
Cisco ASA5585x Change Netmask live on an interface

Cisco Adaptive Security Appliance Software Version 9.6(4)8

 

We're going to change the netmask on two interfaces on an ASA5585x firewall.

These interfaces are critical for a system that runs behind these interfaces,

and these systems cannot have any downtime or LoS.

 

So my question is, how much of an impact does the change of the netmask

have on these systems, will there be any downtime because of this?

 

The config I want to do is:

#interface Port-channel23.808
#ip address 172.31.28.1 255.255.252.0 standby 172.31.28.2

and

#interface Port-channel23.810
#ip address 172.31.24.1 255.255.252.0 standby 172.31.24.2

 

Will there be any loss of packets and/or sessions?

 

The ASA is in an HA-cluster.

Current config is:

 

interface Port-channel23.808
 vlan 808
 nameif eR-Tst
 security-level 30
 ip address 172.31.28.1 255.255.255.0 standby 172.31.28.2
 ipv6 address 2001:67c:274:1309::1/64 standby 2001:67c:274:1309::2
 ipv6 enable
 ipv6 nd prefix 2001:67c:274:1309::/64 no-autoconfig

interface Port-channel23.810
 vlan 810
 nameif eR-Srv
 security-level 40
 ip address 172.31.24.1 255.255.255.0 standby 172.31.24.2
 policy-route route-map rm-er-srv
 ipv6 address 2001:67c:274:1313::1/64 standby 2001:67c:274:1313::2
 ipv6 enable
 ipv6 nd prefix 2001:67c:274:1313::/64 no-autoconfig

 

Thanks in advance if there is anyone who knows if there is a way to change

the subnet mask without disrupting the network on an ASA5585 in an HA-cluster.

 

With Regards

Staffan Celind

1 Reply 1

Francesco Molino
VIP Alumni
Hi

You're increasing the subnet mask.
If you have dynamic routing advertising these subnets, then it won't work based on your config and you need to make sure of this to avoid interruption.
The same applies to ACLs and NAT: after modifying the mask, you'll need to modify them if you want all machines outside the actual /24 that will be in the new /22 to access the Internet or to be accessed by others.

The subnet mask itself won't cause any disruption, but features on the side might if not configured to reflect the new mask.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
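
A pre-change check for the point made in the reply, added here as an example and not written by either poster: it scans ASA configuration text for address/mask pairs that still describe the old /24, or that sit in address space only the new /22 covers (for instance a static route that would collide with the widened connected subnet). The interface names and the /24 to /22 changes come from the question; the sample configuration lines and the function name `review` are constructed for illustration.

```python
import ipaddress
import re

# Planned changes from the question: nameif -> (current network, new network).
CHANGES = {
    "eR-Tst": ("172.31.28.0/24", "172.31.28.0/22"),
    "eR-Srv": ("172.31.24.0/24", "172.31.24.0/22"),
}

# Constructed sample lines, not taken from the poster's firewall.
SAMPLE_CONFIG = """\
object network obj-er-tst
 subnet 172.31.28.0 255.255.255.0
access-list er-srv-in extended permit ip 172.31.24.0 255.255.255.0 any
router ospf 1
 network 172.31.24.0 255.255.255.0 area 0
route outside 172.31.30.0 255.255.255.0 192.0.2.1
access-list mgmt-in extended permit ip 10.10.0.0 255.255.0.0 any
"""

# ASA ACLs, objects, routes and OSPF network statements use "address netmask".
PAIR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(255(?:\.\d{1,3}){3})\b")


def review(config, changes=CHANGES):
    """Return (line_no, nameif, reason, text) for lines affected by the mask change."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        for addr, mask in PAIR.findall(line):
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # not a valid address/netmask pair
            for nameif, (old, new) in changes.items():
                old_net, new_net = ipaddress.ip_network(old), ipaddress.ip_network(new)
                if net == old_net:
                    # Rule, object or advertisement still limited to the old /24.
                    findings.append((no, nameif, "old-mask", line.strip()))
                elif net.overlaps(new_net) and not net.overlaps(old_net):
                    # Space that only becomes part of the interface subnet after the change.
                    findings.append((no, nameif, "newly-covered", line.strip()))
    return findings


if __name__ == "__main__":
    for no, nameif, reason, text in review(SAMPLE_CONFIG):
        print(f"line {no}: {nameif}: {reason}: {text}")
```

Supernets that already contained the old /24 are deliberately not reported, since widening the interface mask does not change how they match.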