01-21-2026 02:59 AM
Hi,
We need to replace a virtual ASA in HA (active, stand-by) which is currently in production attached to multiple service graphs, so the process must be as smooth as possible. I was thinking of setting the same IP and MAC address on the new firewall and swapping the old and virtual firewalls so this is transparent to ACI.
Each firewall member is in a different POD but both share the same active member's MAC address.
Has anyone performed this task in the past who can give feedback?
Thanks.
01-23-2026 12:30 PM
Hi,
@Antonio Macia What is the new firewall? Haven't been through this exact specific scenario, something similar though. Using the same IPs and VMACs (I guess you mean Virtual MACs when you say same MAC) should work; there will be, though, a short downtime window, in the order of seconds.
Thanks,
Cristian.
01-25-2026 11:25 PM
The new firewall is a virtual FTD, so we can consider it the same as the existing Cisco ASA. A glitch in the network is expected indeed. I just wanted to ensure that this would be the best approach. Thx,
02-01-2026 03:43 AM
02-01-2026 11:20 PM
Hi Cristian,
We didn't test it. I'll let you know when done. Thanks for asking.
Antonio.