| Author |
Message |
RS
Guest
|
 Posted:
Mon Nov 21, 2005 5:20 pm Post subject:
thoughts on upgrading to PIX v7.xx |
|
|
Currently running 6.3(4) on 525 FO configuration.
Tested conversion on 515 with a copy of our live config - noticed a
few commands did not "port" over properly. Not a big problem - but a
problem none the less.
Given that, here is my take on how to migrate:
-Since we have a FO config - turn off SECONDARY and upgrade the
PRIMARY.
-Fix any issues, and run the PRIMARY for a few days. (Note: NO config
changes are to be made during that period.)
-If the are problems, turn off the PRIMARY and run the SECONDARY with
the 6.3(4) code on it. Figure out what went wrong - downgrade the
PRIMARY if necessary.
-If all is well, turn off the PRIMARY and upgrade the SECONDARY.
Appreciate any and all feedback.
Thanks,
Rico |
|
| Back to top |
|
 |
Walter Roberson
Guest
|
| Posted:
Mon Nov 21, 2005 5:20 pm Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
In article <1132590731.196716.213480@g47g2000cwa.googlegroups.com>,
RS <ricosuave.info@gmail.com> wrote:
| Quote: | (Doesn't matter - all problems
to end users is the fault of the omnipotent "Network" anyway...)
|
NA: {12 pages on why the network has a serious crisis that must be
fixed ASAP, with several proposals about how to fix the problem, and
an examination of the ramifications and costs of each proposal, complete
with parts list and negotiated pricing 40% below retail.}
Everyone: "You are too much of a perfectionist. You know we don't have
time to read anything technical like that!"
NA: "Computer talkie-talkie have heap big problem. Thag must fix
right now!"
Everyone: "Oh, you're just saying that so you can build up your little
empire. And you never -explain- anything."
Later:
NA: "Network broke like Thag said, said, said."
Everyone: "It's -your- fault, Thag!"
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer |
|
| Back to top |
|
|
Vincent C Jones
Guest
|
| Posted:
Mon Nov 21, 2005 5:20 pm Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
In article <1132587636.323924.92450@g44g2000cwa.googlegroups.com>,
RS <ricosuave.info@gmail.com> wrote:
| Quote: | Currently running 6.3(4) on 525 FO configuration.
Tested conversion on 515 with a copy of our live config - noticed a
few commands did not "port" over properly. Not a big problem - but a
problem none the less.
Given that, here is my take on how to migrate:
-Since we have a FO config - turn off SECONDARY and upgrade the
PRIMARY.
-Fix any issues, and run the PRIMARY for a few days. (Note: NO config
changes are to be made during that period.)
-If the are problems, turn off the PRIMARY and run the SECONDARY with
the 6.3(4) code on it. Figure out what went wrong - downgrade the
PRIMARY if necessary.
-If all is well, turn off the PRIMARY and upgrade the SECONDARY.
Appreciate any and all feedback.
Thanks,
Rico
|
You left out the scheduling of downtime with critical users and
the scheduling of testing of critical applications immediately
before and immediately after the cutover. The before part can be
critical as it serves two purposes: testing the tests to ensure
they actually work, and verifying that all critical applications
actually are functional before you start so the cutover does not
get blamed for breaking something which was already broken.
Another trick, you can fail over to the secondary, take the primary
off line, and then do your upgrade. When the primary looks ready
to go, take the secondary off line (unplug the network interfaces)
and attach the primary back into the networks. You did remember
to label all patch cables so you don't destroy your security by
plugging the wrong network into any ports... This way, you don't
have to wait for rebooting and can "painlessly" revert at any time
to the previous configuration (very handy when you need to prove
the problem is not attributable to the new configuration ;-)
Good luck and have fun!
--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com |
|
| Back to top |
|
|
RS
Guest
|
| Posted:
Mon Nov 21, 2005 5:20 pm Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
Good points. I failed to mention downtime scheduling for brevity.
Testing critical apps that go through the PIX is an interesting
concept. This would take a monumental coordination effort around here
- so many folks to contact who would then have to "schedule" (or even
figure out what the heck we want). LOL, it would never happen then!
Almost a bit of CYA there too eh?? ;) (Doesn't matter - all problems
to end users is the fault of the omnipotent "Network" anyway...)
Thanks for the thoughts.
R |
|
| Back to top |
|
|
DigitalVinyl
Guest
|
| Posted:
Tue Nov 22, 2005 12:47 am Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
"RS" <ricosuave.info@gmail.com> wrote:
| Quote: | Currently running 6.3(4) on 525 FO configuration.
Tested conversion on 515 with a copy of our live config - noticed a
few commands did not "port" over properly. Not a big problem - but a
problem none the less.
Given that, here is my take on how to migrate:
-Since we have a FO config - turn off SECONDARY and upgrade the
PRIMARY.
-Fix any issues, and run the PRIMARY for a few days. (Note: NO config
changes are to be made during that period.)
-If the are problems, turn off the PRIMARY and run the SECONDARY with
the 6.3(4) code on it. Figure out what went wrong - downgrade the
PRIMARY if necessary.
-If all is well, turn off the PRIMARY and upgrade the SECONDARY.
Appreciate any and all feedback.
Thanks,
Rico
|
We did this upgrade back in August. We're running 7.02. Unfortunately
this account does all their management through the PDM. And this has
resulted in a lot of misconfiguration of the PIX. I can't believe
Cisco still claims they even have a gui. Using the latest and greatest
still feels like a beta product.
The upgrade required a line by line comparison of the NAT, STATIC and
ACLS. A lot of rules were invalidated. Two ACCESS-GROUP commands
detached ACLs. Lierally re-entered at least a hundred commands. Our
PIX config is 4800 lines long, so it was only about 2%.
Going into production without doing the compare would have been
disastrous.
DiGiTAL_ViNYL (no email) |
|
| Back to top |
|
|
RS
Guest
|
| Posted:
Fri Dec 09, 2005 5:20 pm Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
To DiG ViN-
That is why were are going to upgrade a single PIX in the failover set.
(Leave the "un-upgraded" off) If there are a boat load of problems
like that - we can revert to the 6.3x ver with minimal downtime. Work
on the ver 7 config offline.
I've seen the commands changed a bit. Seems like nothing too major.
Any commands/major changes that I should be aware of tho??
Thanks.
RS |
|
| Back to top |
|
|
DigitalVinyl
Guest
|
| Posted:
Sat Dec 10, 2005 5:53 am Post subject:
Re: thoughts on upgrading to PIX v7.xx |
|
|
"RS" <ricosuave.info@gmail.com> wrote:
| Quote: | To DiG ViN-
That is why were are going to upgrade a single PIX in the failover set.
(Leave the "un-upgraded" off) If there are a boat load of problems
like that - we can revert to the 6.3x ver with minimal downtime. Work
on the ver 7 config offline.
I've seen the commands changed a bit. Seems like nothing too major.
Any commands/major changes that I should be aware of tho??
Thanks.
RS
The site i'm working with has been using the PDM without any |
understanding of the CLI. Due to the looseness of the PDM there were a
lot of misconfiguration and bad PDM definitons. The conversion:
- deleted some access-group commands,
- made duplicates of PDM groups practically elimianting the purpose of
PDM groups; FOr instance if the group SMTPServers appeared under three
different rules, the conversion created "SMTPServers_ref" &
"SMTPServers_ref_1" because some logic made it impossible to re-use
the same group
- many named objects were simply deleted (i believe we may have
exceeded the expected number of objects for the conversion program).
- many rules were made null because of missing defintions
- some translations which worked before were broken after the upgraded
DiGiTAL_ViNYL (no email) |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in