Forum Discussion
CirrostratusQuestions on Migrating configs from iSeries to RSeries F5s
When we migrate between different platforms , I plan on following the below procedure but have few questions
- From the iSeries platform (iF5-A(Active) and iF5-B(Standby)), need to take backups and move them to the /shared folder and edit the UCS file(bigip_base.conf for LTM and bigip_gtm.conf for GTM) by modifying the Management Ips, Adding new Vlans(as I want to have new subnet for VIPs), creating new self IPs for all the node subnets and edit the existing domain to a new domain(ex:ab.xyz.com to dc.xyz.com). Modified files are iF5-A.ucs and iF5-B.ucs. - We need to remove trunk config from the new UCS file(K50152613), so do we remove the full config including the config where trunk has all the vlans added along with deleting the trunk interface? We have to manually add the vlans and Trunks through F5OS? - How can we edit iApps as they are no longer supported?
- On the new R-Series F5s, Bring them up and configure them for HA. Now when I copy using "platform migrate" On the R-Series rF5-A(Active) and rF5-B(Standby),
tmsh load sys ucs /tmp/iF5-A.ucs platform-migrate for rF5-A
tmsh load sys ucs /tmp/iF5-B.ucs platform-migrate for rF5-B I see that in the KB article, it saves the non compatible config in /var/local/ucs/platform_migrate_ignored_objects
Based on this K82540512, Looks like interfaces, trunks and Vlans are not copied? Does it copy the VIPs, nodes, pool members without Vlans? and should we be doing this after manually creating the Trunks and Vlans on F5OS?
3. Why do we need to do "modify sys crypto master-key prompt-for-password"
https://my.f5.com/manage/s/article/K82540512
If anyone has done this successfully, please let me know how you did it and what issues you saw?
Thank you
4 Replies
- Melissa_C
Moderator
Hello InquisitiveMai
Noticed your post has been up for some time without response. If you have got these questions answered I would like to encourage you to provide an update with those answers for you and future users who may encounter the same issues. However, if you have not I would suggest contacting support, specially Professional Services as they are the go-to team for migration assistance.
-Melissa
PanchankaNimbostratus
Hiya,
I’m working on the same thing and made good progress on migration from iseries appliance mode (no vguests) to F5OS tenant LTM only. Here are my comments.
For your item 1
looks like you want to make a bunch of config changes at the same time you are migrating. This was not my approach. I kept things as similar as possible for the migration and made optimizations after the migration. The more that changes, the more that can go wrong. I even kept the same mgmt IP. Here is a brief overview of my appraach:
- Deploy F5OS tenant with a temp mgmt ip, vlans and trunks.
- Reset admin and root passwords
- modify sys crypto master-key prompt-for-password and save sys config
- On iseries standby run sys failover offline
- Ensure old mgmt ip is offline by shutting down the mgmt port on the switch
- Change the tenant’s mgmt IP to the iSeries IP and change F5OS tenant to deployed state
- load sys ucs <filename> no-license platform-migrate check for errors and validate loaded config
- Check the /var/local/ucs/platform_migrate_ignored_objects, you should see mgmt-routes and references to “vmname” objects that include vlans
- Put back mgmt routes
- Force offline to avoid split brain run sys failover offline
- Move fibers from iSeries device to new rSeries
- Recreate device trust
- Failover to new rSeries and repeat steps above for remaining iSeries device.
For modifying the bigip_base.conf file, I recommend not deleting anything, instead comment out (with a '#') all physical elements, namely: Interfaces and Trunks.
net stp /Common/cist {
# trunks {
# lab-n7k_trunk {
# external-path-cost 20000
# internal-path-cost 20000
# }
# }
vlans {
/Common/ha-lab_vlan
/Common/ha2-lab_vlan
/Common/lab-voice_vlan
net stp-globals {
config-name 00-23-E9-7B-E0-80
}
#net trunk lab-n7k_trunk {
# interfaces {
# 1.0
# 2.0
# }
# lacp enabled
#}
net vlan /Common/ha2-lab_vlan {
dag-adjustment none
# interfaces {
# lab-n7k_trunk {
# tagged
# }
# }
tag 27
}
Also, if you hate editing in vi, vim or nano as much as I do, you can use 7-Zip and Notepad++ to edit and save within the archive. 7-Zip will prompt you to save and re-bundle it.
You mentioned iApps, but do you have iApps that reference physical elements?
For your item 2, I answered most of it above. You also asked, Does it copy the VIPs, nodes, pool members without Vlans? I recommend pre-setup of the F5OS tenants with all the required vlans and interfaces and LACP trunks.
For your item 3, the master key is used to encrypt things on box i.e. password, private keys. If you don’t do this, the config load correctly, but the secrets won’t be decryptable which will make quite the mess. If you don’t already know what it is, set it on the old iSeries before you start, then set it on the tenant. If you already have it documented, just set it on the new tenant. You know if you’ve done it right if the hashes match between iSeries and rSeries. But we aware of this bug as it bit me.
Bug ID 2150489: Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed. https://cdn.f5.com/product/bugtracker/ID2150489.html
I recommend you upgrade to 17.1.5.4 on the iSeries before you migrate. Obvioiusly, your tenant will need the same version.
Hope that was helpful. This is a fun project for me so let me know if you have any other questions.
InquisitiveMaiThank you for the detailed response. We are configuring them as new F5s, so that we can move one application at a time and don't have to make changes to the config. What do you mean by iApps referring to physical elements? iApps like Horizon,ldap,sharepoint etc
Was thinking to manually configure them
- Panchanka
If the iApps were working on your iSeries, they will continue to work on the rSeries after you load the UCS. If want to move them over one at a time you will need a different procedure than what I described above. To move your iApps one at a time, I recommend getting on the CLI listing the VS then list all referenced elements and any other elements referenced by those until you have the full iApp application configuration listed. From there you can manually remove the iApp related "buckets/tags" i.e iAppName.app/vs_name and app-service /Common/
then
load sys config from-terminal merge
and paste in the clean elements. Keep in mind there is an order of precedence.
Hope that helps
