Actually, I have around 20 security contexts, that is using the GE as the IN/OUT to connect the Core Switch.

Then I will change the GE to 10GE as the IN/OUT to connect the Core Switch. I must take a short time to modify all the related interface from GE to 10GE configurations and import as running config, that make sure use the least time to resume the firewall service.

I think ...  I should write a program to capture all security contexts and modify all related interface configuration (from GE to 10GE) .... But I don't know whtch parties will be changed? NAT? ACLs? Routing? ....

You will need to license the 5585 for 10 GE interface use if you haven't already.

The NAT/ACL/routing commands operate based on interface names (inside, outside, etc.) rather than physical reference (Gi0/0, Te1/0 etc.) so the new Te interfaces need to be assigned the nameif command currently used by the Gi interfacesto your core.

Thanks for your reply!

That mean if I use the same "nameif" on the GE and 10GE, then I am no need to modify the configurations when I change the GE to 10GE?

Need to reboot the FW, after change the GE to 10GE?

There should be no need to reboot the firewall after the changes, but once you remove the configuration from the GE route statements, ACLs, NAT, etc. that reference that interface will be deleted and would need to be added again.

so make sure you have a backup of all statements tat reference the interfaces you are about to change and then re-add them once the change has been made.  you should do this change in a scheduled maintenance window.

Really thanks for your reply!

Would you mind tell me which parts I need to modify, after GE > 10GE? ACLs? NAT? Route?

PS: I would use the same nameif as the GE and 10GE.

For example.  If you have a route statement for the GE interface (lets call it "outside"):

route 0.0.0.0 0.0.0.0 outside

then you delete the config for that interface and move that config to a 10GE interface that route statement will also be removed as it is bound to the original GE "outside" interface.

The same goes for for the access-group command if you have any ACLs configured for the GE interface.  The acutall ACL should not be removed but its association to the interface named outside will be removed.  So the following command will be removed once the configuration on the GE interface is removed.

access-group OUT-to-IN in interface outside

The same also goes for NAT as this specifies interfaces also.  This commands differ depending on your ASA version but in either case those that reference the interface that was removed would need to be re-added.

nat (inside,outside) 1.1.1.1 2.2.2.2

You should always take a backup of your configuration or make sure you have an up to date backup before you start making these changes.