Data Centre migration plan

aok
Level 1

Hello

 

In our data center we will be replacing our existing Cisco ASA 5520 active/standby firewall pair with Cisco ASA 2210s and also swapping our 3750G core switch stack with 2 Nexus 3172Ps. We would like to set up the new hardware in parallel with production, fully test the new setup and then migrate with minimal service impact. Any tips on how we can achieve this?

 

Please let me know what information you need.

 

Thanks
AO

7 Replies

cdusio
Level 4
Hire someone to assist you; that's way too much to ask on a forum, IMHO.

balaji.bandi
Hall of Fame

As suggested, you can ask for a PS service with a partner.

 

Or

 

If you have the expertise internally, build the setup the same as the old one and test that all is good, then connect it to the live network.

Cut over the devices/servers in the change window. Once all are migrated to the new environment,

keep the old setup until the new setup is stable and working as expected, and then decommission the old kit.

 

 

BB


Thanks for the replies. I'm pretty comfortable setting up the firewalls and switches to all communicate with each other in an isolated environment and test internally. My main concern is how do we test being able to access the environment externally since we would need to put public IPs on the external interfaces. We currently have two internet circuits configured as active/standby.

The problem is you can't have the same public IPs on both firewalls at the same time, obviously, so the only way to really do it is to build it in parallel but offline, then put test machines outside and one that corresponds to the public IPs on the inside, so say NAT outside is 4.4.4.4 to existing server 10.10.10.10.

 

Then in your lab, copy over the same stuff in terms of the equivalent config, but then just use something like a laptop on the inside to show it's working. If you could use different IPs, you could address the new firewalls with new addresses in the same space and different internal IPs, then you could theoretically flip-flop between the two in parallel. You could do interesting things like source NAT the traffic coming into the new firewalls so you don't have to change your gateways on the servers etc., but that may or may not be an option for you depending on the IP space you have etc.

 

The other thing is, are you using FTD on the new firewalls or ASA code? Different animal entirely if FTD.

Hi cdusio

 

Thanks for the tips, building the new environment offline sounds good, I'll start planning for that. I don't know if we have additional IPs in the same space but will try to find out so we know whether doing the other option is possible. I like the sound of doing it completely isolated, seems like less risk of impacting prod. We are just going to be running ASA code, no FTD.

 

Thanks

AO

As suggested, make all the pre-configuration ready, test with different spare public IPs if you have them, and keep the working setup ready.

 

Like moving from old switches to new switches, there are syntax changes; you get enough time to fix those issues.

 

Also from ASA to FTD, and so on.

 

If the organisation has not set any timelines, you can get experience and hands-on deployment, so you can provide the ongoing support in future.

 

If the organisation can give you the PS service cost, opt for a PS service, shadow them, learn, and document for your ongoing support.

 

 

BB


Found out we don't have spare public IPs in the same range to fully test the new setup so may need to go down the isolated environment route. Anyone have suggestions on our options to migrate in stages rather than in one big bang? We do have a different public IP range we can use. I'm guessing we would require additional ports on our ISP equipment to plug into either way? I'm not physically at the site so would need to get somebody local to check what's available if so.

 

Thanks

AO
