-64

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 adjust-tcp-mss no

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3

Go back to the CLI and paste all the "delete" and "set" commands for eth1/6 and eth1/8 respectively.

Once pasted, commit the configuration:

admin#

delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no

delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 interface-id EUI-64

delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24

delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 adjust-tcp-mss no

delete config devices localhost.localdomain network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 interface-id EUI-64

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 adjust-tcp-mss no

set config devices localhost.localdomain network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3

admin# commit force

CRF
L1 Bithead

Hi,

Thank you for answering.

So this is how I will proceed:

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 mtu 1500

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 interface-management-profile Ping

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no

delete network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 neighbor-discovery enable-dad no

delete network virtual-router vr-recette interface ethernet1/6.3

delete vsys vsys2 import network interface ethernet1/6.3

delete vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 mtu 1500

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 interface-management-profile Ping

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 tag 3

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ip 192.168.102.21/24

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 enabled no

set network interface ethernet ethernet1/8 layer3 units ethernet1/8.3 ipv6 neighbor-discovery enable-dad no

set network virtual-router vr-recette interface ethernet1/8.3

set vsys vsys2 import network interface ethernet1/8.3

set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3

In your example you didn't mention this configuration:

set network virtual-router vr-recette interface ethernet1/8.3

set vsys vsys2 import network interface ethernet1/8.3

set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3

Is this correct? Was it an oversight?

If this is correct, when I enter these commands, it will be on an active/standby architecture.

How can I deactivate failover so that I can be sure everything went OK? Then I will reactivate failover to propagate the rules to the other unit.

Thank you.

kprakash
L5 Sessionator

Hi CRF,

I did not paste the configuration of the lines, my bad, but you are correct. You need these lines as well:

delete network virtual-router vr-recette interface ethernet1/6.3

delete vsys vsys2 import network interface ethernet1/6.3

delete vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3

set network virtual-router vr-recette interface ethernet1/8.3

set vsys vsys2 import network interface ethernet1/8.3

set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/8.3


When you commit the PANFW, with all these changes, the configuration will be automatically pushed to both the devices in the cluster. But if you want to test this out on one box first, you can remove the passive box from the cluster, by disabling the HA, under the HA settings (Also be careful that you do not run into a split brain scenario). You can then apply these changes on this box and commit them, and test the traffic. If they work as expected, you can then apply these changes on the active box too, and bring back the other box into the HA cluster.
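As an added example (not code from the thread or from kprakash), this Python script does the set-to-delete rewrite and the eth1/6 to eth1/8 renaming described in the first answer, and also carries the virtual-router and vsys references added in the second answer. SAMPLE_CONFIG and the function name migrate_subinterfaces are constructed for the example, modelled on the lines shown above.

```python
import re

# Constructed sample in "set" output format, modelled on the thread's lines:
# two units to move (1/6.3 and 1/6.208), one that must stay (1/6.206), plus
# the virtual-router and vsys references the first answer left out.
SAMPLE_CONFIG = """\
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 tag 3
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ip 192.168.102.21/24
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.3 ipv6 enabled no
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.206 tag 206
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.208 tag 208
set network virtual-router vr-recette interface ethernet1/6.3
set vsys vsys2 import network interface ethernet1/6.3
set vsys vsys2 zone DMZ_Recette network layer3 ethernet1/6.3
set network virtual-router vr-sante interface ethernet1/6.208
"""


def migrate_subinterfaces(config, old_if, new_if, units):
    """Return (delete_cmds, set_cmds) that move the listed unit numbers from
    old_if (e.g. "ethernet1/6") to new_if (e.g. "ethernet1/8").
    Lines about other units of old_if are left alone."""
    names = [f"{old_if}.{u}" for u in units]
    # Whole-token match, so ethernet1/6.3 never matches ethernet1/6.30.
    pat = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, names)) + r")(?!\S)")
    deletes, sets = [], []
    for line in config.splitlines():
        if not line.startswith("set ") or not pat.search(line):
            continue
        deletes.append("delete " + line[len("set "):])
        moved = pat.sub(lambda m: m.group(1).replace(old_if, new_if, 1), line)
        # The parent token ("ethernet ethernet1/6") has to move as well.
        moved = moved.replace(f"ethernet {old_if} ", f"ethernet {new_if} ")
        sets.append(moved)
    # Drop zone/vsys/virtual-router references before the unit they point at,
    # and recreate the unit before anything that refers to it.
    return deletes[::-1], sets


if __name__ == "__main__":
    dels, adds = migrate_subinterfaces(SAMPLE_CONFIG, "ethernet1/6", "ethernet1/8", [3, 208])
    print("\n".join(dels + adds))
```

Paste the printed delete lines followed by the set lines into configure mode, then commit; anything that still references the old unit (for example a security rule bound to the zone) is unaffected because the zone itself keeps its name.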

CRF
L1 Bithead

Thank you!

So here is what I will have to do:

I connect to the standby device over SSH and deactivate HA:

request high-availability state suspend

Then I apply everything we saw above to replace the interface number, and I force the commit.

Then I have to test the new configuration by routing the traffic to the passive unit.

If I understand correctly, I have to reactivate the passive unit in the HA cluster with the command:

request high-availability state functional

Then I connect to the active unit and use the command:

request high-availability state suspend

I check that everything is fine, and if so, I use the same commands on the new passive unit to modify the interface number.

Then I can reactivate HA.

During the test, if I see any problem, to roll back I will just have to reactivate HA, then go to the unit with the good configuration and apply a commit. Is that correct?

Is there a command to make the passive unit become active (if HA is correctly configured)?

Thank you.

kprakash
L5 Sessionator

Hi CRF,

Yes, you are right again.

1) You will suspend the current passive box: request high-availability state suspend

2) Apply the changes and force the commit

3) Make the current box functional. The box will still remain passive, and there will be a mismatch in the running configuration on both the active and the passive devices

4) Now test the traffic by suspending the current active box, then make it functional and passive:

> request high-availability state suspend

> request high-availability state functional (on the suspended box)

5) If everything is fine, you can synchronize the running configuration from the new active box:

> request high-availability sync-to-remote running-config (on the current active box)

If you encounter any issues, suspend the current active box (the one with the new interface config, bringing it back to passive), and then synchronize the running configuration from the active box.

BR,

Karthik
