jmlux
New Member
May 31, 2017
Question

Reassign VLANs from port to aggregate

  • May 31, 2017
  • 1 reply
  • 27477 views

Hey, we currently have VLAN interfaces assigned to ports directly. Now we'd like to create aggregate interfaces and assign the VLANs to those. It's an A-P HA pair. The way with the least downtime would be to back up the config, change it with a text editor, and restore the edited config.

Question 1: Would that be the preferred method, or how would you go about this?

Question 2: What if the edited configuration is invalid for whatever reason? Will it revert to the previously running config? How to have a way back?

Thanks.
Marki

1 reply

Agent_1994
New Member
May 31, 2017

Hello jmlux!

I did something similar last month, and it worked. If you maintain the VLAN interface names, and there are no references to the aggregate members (physical ports), it wouldn't be a problem.

What I had to do last month was to migrate an "old" LAG to a new LAG, and move the VLANs into the new one. In your case, you'd create the LAG and change the "set interface" accordingly.

If something doesn't work, there will be configuration chunks missing.

My advice?

1. If you can, create the LAG BEFORE.
2. Back up your configuration.
3. Copy it to another file and modify that file.
4. Check that there are no references to the LAG member ports.
5. Import the new (modified) configuration.
6. Check (visually) if there's something missing.
7. Back up the new configuration.
8. Use a tool like Beyond Compare (https://www.scootersoftware.com/) to check if there are missing chunks, by comparing the imported backup against the new backup (step 7).

Btw, I don't believe this is supported by Fortinet, they may shoot us on sight if they catch us doing this.
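Steps 3 and 4 of the procedure above, done in code as an added example (not part of this thread and not a Fortinet tool): it rewrites the `set interface` lines of the VLAN sub-interfaces in a copy of a FortiOS config backup to point at the aggregate, then scans the result for leftover references to the member ports that would still break the import. The config text, the port names and the aggregate name "lag1" are constructed for the example.

```python
import re

# Constructed sample FortiOS config backup (not a real device): VLANs hang off port1/port2, the future LAG members.
SAMPLE_CONFIG = """\
config system interface
    edit "vlan10"
        set interface "port1"
        set vlanid 10
    next
    edit "vlan20"
        set interface "port2"
        set vlanid 20
    next
end
config firewall policy
    edit 1
        set srcintf "vlan10"
        set dstintf "port2"
    next
end
"""

EDIT_LINE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
SET_INTERFACE = re.compile(r'^(\s*set interface\s+)"([^"]+)"\s*$')

def reassign_vlans(config, members, lag):
    """Step 3: in the copied config, repoint every 'set interface "<member>"'
    at the aggregate. Returns (new_config, names_of_entries_changed)."""
    out, changed, current = [], [], None
    for line in config.splitlines():
        m = EDIT_LINE.match(line)
        if m:
            current = m.group(1)          # remember which 'edit' entry we are in
        m = SET_INTERFACE.match(line)
        if m and m.group(2) in members:
            line = f'{m.group(1)}"{lag}"'  # keep indentation, swap the port for the lag
            changed.append(current)
        out.append(line)
    return "\n".join(out) + "\n", changed

def leftover_references(config, members):
    """Step 4: list (line_no, text) of any remaining quoted reference to a
    member port (policies, zones, routes...), which would block the import."""
    refs = []
    for n, line in enumerate(config.splitlines(), 1):
        quoted = re.findall(r'"([^"]+)"', line)
        if not line.strip().startswith("edit") and members & set(quoted):
            refs.append((n, line.strip()))
    return refs
```

Run `reassign_vlans` on the copied backup and then `leftover_references` on its output; anything it reports (here the firewall policy still pointing at port2) has to be fixed by hand before importing.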

    jmlux (Author)
    New Member
    May 31, 2017

    Ok, so we agree on the general principle of restoring a manually modified backup file.

    mkolus wrote:

        Btw, I don't believe this is supported by Fortinet, they may shoot us on sight if they catch us doing this.

    Well, they could provide us with an official method other than installing the box from scratch when you need to change the name of a VLAN and the like ;)

    In any case, you could probably carry out everything on the live system as long as you don't lose access to management. However, the downtime would be much longer than by simply preparing a config and pushing it in one step. Why get shot for being efficient?

    BTW I always use WinMerge for such tasks. It's a great and simple tool.

    emnoc
    New Member
    May 31, 2017

    FWIW

    1> If you have spare ports, create a lag on those 2x ports.

    2> Move the VLAN sub-interfaces one-by-one to the new lag, e.g.:

        config sys interface
            edit <the name of the subinterface>
                set interface <new lag name>
        end

    3> No downtime required.

    4> No changes to the fwpolicy.

    Ken