For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

marccabre_20581's avatar
marccabre_20581
Icon for Nimbostratus rankNimbostratus
Jun 09, 2016

How to migrate a Sync-Failover Interface & Vlan id in a vCMP enabled appliances.

Dear people!

 

I have an interesting question...regarding how to migrate a Sync-Failover Interface & Vlan id in a vCMP enabled appliances.

 

Ok, lets go... they are only using LTM

 

The customer told us to add a new devices, lets say Dev3, to the existing device group. As a ofline device but with full sync.

 

The problem raise when we check the customer physical config:

 

They have 2 physical devices, lets say: PHYDEV1 and PHYDEV2. These devices ar using vCMP and inside they have 2 Virtual F5 appliances, one in each physical devices: VIRDEV1 and VIRDEV2

 

The problem is in order to add the new device to that device group they have to be in the SAME Sync-Failover VLAN 100.

 

Now the vlan 100 is implemented using a Port-Channel direct between PHYDEV01 and PHYDEV02, then we need to change that schema and pass the vlan through a Nexus Switch.

 

And here comes my question... What is or what do you think is the best & safe way to do it in a production environment? Bellow my initial idea.

 

At the final of the process we will have to: * Do the sync-failover using f5 - Nexus - F5 connectivity and not F5 - F5 * Change the existing vlans 100 (That can not be used) for VLAN 2100

 

  1. Actually PHYDEC2 and VIRDEV2 are the active ones (and it will remain as active until finish the migration)
  2. Configure the VIRTDEV1 as Offline
  3. Disconnect the Management Links between F5 Physical Appliances and connect PHYDEV1 Management Ports (Port-Channel + vlan 100) to the Nexus
  4. Extend the VLAN 2100 to the PHYDEV1 and then to the VIRDEV1
  5. Confgure the VLAN 2100 Self IP in the VIRDEV1
  6. Change the device group config (We have to use the new vlan 2100).
  7. At this point we have one device migrated (Offline mode)
  8. Start the PHYDEV2 Sync-Failover link migration (with device VIRFEV2 in Production/No offline
  9. Disconnect the Management Links between F5 Physical Appliance and connect PHYDEV2 Management Ports (Port-Channel + vlan 100) to the Nexus
  10. Confgure the VLAN 2100 Self IP in the VIRDEV2
  11. Change the device group config (We have to use the new vlan 2100).
  12. Chack if the Device-Group it's ok
  13. Move VIRDEV01 to standby mode
  14. Sync VIRTDEV2 to group

Then the main questions are: * It's possible do it? XD * Can we change the VLAN without deleting the Existing Device Group? * Because the Trust&Certificates between devices are the same we will recover the normal Device Group Status?

 

application delivery
BIG-IP
LTM
security

1 Reply

  • tatmotiv's avatar
    tatmotiv
    Icon for Cirrostratus rankCirrostratus
    Jun 15, 2016
    Can you not extend the VLAN 100 to the Nexus switch? Is it already used there? By "Management Links" described above you do not mean the physical management ports of the vCMP hosts, do you? Are the management ports of the vCMP guests configured as bridged or isolated?