How to expand a VSX_cluster on Crossbeam X series chassis

Article ID: 168033

Products

XOS

Issue/Introduction

How to expand a VSX_cluster on Crossbeam X series chassis.

Cause

A customer wants to expand a VSX cluster from 1 to 2 members on each Crossbeam X-Series chassis to process more traffic.

During the original design, the system was not configured to have spare IP addresses for either VSX cluster management or for VSX Checkpoint cluster sync IP addresses between the chassis.

Resolution

Technical Consideration

From a technical standpoint, the systems are not required to use contiguous IP addresses across chassis. However, IP address contiguity is enforced within a chassis for a given VAP group because of the increment-per-vap command.
For Cluster management, the IP addresses may be from different subnets across the chassis.
For Cluster sync, the IP addresses across the chassis must be within the same subnet.

This procedure should be performed during a maintenance window and the customer should understand that there are potential risks associated with the migration of firewalls in a production environment.
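
A pre-change check of the addressing rules above, added here as an example (it is not part of the original article or of XOS): it expands each circuit's per-VAP addresses and flags overlaps, ranges too short for the vap-count, and sync circuits that sit in different subnets. It assumes the address after increment-per-vap is the last address of a contiguous per-VAP range starting at the circuit IP, as the two-VAP commands in the procedure suggest; the function and plan names are hypothetical.

```python
import ipaddress
from itertools import combinations

def vap_ips(base_cidr, last_ip, vap_count):
    """Return (network, [one IP per VAP]) for one circuit on one chassis.
    Assumption: the address after increment-per-vap is the last address of a
    contiguous range starting at the circuit IP, one address per VAP."""
    iface = ipaddress.ip_interface(base_cidr)
    span = int(ipaddress.ip_address(last_ip)) - int(iface.ip) + 1
    if span < vap_count:
        raise ValueError(f"range holds {span} address(es) but vap-count is {vap_count}")
    ips = [iface.ip + i for i in range(vap_count)]
    net = iface.network
    for ip in ips:
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {net}")
    return net, ips

def check_plan(plan):
    """plan: {chassis: {circuit: (base_cidr, last_ip, vap_count)}} -> list of problems."""
    problems, resolved = [], {}
    for chassis, circuits in plan.items():
        for circuit, args in circuits.items():
            try:
                resolved[(chassis, circuit)] = vap_ips(*args)
            except ValueError as exc:
                problems.append(f"{chassis}/{circuit}: {exc}")
    for (a, (net_a, ips_a)), (b, (net_b, ips_b)) in combinations(resolved.items(), 2):
        for dup in sorted(set(ips_a) & set(ips_b)):
            problems.append(f"{dup} assigned on both {a[0]}/{a[1]} and {b[0]}/{b[1]}")
        # Sync circuits on different chassis must share one subnet; mgmt need not.
        if a[1] == b[1] == "sync" and net_a != net_b:
            problems.append(f"sync subnets differ: {a[0]} {net_a} vs {b[0]} {net_b}")
    return problems

# Addresses and vap-count taken from the procedure on this page.
PAGE_PLAN = {
    "X45-1": {"mgmt": ("20.20.20.1/24", "20.20.20.2", 2), "sync": ("10.1.1.1/24", "10.1.1.2", 2)},
    "X45-2": {"mgmt": ("30.30.30.1/24", "30.30.30.2", 2), "sync": ("10.1.1.8/24", "10.1.1.9", 2)},
}
# Constructed faulty plan: sync on X45-2 in another subnet, mgmt range too short.
BAD_PLAN = {
    "X45-1": {"mgmt": ("20.20.20.1/24", "20.20.20.1", 2), "sync": ("10.1.1.1/24", "10.1.1.2", 2)},
    "X45-2": {"mgmt": ("30.30.30.1/24", "30.30.30.2", 2), "sync": ("10.1.2.1/24", "10.1.2.2", 2)},
}

if __name__ == "__main__":
    for name, plan in (("page plan", PAGE_PLAN), ("constructed bad plan", BAD_PLAN)):
        print(name, "->", check_plan(plan) or "OK")
```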


Procedure

The following procedure explains how to migrate a VSX cluster member from one chassis to another.

Situation before adding cluster members
  • VSX cluster member A on X45-1
  • VSX cluster member B on X45-2

Desired situation
  • VSX cluster member A on X45-1
  • VSX cluster member B on X45-1
  • VSX cluster member C on X45-2
  • VSX cluster member D on X45-2


Actions:

1) Stop the VSX cluster on chassis X45-2.

  configure vap-group vsx max-load-count 0

2) Expand the vap-group on chassis X45-1.

  configure circuit mgmt vap-group vsx ip 20.20.20.1/24 increment-per-vap 20.20.20.2
  configure circuit sync vap-group vsx ip 10.1.1.1/24 increment-per-vap 10.1.1.2
  configure vap-group vsx load-balance-vap-list 1
  configure vap-group vsx vap-count 2
  configure vap-group vsx max-load-count 2
  application-update vap-group vsx


     Then apply any required patches on the second vap on the X45-1 chassis.

3) Move the cluster member B onto X45-1 chassis.

    vsx_util reconfigure VSX_cluster_B

    Note that if you need to change the mgmt_ip of the VSX_cluster_B member, you can
    do so by running "vsx_util change_mgmt_ip" for that cluster member before
    executing vsx_util reconfigure.

4) The newly added cluster member on X45-1 is reconfigured and then rebooted.

    Check that the policy and the VS are properly created and that state sync is working, then enter this command:
 
   configure vap-group vsx load-balance-vap-list 1 2 3 4 5 6 7 8 9 10

  Your X45 cluster member should then have the proper policy and should be processing traffic.
    Proceed to the X45-2 configuration change.

5) Modify the configuration and add the new clusters:

  configure circuit mgmt vap-group vsx ip 30.30.30.1/24 increment-per-vap 30.30.30.2
    (second set of IPs for the mgmt)

  configure circuit sync vap-group vsx ip 10.1.1.8/24 increment-per-vap 10.1.1.9
  configure vap-group vsx vap-count 2
  configure module x maintenance
    (where x represents the vap which will boot the vsx_1 image)
  configure vap-group vsx max-load-count 2

  When the vap_1 APM is booted, rsh to vsx_1 and execute reset_gw.

  application-update vap-group vsx

  Then apply any required patches on the second vap on the X45-2 chassis.

  configure module x enable
    (where x represents the vap which will boot the vsx_1 image)

6) Add the VSX cluster members of chassis 2.

  vsx_util add_member
  vsx_util add_member_reconf

    You may need to reload the entire VAP group at the end to ensure proper configuration.


Workaround

N/A