Hey,

We currently have VLAN interfaces assigned to ports directly. Now we'd like to create aggregate interfaces and assign the VLANs to those. It's an A-P HA pair. The way with the least downtime would be to back up the config, change it with a text editor, and restore the edited config.

Question 1: Would that be the preferred method, or how would you go about this?

Question 2: What if the edited configuration is invalid for whatever reason? Will it revert to the previously running config? How to have a way back?

Thanks.
Marki
Hello jmlux!
I did something similar last month, and it worked. If you maintain the VLAN interface names, and there are no references to the aggregate members (physical ports), it wouldn't be a problem.
What I had to do last month was to migrate an "old" LAG to a new LAG, and move the VLANs into the new one. In your case, you'd create the LAG and change the "set interface" accordingly.
If something doesn't work, there will be configuration chunks missing.
My advice?
Btw, I don't believe this is supported by Fortinet; they may shoot us on sight if they catch us doing this.
Ok, so we agree on the general principle of restoring a manually modified backup file.
mkolus wrote: Well, they could provide us with an official method other than installing the box from scratch when you need to change the name of a VLAN and the like ;) Btw, I don't believe this is supported by Fortinet; they may shoot us on sight if they catch us doing this.
In any case, you could probably carry out everything on the live system as long as you don't lose access to management. However, the downtime would be much longer than by simply preparing a config and pushing it in one step. Why get shot for being efficient?
BTW, I always use WinMerge for such tasks. It's a great and simple tool.
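As an added example (not from the thread, and not a Fortinet tool), one way to make the text-editor step reproducible and to catch the "invalid configuration" case from Question 2 before anything is restored: a small Python script that, inside the `config system interface` block of a FortiOS backup, rebinds only the VLAN sub-interfaces sitting on a given port to the new LAG and refuses to run if that LAG is not defined as an aggregate. The sample config, the `move_vlans_to_lag` name and the interface names are constructed for illustration.

```python
# Constructed FortiOS backup fragment (sample data, not from the thread's devices).
SAMPLE_CONFIG = """\
config system interface
    edit "LAG1"
        set type aggregate
        set member "port11" "port12"
    next
    edit "VLAN_59"
        set ip 192.0.2.1 255.255.255.0
        set interface "port10"
        set vlanid 59
    next
    edit "IPSEC_T1"
        set type tunnel
        set interface "port10"
    next
end
"""

def move_vlans_to_lag(config_text, old_port, new_lag):
    """Point every VLAN sub-interface (entry carrying 'set vlanid') bound to old_port
    at new_lag; vlanid and all other settings stay, so policies keep their names."""
    lines = config_text.splitlines()
    entries, in_block, start = [], False, None
    for i, line in enumerate(lines):
        # Only top-level edit/next pairs (4-space indent) of the interface block;
        # nested 'config ... end' sub-blocks inside an entry are deeper and skipped.
        if line == "config system interface":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith('    edit "'):
            start = i
        elif in_block and start is not None and line == "    next":
            entries.append((start, i))
            start = None
    def name(s):  # interface name between the quotes of edit "..."
        return lines[s].strip()[6:-1]
    # Restoring a file that binds VLANs to an undefined or non-aggregate interface is
    # exactly the "invalid config" risk raised in the thread: refuse before writing.
    if not any(name(s) == new_lag and "set type aggregate" in
               [l.strip() for l in lines[s:e]] for s, e in entries):
        raise ValueError(f'"{new_lag}" is not an aggregate interface in this config')
    moved = []
    for s, e in entries:
        body = [l.strip() for l in lines[s:e]]
        if any(b.startswith("set vlanid ") for b in body) and f'set interface "{old_port}"' in body:
            i = s + body.index(f'set interface "{old_port}"')
            lines[i] = lines[i].replace(f'"{old_port}"', f'"{new_lag}"')
            moved.append(name(s))
    return "\n".join(lines) + "\n", moved
```

Non-VLAN entries that also reference the port (the constructed tunnel interface above) are deliberately left alone, so the resulting file can be diffed against the original backup before it is restored.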
FWIW
1> If you have spare ports, create a LAG on those 2x ports.
2> Move the VLAN sub-interfaces one by one to the new LAG, e.g.
    config sys interface
        edit <the name of the subinterface>
            set interface <new lag name>
    end
3> No downtime required.
4> No changes to the fwpolicy.
Ken
PCNSE
NSE
StrongSwan
That's valuable input also: can't do it in the GUI but works well in the CLI, thanks.
I guess you could then even do it when you wish to reuse a port:
1. Create LAG with new port
2. Move subinterface/VLAN to new LAG port with only one member
3. Add the port the VLAN was previously assigned to to the LAG
You have to have one free port to start the lag with.
Yeap, that's how I would do it too. No need to take downtime or re-import any cfgs. One more thing to consider for the LAG members: if it's a multiple-NP model, try to plan with both member ports bound to the same NP4, for example.
PCNSE
NSE
StrongSwan
Haha! Nope!
On the CLI:
    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code -522
Conclusion: Perform the text file editing.
Nope, wrong: you can't change the vlanid once it's set. That's not what you asked.
We currently have VLAN interfaces assigned to ports directly. Now we'd like to create aggregate interfaces and assign the VLANs to those. It's an A-P HA pair
You can always change the subinterface "interface" using the above set interface < name of the lag >; read the above post #4 again.
1> If you have pre-existing subinterfaces bound to physical interface portXXXX and now want to move them to LAGXXX, you do not need to reset the vlanid # or have resulting downtime.
2> If you want to re-bind the subinterface and change the vlanid #, then yes, that's not doable regardless of whether a LAG is involved or not.
Again, read item #4 from above & determine what you're trying to do.
Ken
PCNSE
NSE
StrongSwan
I do not wish to change the VLAN id. I want to move the VLAN from a physical port to a LAG:
    XXXX (vdxxx) # config system interface
    XXXX (interface) # edit VLAN_XXXX
    XXXX (VLAN_XXXX) # show
    config system interface
        edit "VLAN_XXXX"
            set vdom "vdxxx"
            set ip 1.2.3.4 255.255.248.0
            set allowaccess ping
            set snmp-index 34
            set interface "port10"
            set vlanid 59
        next
    end
    XXXX (VLAN_XXXX) # set interface XXX_LAG
    XXXX (VLAN_XXXX) # next
    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code 1
Guess what, my bad: I found a bug in FortiOS with no lack of warning.
Look at this:
    FGT1 (global) $ show sys interface JKK_ETH_APP132
    config system interface
        edit "JKK_ETH_APP132"
            set vdom "JKK"
            set ip 10.2.1.1 255.255.254.0
            set allowaccess ping
            set description "JKK ETH APP"
            set snmp-index 12
            set interface "LAG_ETH"
            set vlanid 132
        next
    end
    FGT1 (global) $ config system interface
    FGT1 (interface) $ edit "JKK_ETH_APP132"
    FGT1 (JKK_ETH_APP132) $ set interface port28
    FGT1 (JKK_ETH_APP132) $ end
    FGT1 (global) $ show sys interface JKK_ETH_APP132
    config system interface
        edit "JKK_ETH_APP132"
            set vdom "JKK"
            set ip 10.2.1.1 255.255.254.0
            set allowaccess ping
            set description "JKK ETH APP"
            set snmp-index 12
            set interface "LAG_ETH"
            set vlanid 132
        next
    end
No warning at all on 5.2.12, which is seen in earlier versions:
    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code -522
BTW, I found the behavior is the same under 5.4: no warning if you try to change the interface, but a warning if you try the vlanid. Both fail, one with a warning, the other without.
Ken
PCNSE
NSE
StrongSwan