Background:
A high-profile customer would like to convert one of their VPNs (they have over 100) to an MPLS connection, since they are already paying for the MPLS service.
Summary:
Step 1. Interface Change
Step 2. Dashboard Update
Step 3. Rules modification
Step 4. Static routes addition
Step 5. Remove previous vpn community
Step 1. Interface Change
- ssh to the primary firewall and open WebUI
- Configure the target interface with IP and subnet
- High Availability > Advanced VRRP > Virtual Routers > Add > Interface: eth4-05 > Virtual Router ID: 90 > Backup Addresses > Add: 10.1.1.100 (the VRRP address) > Monitored Interfaces > Add: every interface other than eth4-05 > then add eth4-05 as a Monitored Interface to every other VRID > Save
##Note Start#######################################################################
(if you are not comfortable with the GUI method, here is the CLI method)
ssh to the primary firewall > clish > run the following commands
----------------------------------------------------
set vrrp interface eth4-05 monitored-circuit vrid 90 on
set vrrp interface eth4-05 monitored-circuit vrid 90 priority 100
set vrrp interface eth4-05 monitored-circuit vrid 90 hello-interval 1
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 priority-delta 10
... ...
set vrrp interface eth4-05 monitored-circuit vrid 90 backup-address 10.1.1.100 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 on
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 on
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 on
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 priority-delta 10
... ...
save config
exit
##Note end########################################################################
- ssh to the secondary firewall and open WebUI
- Configure the target interface with IP and subnet
- High Availability > Advanced VRRP > Virtual Routers > Add > Interface: eth4-05 > Virtual Router ID: 90 > Backup Addresses > Add: 10.1.1.100 (the VRRP address) > Monitored Interfaces > Add: every interface other than eth4-05 > then add eth4-05 as a Monitored Interface to every other VRID > Save
##Note Start#######################################################################
(if you are not comfortable with the GUI method, here is the CLI method)
ssh to the secondary firewall > clish > run the following commands
------------------------------------------------------
set vrrp interface eth4-05 monitored-circuit vrid 90 on
set vrrp interface eth4-05 monitored-circuit vrid 90 priority 95
set vrrp interface eth4-05 monitored-circuit vrid 90 hello-interval 1
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 priority-delta 10
... ...
set vrrp interface eth4-05 monitored-circuit vrid 90 backup-address 10.1.1.100 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 on
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 on
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 on
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 priority-delta 10
... ...
save config
exit
##Note End###################################################################
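The two CLI blocks above elide the repeated monitored-interface lines with "... ...". The script below is an added example, not part of the original runbook, that generates the full clish command list for one cluster member from the interface/VRID pairs shown on this page (eth2-01:61 through eth2-04:64), so nothing is typed by hand and the new VRID is checked against the existing ones before the commands are pasted. The function names gen_vrrp_cmds and check_inputs are assumptions of this example; the command syntax is the same as in the note above. Run it with priority 100 for the primary and 95 for the secondary, redirect the output to a file, and paste it into clish on the matching member; it only prints commands and never connects to a firewall.

```shell
#!/bin/sh
# Added example (not from the original runbook): emit the Gaia clish VRRP
# commands from Step 1 for one cluster member.
#
# gen_vrrp_cmds NEW_IF NEW_VRID BACKUP_ADDR PRIORITY "IF:VRID IF:VRID ..."
#   NEW_IF      new interface (eth4-05 on this page)
#   NEW_VRID    its virtual router ID (90)
#   BACKUP_ADDR the VRRP backup address (10.1.1.100)
#   PRIORITY    100 on the primary, 95 on the secondary
#   existing    the already configured "interface:vrid" pairs
gen_vrrp_cmds() {
    new_if=$1; new_vrid=$2; backup=$3; prio=$4; existing=$5
    echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid on"
    echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid priority $prio"
    echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid hello-interval 1"
    # The new VRID monitors every existing interface (priority-delta 10, as on the page)
    for pair in $existing; do
        ifc=${pair%%:*}
        echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid monitored-interface $ifc on"
        echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid monitored-interface $ifc priority-delta 10"
    done
    echo "set vrrp interface $new_if monitored-circuit vrid $new_vrid backup-address $backup on"
    # Every existing VRID monitors the new interface in return
    for pair in $existing; do
        ifc=${pair%%:*}; vrid=${pair##*:}
        echo "set vrrp interface $ifc monitored-circuit vrid $vrid monitored-interface $new_if on"
        echo "set vrrp interface $ifc monitored-circuit vrid $vrid monitored-interface $new_if priority-delta 10"
    done
    echo "save config"
}

# check_inputs NEW_VRID "IF:VRID ..." -> 0 when every entry is well formed and
# the new VRID is not already used by another virtual router on this member.
check_inputs() {
    new_vrid=$1; existing=$2
    for pair in $existing; do
        case $pair in
            *:*) ;;
            *) echo "bad entry (expected IFACE:VRID): $pair" >&2; return 1 ;;
        esac
        if [ "${pair##*:}" = "$new_vrid" ]; then
            echo "VRID $new_vrid is already used by ${pair%%:*}" >&2
            return 1
        fi
    done
    return 0
}

# The pairs from this page; output for the primary member (priority 100).
# For N existing pairs the generator emits 5 + 4*N lines.
EXISTING="eth2-01:61 eth2-02:62 eth2-03:63 eth2-04:64"
if check_inputs 90 "$EXISTING"; then
    gen_vrrp_cmds eth4-05 90 10.1.1.100 100 "$EXISTING"
fi
```

Review the generated file against the secondary's block (only the priority line should differ) before pasting, and keep the two members' VRID lists identical; a VRID monitored on one member but not the other is the usual cause of an asymmetric failover after this change.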
Step 2. Update Dashboard
Open SmartConsole > GATEWAYS & SERVERS > Double-click the cluster object > Network Management > Actions > New Interface > Name: eth4-05 > Network Type: Cluster > IPv4: 10.1.1.100 / 29 > Modify "Member IPs": 'hafw1' IPv4: 10.1.1.101/29; 'hafw2' IPv4: 10.1.1.102/29 > Modify "Topology": check "Override"; "This Network (Internal)"; "Specific: [Network_object]" > OK
NOTE: the [Network_object] must contain all of the interesting traffic you plan to route over the MPLS through interface eth4-05!!
Step 3. Modify Rules
- Disable the current VPN rules
- Create regular rules (copies of the previous VPN rules, but without sending the traffic through the VPN)
Step 4. Add static route on gateways
ssh to the primary gateway > clish > set static-route 10.0.0.0/8 nexthop gateway address 10.1.1.97 on > save config
ssh to the secondary gateway > clish > set static-route 10.0.0.0/8 nexthop gateway address 10.1.1.97 on > save config
NOTE: I used the 10/8 network because the current VPN will evaluate the routes for the current VPNs first, then the static route will take effect. So even though I have overlapping 10.x hosts configured in the current VPNs, it will not cause issues.
Step 5. Remove the previous VPN community