Planning the switchover from pfw-eqiad to pfw3-eqiad/fasw-eqiad
Aiming for September 26th at 15:00 UTC / 11:00 EDT / 08:00 PST. It should take 5h at most, 6h if a rollback is needed.
During the window (2h):
- cr1/cr2-eqiad:
  delete interfaces xe-3/1/7 disable
  set interfaces xe-3/3/2 disable
- cr1-eqiad: activate protocols bgp group Fundraising neighbor 208.80.154.201
- cr2-eqiad: activate protocols bgp group Fundraising neighbor 208.80.154.203
- pfw3-codfw:
  delete security ike gateway ike-gateway-eqiad address 208.80.154.218
  set security ike gateway ike-gateway-eqiad address 208.80.154.219
  set security address-book global address pfw-eqiad 208.80.154.219/32
- Repatch servers to new switch stack
Hostname | Old port | New port | New device |
indium | pfw1:ge-2/0/0 | ge-0/0/0 | fasw-c1a |
payments1 | pfw1:ge-2/0/1 | ge-0/0/1 | fasw-c1a |
payments3 | pfw1:ge-2/0/2 | ge-0/0/2 | fasw-c1a |
frav1001 | pfw1:ge-2/0/3 | ge-0/0/3 | fasw-c1a |
pay-lvs1001 | pfw1:ge-2/0/4 | ge-0/0/4 | fasw-c1a |
frdev1001 | pfw1:ge-2/0/5 | ge-0/0/5 | fasw-c1a |
tellurium | pfw1:ge-2/0/6 | ge-0/0/6 | fasw-c1a |
frpm1001 | pfw1:ge-2/0/7 | ge-0/0/7 | fasw-c1a |
frlog1001 | pfw1:ge-2/0/8 | ge-0/0/8 | fasw-c1a |
frauth1001 | pfw1:ge-2/0/9 | ge-0/0/9 | fasw-c1a |
americium | pfw1:ge-2/0/10 | ge-0/0/10 | fasw-c1a |
frqueue1001 | pfw1:ge-2/0/11 | ge-0/0/11 | fasw-c1a |
frdb1002 | pfw1:ge-2/0/14 | ge-0/0/12 | fasw-c1a |
payments2 | pfw2:ge-11/0/0 | ge-1/0/13 | fasw-c1b |
payments4 | pfw2:ge-11/0/1 | ge-1/0/14 | fasw-c1b |
pay-lvs1002 | pfw2:ge-11/0/3 | ge-1/0/15 | fasw-c1b |
samarium | pfw2:ge-11/0/5 | ge-1/0/16 | fasw-c1b |
thulium | pfw2:ge-11/0/7 | ge-1/0/17 | fasw-c1b |
bismuth | pfw2:ge-11/0/8 | ge-1/0/18 | fasw-c1b |
aluminium | pfw2:ge-11/0/9 | ge-1/0/19 | fasw-c1b |
civi1001 | pfw2:ge-11/0/10 | ge-1/0/20 | fasw-c1b |
frdb1001 | pfw2:ge-11/0/11 | ge-1/0/21 | fasw-c1b |
After the migration (2h) testing:
- Verify monitoring is green
- Verify BGP sessions are UP (inc. pybal)
- Do failover tests (unplug each device and core link, verify failover time/behavior)
- Verify NAT
- Verify cross DC syncs
Rollback decision
- Move mgmt to mgmt switch cf. T156397
Cleanup
- cr1-eqiad:
  delete protocols bgp group Fundraising neighbor 208.80.154.217
  delete protocols bgp group Fundraising multipath
  delete interfaces xe-3/3/2
- cr2-eqiad:
  delete protocols bgp group Fundraising neighbor 208.80.154.221
  delete protocols bgp group Fundraising multipath
  delete interfaces xe-3/3/2
- pfw3-codfw: delete firewall family inet filter loopback4 term allow_codfw from source-address 208.80.154.218/32
- Remove dns entries
- Remove rancid config
- Remove from Icinga
- Remove from LibreNMS
Unrack, final part of rack elevation, back to T169644