Cisco ASA – Moving Interface Names on a Cisco ASA While Maintaining Configuration

cisco-asa

My initial problem: I’ve run out of physical ports on my ASA 5525-X

My initial solution: Create sub-interfaces on a port-channel and use a switch to aggregate my VLANs

The subsequent issue: How do I move the names assigned to the original interfaces to the new sub-interfaces while keeping the rest of my configuration in place?

If I issue a ‘no nameif’ directive on the original interface prior to reassigning the name, the ASA will delete every configuration element that referenced that name.

If I reissue the ‘nameif’ directive to rename the interface to something temporary prior to reassigning the original name, all of the configuration elements that referenced the original name will be updated to reflect the new name. In the end, I’m no closer to my goal.

The only solution I’ve found so far is the obvious one – edit the startup-config offline and reload the firewall with my changes already in place. What I don’t like about this is the reload time – the ASA doesn’t boot quickly. I won’t be able to sneak the downtime into a small maintenance window at the end of the day (is the internet down? Huh, it’s back up now – must have been me). Instead, I’ll have to schedule a longer maintenance window.

Update: Please check out the related question, Cisco ASA startup-config command ordering for sub-interfaces.

Is there another way to ‘move’ a name from one interface to a new interface while keeping everything else in place?
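The offline startup-config edit the question describes, as an added example that is not from the post or from Cisco: a small Python function that moves a nameif (with its security-level and ip address) from the port that carries it onto a new sub-interface, while every access-group, nat or route line that references the name is copied verbatim, so the references the ASA would drop on "no nameif" survive. The interface-block layout it parses and the sample config are assumptions/constructed.

```python
# Directives bound to the name; they move with it to the sub-interface.
MOVED = ("nameif ", "security-level ", "ip address ")

# Constructed sample config (assumed layout: 'interface X' followed by
# one-space-indented directives and an optional '!' separator).
SAMPLE = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
access-group INSIDE_IN in interface inside
route inside 10.1.0.0 255.255.0.0 10.0.0.254 1
"""


def move_nameif(config, name, parent, vlan):
    """Return config with `name` moved from the port that carries it onto a
    new sub-interface `parent`.`vlan`. Lines outside interface blocks are
    copied unchanged, so nothing referencing `name` is lost.
    Raises ValueError if the name or the parent interface is absent."""
    lines, out, moved, insert_at, i = config.splitlines(), [], [], None, 0
    while i < len(lines):
        if not lines[i].startswith("interface "):
            out.append(lines[i]); i += 1
            continue
        block, i = [lines[i]], i + 1
        while i < len(lines) and lines[i].startswith(" "):
            block.append(lines[i]); i += 1
        if f" nameif {name}" in block:  # exact line match: 'inside2' != 'inside'
            kept = [block[0]]
            for line in block[1:]:
                (moved if line.strip().startswith(MOVED) else kept).append(line)
            # An unnamed port shows 'no nameif' etc. in an ASA config; mirror that.
            kept += [" no " + k.strip() for k in MOVED
                     if any(m.strip().startswith(k) for m in moved)]
            block = kept
        out.extend(block)
        if i < len(lines) and lines[i] == "!":  # keep the separator with its block
            out.append(lines[i]); i += 1
        if block[0] == f"interface {parent}":
            insert_at = len(out)  # sub-interface must follow its parent (parsed top-down)
    if not moved or insert_at is None:
        raise ValueError("interface name or parent interface not found")
    sub = [f"interface {parent}.{vlan}", f" vlan {vlan}"] + moved + ["!"]
    return "\n".join(out[:insert_at] + sub + out[insert_at:]) + "\n"


if __name__ == "__main__":
    print(move_nameif(SAMPLE, "inside", "Port-channel1", 10))
```

The edited text is what you would load as the new startup-config; the related ordering question still applies, which is why the sub-interface block is placed directly after its parent.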

Best Answer

Leave the physical port you are using as the untagged VLAN. You can direct that traffic to a VLAN# on your switch by setting the Native VLAN to the VLAN# you want that traffic to be on.

Then for every new VLAN you are adding to your ASA, make that a sub interface.

I don't have an ASA to validate this code, but it will look something like this:

interface gig0/0
  nameif ORIGINAL-NAMEIF
  security-level 100

interface gig0/0.20
  vlan 20
  nameif NEW-VLAN-2
  security-level 20

interface gig0/0.30
  vlan 30
  nameif NEW-VLAN-3
  security-level 30

etc. It should allow you to add new sub interfaces without making any changes to your original interface. The "root" interface doesn't include a VLAN tag, so that traffic is unchanged.

You can run it this way indefinitely, or change it so everything is using VLAN tags at a later date when it's more convenient for you to bring the network down.