cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1216
Views
10
Helpful
5
Replies

ASA5545 FTD Migration with same IP

fabc1
Level 1
Level 1

Product Model: ASA 5545-X FTD

 

Hi all,

 

we are planning to perform major overhaul and migration on our network with minimal downtime. We will have to migrate it individually, thus requires both old and new networks to be up simultaneously.

You may refer to the image attach for the network diagram plan (networkdiagram.png).

My question is, is it possible to bring up interface g0/4.6 with the same ip address of 172.x.x.254? This is because we want to maintain the IP configurations. Will be it possible to configure two separate interfaces with same .6 and same static ip address?

 

as of now, we have came out with a solution as refer to the second image in attachment (suggestion.png).

 

Directly connect the new switches to old switches and trunk vlans. Therefore, the traffic will pass through the old switch and subsequently to the firewall. After all VMs have been migrated, only then we will swap the cables at firewall side.

Appreciate if you could advise on this and let me know if you have better suggestions.
Thanks!

5 Replies 5

Lee Dress
Level 1
Level 1

I JUST went through this last night replacing an ASA5508 with a FTD 1120.

Here's what I did.

 

I programmed the new FTD with the exact same IP (192.x.x.254) on the inside interface, but disabled the port.  then I plugged the wire into a free port on the switch

When I was ready, I attached to the old ASA via ASDM on the outside interface and disabled the inside interface.

then I enabled the inside interface on the new FTD.

 

it took about 30 seconds for arp to straighten out the new mac address for the duplicate IP, but it worked.

 

as long as you have control of each device from a network not reliant on that IP Address, you should be able to do it.

if you are on the "inside", you could also do it by enabling/disabling ports on the switch they are attached to. then enable the new port, and disable the old one.  it's pretty much the same as moving wires.

 

I don't think you need to set up any new interface. Here is my suggestion:

1) Connect the standby FTD inside interface to the New Switch B

2) Move the VMs

3) Force the standby FTD to become the active

4) Move the inside interface cable from the old primary FTD (FTD Main) and connect it to New Switch A

5) Revert the failover roles and make the new standby (FTD Main) to become the active again

hi Aref,

 

Thank you for your inputs!

 

The solution you proposed is actually one of the solutions that we have discussed internally. The drawback is that during the period of VM migration, both old and new will only have one leg connection to the firewall right? Mean there will be no redundancy? Note that the VM migration could take a couple of weeks or more.

 

Separately, the solution I proposed previously also workable, right?

Hi Fatin, you are very welcome. I don't think that would be the case as both the old and the new VMs would be able to reach both firewalls as shown in this pic:

 

Cisco_Community_ASA5545 FTD Migration with same IP.jpg

fabc1
Level 1
Level 1

Thank you all for the feedback and suggestions! 

Review Cisco Networking for a $25 gift card