Scribd
Upload
30 views6 pages

Configuring VLAN Subinterfaces on ASA

This document discusses configuring VLAN subinterfaces on ASA devices. It provides guidelines on licensing requirements for VLAN subinterfaces on different ASA models and guidelines for configuring VLAN subinterfaces. It also provides examples of configuring VLAN subinterfaces and assigning them to contexts.

Uploaded by

Ali Kazmi
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
30 views6 pages

Configuring VLAN Subinterfaces on ASA

This document discusses configuring VLAN subinterfaces on ASA devices. It provides guidelines on licensing requirements for VLAN subinterfaces on different ASA models and guidelines for configuring VLAN subinterfaces. It also provides examples of configuring VLAN subinterfaces and assigning them to contexts.

Uploaded by

Ali Kazmi
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

VLAN Subinterfaces

This chapter tells how to configure VLAN subinterfaces.

Note For multiple context mode, complete all tasks in this section in the system execution space. If you are not
already in the system execution space, in the Configuration > Device List pane, double-click System under
the active device IP address.

• About VLAN Subinterfaces, on page 1


• Licensing for VLAN Subinterfaces, on page 1
• Guidelines and Limitations for VLAN Subinterfaces, on page 2
• Default Settings for VLAN Subinterfaces, on page 3
• Configure VLAN Subinterfaces and 802.1Q Trunking, on page 3
• Examples for VLAN Subinterfaces, on page 4
• History for VLAN Subinterfaces, on page 5

About VLAN Subinterfaces


VLAN subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical
interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is
automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given
physical interface, you can increase the number of interfaces available to your network without adding
additional physical interfaces or ASAs. This feature is particularly useful in multiple context mode so that
you can assign unique interfaces to each context.

Licensing for VLAN Subinterfaces


Model License Requirement

Firepower 9300 Standard License: 1024

ASAv5 Standard License: 25

ASAv10 Standard License: 50

VLAN Subinterfaces
1
VLAN Subinterfaces
Guidelines and Limitations for VLAN Subinterfaces

Model License Requirement

ASAv30 Standard License: 200

ASA 5506-X Base License: 5


ASA 5506W-X Security Plus License: 30
ASA 5506H-X

ASA 5508-X Base License: 50

ASA 5512-X Base License: 50


Security Plus License: 100

ASA 5515-X Base License: 100

ASA 5516-X Base License: 50

ASA 5525-X Base License: 200

ASA 5545-X Base License: 300

ASA 5555-X Base License: 500

ASA 5585-X Base and Security Plus License: 1024

ASASM No support.

ISA 3000 Base License: 5


Security Plus License: 25

Note For an interface to count against the VLAN limit, you must assign a VLAN to it.

Guidelines and Limitations for VLAN Subinterfaces


Model Support
• ASASM—VLAN subinterfaces are not supported on the ASASM; ASASM interfaces are already VLAN
interfaces assigned from the switch.
• For most ASA models, you cannot configure subinterfaces on the Management interface. See Management
Slot/Port Interface for subinterface support.

Additional Guidelines
• Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not
also want the physical interface to pass traffic, because the physical interface passes untagged packets.
This property is also true for the active physical interface in a redundant interface pair and for EtherChannel

VLAN Subinterfaces
2
VLAN Subinterfaces
Default Settings for VLAN Subinterfaces

links. Because the physical, redundant, or EtherChannel interface must be enabled for the subinterface
to pass traffic, ensure that the physical, redundant, or EtherChannel interface does not pass traffic by not
configuring a name for the interface. If you want to let the physical, redundant, or EtherChannel interface
pass untagged packets, you can configure the name as usual.
• The ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected
switch port to trunk unconditionally.
• You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use
the same burned-in MAC address of the parent interface. For example, your service provider might
perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated
based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6
link-local addresses, which can avoid traffic disruption in certain instances on the ASA.

Default Settings for VLAN Subinterfaces


This section lists default settings for interfaces if you do not have a factory default configuration.

Default State of Interfaces


The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the
interface is in the system execution space. However, for traffic to pass through the interface, the interface also
has to be enabled in the system execution space. If you shut down an interface in the system execution space,
then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
• Physical interfaces—Disabled.
• VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical
interface must also be enabled.

Configure VLAN Subinterfaces and 802.1Q Trunking


Add a VLAN subinterface to a physical, redundant, or EtherChannel interface.

Before you begin


For multiple context mode, complete this procedure in the system execution space. If you are not already in
the System configuration mode, in the Configuration > Device List pane, double-click System under the
active device IP address.

Procedure

Step 1 Depending on your context mode:


• For single mode, choose the Configuration > Device Setup > Interface Settings > Interfaces pane.

VLAN Subinterfaces
3
VLAN Subinterfaces
Examples for VLAN Subinterfaces

• For multiple mode in the System execution space, choose the Configuration > Context Management
> Interfaces pane.

Step 2 Choose Add > Interface.


The Add Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit Interface dialog
box; to configure other parameters, see Routed and Transparent Mode Interfaces. Note that in
multiple context mode, before you complete your interface configuration, you need to allocate
interfaces to contexts. See Configure Multiple Contexts.

Step 3 From the Hardware Port drop-down list, choose the physical, redundant, or port-channel interface to which
you want to add the subinterface.
Step 4 If the interface is not already enabled, check the Enable Interface check box.
The interface is enabled by default.

Step 5 In the VLAN ID field, enter the VLAN ID between 1 and 4094.
Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more
information. For multiple context mode, you can only set the VLAN in the system configuration.

Step 6 In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293.
The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

Step 7 (Optional) In the Description field, enter a description for this interface.
The description can be up to 240 characters on a single line, without carriage returns. For multiple context
mode, the system description is independent of the context description. In the case of a failover or state link,
the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover
Interface,” for example. You cannot edit this description. The fixed description overwrites any description
you enter here if you make this interface a failover or state link.

Step 8 Click OK.


You return to the Interfaces pane.

Related Topics
Licensing for VLAN Subinterfaces, on page 1

Examples for VLAN Subinterfaces


The following example configures parameters for a subinterface in single mode:

interface gigabitethernet 0/1


no nameif
no security-level
no ip address
no shutdown
interface gigabitethernet 0/1.1
vlan 101
nameif inside

VLAN Subinterfaces
4
VLAN Subinterfaces
History for VLAN Subinterfaces

security-level 100
ip address [Link] [Link]
no shutdown

History for VLAN Subinterfaces


Table 1: History for VLAN Subinterfaces

Feature Name Version Feature Information

Increased VLANs 7.0(5) Increased the following limits:


• ASA5510 Base license VLANs from 0 to 10.
• ASA5510 Security Plus license VLANs from 10 to 25.
• ASA5520 VLANs from 25 to 100.
• ASA5540 VLANs from 100 to 200.

Increased VLANs 7.2(2) VLAN limits were increased for the ASA 5510 (from 10 to 50 for the Base license,
and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150),
the ASA 5550 (from 200 to 250).

Increased VLANs for the ASA 5580 8.1(2) The number of VLANs supported on the ASA 5580 are increased from 100 to 250.

VLAN Subinterfaces
5
VLAN Subinterfaces
History for VLAN Subinterfaces

VLAN Subinterfaces
6

Common questions

Powered by AI

In single mode and system execution space, physical interfaces default to being disabled, while VLAN subinterfaces are enabled by default but need the parent physical interface to be enabled for traffic to pass. In multiple context mode, all interfaces allocated to contexts are enabled by default, regardless of the system execution space interface state. This configuration ensures that traffic can flow between contexts while maintaining centralized control over the interface states .

Without support for Dynamic Trunking Protocol (DTP), users must manually configure connected switch ports to trunk mode, increasing the risk of misconfigurations if not meticulously managed. This manual configuration requirement can complicate network management, possibly resulting in connectivity issues if the trunk mode is not correctly enabled on the switch port .

Default descriptions for failover and state links are fixed as "LAN Failover Interface," "STATE Failover Interface," or similar to maintain consistency and clarity in critical network roles. This defaulting ensures operational transparency, reducing risk of error in urgent scenarios, though it restricts custom labeling, which could be useful for context-specific annotating .

Over time, VLAN support limits on various ASA models have increased, such as ASA 5510 going from a base license support for 10 to 50 VLANs and the Security Plus license from 25 to 100 VLANs. Similar changes occurred in other models, with increases reflecting evolving network requirements and technological advancements, enhancing the scalability of ASA devices .

When configuring VLAN subinterfaces on an ASA device, some key guidelines and limitations include: you cannot configure subinterfaces on the ASASM because ASASM interfaces are already VLAN interfaces assigned from the switch. Subinterfaces cannot be on the Management interface for most ASA models, and you should not allow the physical interface to pass untagged packets if using subinterfaces, which means not configuring a name for the physical interface. Additionally, the ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected switch port to trunk unconditionally .

802.1Q trunking is integral to VLAN subinterfaces as it allows multiple VLANs to be carried across a single physical link by tagging traffic frames. Configuration involves setting up subinterfaces on a chosen physical or port-channel interface, then assigning unique VLAN IDs to each subinterface. This trunking enables the efficient use of physical resources by expanding link capacity and supports virtual network segmentation .

When assigning VLAN and subinterface IDs on ASA devices, it's essential to select IDs not reserved on connected switches, and consider platform limitations on the number of subinterfaces. Multiple context mode adds complexity as VLAN must be defined in the system configuration, necessitating careful planning across contexts to avoid conflicts and ensure resource allocation aligns with network design .

For configuring VLAN subinterfaces in multiple context mode, you must perform tasks in the system execution space as subinterface VLANs are set globally. This involves selecting the interface in the Context Management Interface pane and ensuring that interfaces are allocated to contexts. Potential complexities include managing interface states across contexts, ensuring each context has the required subinterface configurations, and handling the allocation of VLAN IDs which is centralized in the system configuration .

Assigning unique MAC addresses to VLAN subinterfaces can be beneficial because it allows for unique IPv6 link-local addresses, which can prevent traffic disruption linked to MAC address conflicts on the same parent interface. This is especially useful if a service provider performs access control based on the MAC address .

Licensing considerations for deploying VLAN subinterfaces vary across ASA models, affecting the limit on VLANs that can be created. For instance, a Firepower 9300 with a standard license can support 1024 VLANs, while an ASA 5506-X with a base license supports only 5 VLANs. Ensuring compliance with licenses is crucial for operational legality and network configuration flexibility; thus, understanding these limits is imperative in planning and scaling networks .

You might also like