Hillstone Networks (hillstone) HA (high availability): experience upgrading active/standby firmware versions

Source: Internet
Author: User

Hello, everyone.


We often encounter high availability, stacking, VRRP and other dual-device deployment scenarios in common enterprise edge network architectures, and the cases described earlier were basically all dual-device deployments, a highly available form of enterprise networking.

The basic configuration was also described earlier, but not how to upgrade the OS of the hardware while it is running in a high-availability state. Last week we completed a seamless migration of this kind (Hillstone Networks HA), so here we deliberately summarize the approach to share with you. Corrections are welcome.


Procedure: (have the on-site colleague record every operation detail and its completion time)

PS: Why this step? Because we are a professional technical service company, we need to record every step the team takes so that we can review and reflect on it afterwards. That way we learn more from each job. So we deliberately recorded the time at each node.



1. Export the configuration files of the primary and standby firewalls through the Web UI and back them up locally (two copies in total). The preemption function of the master (standby) device and HA detection can be shut down in advance. Current configuration: the master firewall has preemption enabled, and both master and standby have track attached.

Total time: 1 minute 51 seconds

2. Through the local Web UI, upload the OS to the master and the standby at the same time and run the upgrade, then click the no-restart button. (This step can be carried out on the firewalls in advance.)

Total time: 3 minutes 45 seconds


3. Connect to the standby machine over the console and strip it from the network environment: unplug the business lines, the heartbeat line and the internal network cables, and turn off the standby's ha cluster id (with `no`), so that it does not run the HA protocol and runs as a single device.

Total time: within 1 minute


4. Restart the standby machine from the local console so that it boots the OS version uploaded earlier.

Total time: 4 minutes


5. After the standby's OS firmware upgrade is complete, run `show version` on the console to check the running version, and use `show configuration` and similar commands to check the current configuration file. (Compare by eye using Notepad++ or Excel's comparison function.)

Total time: 2 minutes


6. After the OS upgrade, once the configuration file has been confirmed correct and it has been confirmed that the HA protocol is not running, carry out the traffic switchover. The interruption is expected to be within 1 minute.

Total time: 1 minute

Main business drops: fewer than 4 (users completely unaware)


7. During the switchover in step 6, at the same time, from the console connected to the master firewall, strip the master firewall from the network environment: unplug its business lines, heartbeat line and internal network cables. Complete the switchover to the original standby for all lines (business, heartbeat (down), intranet), so that the traffic switches to the standby firewall.

Total time: 1 minute


8. The HA protocol of the standby machine (that is, the device currently carrying the traffic): remember not to attach HA detection here.

Total time: 15 seconds


9. After confirming that the traffic switchover is complete, reboot the main firewall so that it boots the OS version uploaded earlier.

Total time: 3 minutes 13 seconds


10. Compare the main firewall's configuration file and check its version; confirm by comparison in Notepad++ or Excel.

Total time: 2 minutes


11. Connect the HA core jumper between the main firewall and the standby firewall and verify that the HA protocol status is healthy with `show ha group 0` (on success, negotiation log messages scroll by), and confirm that there is no preemption.

Total time: 18 seconds


12. From the console of the primary firewall, reconnect the primary firewall's business and intranet lines. Confirm the HA status and observe whether the business network is affected: observe and test in detail whether the public virtual IPs and management IPs (BGP, CTC) of the primary and standby firewalls respond to ping normally. If the business is affected, immediately unplug all lines from the primary firewall.

Total time: 1 minute

Business observation time: 2 minutes


13. Ask the customer team to help confirm that all monitoring has recovered properly.

Total time: 1 minute

Customer team business confirmation time: 15 minutes


14. From the console of the primary firewall, configure the HA preemption feature. This restores the pre-upgrade primary and standby roles.

Syntax: first confirm the HA status with `show ha group 0`

Hillstone-a(config)# ha group 0

Hillstone-a(config-ha-group)# preempt

Total time: 35 seconds


15. Simulate a device failure and test the hot switchover of the high-availability roles. Observe and record the packet loss on the business addresses.

Total time: 15 seconds

Packet loss: 1 packet dropped (within the acceptable range)


16*. The maintenance window is 60 minutes; if the task has not been completed within 40 minutes according to the upgrade process, perform the rollback.
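
Steps 5 and 10 compare the pre-upgrade backup with the post-upgrade `show configuration` output by eye. The sketch below is an added example, not part of the original post: it does that comparison in Python and separates the difference the procedure causes on purpose (the HA cluster turned off in step 3) from unexpected ones. The sample configuration lines, the `EXPECTED` pattern and the function names are constructed for illustration and are not authoritative StoneOS syntax.

```python
import difflib
import re

# Constructed sample exports; the lines only imitate a firewall configuration
# and are not authoritative StoneOS syntax.
BACKUP = """\
hostname "fw-b"
ha cluster 1
ha group 0
  priority 100
interface ethernet0/1
  zone "untrust"
  ip address 198.51.100.2 255.255.255.0
"""
AFTER_UPGRADE = """\
hostname "fw-b"\r
ha group 0\r
  priority 100\r
interface ethernet0/1\r
  zone  "untrust"\r
  ip address 198.51.100.3 255.255.255.0\r
"""

# Assumption: lines the procedure changes on purpose (step 3 turns the HA cluster off).
EXPECTED = [re.compile(r"^ha cluster\b")]

def normalise(text):
    """Drop CRs, trailing blanks and empty lines; collapse inner spaces; keep indentation."""
    out = []
    for line in text.splitlines():
        line = line.rstrip()
        if line:
            indent = len(line) - len(line.lstrip())
            out.append(" " * indent + " ".join(line.split()))
    return out

def compare(before, after):
    """Return (expected, unexpected) lists of '-line' / '+line' differences."""
    expected, unexpected = [], []
    for d in difflib.ndiff(normalise(before), normalise(after)):
        if d[0] not in "+-":          # skip unchanged lines and '?' hint lines
            continue
        is_expected = any(p.search(d[2:].strip()) for p in EXPECTED)
        (expected if is_expected else unexpected).append(d[0] + d[2:])
    return expected, unexpected

if __name__ == "__main__":
    exp, unexp = compare(BACKUP, AFTER_UPGRADE)
    print("expected differences:", exp)
    print("unexpected differences:", unexp)   # any entry here should stop the switchover
```

An empty `unexpected` list is the condition for moving on to the traffic switchover in step 6; line-ending and spacing differences between the Web export and the console capture do not count as changes.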


In summary, this is my overall approach to upgrading a Hillstone Networks dual-device pair. It has been fully verified in a real environment: with enough preparation, no errors appear during the implementation and the upgrade completes very smoothly. The key is that the customer noticed nothing at all, and that is what I, as the "solo surgeon" on this case, am proudest of.


So here, to nag once more: do not pay too much attention to the technical implementation; pay appropriate attention to the approach and to writing the documentation.

-- Shared by a network practitioner at a second-tier operator: diligence, hard work and focus; apart from these there is no other secret!!

This article is from the blog "Allen on the road-from zero to one"; to reprint it, please contact the author!
