08-16-2018 12:44 PM - edited 03-01-2019 08:49 AM
Hello
In our data center we will be replacing our existing Cisco ASA 5520 active/standby firewall pair with Cisco ASA 2210s and also swapping our 3750G core switch stack with 2 Nexus 3172Ps. We would like to set up the new hardware in parallel with production, fully test the new setup and then migrate with minimal service impact. Any tips on how we can achieve this?
Please let me know what information you need.
Thanks
AO
08-16-2018 12:54 PM
08-16-2018 01:24 PM
As suggested, you can ask for PS Service from a partner.
Or
If you have expertise internally, build the setup the same as the old one and test that all is good, then connect to the live network.
Cut over the devices/servers in the change window. Once all are migrated to the new environment,
keep the old setup until the new setup is stable and working as expected, and then decommission the old kit.
08-16-2018 01:32 PM
Thanks for the replies. I'm pretty comfortable setting up the firewalls and switches to all communicate with each other in an isolated environment and test internally. My main concern is how do we test being able to access the environment externally since we would need to put public IPs on the external interfaces. We currently have two internet circuits configured as active/standby.
08-16-2018 01:40 PM
Problem is you can't have the same public IPs on both firewalls at the same time, obviously, so the only way to really do it is to build it in parallel but offline, then put test machines outside and one that corresponds to the public IPs on the inside. So say the NAT outside is 4.4.4.4 to existing server 10.10.10.10;
then in your lab, copy over the same stuff in terms of the equivalent config, but just use something like a laptop on the inside to show it's working. If you could use different IPs, you could address the new firewalls with new addresses in the same space and different internal IPs; then you could theoretically flip-flop between the two in parallel. You could do interesting things like source-NAT the traffic coming into the new firewalls so you don't have to change your gateways on the servers etc., but that may or may not be an option for you depending on the IP space you have etc...
The other thing is: are you using FTD on the new firewalls or ASA code? Different animal entirely if FTD.
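An added example (not cdusio's or the thread's own config) of the isolated-lab version of the static NAT described above, using the 4.4.4.4 / 10.10.10.10 pair from the post. The interface addresses, the 203.0.113.50 outside test-client address and the object/ACL names are assumptions.

```cisco
! Lab-only ASA (9.x syntax) reproducing one production static NAT offline.
! Nothing here touches production; "outside" is an isolated lab segment.
!
! Outside interface: 4.4.4.1 is an assumed lab gateway address for the
! test segment, NOT an address advertised on the real ISP circuit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 4.4.4.1 255.255.255.0
 no shutdown
!
! Inside interface: a lab laptop with 10.10.10.10 stands in for the real
! server and uses 10.10.10.1 as its default gateway.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Same static NAT as production: public 4.4.4.4 <-> inside 10.10.10.10
object network LAB-WEB-SERVER
 host 10.10.10.10
 nat (inside,outside) static 4.4.4.4
!
! Least-privilege inbound rule: permit only the service port actually
! exposed. The ACL references the object (real IP, post-8.3 behaviour),
! not the public 4.4.4.4. The explicit deny with "log" makes anything
! else that reaches the outside interface visible in syslog during testing.
access-list OUTSIDE_IN extended permit tcp any object LAB-WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Verification from the ASA CLI (enable mode, not config mode) ---
! 1) Simulate the outside test box (assumed 203.0.113.50, which must have
!    a route to 4.4.4.0/24 via 4.4.4.1) hitting the public IP:
!      packet-tracer input outside tcp 203.0.113.50 40000 4.4.4.4 443
!    Expect the NAT phase to show 4.4.4.4 -> 10.10.10.10 and a final ALLOW.
! 2) Confirm the translation is installed:
!      show nat detail
! 3) Confirm the permit line is hit and the deny line stays at zero
!    for legitimate test traffic:
!      show access-list OUTSIDE_IN
```

Because the public IPs are duplicated in the lab, the lab outside segment must never be cabled to the production ISP hand-off; the same object and ACL lines can then be pasted unchanged at cut-over.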
08-20-2018 10:32 AM
Hi cdusio
Thanks for the tips, building the new environment offline sounds good, I'll start planning for that. I don't know if we have additional IPs in the same space but will try to find out so we know whether doing the other option is possible. I like the sound of doing it completely isolated, seems like less risk of impacting prod. We are just going to be running ASA code, no FTD.
Thanks
AO
08-18-2018 02:23 AM
As suggested, make all the pre-configuration ready, test with different spare public IPs if you have them, and keep the working setup ready.
Like moving from old switches to new switches, there is a syntax change; you get enough time to fix those issues.
Also from ASA to FTD, and so on.
If the organisation has not set any timelines, you can get experience and hands-on deployment, so you can support it in future for the ongoing support.
If the organisation can give you the PS Service cost, opt for a PS Service, shadow them, learn, and document for your ongoing support.
09-04-2018 01:32 PM
Found out we don't have spare public IPs in the same range to fully test the new setup, so we may need to go down the isolated environment route. Anyone have suggestions on our options to migrate in stages rather than in one big bang? We do have a different public IP range we can use. I'm guessing we would require additional ports on our ISP equipment to plug into either way? I'm not physically at the site, so I would need to get somebody local to check what's available if so.
Thanks
AO