ASA - reconfiguring interfaces help

jigsaw2026
Level 1

Hi,

I have a trunk port on one interface, with 2 sub-interfaces. I am actually decommissioning one of the vlans, so I would like to remove the sub-interfaces and make it a regular interface with the remaining vlan.

Setup as follows:

interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.3
 vlan 30
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.0.0 standby 10.20.0.2
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif storage
 security-level 85
 ip address 10.24.0.1 255.255.0.0 standby 10.24.0.2
!

I would like to get to:

interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif storage
 security-level 85
 ip address 10.24.0.1 255.255.0.0 standby 10.24.0.2

I have an active/standby failover. I would like to readdress this with minimal downtime, but I'm unsure how to do this without confusing the failover. I was thinking that I could do the following:

1) On the standby unit, remove both sub-interfaces and readdress interface as above

2) Failover primary to standby

3) On primary, remove both sub-interfaces and readdress interface as above.

4) Fail back to primary

With this plan I am worried that

-standby unit will complain that it's not synched

-failover from primary will not occur because standby interfaces will no longer exist

Or is it necessary for me to admin shut down the primary interface (will this cause failover???), readdress and then bring back up again, no failover required...

Can anyone think of a good way of going about this?

Many thanks,

J

3 Replies

Collin Clark
VIP Alumni

I don't think the firewall will failover when you make interface config changes. If you're really concerned, you could reboot/shut down the failover device and while it's down/rebooting, you could make your configuration changes. Once the standby device is online it will sync the config with the primary.

Hope that helps.

Thank you for your response. The problem is that I do not really want any downtime while I'm doing it (for the remaining vlan) - which is why I thought to failover - but I guess that's not possible?

IMO by using failover to keep uptime during the reconfig, you greatly increase your risk in things getting FUBAR'd.
