migrating to new IPv4 subnet - can we run two at once?

James Leinweber
Enthusiast

I have a 5525-x firewall running ASA firmware 9.4.2(6) on which I'd like to renumber a trunked subinterface to a different IPv4 subnet.  This would be most conveniently done if I could have both the old and new subnets active simultaneously on the same vlan while we migrate all of the downstream client hosts. In theory, according to the documentation, this might be possible.  However, I haven't found a way to make this work.  Has anyone ever succeeded with this?  It fails for me identically in 9.4 and 9.6 firmwares.  Should I open a TAC, or is it hopeless?

Suppose the interface were:

interface Gi0/3.10
   vlan 10
   nameif xxx
   security-level 100
   ip address 192.0.2.1 255.255.255.0

Further suppose the end goal was "ip address 198.51.100.1 255.255.255.0", and the MAC address of the interface was 0000.1111.2222.

According to the command reference for "arp" and "route", an intermediate state with both the new address 198.51.100.1 and the old address 192.0.1.1 active at once might be obtainable by:

arp xxx 198.51.100.1 0000.1111.2222 alias
route xxx 198.51.100.0 255.255.255.0 192.0.2.1

However, that route statement produces

ERROR: invalid next hop address 192.0.2.1, it matches our IP address

Alternatively "route xxx 198.51.100.0 255.255.255.0 198.51.100.1" doesn't produce an error, but the new subnet doesn't work, either.

-- Jim Leinweber, WI State Lab of Hygiene

1 Accepted Solution


Philip D'Ath
Advisor

Do you have a spare interface on the ASA?  If so, plug it into the same switch but with the new address range.

Make sure you keep the traffic symmetric.


As it happens, I do have an extra physical interface, and can make this ploy work; I've tried it successfully in my test lab.  You can't, apparently, have two subinterfaces with the same vlan tag, so you do need an entire spare interface.

Thanks for the suggestion!

-- Jim Leinweber
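
The spare-interface approach from the accepted answer, written out as an added example that is not part of the original posts. The port GigabitEthernet0/4, the nameif xxx_new and the ACL name XXX_IN are assumptions; the addresses, VLAN 10 and nameif xxx come from the question.

```cisco
! Added example. GigabitEthernet0/4, xxx_new and XXX_IN are assumed names.
!
! Old subnet: the trunked subinterface from the question, left unchanged.
interface GigabitEthernet0/3.10
 vlan 10
 nameif xxx
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! New subnet: spare physical port, cabled to a switch access port in
! VLAN 10 (untagged), so both gateways sit on the same layer-2 segment.
interface GigabitEthernet0/4
 nameif xxx_new
 security-level 100
 ip address 198.51.100.1 255.255.255.0
 no shutdown
!
! Both interfaces are at security-level 100. Without this command the ASA
! drops traffic between migrated and not-yet-migrated hosts.
same-security-traffic permit inter-interface
!
! Policy is bound to the nameif, not to the VLAN. Any access-group, nat or
! management-access statement that names "xxx" does not cover "xxx_new"
! and has to be repeated for it, for example (XXX_IN is a placeholder):
!   access-group XXX_IN in interface xxx_new
!
! Symmetry: change each host's address and default gateway together, so a
! flow that enters on one interface returns through the same one. The ASA
! is stateful and drops return traffic that arrives on the other interface.
```

Once every host has moved, the old address and subinterface can be removed, leaving only the policy attached to xxx_new.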
