What's the best way to swap the interface configuration

d-fillmore · ‎07-13-2012

Hi - I have a redundant pair of 5520s and I need to swap the interface configuration on them;

We have a DMZ connected to the Management interface and the failover link runs over one of the gig interfaces. I'm trying to work out the best way to swap the interface config for these whilst minimizing downtime.

Does anyone have any suggestions?

Many thanks, Dom

Jouni Forss · ‎07-13-2012

Hi,

Personally I haven't had to do this kind of change. When interfaces have changed it has almost always been a larger change where some downtime was to be expected.

You could maybe do it like this

- Remove the secondary unit from the network and remove the Failover configurations (I think you can leave the standby IP configurations intact, but not 100% sure)

- Change the DMZ configurations and physical connections to the new port. You will also need to issue all the "nameif" related commands again (like NAT commands and attaching ACL to an interface and so on.

- Configure the new Failover link

- Perhaps even clear the configurations on the former secondary unit and configure it with just the failover configurations and let it copy the settings from the primary/active unit when its (secondary ASA) connected to the network.

Ofcourse youve better backup the original situation/configuration and also gather all the configurations related to the DMZ interfaces "nameif" since you will loose all those when moving the interface configurations (you cant change the nameif to another interface/subinterface without losing the related configurations as the ASA wont let you name another interface with the same "nameif" if one already excists)

- Jouni