topic Re: Migrate ASA Sub-interface to Port-Channel in Network Security

Migrate ASA Sub-interface to Port-Channel

johnlloyd_13 — Sat, 23 Mar 2024 09:43:54 GMT

hi,

i need to migrate G0/0 "outside" and G0/1.xx "inside" sub-interfaces to a new port-channel1 interface.

can't seem to pre-configure the same sub-interface VLAN and ip address under the same context.

can someone advise what is the best approach and with a "minimal" downtime?

do i configure a new context instead and allocate the Po1.900 "outside" and Po1.xx "inside" sub-interfaces?

then delete the old context once the outside and inside interface are migrated and new context configured?

<SYSTEM>

GigabitEthernet0/1.960 unassigned YES unset up up
GigabitEthernet0/1.998 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up

ciscoasa(config)# interface Port-channel1.998
ciscoasaconfig-subif)# vlan 998
ERROR: VLAN 998 exists in the global vlans table

ciscoasa(config)# changeto context TEST-CONTEXT
ciscoasa/TEST-CONTEXT(config)# sh int ip b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/1.998 10.1.6.4 YES manual up up
Port-channel1.998 unassigned YES unset up up

ciscoasa/TEST-CONTEXT(config)# interface Port-channel1.998
ciscoasa/TEST-CONTEXT(config-if)# nameif TEST
ERROR: VLAN must be configured for interface Port-channel1.998
ciscoasa/TEST-CONTEXT(config-if)#
ciscoasa/TEST-CONTEXT(config-if)# sh run interface Port-channel1.998
!
interface Port-channel1.998
no nameif <<< CAN'T PRE-CONFIGURE NAMEIF
no security-level
no ip address

ciscoasa/TEST-CONTEXT(config-if)# ip address 10.1.6.4 255.255.255.0
ERROR: Failed to apply IP address to interface Port-channel1.998, as the network overlaps with interface GigabitEthernet0/1.998. Two interfaces cannot be in the same subnet. <<< CAN'T PRE-CONFIGURE L3 IP

-----

changeto system

interface Port-channel1.900
description OUTSIDE
vlan 900

interface Port-channel1.998
description INSIDE
vlan 998

context NEW-CONTEXT
allocate-interface Port-channel1.900
allocate-interface Port-channel1.998

!! CONFIGURE NEW-CONTEXT

!! REMOVE OLD-CONTEXT AND G0/1.xx INSIDE SUBIF

no context OLD-CONTEXT

no interface GigabitEthernet0/1.998

!! G0/0 OUTSIDE IS STILL USED BY OTHER CONTEXT

Re: Migrate ASA Sub-interface to Port-Channel

balaji.bandi — Sat, 23 Mar 2024 09:57:05 GMT

Personally VLAN is the one connected to Switch is important. why not use different VLAN using same context ?

make sure switch associated with connected port allow new VLAN you looking to create.

Re: Migrate ASA Sub-interface to Port-Channel

MHM Cisco World — Sat, 23 Mar 2024 10:01:47 GMT

any new interface have same nameif of other interface not work
I run now lab of NSK if you can wait me to night I can send to you some steps to shift from g0/0.x to port-channel .x
MHM

Re: Migrate ASA Sub-interface to Port-Channel

johnlloyd_13 — Sat, 23 Mar 2024 12:20:16 GMT

hi balaji,

i don't think it's practical to change ALL "inside" sub-interface to a new VLAN.

Re: Migrate ASA Sub-interface to Port-Channel

balaji.bandi — Sat, 23 Mar 2024 14:06:39 GMT

Ok let me re-cap here are you looking total move from Interface to Port-channel ?

Create New context possible but more work right ? (also required downtime moving from context to context ?)

Rather over engineering - suggest to take downtime and big bang moving is best option i can thing of.

Re: Migrate ASA Sub-interface to Port-Channel

johnlloyd_13 — Sun, 24 Mar 2024 03:12:39 GMT

yes, move ALL "inside" sub-interfaces into the new port-channel interface like i said.

was thinking of some other way other than configuring a new context and allocate the new sub-interfaces in the port-channel.

as you saw in the error in my original post, you can assign the same VLAN on the current G0/1.xx and Po1.xx, but can't configure the same nameif and ip address. so i don't think configuring a new context is the alternative.

Re: Migrate ASA Sub-interface to Port-Channel

balaji.bandi — Sun, 24 Mar 2024 09:38:11 GMT

but can't configure the same nameif and ip address.

You can not have same IP address