I've recently upgraded to a pair of M590 (12.10.2) devices for my A/P FireCluster and I'm looking to implement some network segmentation for additional security.

We currently have a very flat 192.168 subnet with PCs, Servers and printers all on vlan1.

To ensure I don't introduce any bottlenecks I would like to move the vlan1 subnet from the trusted interface to an untagged vlan on a 10G interface.

I realise that I will need to change the trusted interface to another subnet, but when I try to create a vlan called VLAN1 on the WatchGuard, I get the following error.

"The FireCluster management IP address 192.168.... cannot be on the same subnet as the primary IP of interface VLAN1"

Am I able to change the FireCluster management IP addresses to move them to a different subnet and interface, so they are not on the same subnet as vlan1? Or is there a better way to achieve what I need?

Any advice would be welcome.




    james.carson Moderator, WatchGuard Representative

    Hi Phil,

    You'll need to do one of two things:
    -Leave vlan1 intact for the FireCluster's management interface
    -Move the FireCluster's management interface to the new interface.

    You'll want to use WatchGuard System Manager's Policy Manager tool to do this so that you can push all changes at once.

    -First, go to Network -> Configuration.
    -Create a new network on an unused port; use a subnet you don't intend on using.
    -Next go to FireCluster -> Configure, and change the "Interface for management IP address" to your newly configured network.
    -Go to the members tab, and for each cluster member, change the IP addresses to match that new network you made up.
    -In Network -> Configuration, you should now be able to set your old interface to disabled under interface type, and then create the new network on your 10G SFP+ port.
    -Once the network interface is moved, you can go to FireCluster -> Configure to move the "Interface for management IP address" to the new 10G port.
    -Remember to go to the members tab, and change the management IPs back to what they were before.

    Please ensure that your switch is capable of handling the MAC address sharing that the cluster will perform. See the requirements section here:


    -James Carson
    WatchGuard Customer Support

    Hi James,

    Thanks for your reply. I will try it out.



