Overview
I installed an 8206 in the Sydney Solution Centre (SSC) many years ago. It is getting on a bit now, and is missing some key features like POE+, latest AOSS firmware updates, V3 module support, etc.
This switch is a key component in the SSC, acting as the aggregator for multiple downstream switches (especially ones without any fibre connectivity), and all of those devices with a single network connection that are not connected directly to the core (such as APs, ILOs, test systems, etc).
Planning
Work out what the replacement device (and modules) will be, and make sure it will fit, cables will reach, etc.
In this case, the ProCurve 8206 will be replaced by its direct successor in the model line-up, the ArubaOS-Switch 5406R. It is actually 2 rack-units smaller than the 8206, so I have some blanking panels on hand to fill in the gap. Many of the ports were unused, so a different combination of V3 modules will provide at least the same number of fibre ports, and a smaller number of RJ45 10/100/1000 ports - now with POE+.
Preparation
Work through the existing switch config and remove any unnecessary or unused protocols or features, and unnecessary port-specific config. Take the time to validate any advanced features such as ACLs, PBR, AAA, etc. Remove anything that no longer serves a purpose: a simpler, streamlined configuration takes less work to migrate and leaves less chance of missing something.
Take the time to build a spreadsheet with key elements defined, such as:
- old port --> new port
- cable details (they are all labelled, right?!)
- VLANs
- port types: fibre, copper, 10Gb, etc
- special or critical systems (like our SM fibre connection to the outside world)
Make sure you do the appropriate change controls!
Config Analysis
Analyse the existing switch config. Some of these commands will be useful:
- show run
- show lldp info remote
- show ip route
- show vlan
- show mac-address
- show arp
- show span
Elements to check include:
- Physical (space, mounting, power, cable connections and reach)
- L1 (connection types, special connections including low or high-speed, transceivers, etc)
- L2 (VLANs, multicast)
- L3 (routing)
- Security (ACLs, AAA, remote access, etc)
Staging and New Config
Ideally, you will be able to build the switch online with different IP address(es). This could be temporary or permanent, depending on the environment. Even just DHCP on the OOBM port makes this easier. (If you do change IP address(es), make sure the appropriate updates are made in systems like ClearPass, Airwave and IMC.)
Build the new config based on the port allocation spreadsheet and configured feature list.
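One way to apply the "old port --> new port" column of the spreadsheet to the VLAN membership lines of the old config, and to list every port that has no row yet, since a port that silently drops out of its VLAN or lands in the wrong one is exactly the kind of miss this step should catch. This is an added example, not part of the original post; the config excerpt, the mapping and the function names are constructed for illustration.

```python
import re

# Constructed excerpt of the old switch's "show run" (not from the original post).
OLD_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged C1
   exit
vlan 10
   name "Servers"
   untagged A1-A4
   tagged B1-B2,Trk1
   exit
"""
# Constructed "old port --> new port" rows, as exported from the spreadsheet.
PORT_MAP = {"A1": "A1", "A2": "A2", "A3": "B1", "A4": "B2",
            "B1": "A21", "Trk1": "Trk1"}

def expand(port_list):
    """Expand 'A1-A4,Trk1' into single ports; other range forms stay literal."""
    ports = []
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]+)(\d+)-\1(\d+)", item)
        if m:
            ports += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)]
        else:
            ports.append(item)
    return ports

def translate(old_config, port_map):
    """Return ({vlan: {mode: [new ports]}}, sorted old ports with no mapping)."""
    vlans, unmapped, vid = {}, set(), None
    for line in old_config.splitlines():
        words = line.split()
        if words == ["exit"]:
            vid = None  # left the vlan block
        if len(words) != 2:
            continue  # only "vlan N" and "<mode> <port-list>" lines matter here
        if words[0] == "vlan" and words[1].isdigit():
            vid = int(words[1])
            vlans[vid] = {}
        elif vid is not None and words[0] in ("tagged", "untagged"):
            ports = expand(words[1])
            unmapped.update(p for p in ports if p not in port_map)
            vlans[vid][words[0]] = [port_map[p] for p in ports if p in port_map]
    return vlans, sorted(unmapped)

if __name__ == "__main__":
    print(translate(OLD_CONFIG, PORT_MAP))
```

Any port in the second return value needs a spreadsheet row, or a deliberate decision to retire it, before the new config is built.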
For this migration, much of this config was the same; the operating system was the same (K15.xx vs KB16.xx), and the platforms are pretty similar. Examples of the key differences or changes are listed here.
Control Plane
8206 (config) # control-plane-protection enable
5406R (config) # copp traffic-class all limit default
Cloud Management
The 5406R could be cloud-managed with Central, but I don't want that, so those functions have been disabled.
aruba-central disable
activate provision disable
Fault-Finder
This was enabled on the 5406R globally, and on most ports for broadcast-control.
fault-finder all sensitivity high
fault-finder broadcast-storm all action warn percent 10
Note that the broadcast-storm control will need to be disabled on ports being added to a trunk (aggregation) group.
GVRP vs MVRP
Unfortunately the MVRP implementation in AOSS is not compatible with GVRP, so I have had to stick with GVRP to support the older downstream switches that only support GVRP.
Openflow
I removed all the Openflow config. The 5406R supports Openflow the same as the 8206, but this is no longer a focus, and the Openflow applications and demos I had are no longer in place.
OOBM
The 5406R has an out-of-band management port (OOBM) which provides a completely separate connection point to the switch - just like an ILO port on a server. It is separate, not on the backplane, so there are no issues with loops.
oobm
   ip address dhcp-bootp
   exit
Site Prep
- Tools at hand (lifter, screwdrivers, cage-nut tool, etc)
- Caps for cables and optics
- Hook-and-loop/velcro straps
- Extra cables
- Disconnect and remove any cables that are listed in the spreadsheet
- Get the new switch ready (IP addresses changed if required, saved and backed-up config, powered off and ready to mount)
Deployment/Cutover
Once all the planning and preparation has been done, the actual cutover should be pretty straightforward.
The basic process I usually follow is:
- Power off and unpatch old switch
- Remove old switch (taking all the modules out first makes it lighter and easier to manage single-handed)
- Mount new switch
- Power on and repatch critical ports (eg OOBM, uplink LACP)
- Test system connectivity
- Patch remaining ports
- Testing
Because I was mounting the 5406R 2RU higher, I had to lengthen the power cables, and repatch some of the ethernet cables.
Total off-line time for critical systems (ie firewall + upstream LACP) was approx 35min. Total replacement time was just over 2 hours. And now the new 5406R switch is in and running!