
Migration with vPC, SVI, and HA FW

irenof
Level 1

Hi all,

I am studying the best way to migrate two N7ks to N9ks. The physical topology is depicted below:

[Image: physical topology]

During the migration I will create vPC3 for L2 extension. The N7k switches are vPC peers (peer-link) and form vPCs with a pair of FWs in HA. The connection is done through a /29 network via an SVI, and both port-channels (1 and 2) belong to the SVI. The N7k switches run HSRP for the /29 network; n7k1 is primary.

 

[Image: topology diagram]

 

My idea is to configure n9ks with SVI and HSRP shutdown and start migrating VPC2 first to the new n9ks. At this time I would only no shut the new vpc2, leaving the SVI down with the N7ks doing the HSRP. My question is, what then? My idea is to then migrate VPC1 to the new 9ks, no shut the new vpc1 and shut SVI on n7k and no shut SVI on n9k with hsrp with the n9k1 primary.

I want to have as short a downtime as possible. N7k1 (and N7k2) runs an eBGP session between 2 VRFs on the same box. [The description of the logical topology is just for 1 network, but I have one /29 per VRF (I have 3 of them).]

I hope I have been as clear as possible.

Thanks

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @irenof ,

your approach looks reasonable:

creating L2 connectivity between the Nexus 7k and Nexus 9k pairs.

Then you move the L2 connectivity on a per-vPC basis, actually migrating the FW standby unit to the new Nexus 9k pair, without enabling the SVIs and HSRP on the new Nexus 9k pair.

Then you move the second vPC to the new Nexus 9k pair.

Then you migrate the L3 by disabling the SVIs on the Nexus 7k and enabling the corresponding SVIs on the Nexus 9k.

Looking at the bigger picture, you may need an L3 link per VRF between Nexus 7k and Nexus 9k, so that you can migrate one VLAN at a time and the L3 link between them provides routing connectivity during the migration (if you have multiple VLANs under each VRF, this avoids migrating all the VLANs in the same VRF at once at OSI layer 3).

Edit:

I see you have three VLANs under each port-channel 1 and 2 towards the Firewalls. You can migrate at Layer 3 one of them at a time or all of them at once. Above I was referring to the other VLANs in the same VRF if they exist. Likely your SVIs to the FWs are in different VRFs.

Hope to help

Giuseppe

 


6 Replies

balaji.bandi
Hall of Fame

HSRP is a good idea to extend the SVI to the other, new switches.

It depends on how the vPC is configured; then you will see less interruption when you move HSRP active from one switch to another.

Make sure the VRF is also extended and configured on the new switches. Is the HSRP VRF aware?

 

 

BB


Hi, thanks for your reply. What do you mean by "extend the SVI to other new switches"?
The vPC is configured as follows (on N7k1, same as on N7k2):

interface port-channel1
  description FW1
  switchport
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 811,821
  spanning-tree port type edge trunk
  flowcontrol send on
  vpc 1

interface port-channel2
  description FW2
  switchport
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 811,821
  spanning-tree port type edge trunk
  flowcontrol send on
  vpc 2

Interface VLAN with HSRP for VLAN 821:

interface Vlan821
  description Transit-FW
  no shutdown
  vrf member Test
  ip address 10.0.0.2/29
  hsrp version 2
  hsrp 821
    authentication md5 key-chain hsrp-keys
    preempt delay minimum 900
    ip 10.0.0.1/29

 

For VLAN 811 it is the same, with a different IP.


As you can see, many SVIs belong to a vPC, so when I unplug the cables I impact many SVIs. I think I should shut down both 811 and 821 and move them to the new N9k.

The new N9ks have the same conf as the 7000, but with L3 shutdown at the beginning.

 

Thanks

>> As you can see, many SVIs belong to a vPC, so when I unplug the cables I impact many SVIs. I think I should shut down both 811 and 821 and move them to the new N9k.

This also addresses my point about extending the SVI to the other switches: if they are connected with enhanced vPC and L2 is extended all over, you can create HSRP on the new switches as well (that is what you mentioned in your original post).

All 4 switches participate in HSRP; only 2 are active/standby and the rest will be in listen mode. When you shut down the active one, another one becomes active, and so on, for the Layer 3 move to the new switches. Apart from that, do you need to look at any other routing stuff?

BB


 

Hello @Giuseppe Larosa,

your answer starts to clear up my doubts. Actually, an L3 link between the old and the new switches might be useful, since I have many vPC connections with FWs and CEs to migrate (the CEs have p2p connections, so yes, those are easier). Without it, would I lose routing connectivity between the L3 services still on the Nexus 7000 and the ones migrated to the 9000, right?

Yes, the SVIs belong to different VRFs.

Thanks again,

Irenof

Hello @irenof ,

>> Without it, would I lose routing connectivity between the L3 services still on the Nexus 7000 and the ones migrated to the 9000, right?

Yes, this is what the per-VRF L3 link can solve. You may be using a dynamic routing protocol on it, so that when a subnet disappears on the Nexus 7000 after shutting down both SVIs, it will be learned over the per-VRF L3 link from the Nexus 9000 pair.

Hope to help

Giuseppe
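The plan agreed in the thread (N9k SVIs pre-built but shut, vPCs moved first, then L3, with a per-VRF routed link carrying a dynamic routing protocol) written out as an N9k-side configuration. This is an added example, not configuration from the thread; it assumes the vPC domain and peer-link on the N9k pair already exist, and the vPC3 number, Ethernet1/49, the 10.0.0.4 address, the 192.0.2.0/30 link, the key string and the AS numbers are placeholders.

```nxos
! Added example (not from the thread): target config for n9k1; n9k2 mirrors it
! with its own addresses and a lower HSRP priority. vPC3, Eth1/49, 10.0.0.4,
! 192.0.2.0/30, the key string and AS 65010/65000 are assumed placeholders.
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature bgp
vlan 811,821,1000

! Must hold the same secret as the N7k key chain or HSRP hellos are rejected
key chain hsrp-keys
  key 1
    key-string REPLACE-WITH-N7K-KEY

! vPC3: L2 extension to the N7k pair, carries only the FW transit VLANs
interface port-channel3
  description L2-to-N7k-pair
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 811,821
  vpc 3

! SVI mirrors the N7k one but stays shut until both FW vPCs have moved;
! priority 120 plus preempt makes n9k1 HSRP active once it is no shut
interface Vlan821
  description Transit-FW
  shutdown
  vrf member Test
  ip address 10.0.0.4/29
  hsrp version 2
  hsrp 821
    authentication md5 key-chain hsrp-keys
    preempt delay minimum 900
    priority 120
    ip 10.0.0.1

! Per-VRF routed link to N7k1 so subnets still hosted on the N7k stay
! reachable while the VRF's SVIs are moved one at a time
interface Ethernet1/49
  description L3-to-N7k1-vrf-Test
  no switchport
  vrf member Test
  ip address 192.0.2.1/30
  no shutdown

router bgp 65010
  vrf Test
    neighbor 192.0.2.2 remote-as 65000
      address-family ipv4 unicast
```

Cutover order follows the thread: move vPC2 (FW standby) and then vPC1 to the N9k pair, then `shutdown` Vlan821 on both N7ks and `no shutdown` it on both N9ks; in between, the eBGP session over Ethernet1/49 keeps the VRF's remaining N7k subnets reachable from the N9k side.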

 
