topic Re: Changing interface from access to trunk in Network Security

Changing interface from access to trunk

db1 — Fri, 21 Feb 2020 16:49:44 GMT

Hi All,

I have my inside interface configured like this:

interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.x.1 255.255.255.0 standby 192.168.x.3

It connects to a switch configured also with an access interface.

However, there is a SD-WAN device inbetween, and that device expects to see tagged VLAN traffic.

So I need to change the ports on the switch and ASA to send tagged VLAN traffic. Easy on the switch, but from what I understand on the ASA I will need to create a subinterface.

Of course I have quite a lot of config on the ASA mentioning 'inside' interface, NAT, access-lists and so on.

How do I do it in a best way? I guess I don't want to remove the current 'nameif inside' as it will remove all this config.

Maybe reboot using a new config with modified interface setup?

Thanks!

Re: Changing interface from access to trunk

db1 — Mon, 18 Feb 2019 21:40:46 GMT

I will reply to my own post, maybe it is helpful to someone in future.

1. I copied the startup config to ftp server

2. I opened it in Notepad++, changed the interface config

3. I copied the modified startup config from ftp to startup-config on the ASA

4. Outside working hours I rebooted the ASA

5. While the ASA was rebooting I changed the config on the switch to trunk instead of access

6. When ASA rebooted it loaded the new startup-config and everything worked right away.

Everything worked nice, I did not lose any configuration, all NAT / Access rules were still there.

Re: Changing interface from access to trunk

Mohammed al Baqari — Tue, 19 Feb 2019 06:20:18 GMT

I don't think you can swap it and keep all other rules without impact. I
suggest to create the sub interface without IP, check in the run config is
related to inside interface and configure it for the new interface then
finally migrate the ip address