Solved: Re: Modify Vlan ID on ASA interface

LuigiDiFronzo9542 · ‎06-01-2023

Hello,

There are 2 ASA 5545 ver 9.14 in HA, and there is a subinterface associated with an ISP and another subinterface associated with a second ISP. We need to change one subinterface with a diferent Vlan id as well as the subinterface id for standarization.

What would be the best strategy for that change? The change will interrupt the access for the other subinterface?.

Thanks

Rob Ingram · ‎06-01-2023

@LuigiDiFronzo9542 I am pretty sure you cannot change the subinterface ID of an interface, you can certainly change the VLAN number. You'd have to recreate a new sub-interface using your new standardised convention. Bear in mind if you delete the old sub interface, recreate using the new naming convention and reuse the original nameif, you will have to recreate the NAT and associate the ACL to the interface.

Or just change the VLAN ID and leave the subinterface ID using the old naming convention.

View solution in original post

MHM Cisco World · ‎06-01-2023

I think you have SW, because same physical two subinterface can not connect without SW.
NOW
add the new subinterface, add NAT add ACL...etc.
in SW add this new VLAN
NOW in SW re-config the interface connect to ISP from OLD VLAN-ID to NEW VLAN-ID

the traffic will disrupt ? Yes traffic may be effect by this change. so it safe to do in maintenance window

View solution in original post

Rob Ingram · ‎06-01-2023

@LuigiDiFronzo9542 I'd probably just create another sub-interface on the ASA and the connected interface leading to the ISP hardware. You would then need to amend any NAT and ACL configuration to reflect the new nameif. Once that is working you can then remove the old sub-interface.

Adding or changing a sub-interface would not cause a problem for the other sub-interface that hasn't changed.

LuigiDiFronzo9542 · ‎06-01-2023

Thank you Rob,

In this case I forgot to mention that the IP address of the subinterface to be changed, will be the same.

Rob Ingram · ‎06-01-2023

@LuigiDiFronzo9542 I am pretty sure you cannot change the subinterface ID of an interface, you can certainly change the VLAN number. You'd have to recreate a new sub-interface using your new standardised convention. Bear in mind if you delete the old sub interface, recreate using the new naming convention and reuse the original nameif, you will have to recreate the NAT and associate the ACL to the interface.

Or just change the VLAN ID and leave the subinterface ID using the old naming convention.

MHM Cisco World · ‎06-01-2023

I think you have SW, because same physical two subinterface can not connect without SW.
NOW
add the new subinterface, add NAT add ACL...etc.
in SW add this new VLAN
NOW in SW re-config the interface connect to ISP from OLD VLAN-ID to NEW VLAN-ID

the traffic will disrupt ? Yes traffic may be effect by this change. so it safe to do in maintenance window

LuigiDiFronzo9542 · ‎06-01-2023

Thanks MHM,

In fact the interface is connected to a switch, and the modifications ocurred because a change of Vlan number at Sw level. So the number of Vlan was changed and now we must reconfigure in ASA this new Vlan number. In fact the IP of subinterface is the same as well as the gateway.

MHM Cisco World · ‎06-02-2023

if you want to do change without effect the traffic then
A- you use ECMP, if yes then stop use it and shift the traffic via other ISP
B- if you use one path for default route toward the ISP you want to change VLAN0ID for it then shit traffic to other ISP

add subinterface with different VLAN-ID the FW will accept this step BUT the FW will not accept assign two different interface/subinterface with same subnet, so you need to delete IP from OLD subinterface and add IP to NEW subinterface.