We are going to replace our clustered C600 series by C650 machines. Since we have a rather complex firewall config I'd like to do an "in-place" machine swap. What I'm planning to do is the following:
• Give the new machine the IP addresses our production machines have now
• Install the certificates on the new machine
• Shut down the listeners of the new machine
• Shut down the new machine
• Shut down the listeners on the old machine
• Wait until the queues are empty
• Remove the machine from the cluster
• Shut down the machine
• Replace the C600 by the C650
• Connect only the management interface and boot the machine
• Check if the listeners are still stopped
• Connect DATA1 and DATA2
• Check if the connectivity is as expected (can I connect to my internal mail servers, can I connect to internet mail servers)
• Check if DNS is working
• Add the machine to the cluster
• Check the configuration
• Start the listeners
I have a few questions:
• Is this a good / safe approach or am I overlooking something?
• Is it sensible to install the certificates while the machine is still stand-alone or will I have to do it after the machine has become a part of the cluster? (it's a terrible job so I'd like to do it only once)
• When I stop the listeners before shutting down the machine, will they stay stopped after booting the systems again or will they be started automatically?
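The connectivity and DNS checks in the swap plan above (before the replacement appliance is re-joined to the cluster) are easy to get wrong when done by hand from a management shell under time pressure. The following is an added example, not code from the original post or from the appliance vendor: a small pre-flight script that tries a TCP connection to each mail relay the new appliance must reach and resolves each name it depends on, so the results can be read as one pass/fail list before the listeners are started. The host names and ports are constructed placeholders (example.invalid); replace them with your own internal relays and external MX targets. The resolver parameter exists so the DNS check can be exercised against a stub without network access.

```python
import socket
from dataclasses import dataclass


@dataclass
class CheckResult:
    target: str
    ok: bool
    detail: str


def check_tcp(host, port, timeout=5.0):
    """Attempt a plain TCP connect to host:port (e.g. SMTP on 25) and report
    whether the path through the firewall is open. No data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return CheckResult(f"{host}:{port}", True, "connected")
    except OSError as exc:  # refused, timed out, unreachable, unresolvable
        return CheckResult(f"{host}:{port}", False, str(exc))


def check_dns(name, resolver=socket.gethostbyname):
    """Resolve a name the appliance depends on; 'resolver' is injectable so
    the check can run against a stub (assumption: a callable taking a name)."""
    try:
        addr = resolver(name)
        return CheckResult(name, True, f"resolved to {addr}")
    except OSError as exc:
        return CheckResult(name, False, str(exc))


def run_preflight(smtp_targets, dns_names, timeout=5.0, resolver=socket.gethostbyname):
    """Run every TCP and DNS check and return the list of results."""
    results = [check_tcp(host, port, timeout) for host, port in smtp_targets]
    results += [check_dns(name, resolver) for name in dns_names]
    return results


def all_ok(results):
    """True only if every check passed; the gate before starting listeners."""
    return all(r.ok for r in results)


if __name__ == "__main__":
    # Constructed placeholders: internal relay, external MX, and a name to resolve.
    targets = [("mail-internal.example.invalid", 25), ("mx.example.invalid", 25)]
    names = ["mail-internal.example.invalid", "mx.example.invalid"]
    results = run_preflight(targets, names)
    for r in results:
        print("OK  " if r.ok else "FAIL", r.target, r.detail)
    print("ready to start listeners" if all_ok(results) else "do NOT start listeners yet")
```

Run it from a host that sits on the same DATA1/DATA2 segments as the swapped appliance; a FAIL on an internal relay usually points at a firewall rule still keyed to the old hardware's MAC or ARP entry rather than at the appliance itself.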
Steven, I can't see any traps in your approach so far.
IMHO, you should install certificates before joining the cluster if you use them for TLS connections. As soon as the machine is part of the cluster it has listeners defined which will be active for incoming connections. These connections may fail if the sender expects official certificates.