This topic is to discuss the following lesson:
Question:
Why I can not create sub-interfaces if I have the security plus license?
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Please advise
Hi Alfredo,
The ASA 5505 only has switchports and it doesn’t support sub-interfaces. To make it work, you should make one of the interfaces a trunk that connects to the switch and then use SVI interfaces. For example:
interface Ethernet 0/0
switchport mode trunk
interface vlan 10
nameif INSIDE
security-level 100
ip address 192.168.10.254 255.255.255.0
Did this from memory but that should do the job.
Rene
If I have an existing interface on an ASA5580 redundant pair and want to create subinterfaces on that interface are there any production challenges I will face? Let say I have Gi8/2 with an existing ip 172.21.16.254, now I want to create two subinterface on Gi8/2 one for 172.21.16.x and one for 10.248.80.x. I know how to create sub-interfaces however not sure of the impact, I know when I move 172.21.16 to a subinterface I will lose connectivity while I reconfig the interface but I am wondering if I need to reload the ASA once the config is done or will it update as I config without a reload requirement. Any other thoughts you might have. I also realize that I need to change the access switchport connection to a trunk port.
Hi Bill,
It shouldn’t be a problem and downtime should be minimum. Once you move the configuration from the physical interface to the sub-interface and set the switchport to trunk, it will work immediately. No need to reboot the ASA or anything.
Rene
Hello Rene,
This seems to work on the 5506 so far, Is there a way to specify a native VLAN on the ASA port?
Thanks,
Chris
Hi Chris,
I don’t think you can change the native VLAN on the ASA, by default everything you send on the physical interface will be untagged and all sub-interfaces will be tagged (if you add a VLAN on it).
So there’s 3 ways to work around this:
- Use the physical interface on the ASA for the native VLAN.
- Configure the switch to tag the native VLAN.
- Don’t use the native VLAN between the switch and ASA.
Rene
Hi Rene,
In the design above would R1 be able to talk to R2 due to the security levels (70 going to an 80). Do Security level rules work the same for Sub Interfaces?
Thanks
Rob
Hi Rob,
That’s right, they work similar for sub-interfaces.
Rene
Thanks Rene,
Just to confirm - If we wanted R1 to talk to R2, we would need an ACL?
Cheers
Hi Rob,
If you go from a high security level to a low security level then you won’t need an access-list. R1 will be able to reach R2, there’s no need to configure anything else. You could however restrict this with an access-list.
If you want to permit traffic from R2 to R1 then you’ll need an access-list since you go from a low to a higher security level.
Rene
Hi Rene,
Is it not vice versa for your diagram above?
e.g
INSIDE1 which uses VLAN 10 and has a security level of 70 - Router 1
INSIDE2 which uses VLAN 20 and has a security level of 80. - Router 2
R1 to R2 would need AN ACL
R2 to R1 would not?
Or have I got the routers mixed up maybe.
You are totally right Rob…I mixed up those two routers Time for another coffee here hehe.
can the ASA participate in a VTP domain in transparent mode
so that it can share vlan info -
the link between the ASA and L3 switches need to be routed ports
ASA ---------------L3 SWITCH ------------------L3 SWITCH-------------ASA
trunk link TRUNK LINK
SWITCH SWITCH
Hi Aaron,
I’m afraid not, no VTP support for the ASA.
Rene
hi
Is it best to configure inside interfaces with vlans as at the moment all I have configured on them is routing with an IP address assigned to each ?
Hi Aaron,
It really depends on what you are trying to achieve. If you have a small network then an INSIDE, DMZ and OUTSIDE zone might be all that you need. If you require more zones then you’ll need to use VLANs since the ASA doesn’t have that many interfaces.
Rene
Hi
I have a stacked pair layer 3 switch configured with 6 SVI’s .
The firewall is connected to this with EIGRP routing enabled on all links ( inside and outside ) . All the firewall is doing at the moment is routing and filtering traffic before it hits the vlans
The firewall is then connected to a second pair of stacked switches . So why would I need to configure vlans on the firewall ?
stacked switch
ASA
Stacked switch ( ROUTED PORTS TOWARDS ASA )
( 6 SVI’S )
Thanks Rene , I appreciate your help
Hi Aaron,
There’s a couple of different options here. Right now you are using the switch for interVLAN routing, your ASA is only used when traffic from the VLANs leave your LAN and head out to the Internet. You don’t need anything else but an INSIDE and OUTSIDE on your ASA and that’s it. A static route (or routing protocol) on your switch to the ASA (and vice versa) and you are done. You can enforce some security between VLANs by using access-lists on your switch.
Now imagine you only have a layer 2 switch or perhaps you want some extra security between your VLANs…if this were the case then you could use the ASA for interVLAN routing. You would have to configure a trunk from the ASA to your switch and use sub-interfaces with VLANs in this scenario. I don’t recommend doing this for your LAN but it could be useful for your DMZ. Instead of having one big DMZ with all your servers you could break it down into multiple smaller DMZs and have traffic from server 1 in DMZ go through the ASA towards server 2 in DMZ 2 etc.
Hope this helps!
Rene
Hi Rene !
Need your experience !
Problem -
I have a stacked pair of layer 3 switches configured with 5 vlans
Also connected to the switches are a pair of ASA configured with HA
The stacked pair of switches are connected to a different site via fibre
Is there any need configure the connections to the ASA 's as trunk ports ? or is ok just to use static routes ?
Will there be 2 insides interfaces and 2 outside interfaces ?
I am happy with inside interfaces but will the outside interfaces connect to the stacked 3850’s configured with staitic routes ?