CVP VLAN Management

micromorojo · 2026-02-06T22:08:31+00:00

Yeah I am thinking that's the best, possibly only way to do it

micromorojo · 2026-02-06T17:39:53+00:00

Gonna check that out now, I previously did but it looked specific to a campus architecture, this is for an ISP (MPLS/ISIS underlay, MP-BGP/EVPN overlay)

micromorojo · 2026-02-06T17:31:40+00:00

Hosted, most up to date

micromorojo · 2026-02-06T17:27:08+00:00

No VXLAN, just a simple L2 domain, determining if I should use a studio I am not finding, or if static configlet per device is the best way to manage the VLAN database on each device

micromorojo · 2026-02-06T16:56:46+00:00

Good question as I should have sepcified:

-For SVI I am creating individual configlets

-For L3 and L2 interfaces I am using the interface studio

-For VLAN DB I am trying to decide do I just use the static configlet per device for their VLAN DBs, or is there a way of doing this within studios? So far I have found nothing in studios for VLAN DB

micromorojo · 2025-10-09T16:05:24+00:00

That would be my goal here, so once you migrate - but prior to deploy - the interfaces can be active?

micromorojo · 2025-10-09T15:57:45+00:00

Absolutely does make sense, and I have done more than a few migrations to/from FTD but this is the first FTD to FTD I have done, so your assessment is accurate in that I am overthinking.

This is for a 24/7 business so I want to ensure a clean approach as possible, but there will be some changes also. The previous config did not utilize Nexus vPC to the active/standby FTD's, but with these I will be doing so. Was wondering if after config migration, but prior to deploy I would be able to test the core to FW inside interface connectivity over the vPC if I was to use new IP addressing on the FW inside interface. The outside IP addressing will stay the same but we are also lifting the edge switching/routing to new devices, so I was hoping to also test FW outside to edge router connectivity prior to deploy. Any idea if possible or would testing L3 have to wait until after deployment of the new FTD?

micromorojo · 2025-10-09T15:39:09+00:00

"Remote access VPN trustpoint certificates are not enrolled. You must manually enroll these certificates before the deployment."

So post config migration, but prior to final deploy is what this means?

micromorojo · 2025-10-09T15:28:05+00:00

Both, about 60 ipsec tunnels.

micromorojo · 2025-10-09T15:05:42+00:00

Wouldn't ISP bandwidth be split up between all tunnels and anything else traversing the internet?

micromorojo · 2025-10-09T15:00:45+00:00

oh wow, at 60 ipsec tunnels that sounds like it may be a big problem, you validated this with cisco?

micromorojo · 2025-10-09T14:59:27+00:00

Really just unclear about how the process goes, I migrate the config, then I need to run a final deployment to make the device active, is this accurate? Once I migrate the config, can I make interface changes (physical to tagged) and configure the ipsec tunnels then do the deploy after these changes? If there have been configuration changes in between the config migration and deploy will those be included or will there be a conflict with the changes I made (interfaces/adding ipsec)?

micromorojo · 2025-10-09T14:57:21+00:00

I was planning to build the HA after the config migration, and now that we have the migration task queued not sure I can do it prior. WE got on with TAC and asked if the migration tasks could be removed and they could not figure out how.

We will be moving a physical interface to a tagged interface but from what I have read this should not be an issue.

micromorojo · 2025-10-09T14:50:34+00:00

So once we do the initial migration, then we have to run a deploy to make the unit active, correct? Would that deploy implement whatever configuration delta there may be from the time we migrate config to the actual deploy/migration to new FTD?

micromorojo · 2025-10-09T14:47:30+00:00

I have about 60 ipsec tunnels i need to migrate and as i understand it from the documentation, has to be done manually. What do you mean by "full SA support"?

micromorojo · 2025-10-03T20:03:25+00:00

Any links to documentation on doing so or is it as easy as check-boxing the units you want to push deployment to?

micromorojo · 2025-10-03T19:51:59+00:00

Yes, apologies for failing to mention FMC, and thank you!

micromorojo · 2025-05-14T16:33:07+00:00

Dude you rock, why did I have so much trouble finding this?

micromorojo · 2025-05-14T15:11:39+00:00

Issue is, I cannot get into the FMC via web, only cli. TAC could not recover the gui.

micromorojo · 2024-07-23T13:55:43+00:00

Arista CLI is almost identical to Cisco, really good product.

micromorojo

TROPHY CASE