将配置从旧硬件型号(Cx70)迁移到新硬件型号(Cx95)

简介

在硬件(HW)生命周期中，客户可能拥有较旧型号的设备，稍后会被较新的硬件取代。  随着AsyncOS版本的更新，支持的版本将达到寿命终止(EoL)和支持终止(EoS)状态。  EoL/EoS和硬件生命周期曾经达到AsyncOS版本升级不能与较新硬件上装运和安装的AsyncOS版本相匹配的程度。（例如，思科电子邮件安全CX70 >思科电子邮件安全CX95。）

本文档将提供管理员选项来弥补版本之间的差距，以便将现有配置从旧硬件迁移到新硬件。

概述

先决条件

1. 查看思科停售和停产产品页面
2. 确定在现有硬件和新硬件上运行的AsyncOS版本：
   • Cx70（或其他硬件型号）[这是现有生产ESA。]
   • Cx95（或其他硬件型号）[这是ESA更换生产ESA。]
     • 步骤：
       • CLI，运行命令版本
       • UI，导航至监控>系统信息

3. 基本了解思科邮件安全设备的集群
4. 确定现有硬件是否已在集群中
   • 在CLI中，运行命令clusterconfig。
   • UI，导航至“监控”>“任意”
     • 如果您看到“Mode - Cluster:cluster_name”，设备在群集配置中运行

5. 下载思科邮件安全虚拟设备(vESA):
   • 要匹配Cx70支持的版本，请下载11.0.0-274:
     • https://software.cisco.com/download/home/284900944/type/282975113/release/11.0.0

6. 通过以下两种方法之一获取vESA的许可证：
   1. 许可证管理器的45天临时密钥
   2. 从许可证管理器请求现有硬件的XML

将旧硬件(Cx70)升级到最新AsyncOS

本文档将使用Cx70作为要更换的基本设备。  所有Cx70型号在AsyncOS 11.0.x上都有EoS。  为了弥补AsyncOS版本之间的任何差距，您需要将现有配置迁移到vESA，然后利用该vESA将配置同步到新设备。

要将现有配置迁移到新硬件，请将设备升级到设备的最新AsyncOS常规部署(GD)或维护部署(MD)版本。

 

将现有Cx70/HW升级到11.0.3-238(MD)

在思科邮件安全设备AsyncOS 11.0版本说明中，使用以下说明升级邮件安全设备：

1. 保存设备的XML配置文件。
2. 如果使用安全列表/阻止列表功能，请将安全列表/阻止列表数据库从设备导出。
3. 暂停所有侦听程序。
4. 等待队列为空。
5. 从“系统管理”选项卡中，选择“系统升级”
6. 单击“Available Upgrades”（可用升级）页面刷新，其中包含可用的AsyncOS升级版本列表。
7. 单击“Begin Upgrade(开始升级)”按钮，您的升级将开始。在问题出现时回答。升级完成后，单击“Reboot Now(立即重新启动)”按钮重新启动设备。
8. 恢复所有侦听程序。

重新启动后，验证运行的AsyncOS版本：

• CLI，运行命令版本
• UI，导航至监控>系统信息

注意：如果集群配置中已运行多个设备，则可以跳过下一部分。

创建群集（在现有Cx70/HW上）

创建集群可共享现有配置。  有关使用群集进行集中管理的信息，请参阅《用户指南》。  使用clusterconfig > Create a new cluster命令，类似于以下命令：

C170.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> migration.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.56 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C170.local using IP address 10.10.10.56 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 07:47:59 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)

使用vESA将配置桥接到新硬件(Cx95)

本文档将使用Cx70作为要更换的基本设备。  所有Cx70型号在AsyncOS 11.0.x上都有EoS。  为了弥补AsyncOS版本之间的任何差距，您需要将现有配置迁移到vESA，然后利用该vESA将配置同步到新设备。

部署vESA

从前提条件下载vESA映像并根据《思科内容安全虚拟设备安装指南》进行部署。

注意：安装指南提供有关DHCP(接口配置)的信息，在虚拟主机上设置默认网关(setgateway)，并加载虚拟设备许可证文件。  请确保您已按照指示阅读和部署。

升级您的vESA以匹配Cx70

部署vESA后，验证运行的AsyncOS版本：

• CLI，运行命令版本
• UI，导航至监控>系统信息

当您将Cx70的AsyncOS版本升级到11.0.3-238时，您还需要使vESA运行与邮件安全的AsyncOS版本相同的匹配版本。(即11.0.3-238:11.0.3-238，而不是11.0.0-274:11.0.3-238。)

1. 从“系统管理”选项卡中，选择“系统升级”
2. 单击“Available Upgrades”（可用升级）页面刷新，其中包含可用的AsyncOS升级版本列表。
3. 单击“Begin Upgrade(开始升级)”按钮，您的升级将开始。在问题出现时回答。升级完成后，单击“Reboot Now(立即重新启动)”按钮重新启动设备。

重新启动后，验证运行的AsyncOS版本：

• CLI，运行命令版本

UI，导航至监控>系统信息

将您的vESA加入您的ESA集群

从vESA的CLI中，运行clusterconfig > Join an existing... 将vESA添加到集群中，如下所示：

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.56

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:22:44:aa:cc:55:ff:ff:11:66:77:ee:66:77:77:aa
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)>

此时，您的vESA现在具有与现有Cx70/HW运行相同的配置。

运行clustercheck命令以验证同步，并验证现有vESA与Cx95之间是否存在任何不一致。  （有关详细信息，请参阅“集群不一致”。）

注意：您的vESA未处理邮件。  为了安慰您，您必须将vESA作为额外的MX添加到DNS记录中，或包括在ESA外部的任何负载均衡池中。 

从ESA集群中删除vESA

从vESA上的CLI，请运行clusterconfig ，并使用removemachine操作从集群中删除设备：

(Cluster migration.local)> clusterconfig

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. C170.local (group Main_Group)
2. vESA.local (group Main_Group)
[1]> 2

Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

将您的vESA和Cx95升级到12.5.x

此时，在配置迁移中，您需要升级vESA以匹配新HW/Cx95的修订版。  本文档将假设您使用Cx95作为替换Cx70的设备。 

CX95硬件随附运行AsyncOS 11.5.x。  思科建议从11.5.x升级到12.5.x。

vESA需要运行相同的匹配版本的邮件安全AsyncOS。(即12.5.0-059:12.5.0-059，而不是11.0.3-238:12.5.0-059。)

在升级之前，您需要更改vESA上的动态主机设置。  [解释为什么需要这样做：当vESA加入Cx70群集时，它假设为HW更新程序的群集配置(update-manifests.ironport.com 443)。  此时，要升级vESA，需要将其重新指向VM更新程序。]

要完成此操作，请从CLI运行以下命令：

1. updateconfig
2. dynamichost（*这是仅在更新配置的此点处的隐藏命令）
3. 输入以下内容：update-manifests.sco.cisco.com 443
4. 按一次Enter键返回主CLI提示符
5. 运行提交以保存配置更改。

要升级vESA和Cx95:

1. 从“系统管理”选项卡中，选择“系统升级”
2. 单击“Available Upgrades”（可用升级）页面刷新，其中包含可用的AsyncOS升级版本列表。
3. 单击“Begin Upgrade(开始升级)”按钮，您的升级将开始。在问题出现时回答。升级完成后，单击“Reboot Now(立即重新启动)”按钮重新启动设备。

重新启动后，验证运行的AsyncOS版本：

• CLI，运行命令版本
• UI，导航至监控>系统信息

完成配置迁移到新HW/Cx95

对于本文档，我们假设您已经接收、机架安装、供电并完成了新硬件（即Cx95）的基本网络配置。  有关Cx95的详细信息，请参阅《思科电子邮件安全设备C195、C395、C695和C695F入门指南》。

创建新集群（在vESA上）

如果希望重新使用相同的群集名称，请使用Cx70群集中的相同群集名称创建。  或者，使用新群集名称创建新群集。  这是之前步骤的重复，现在在vESA上：

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> newcluster.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.58 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C195.local using IP address 10.10.10.58 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

将您的CX95加入您的ESA群集

在Cx95的CLI中，运行clusterconfig > Join an existing... 将Cx95添加到vESA上配置的新集群中，如下所示：

C195.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.58

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:11:33:aa:bb:44:ee:ee:22:77:88:ff:77:88:88:bb
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

重复此过程，将其他Cx95加入您的群集。 

此时，您的Cx95现在具有与现有Cx70/HW和vESA运行相同的配置。

运行clustercheck命令以验证同步，并验证现有vESA与Cx95之间是否存在任何不一致。  （有关详细信息，请参阅“集群不一致”。）

与vESA的第二部分中的步骤类似，您需要将updateconfig 设置为指向HW更新程序。  要完成此操作，请从CLI运行以下命令：

1. updateconfig
2. dynamichost（*这是仅在更新配置的此点处的隐藏命令）
3. 输入以下内容：update-manifests.ironport.com 443
4. 按一次Enter键返回主CLI提示符
5. 运行提交以保存配置更改。

配置迁移已完成！

迁移后清理和选项

Cx70 > Cx95

此时，您需要做出关闭Cx70设备电源以及将现有IP地址和关联主机名迁移到Cx95的决策。  在此流程中要审核的项目包括：

• UI:
  • Network > IP Interface [通过每个活动接口的步骤，以及分配给每个接口的任何关联主机名]
• CLI：
  • setgateway
  • sethostname

Cx00V

您还希望决定如何继续使用虚拟ESA。  要通过运行clusterconfig > removemachine从现有集群中删除此项，并选择要从集群中删除的虚拟设备的编号：

(Cluster newcluster.local)> clusterconfig

Cluster cluster

Choose the operation you want to perform:

- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. vESA.local (group Main_Group)
2. C195.local (group Main_Group)
[1]> 1

Warning:
- This is the last machine in the cluster.  Removing it from the cluster will destroy the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

迁移后使用虚拟设备的想法：

• 使用实验室或测试设备
• 用于在为生产环境进行任何部署之前演示AsyncOS的未来版本/版本
• ESA备件，用于冗余或未来增长

vESA许可

创建演示许可证

1. 转至思科许可证注册门户(LRP):cisco.com/go/license
2. 使用您的思科帐户ID登录
3. 点击许可证
4. 从获取许可证下拉列表中，选择演示和评估……
5. 从弹出窗口中，选择产品系列：安全产品和产品：思科电邮/Web/内容安全虚拟演示许可证
6. 然后，您将为以下选项之一选择产品：

• ESA虚拟设备45天演示许可证
• WSA虚拟设备45天演示许可证
• SMA虚拟设备45天演示许可证

7. 单击“下一步”
8. 对于SN/虚拟设备标识符，您可以输入现有完全许可设备的序列，或留空并单击“下一步”。
9. 最后，查看“发送至”、“最终用户”字段；单击..以包括其他收件人
10. 单击Submit完成演示许可证请求
11. 按照前面的步骤输入的电子邮件地址进行检查，因为演示许可证将发送到该电子邮件地址

注意：您的虚拟许可证文件将以XML格式发送，并在三小时内收到您指定的电子邮件地址。

共享现有许可证

1. 转至思科许可证注册门户(LRP):cisco.com/go/license
2. 使用您的思科帐户ID登录
3. 点击许可证
4. 从“移动许可证”下拉列表中，选择共享许可证……
5. 选择“获取激活码”选项
6. 系统将显示一个弹出窗口。选择IronPort产品 — 软件捆绑包（如果您有现有软件捆绑包）或IronPort产品 — TC（如果您有单个产品）
7. 在源序列号/虚拟设备标识符字段中输入现有ESA/WSA/SMA序列号。如果您有多个ESA、WSA或SMA，请选择一个许可证与您想在虚拟设备上启用的许可证相同
8. 对于“选择目标设备类型”选项，选择“虚拟”按钮
9. 将目标序列号/虚拟设备标识符字段留空
10. 在“发送至”字段中，输入激活代码应发送到的电子邮件地址
11. 如果您之前已经完成了许可证请求，则可能会显示现有VLN，请根据需要选择
12. 单击“请求代码”
13. 收到激活代码后，重复步骤#3和#4（如上所列）。 完成步骤#5后，选择“使用激活代码”选项
14. 粘贴提供的激活代码，然后点击Next
15. 选择应嵌入思科虚拟ESA/虚拟WSA/虚拟SMA许可证的思科ESA/WSA软件SKU。单击“下一步”
16. 输入应将许可证发送到的电子邮件地址
17. 最后，单击“获取许可证”

注意：您的虚拟许可证文件将以XML格式发送，并在三小时内收到您指定的电子邮件地址。

限定的升级路径

11.0.3-238(版本说明)	11.5.0-066(版本说明)	12.5.0-059(版本说明)
AsyncOS for Cx70的EoS版本	Cx95的制造版本	Cx80/Cx90/Cx95推荐的GA版本
菲比11-0-1-027 ->菲比 — 11-0-3-238 菲比11-0-1-301 ->菲比 — 11-0-3-238 菲比11-0-1-602 ->菲比 — 11-0-3-238 菲比11-0-2-037 ->菲比 — 11-0-3-238 菲比11-0-2-038 ->菲比 — 11-0-3-238 菲比11-0-2-044 ->菲比 — 11-0-3-238 菲比9-1-2-053 ->菲比 — 11-0-3-238 菲比9-7-2-145 ->菲比 — 11-0-3-238 菲比9-8-1-015 ->菲比 — 11-0-3-238 菲比9-8-1-021 ->菲比 — 11-0-3-238	升级路径不可用，因为这是x95平台的制造版本。	菲比11-0-1-027 ->菲比 — 12-5-0-059 菲比11-0-2-044 ->菲比 — 12-5-0-059 菲比11-0-3-238 ->菲比 — 12-5-0-059 菲比11-0-3-242 ->菲比 — 12-5-0-059 菲比11-1-1-042 ->菲比 — 12-5-0-059 菲比11-1-2-023 ->菲比 — 12-5-0-059 菲比11-5-0-058 ->菲比 — 12-5-0-059 菲比11-5-0-077 ->菲比 — 12-5-0-059 菲比12-0-0-419 ->菲比 — 12-5-0-059 菲比12-1-0-089 ->菲比 — 12-5-0-059 菲比12-5-0-051 ->菲比 — 12-5-0-059

群集不一致

升级到AsyncOS 12.x后，如果设备处于集群模式且配置了DLP，则使用CLI运行clustercheck命令时，DLP设置中的不一致性会出现。

要解决此不一致问题，请强制整个集群使用集群中任何其他计算机的DLP配置。使用以下提示“How do you want to resolve this inconsistency？” 在clustercheck命令中，如以下示例所示：

(Cluster)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
mail1.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com mail2.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com How do you want to resolve this inconsistency?

1. Force the entire cluster to use the mail1.example.com version.

2. Force the entire cluster to use the mail2.example.com version.

3. Ignore.
[3]>

请确保阅读ESA上运行的AsyncOS版本的版本说明。

其他参考：ESA集群要求和设置