HomePhabricator

Transactions T174218 Change Details

Change Details

Old
New
Diff

Planning the switchover from pfw-eqiad to pfw3-eqiad/fasw-eqiad Aiming for September 26th at 15:00 UTC / 11:00 EDT / 08:00 PST, and should takes max 5h, 6h if needed to rollback. **During the window (2h):** - cr1/cr2-eqiad: ``` delete interfaces xe-3/1/7 disable set interfaces xe-3/3/2 disable ``` - cr1-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.201` - cr2-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.203` - pfw3-codfw: ``` delete security ike gateway ike-gateway-eqiad address 208.80.154.218 set security ike gateway ike-gateway-eqiad address 208.80.154.219 set security address-book global address pfw-eqiad 208.80.154.219/32 ``` - Repatch servers to new switch stack |Hostname|Old port|New port|New device| |indium|pfw1:ge-2/0/0 |ge-0/0/0|fasw-c1a| |payments1|pfw1:ge-2/0/1 |ge-0/0/1|fasw-c1a| |payments3|pfw1:ge-2/0/2 |ge-0/0/2|fasw-c1a| |frav1001|pfw1:ge-2/0/3 |ge-0/0/3|fasw-c1a| |pay-lvs1001|pfw1:ge-2/0/4 |ge-0/0/4|fasw-c1a| |frdev1001|pfw1:ge-2/0/5 |ge-0/0/5|fasw-c1a| |tellurium|pfw1:ge-2/0/6 |ge-0/0/6|fasw-c1a| |frpm1001|pfw1:ge-2/0/7 |ge-0/0/7|fasw-c1a| |frlog1001|pfw1:ge-2/0/8 |ge-0/0/8|fasw-c1a| |frauth1001|pfw1:ge-2/0/9 |ge-0/0/9|fasw-c1a| |americium|pfw1:ge-2/0/10 |ge-0/0/10|fasw-c1a| |frqueue1001|pfw1:ge-2/0/11 |ge-0/0/11|fasw-c1a| |frdb1002|pfw1:ge-2/0/14 |ge-0/0/12|fasw-c1a| |payments2|pfw2:ge-11/0/0 |ge-1/0/13|fasw-c1b| |payments4|pfw2:ge-11/0/1 |ge-1/0/14|fasw-c1b| |pay-lvs1002|pfw2:ge-11/0/3 |ge-1/0/15|fasw-c1b| |samarium|pfw2:ge-11/0/5 |ge-1/0/16|fasw-c1b| |thulium|pfw2:ge-11/0/7 |ge-1/0/17|fasw-c1b| |bismuth|pfw2:ge-11/0/8 |ge-1/0/18|fasw-c1b| |aluminium|pfw2:ge-11/0/9 |ge-1/0/19|fasw-c1b| |civi1001|pfw2:ge-11/0/10 |ge-1/0/20|fasw-c1b| |frdb1001|pfw2:ge-11/0/11 |ge-1/0/21|fasw-c1b| **After the migration (2h) testing:** - Verify monitoring is green - Verify BGP sessions are UP (inc. pybal) - Do failover tests (unplug each devices and core links, verify failover time/behavior) - Verify NAT - Verify cross DC syncs **Rollback decision** ** Move mgmt to mgmt switch cf. T156397 ** **Cleanup** [x] cr1-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.217 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] cr2-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.221 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] pfw3-codw: ` delete firewall family inet filter loopback4 term allow_codfw from source-address 208.80.154.218/32 ` - Remove dns entries [x] Remove rancid config [x] Remove from Icinga [x] Remove from LibreNMS - Remove from torrus **Unrack, final part of rack elevation, back to T169644**

Planning the switchover from pfw-eqiad to pfw3-eqiad/fasw-eqiad Aiming for September 26th at 15:00 UTC / 11:00 EDT / 08:00 PST, and should takes max 5h, 6h if needed to rollback. **During the window (2h):** - cr1/cr2-eqiad: ``` delete interfaces xe-3/1/7 disable set interfaces xe-3/3/2 disable ``` - cr1-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.201` - cr2-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.203` - pfw3-codfw: ``` delete security ike gateway ike-gateway-eqiad address 208.80.154.218 set security ike gateway ike-gateway-eqiad address 208.80.154.219 set security address-book global address pfw-eqiad 208.80.154.219/32 ``` - Repatch servers to new switch stack |Hostname|Old port|New port|New device| |indium|pfw1:ge-2/0/0 |ge-0/0/0|fasw-c1a| |payments1|pfw1:ge-2/0/1 |ge-0/0/1|fasw-c1a| |payments3|pfw1:ge-2/0/2 |ge-0/0/2|fasw-c1a| |frav1001|pfw1:ge-2/0/3 |ge-0/0/3|fasw-c1a| |pay-lvs1001|pfw1:ge-2/0/4 |ge-0/0/4|fasw-c1a| |frdev1001|pfw1:ge-2/0/5 |ge-0/0/5|fasw-c1a| |tellurium|pfw1:ge-2/0/6 |ge-0/0/6|fasw-c1a| |frpm1001|pfw1:ge-2/0/7 |ge-0/0/7|fasw-c1a| |frlog1001|pfw1:ge-2/0/8 |ge-0/0/8|fasw-c1a| |frauth1001|pfw1:ge-2/0/9 |ge-0/0/9|fasw-c1a| |americium|pfw1:ge-2/0/10 |ge-0/0/10|fasw-c1a| |frqueue1001|pfw1:ge-2/0/11 |ge-0/0/11|fasw-c1a| |frdb1002|pfw1:ge-2/0/14 |ge-0/0/12|fasw-c1a| |payments2|pfw2:ge-11/0/0 |ge-1/0/13|fasw-c1b| |payments4|pfw2:ge-11/0/1 |ge-1/0/14|fasw-c1b| |pay-lvs1002|pfw2:ge-11/0/3 |ge-1/0/15|fasw-c1b| |samarium|pfw2:ge-11/0/5 |ge-1/0/16|fasw-c1b| |thulium|pfw2:ge-11/0/7 |ge-1/0/17|fasw-c1b| |bismuth|pfw2:ge-11/0/8 |ge-1/0/18|fasw-c1b| |aluminium|pfw2:ge-11/0/9 |ge-1/0/19|fasw-c1b| |civi1001|pfw2:ge-11/0/10 |ge-1/0/20|fasw-c1b| |frdb1001|pfw2:ge-11/0/11 |ge-1/0/21|fasw-c1b| **After the migration (2h) testing:** [x] Verify monitoring is green [x] Verify BGP sessions are UP (inc. pybal) [x] Do failover tests (unplug each devices and core links, verify failover time/behavior) [x] Verify NAT [x] Verify cross DC syncs **Rollback decision** ** Move mgmt to mgmt switch cf. T156397 ** **Cleanup** [x] cr1-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.217 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] cr2-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.221 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] pfw3-codw: ` delete firewall family inet filter loopback4 term allow_codfw from source-address 208.80.154.218/32 ` [x] Remove dns entries [x] Remove rancid config [x] Remove from Icinga [x] Remove from LibreNMS **Unrack, final part of rack elevation, back to T169644**

Planning the switchover from pfw-eqiad to pfw3-eqiad/fasw-eqiad Aiming for September 26th at 15:00 UTC / 11:00 EDT / 08:00 PST, and should takes max 5h, 6h if needed to rollback. **During the window (2h):** - cr1/cr2-eqiad: ``` delete interfaces xe-3/1/7 disable set interfaces xe-3/3/2 disable ``` - cr1-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.201` - cr2-eqiad: `activate protocols bgp group Fundraising neighbor 208.80.154.203` - pfw3-codfw: ``` delete security ike gateway ike-gateway-eqiad address 208.80.154.218 set security ike gateway ike-gateway-eqiad address 208.80.154.219 set security address-book global address pfw-eqiad 208.80.154.219/32 ``` - Repatch servers to new switch stack |Hostname|Old port|New port|New device| |indium|pfw1:ge-2/0/0 |ge-0/0/0|fasw-c1a| |payments1|pfw1:ge-2/0/1 |ge-0/0/1|fasw-c1a| |payments3|pfw1:ge-2/0/2 |ge-0/0/2|fasw-c1a| |frav1001|pfw1:ge-2/0/3 |ge-0/0/3|fasw-c1a| |pay-lvs1001|pfw1:ge-2/0/4 |ge-0/0/4|fasw-c1a| |frdev1001|pfw1:ge-2/0/5 |ge-0/0/5|fasw-c1a| |tellurium|pfw1:ge-2/0/6 |ge-0/0/6|fasw-c1a| |frpm1001|pfw1:ge-2/0/7 |ge-0/0/7|fasw-c1a| |frlog1001|pfw1:ge-2/0/8 |ge-0/0/8|fasw-c1a| |frauth1001|pfw1:ge-2/0/9 |ge-0/0/9|fasw-c1a| |americium|pfw1:ge-2/0/10 |ge-0/0/10|fasw-c1a| |frqueue1001|pfw1:ge-2/0/11 |ge-0/0/11|fasw-c1a| |frdb1002|pfw1:ge-2/0/14 |ge-0/0/12|fasw-c1a| |payments2|pfw2:ge-11/0/0 |ge-1/0/13|fasw-c1b| |payments4|pfw2:ge-11/0/1 |ge-1/0/14|fasw-c1b| |pay-lvs1002|pfw2:ge-11/0/3 |ge-1/0/15|fasw-c1b| |samarium|pfw2:ge-11/0/5 |ge-1/0/16|fasw-c1b| |thulium|pfw2:ge-11/0/7 |ge-1/0/17|fasw-c1b| |bismuth|pfw2:ge-11/0/8 |ge-1/0/18|fasw-c1b| |aluminium|pfw2:ge-11/0/9 |ge-1/0/19|fasw-c1b| |civi1001|pfw2:ge-11/0/10 |ge-1/0/20|fasw-c1b| |frdb1001|pfw2:ge-11/0/11 |ge-1/0/21|fasw-c1b| **After the migration (2h) testing:** -[x] Verify monitoring is green -[x] Verify BGP sessions are UP (inc. pybal) -[x] Do failover tests (unplug each devices and core links, verify failover time/behavior) -[x] Verify NAT -[x] Verify cross DC syncs **Rollback decision** ** Move mgmt to mgmt switch cf. T156397 ** **Cleanup** [x] cr1-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.217 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] cr2-eqiad: ``` delete protocols bgp group Fundraising neighbor 208.80.154.221 delete protocols bgp group Fundraising multipath delete interfaces xe-3/3/2 ``` [x] pfw3-codw: ` delete firewall family inet filter loopback4 term allow_codfw from source-address 208.80.154.218/32 ` - [x] Remove dns entries [x] Remove rancid config [x] Remove from Icinga [x] Remove from LibreNMS - Remove from torrus **Unrack, final part of rack elevation, back to T169644**

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits