How to safely migrate circuits on VSX NGX R65 in a VRRP configuration from one interface to another

book

Article ID: 168057

calendar_today

Updated On:

Products

XOS

Issue/Introduction

How to safely migrate circuits on VSX NGX R65 in a VRRP configuration from one interface to anotherN/A

Cause

Migrating circuits from one circuit to another, in a VSX configuration.

Resolution

This solution is specifically written for VSX NGX R65 in a VRRP configuration, but it could work for other flavors of VSX. If you need to migrate a circuit from an MLT interface to another physical interface (due to an NPM upgrade) there are some specific steps to be followed; especially when the system is running in dual-box HA (VRRP).

Modifying VRRP and remapping the circuits manually in the XOS CLI does not work. The configuration file is pushed by VSX, which would cause local.vsall to not be in sync with the configuration on the CPM.

This is how a group interface config might look like in initial stage:

circuit outside circuit-id 1027
device-name out
vap-group vsx1
ip-forwarding
circuit mgmt circuit-id 1025
device-name mgmt
vap-group vsx1
ip-forwarding
ip 172.30.32.74 255.255.255.192 172.30.32.127 increment-per-vap 172.30.32.75
circuit sync circuit-id 1028
device-name sync
vap-group vsx1
ip-forwarding
ip 4.4.4.2 255.255.255.0 4.4.4.255 increment-per-vap 4.4.4.3
circuit inside circuit-id 1026
device-name in
vap-group vsx1
circuit vsx_ckt_vsx1_wrp128 circuit-id 1031
device-name wrp128
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_wrp192 circuit-id 1030
device-name wrp192
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_wrp256 circuit-id 1034
device-name wrp256
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_inside_107 circuit-id 1033 domain 2
device-name in.107
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 107
circuit vsx_ckt_vsx1_inside_106 circuit-id 1037 domain 3
device-name in.106
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 106
circuit vsx_ckt_vsx1_inside_103 circuit-id 1040 domain 4
device-name in.103
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 103
circuit vsx_ckt_vsx1_inside_105 circuit-id 1043 domain 5
device-name in.105
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 105

group-interface inside
interface-type gigabitethernet
mode multi-link circuit inside
interface 1/1
interface 1/2
logical vsx_log_vsx1_inside_103 ingress-vlan-tag 103 103
circuit vsx_ckt_vsx1_inside_103
logical vsx_log_vsx1_inside_105 ingress-vlan-tag 105 105
circuit vsx_ckt_vsx1_inside_105
logical vsx_log_vsx1_inside_106 ingress-vlan-tag 106 106
circuit vsx_ckt_vsx1_inside_106
logical vsx_log_vsx1_inside_107 ingress-vlan-tag 107 107
circuit vsx_ckt_vsx1_inside_107
#
vrrp failover-group group1 failover-group-id 1
priority 200
virtual-router vrrp-id 1 circuit inside
backup-stay-up
vap-group vsx1
virtual-router vrrp-id 2 circuit outside
backup-stay-up
vap-group vsx1
ip 20.20.20.1 255.255.255.0 20.20.20.255
virtual-router vrrp-id 4 circuit vsx_ckt_vsx1_wrp128
backup-stay-up
vap-group vsx1
ip 192.168.1.2 255.255.255.255 192.168.1.2
virtual-router vrrp-id 8 circuit vsx_ckt_vsx1_wrp192
backup-stay-up
vap-group vsx1
ip 192.168.1.6 255.255.255.255 192.168.1.6
virtual-router vrrp-id 10 circuit vsx_ckt_vsx1_wrp256
backup-stay-up
vap-group vsx1
ip 192.168.1.7 255.255.255.255 192.168.1.7
virtual-router vrrp-id 9 circuit vsx_ckt_vsx1_inside_107
backup-stay-up
vap-group vsx1
ip 10.107.1.1 255.255.255.0 10.107.1.255
virtual-router vrrp-id 7 circuit vsx_ckt_vsx1_inside_106
backup-stay-up
vap-group vsx1
ip 10.106.1.1 255.255.255.0 10.106.1.255
virtual-router vrrp-id 5 circuit vsx_ckt_vsx1_inside_103
backup-stay-up
vap-group vsx1
ip 10.103.1.1 255.255.255.0 10.103.1.255
virtual-router vrrp-id 6 circuit vsx_ckt_vsx1_inside_105
backup-stay-up
vap-group vsx1
ip 10.102.1.1 255.255.255.0 10.102.1.255

Use the following steps to migrate circuits that are part of a VRRP configuration.

1.       Remove the group interface.

2.       Remove the VRRP configuration associated with the VLAN circuits (the virtual routers).

 

virtual-router vrrp-id 9 circuit vsx_ckt_vsx1_inside_107
backup-stay-up
vap-group vsx1
ip 10.107.1.1 255.255.255.0 10.107.1.255
virtual-router vrrp-id 7 circuit vsx_ckt_vsx1_inside_106
backup-stay-up
vap-group vsx1
ip 10.106.1.1 255.255.255.0 10.106.1.255
virtual-router vrrp-id 5 circuit vsx_ckt_vsx1_inside_103
backup-stay-up
vap-group vsx1
ip 10.103.1.1 255.255.255.0 10.103.1.255
virtual-router vrrp-id 6 circuit vsx_ckt_vsx1_inside_105
backup-stay-up
vap-group vsx1
ip 10.102.1.1 255.255.255.0 10.102.1.255

3.       Remove the circuits associated with those VLANs.

 

circuit vsx_ckt_vsx1_inside_107 circuit-id 1033 domain 2
device-name in.107
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 107
circuit vsx_ckt_vsx1_inside_106 circuit-id 1037 domain 3
device-name in.106
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 106
circuit vsx_ckt_vsx1_inside_103 circuit-id 1040 domain 4
device-name in.103
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 103
circuit vsx_ckt_vsx1_inside_105 circuit-id 1043 domain 5
device-name in.105
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 105

 

Special care must be taken not to remove the VRRP config or circuits associated to the warp links or virtual routers. Removing these will result in the configuration not being generated properly, and a full cleanup of VSX may be needed.

4.       Configure the new interface with the appropiate circuit attached to it.

 

interface gigabitethernet 1/1
logical inside
circuit inside

 

5.       Reload the  VAP groups attached to that circuit.The proper logical circuits and virtual routers will be populated on VAP group reload.

 

circuit outside circuit-id 1027
device-name out
vap-group vsx1
ip-forwarding
circuit mgmt circuit-id 1025
device-name mgmt
vap-group vsx1
ip-forwarding
ip 172.30.32.74 255.255.255.192 172.30.32.127 increment-per-vap 172.30.32.75
circuit sync circuit-id 1028
device-name sync
vap-group vsx1
ip-forwarding
ip 4.4.4.2 255.255.255.0 4.4.4.255 increment-per-vap 4.4.4.3
circuit inside circuit-id 1026
device-name in
vap-group vsx1
circuit vsx_ckt_vsx1_wrp128 circuit-id 1031
device-name wrp128
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_wrp192 circuit-id 1030
device-name wrp192
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_wrp256 circuit-id 1034
device-name wrp256
vap-group vsx1
ip-forwarding
mac-addr 00:00:00:00:00:00
circuit vsx_ckt_vsx1_1_1_107 circuit-id 1029 domain 2
device-name in.107
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 107
circuit vsx_ckt_vsx1_1_1_106 circuit-id 1032 domain 3
device-name in.106
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 106
circuit vsx_ckt_vsx1_1_1_103 circuit-id 1033 domain 4
device-name in.103
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 103
circuit vsx_ckt_vsx1_1_1_105 circuit-id 1035 domain 5
device-name in.105
vap-group vsx1
ip-forwarding
default-egress-vlan-tag 105
#
interface gigabitethernet 1/1
logical inside
circuit inside
logical vsx_log_vsx1_1_1_103 ingress-vlan-tag 103 103
circuit vsx_ckt_vsx1_1_1_103
logical vsx_log_vsx1_1_1_105 ingress-vlan-tag 105 105
circuit vsx_ckt_vsx1_1_1_105
logical vsx_log_vsx1_1_1_106 ingress-vlan-tag 106 106
circuit vsx_ckt_vsx1_1_1_106
logical vsx_log_vsx1_1_1_107 ingress-vlan-tag 107 107
circuit vsx_ckt_vsx1_1_1_107
interface gigabitethernet 1/3
logical out
circuit outside
interface gigabitethernet 1/5
logical mgmt
circuit mgmt
interface gigabitethernet 1/7
logical log17
circuit sync
#
vrrp failover-group group1 failover-group-id 1
priority 200
virtual-router vrrp-id 1 circuit inside
backup-stay-up
vap-group vsx1
virtual-router vrrp-id 2 circuit outside
backup-stay-up
vap-group vsx1
ip 20.20.20.1 255.255.255.0 20.20.20.255
virtual-router vrrp-id 4 circuit vsx_ckt_vsx1_wrp128
backup-stay-up
vap-group vsx1
ip 192.168.1.2 255.255.255.255 192.168.1.2
virtual-router vrrp-id 8 circuit vsx_ckt_vsx1_wrp192
backup-stay-up
vap-group vsx1
ip 192.168.1.6 255.255.255.255 192.168.1.6
virtual-router vrrp-id 10 circuit vsx_ckt_vsx1_wrp256
backup-stay-up
vap-group vsx1
ip 192.168.1.7 255.255.255.255 192.168.1.7
virtual-router vrrp-id 9 circuit vsx_ckt_vsx1_1_1_107
backup-stay-up
vap-group vsx1
ip 10.107.1.1 255.255.255.0 10.107.1.255
virtual-router vrrp-id 7 circuit vsx_ckt_vsx1_1_1_106
backup-stay-up
vap-group vsx1
ip 10.106.1.1 255.255.255.0 10.106.1.255
virtual-router vrrp-id 5 circuit vsx_ckt_vsx1_1_1_103
backup-stay-up
vap-group vsx1
ip 10.103.1.1 255.255.255.0 10.103.1.255
virtual-router vrrp-id 6 circuit vsx_ckt_vsx1_1_1_105
backup-stay-up
vap-group vsx1
ip 10.102.1.1 255.255.255.0 10.102.1.255

Workaround

N/A