08-16-2013 05:40 AM - edited 03-11-2019 07:26 PM
Dear All ASA Experts,
The ASA5585 is running GE connections (IN & OUT) to the Core Switch.
Now, I want to change the GE to 10GE.
Will any configuration be lost?
Are there any parts I need to take care of?
Is there any generic method I can use to finish the modification?
Thanks!
08-16-2013 01:25 PM
Not exactly sure what your issue is, but the 10Gig interfaces have the same configuration as any other ASA interface. But as always when making changes, make sure you have a current backup of your configuration so you can perform a rollback if needed.
08-19-2013 11:28 PM
Actually, I have around 20 security contexts that are using the GE as the IN/OUT to connect to the Core Switch.
Then I will change the GE to 10GE as the IN/OUT to connect to the Core Switch. I must take only a short time to modify all the related interface configurations from GE to 10GE and import them as the running config, to make sure the firewall service resumes in the least time.
I think ... I should write a program to capture all security contexts and modify all related interface configuration (from GE to 10GE) .... But I don't know which parts will be changed? NAT? ACLs? Routing? ....
08-20-2013 05:48 AM
You will need to license the 5585 for 10 GE interface use if you haven't already.
The NAT/ACL/routing commands operate based on interface names (inside, outside, etc.) rather than physical reference (Gi0/0, Te1/0 etc.) so the new Te interfaces need to be assigned the nameif command currently used by the Gi interfaces to your core.
08-20-2013 11:02 PM
Thanks for your reply!
Does that mean that if I use the same "nameif" on the GE and 10GE, then I do not need to modify the configurations when I change the GE to 10GE?
Do I need to reboot the FW after changing the GE to 10GE?
08-21-2013 01:10 AM
There should be no need to reboot the firewall after the changes, but once you remove the configuration from the GE, route statements, ACLs, NAT, etc. that reference that interface will be deleted and would need to be added again.
So make sure you have a backup of all statements that reference the interfaces you are about to change and then re-add them once the change has been made. You should do this change in a scheduled maintenance window.
09-16-2013 12:52 AM
Many thanks for your reply!
Would you mind telling me which parts I need to modify after GE > 10GE? ACLs? NAT? Route?
PS: I would use the same nameif for the GE and 10GE.
09-18-2013 05:18 AM
For example, if you have a route statement for the GE interface (let's call it "outside"):
route 0.0.0.0 0.0.0.0 outside
then you delete the config for that interface and move that config to a 10GE interface, that route statement will also be removed as it is bound to the original GE "outside" interface.
The same goes for the access-group command if you have any ACLs configured for the GE interface. The actual ACL should not be removed but its association to the interface named outside will be removed. So the following command will be removed once the configuration on the GE interface is removed.
access-group OUT-to-IN in interface outside
The same also goes for NAT as this specifies interfaces also. These commands differ depending on your ASA version but in either case those that reference the interface that was removed would need to be re-added.
nat (inside,outside) 1.1.1.1 2.2.2.2
You should always take a backup of your configuration or make sure you have an up to date backup before you start making these changes.
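One way to build the per-interface backup recommended in this thread, as an added example that is not part of the original posts: a Python script that finds the nameif of a physical interface in one context's saved running config and lists every global line that names it, so those lines can be re-added after the move to the 10GE port. The sample config, addresses and the function name interface_bound_lines are constructed for illustration; matching on the nameif token is an assumption and may list more commands than the route, access-group and nat lines discussed above. Run it once per security context.

```python
import re

# Constructed sample of one security context's running config (not from the thread).
SAMPLE_CONTEXT = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list OUT-to-IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUT-to-IN in interface outside
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.254 1
"""

def interface_bound_lines(config, phys_if):
    """Return (nameif, interface sub-commands, global lines that name that nameif)."""
    nameif, sub, bound, current = None, [], [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current == phys_if:
            sub.append(line.strip())          # settings to re-enter on the 10GE port
            m = re.match(r"\s+nameif\s+(\S+)", line)
            if m:
                nameif = m.group(1)
        elif not line.startswith(" "):
            current = None                    # left the interface block
    if nameif is None:
        return None, sub, bound
    for line in config.splitlines():
        if line.startswith((" ", "!", "interface ")):
            continue
        # Split on whitespace, parentheses and commas so "(inside,outside)" yields both names.
        if nameif in re.split(r"[\s(),]+", line):
            bound.append(line)
    return nameif, sub, bound

if __name__ == "__main__":
    name, sub, bound = interface_bound_lines(SAMPLE_CONTEXT, "GigabitEthernet0/0")
    print("nameif:", name)
    print("\n".join(sub + bound))
```

Diffing this list against the running config after the change shows which statements still have to be re-added.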