jmlux
New Contributor III

Reassign VLANs from port to aggregate

Hey, we currently have VLAN interfaces assigned to ports directly. Now we'd like to create aggregate interfaces and assign the VLANs to those. It's an A-P HA pair. The way with the least downtime would be to back up the config, change it with a text editor, and restore the edited config. Question 1: Would that be the preferred method, or how would you go about this? Question 2: What if the edited configuration is invalid for whatever reason? Will it revert to the previously running config? How to have a way back? Thanks. Marki

13 REPLIES
Agent_1994
Contributor

Hello jmlux!

I did something similar last month, and it worked. If you maintain the VLAN interface names, and there are no references to the aggregate members (physical ports), it wouldn't be a problem.

What I had to do last month was to migrate an "old" LAG to a new LAG, and move the VLANs into the new one. In your case, you'd create the LAG and change the "set interface" accordingly.

If something doesn't work, there will be configuration chunks missing.

My advice?

1. If you can, create the LAG BEFORE.
2. Back up your configuration.
3. Copy it to another file and modify that file.
4. Check that there are no references to the LAG member ports.
5. Import the new (modified) configuration.
6. Check (visually) if there's something missing.
7. Back up the new configuration.
8. Use a tool like Beyond Compare (https://www.scootersoftware.com/) to check if there are missing chunks, by comparing the imported backup against the new backup (step 7).

BTW, I don't believe this is supported by Fortinet; they may shoot us on sight if they catch us doing this.
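Steps 3, 4 and 8 above (modify a copy of the backup, check for leftover references to the LAG member ports, then diff the result) lend themselves to a small script. The following is an added example, not code from the forum post or from Fortinet: it rewrites `set interface "<port>"` to the LAG name only inside VLAN subinterfaces (entries that carry a `set vlanid`), reports every other `set` line that still names a member port, and prints a unified diff of the change. The config text, the LAG name `XXX_LAG` and the port names are constructed, and the script assumes the aggregate interface is already present in the backup with a `set member` line (step 1).

```python
"""Offline rewrite of a FortiOS-style config backup: rebind VLAN subinterfaces
from physical ports to an aggregate (LAG) and flag stale references to the
LAG member ports.  Added example; the sample config below is constructed."""
import difflib
import re

# Constructed sample backup (not a real device): two VLANs on the future LAG
# members port10/port11, one VLAN on an unrelated port12, the LAG already
# defined, and a firewall policy that still names port10 directly.
SAMPLE_CONFIG = """\
config system interface
    edit "XXX_LAG"
        set vdom "root"
        set type aggregate
        set member "port10" "port11"
    next
    edit "VLAN_59"
        set vdom "root"
        set ip 10.0.59.1 255.255.255.0
        set interface "port10"
        set vlanid 59
    next
    edit "VLAN_60"
        set vdom "root"
        set ip 10.0.60.1 255.255.255.0
        set interface "port11"
        set vlanid 60
    next
    edit "VLAN_70"
        set vdom "root"
        set interface "port12"
        set vlanid 70
    next
end
config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "VLAN_59"
        set action accept
    next
end
"""

QUOTED = re.compile(r'"([^"]+)"')
SET_INTERFACE = re.compile(r'^(\s*set interface )"([^"]+)"\s*$')


def lag_members(config, lag_name):
    """Member ports declared on the LAG entry; empty set if the LAG is absent."""
    in_block = False
    for line in config.splitlines():
        s = line.strip()
        if s == f'edit "{lag_name}"':
            in_block = True
        elif in_block and s.startswith("set member "):
            return set(QUOTED.findall(s))
        elif in_block and s == "next":
            break
    return set()


def _rewrite_block(block, lag_name, members, changed):
    """Rebind one edit..next block if it is a VLAN subinterface on a member port."""
    if not re.search(r"^\s*set vlanid \d+\s*$", "\n".join(block), re.M):
        return block  # physical port, LAG or other entry: leave untouched
    new = []
    for line in block:
        m = SET_INTERFACE.match(line)
        if m and m.group(2) in members:
            new.append(f'{m.group(1)}"{lag_name}"')
            changed.append(block[0].strip().split(" ", 1)[1].strip('"'))
        else:
            new.append(line)
    return new


def rebind_vlans(config, lag_name, members):
    """Return (new_config, names_of_rebound_vlans). Only `config system
    interface` entries are buffered; nested config/end pairs inside an entry
    are tracked so the closing `next` is matched at the right depth."""
    out, changed, section, block, depth = [], [], [], None, 0
    for line in config.splitlines():
        s = line.strip()
        if block is not None:
            block.append(line)
            if s.startswith("config "):
                depth += 1
            elif s == "end":
                depth -= 1
            elif s == "next" and depth == 0:
                out.extend(_rewrite_block(block, lag_name, members, changed))
                block = None
            continue
        if s.startswith("config "):
            section.append(s)
        elif s == "end" and section:
            section.pop()
        elif s.startswith("edit ") and section and section[-1] == "config system interface":
            block, depth = [line], 0
            continue
        out.append(line)
    return "\n".join(out) + "\n", changed


def stale_references(config, lag_name, members):
    """(entry, line) pairs for every `set` line still naming a member port,
    except the LAG's own `set member` line: these are the chunks the import
    would reject or silently drop."""
    hits, entry = [], None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("edit "):
            entry = s.split(" ", 1)[1].strip('"')
        elif s.startswith("set ") and not (entry == lag_name and s.startswith("set member ")):
            hits.extend((entry, s) for name in QUOTED.findall(s) if name in members)
    return hits


def config_diff(before, after):
    """Unified diff of the edit, the same check a compare tool gives visually."""
    return "".join(difflib.unified_diff(before.splitlines(True), after.splitlines(True),
                                        "backup.conf", "modified.conf"))


if __name__ == "__main__":
    members = lag_members(SAMPLE_CONFIG, "XXX_LAG")
    new_cfg, changed = rebind_vlans(SAMPLE_CONFIG, "XXX_LAG", members)
    print(config_diff(SAMPLE_CONFIG, new_cfg))
    print("rebound to XXX_LAG:", changed)
    for entry, line in stale_references(new_cfg, "XXX_LAG", members):
        print(f'edit {entry} still references a LAG member port: {line}')
```

On the sample, VLAN_59 and VLAN_60 are rebound, VLAN_70 on port12 is left alone, and the policy's `set srcintf "port10"` is reported as a reference that must be changed to the LAG (or the VLAN) before the file is imported. After restoring, run the same diff between the file you uploaded and a fresh backup to see what the box dropped.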

jmlux
New Contributor III

Ok, so we agree on the general principle of restoring a manually modified backup file.

mkolus wrote:

    BTW, I don't believe this is supported by Fortinet; they may shoot us on sight if they catch us doing this.

Well, they could provide us with an official method other than installing the box from scratch when you need to change the name of a VLAN and the like ;)

In any case, you could probably carry out everything on the live system as long as you don't lose access to management. However, the downtime would be much longer than by simply preparing a config and pushing it in one step. Why get shot for being efficient?

BTW, I always use WinMerge for such tasks. It's a great and simple tool.

    emnoc
    Esteemed Contributor III

FWIW

1> If you have spare ports, create a LAG on those 2x ports.

2> Move the VLAN sub-interfaces one-by-one to the new LAG, e.g.:

    config sys interface
        edit <the name of the subinterface>
            set interface <new lag name>
        end

3> No downtime required.

4> No changes to the fwpolicy.

     

Ken

PCNSE NSE StrongSwan
    jmlux
    New Contributor III

That's valuable input also: can't do it in the GUI but works well in the CLI, thanks.

I guess you could then even do it when you wish to reuse a port:

1. Create LAG with new port
2. Move subinterface/VLAN to new LAG port with only one member
3. Add the port the VLAN was previously assigned to to the LAG

You have to have one free port to start the LAG with.

    emnoc
    Esteemed Contributor III

Yeap, that's how I would do it too. No need to take downtime or re-import any cfgs. One more thing to consider in the LAG members: if it's a multiple-NP model, try to plan with both member ports bound to the same NP4, for example.

    jmlux
    New Contributor III

Haha! Nope!

On the CLI:

    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code -522

Conclusion: Perform the text file editing.

    emnoc
    Esteemed Contributor III

Nope, wrong: you can't change the vlanid once it's set. That wasn't what you asked.

    We currently have VLAN interfaces assigned to ports directly. Now we'd like to create aggregate interfaces and assign the VLANs to those. It's an A-P HA pair

You can always change the subinterface "interface" using the above set interface <name of the lag>; read again the above post #4.

1> If you have pre-existing subinterfaces bound to physical interface portXXXX and now want to move them to LAGXXX, you do not need to reset the vlanid # or have resulting downtime.

2> If you want to re-bind the subinterface and change the vlanid#, then yes, that's not doable regardless of whether a LAG is involved or not.

Again, read item #4 from above & determine what you're trying to do.

Ken

    jmlux
    New Contributor III

I do not wish to change the VLAN id. I want to move the VLAN from a physical port to a LAG:

    XXXX (vdxxx) # config system interface
    XXXX (interface) # edit VLAN_XXXX
    XXXX (VLAN_XXXX) # show
    config system interface
        edit "VLAN_XXXX"
            set vdom "vdxxx"
            set ip 1.2.3.4 255.255.248.0
            set allowaccess ping
            set snmp-index 34
            set interface "port10"
            set vlanid 59
        next
    end
    XXXX (VLAN_XXXX) # set interface XXX_LAG
    XXXX (VLAN_XXXX) # next
    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code 1

    emnoc
    Esteemed Contributor III

Guess what, my bad. I found a bug in FortiOS with no warning.

Look at this:

    FGT1 (global) $ show sys interface JKK_ETH_APP132
    config system interface
        edit "JKK_ETH_APP132"
            set vdom "JKK"
            set ip 10.2.1.1 255.255.254.0
            set allowaccess ping
            set description "JKK ETH APP"
            set snmp-index 12
            set interface "LAG_ETH"
            set vlanid 132
        next
    end
    FGT1 (global) $ config system interface
    FGT1 (interface) $ edit "JKK_ETH_APP132"
    FGT1 (JKK_ETH_APP132) $ set interface port28
    FGT1 (JKK_ETH_APP132) $ end
    FGT1 (global) $ show sys interface JKK_ETH_APP132
    config system interface
        edit "JKK_ETH_APP132"
            set vdom "JKK"
            set ip 10.2.1.1 255.255.254.0
            set allowaccess ping
            set description "JKK ETH APP"
            set snmp-index 12
            set interface "LAG_ETH"
            set vlanid 132
        next
    end

No warning at all on 5.2.12, unlike what is seen in earlier versions:

    VLAN ID or physical interface cannot be changed once a VLAN has been created.
    object set operator error, -522 discard the setting
    Command fail. Return code -522

BTW, I found the behavior is the same under 5.4: no warning if you try to change the interface, but a warning if you try the vlanid. Both fail, one with a warning, the other without.

Ken
