Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1371
Views
10
Helpful
5
Replies

Making changes on the interfaces on the Secondary Standby FTD while Primary FTD is running

Go to solution
Pahee Nagulan
Level 1
Level 1

‎06-29-2021 06:37 PM - edited ‎06-29-2021 06:39 PM

We have 2x 2120 Cisco FTDs(managed by FMC) in the DMZ.  Primary/Active FTD has a single L3 link to EDGE 1 and Secondary/Standby FTD has a single L3 to EDGE-2 switch. We are planning to deploy VPC on the EDGE switches where each FTD is going to have two legs to the EDGE switches(One is to EDGE-1 and the other one is to EDGE-2). We would like to reduce the outage on the DMZ. So my question is, Can I make changes on the Secondary Standby FTD(Single layer 3 interface to Layer 3 Port channel) while Primary FTD is being active(It's running with single L3). Once I build the port-channel on the Secondary Standby FTD, I will do a failover to make that active. Then change the interfaces on the Primary FTD.

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-30-2021 02:27 AM

You can only Make changes on Primary all the time, ( you can not make any changes on Secondary interm of config).

 

i am sure you need small downtime (or maintenance window) while conergence take place from single link to Port-chanel move config time.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-30-2021 05:47 AM

Besides what @balaji.bandi correctly noted, changing single interface to a 2-member portchannel interface is particularly challenging. Assuming you want to retain the same interface name (and associated zone and inferface group) you have to essentially remove it altogether and then re-add it anew.

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-05-2021 06:37 AM

The Interface config no longer valid, you need created associated config to reflect. and clean up old config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-30-2021 02:27 AM

You can only Make changes on Primary all the time, ( you can not make any changes on Secondary interm of config).

 

i am sure you need small downtime (or maintenance window) while conergence take place from single link to Port-chanel move config time.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-30-2021 05:47 AM

Besides what @balaji.bandi correctly noted, changing single interface to a 2-member portchannel interface is particularly challenging. Assuming you want to retain the same interface name (and associated zone and inferface group) you have to essentially remove it altogether and then re-add it anew.

Go to solution
Pahee Nagulan
Level 1
Level 1

‎07-05-2021 06:05 AM

Thank you @balaji.bandi @Marvin Rhoads for taking your time to reply to my question. When I'm removing the existing L3 interface config(and associated zone and interface group) on the FTDs, will that wipe-out the config on routing and policies associated with that interface and security zone on the FTD?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-05-2021 06:37 AM

The Interface config no longer valid, you need created associated config to reflect. and clean up old config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Pahee Nagulan
Level 1
Level 1
In response to balaji.bandi

‎07-08-2021 12:26 PM

Thanks @balaji.bandi for confirming.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card