Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
281
Views
0
Helpful
2
Replies

migrating to new IPv4 subnet - can we run two at once?

Go to solution
James Leinweber
Level 4
Level 4

‎04-05-2016 10:15 AM - edited ‎03-12-2019 12:35 AM

I have a 5525-x firewall running ASA firmware 9.4.2(6) on which I'd like to renumber a trunked subinterface to a different IPv4 subnet.  This would be most conveniently done if I could have both the old and new subnets active simultaneously on the same vlan while we migrate all of the downstream client hosts. In theory, according to the documentation, this might be possible.  However, I haven't found a way to make this work.  Has anyone ever succeeded with this?  It fails for me identically in 9.4 and 9.6 firmwares.  Should I open a TAC, or is it hopeless?

Suppose the interface were:

interface Gi0/3.10

   vlan 10

   nameif xxx

   security-level 100

   ip address 192.0.2.1 255.255.255.0

Further suppose the end goal was "ip address 198.51.100.1 255.255.255.0", and the MAC address of the interface was 0000.1111.2222.

According to the command reference for "arp" and "route" an intermediate state with both the new address 198.51.100.1 and the old address 192.0.1.1 active at once might be obtainable by:

arp xxx 198.51.100.1 0000.1111.2222 alias

route xxx 198.51.100.0 255.255.255.0 192.0.2.1

However, that route statement produces

ERROR: invalid next hop address 192.0.2.1, it matches our IP address

Alternatively "route xxx 198.51.100.0 255.255.255.0 198.51.100.1" doesn't produce an error, but the new subnet doesn't work, either.

-- Jim Leinweber, WI State Lab of Hygiene

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎04-05-2016 01:00 PM

Do you have a spare interface on the ASA?  If so, plug it into the same switch but with the new address range.

Make sure you keep the traffic symmetric.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎04-05-2016 01:00 PM

Do you have a spare interface on the ASA?  If so, plug it into the same switch but with the new address range.

Make sure you keep the traffic symmetric.

0 Helpful

Go to solution
James Leinweber
Level 4
Level 4
In response to Philip D'Ath

‎04-07-2016 09:17 AM

As it happens, I do have an extra physical interface, and can make this ploy work; I've tried it successfully in my test lab.  You can't, apparently, have two subinterfaces with the same vlan tag, so you do need an entire spare interface.

Thanks for the suggestion!

-- Jim Leinweber

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card