1968 Views, 0 Helpful, 7 Replies

FTD interface reconfiguration

Sergey Sakharov
Level 1

Hi team!

I have an ASA5515-X and an FTD2100. I want to migrate from the ASA to the FTD, so I used the Firepower Migration Tool. The ASA has one physical interface for each zone, but on the FTD I want to create an EtherChannel for each zone for redundancy. Is it possible to move the configuration from a physical interface to a port-channel somehow?

7 Replies

balaji.bandi
Hall of Fame

Then you cannot use the migration tool 100%; you can make those changes offline, and do the required testing as well, before you go live.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I've deleted the device from FMC and added it again without any configuration. After that I manually created Port-Channels and subinterfaces on them. The Firepower Migration Tool can see and map ASA interfaces onto the Port-Channels but not onto the subinterfaces.

Why? What's the limitation for subinterfaces? In the documentation https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CP/CP2FTD-with-FP-Migration-Tool/CP2FTD-with-FP-Migration-Tool_chapter_010.html there is nothing about it, just: "Subinterfaces are not created by the Firepower Migration Tool. Only interface mapping is allowed between physical interfaces, port channel, or subinterfaces".

I also tried to change the ASA configuration manually in Notepad, moving the interface configuration to a subinterface like this:

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2

But FMT doesn't see the subinterfaces in that file either.

That's a current limitation of both the FMT and the online migration tool in CDO. I had to go through similar pain in a recent migration. I have since brought it up with the Cisco product team as an unwelcome shortcoming, as it can result in a fair amount of unnecessary extra work to change things later. Hopefully a future release will incorporate the ability to map to subinterfaces (with or without EtherChannels).

balaji.bandi
Hall of Fame

I may not have been clear: the Migration Tool does not give you the ability to make a complete topology change. This tool simply does ACL rule conversion from the existing setup to the new one.

If this is not a big rule base, I would do it manually, and now you have a chance to get rid of old rules which are redundant moving forward with the new setup.

 

BB


Found the solution: I created Port-Channels with the same numbers on both devices (for the ASA I did it in Notepad), moved the ASA config in Notepad from the physical interfaces to Port-Channel subinterfaces, and pushed it to the Firepower Migration Tool. The migration tool then created the same subinterfaces for the FTD by itself.
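The Notepad edit described in the two posts above (negating nameif, security-level and ip address on the physical interface, then re-creating them under a Port-channel subinterface with a vlan line) is mechanical and easy to get wrong on a config with many interfaces. The script below is an added example, not code from the thread or from Cisco's tools: it parses an ASA running-config into interface blocks, applies a chosen physical-interface-to-Port-channel/VLAN mapping, emits the rewritten text for the Migration Tool, and then checks that every nameif zone ends up on exactly one interface. The sample config and the mapping table are constructed for illustration; the Port-channel numbers must match the ones you created on the FTD, as the thread notes.

```python
"""Rewrite an ASA config so that zone/L3 settings on physical interfaces move
onto Port-channel subinterfaces, the way the poster did by hand in Notepad.
The output is only meant as input to the Firepower Migration Tool, not for
applying to a live ASA."""
import re

# Constructed sample ASA config (not the poster's real configuration).
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
"""

# Hypothetical mapping for this example: physical interface -> (Port-channel id, VLAN id).
# The Port-channel ids must already exist on the FTD with the same numbers.
PORTCHANNEL_MAP = {
    "GigabitEthernet0/0": (1, 10),
    "GigabitEthernet0/1": (2, 20),
}

# Lines that define the zone identity and should travel to the subinterface.
MOVABLE_PREFIXES = ("nameif ", "security-level ", "ip address ", "ipv6 address ")
INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_blocks(config):
    """Split an ASA config into (header, body_lines) blocks.

    An 'interface X' line starts a block that runs until the next '!' separator;
    any other top-level line becomes a block with an empty body so it survives.
    """
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if line == "!":
            if header is not None:
                blocks.append((header, body))
                header, body = None, []
            continue
        if INTERFACE_RE.match(line):
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
        elif header is not None:
            body.append(line)
        else:
            blocks.append((line, []))
    if header is not None:
        blocks.append((header, body))
    return blocks


def render(blocks):
    """Serialise blocks back to ASA text, terminating interface blocks with '!'."""
    out = []
    for header, body in blocks:
        out.append(header)
        out.extend(body)
        if header.startswith("interface "):
            out.append("!")
    return "\n".join(out) + "\n"


def move_to_portchannel(config, mapping):
    """Move each mapped physical interface's zone/L3 lines onto a Port-channel
    subinterface and leave the physical port as a bare channel member.
    Unmapped interfaces pass through untouched."""
    rewritten, new_ifaces = [], []
    for header, body in parse_blocks(config):
        name = header[len("interface "):] if header.startswith("interface ") else None
        if name not in mapping:
            rewritten.append((header, body))
            continue
        pc_id, vlan = mapping[name]
        moved = [ln for ln in body if ln.strip().startswith(MOVABLE_PREFIXES)]
        kept = [ln for ln in body if ln not in moved]
        # Physical interface: negate what moved, then make it a channel member.
        rewritten.append((header, kept + [" no nameif", " no security-level",
                                          " no ip address",
                                          f" channel-group {pc_id} mode active"]))
        parent = f"interface Port-channel{pc_id}"
        if parent not in [h for h, _ in new_ifaces]:
            new_ifaces.append((parent, []))          # parent carries no L3 config
        new_ifaces.append((f"interface Port-channel{pc_id}.{vlan}",
                           [f" vlan {vlan}"] + moved))
    return render(rewritten + new_ifaces)


def nameif_owners(config):
    """Map each nameif zone to the interfaces carrying it. Any zone listed on
    more than one interface means the rewrite left a duplicate behind."""
    owners = {}
    for header, body in parse_blocks(config):
        for line in body:
            if line.strip().startswith("nameif "):
                owners.setdefault(line.split()[1], []).append(header[len("interface "):])
    return owners


if __name__ == "__main__":
    result = move_to_portchannel(SAMPLE_ASA_CONFIG, PORTCHANNEL_MAP)
    print(result)
    print(nameif_owners(result))
```

Run the output through nameif_owners before feeding it to the Migration Tool: every zone should map to exactly one Port-channel subinterface, and anything you did not put in the mapping (here the management interface) should still sit on its original interface.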

Yes, that will work as an interim workaround if it is one port-channel subinterface to another port-channel subinterface. In my case I was trying to map multiple source ASA physical interfaces to a single port-channel on the FTD, with subinterfaces corresponding to the multiple physical interfaces. Maybe I could have gotten it to work if I had more extensively hand-modified the source ASA config to fool the tool into thinking they all started out as subinterfaces on a single interface.

Good that you cracked it. Since the software does not know what you did, you changed the config to bluff the tool so it can migrate as it is.

Good stuff.

BB
