Cisco ASA VLANs and Sub-Interfaces

Question:

Why can I not create sub-interfaces if I have the Security Plus license?
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5505 Security Plus license.
Please advise

Hi Alfredo,

The ASA 5505 only has switchports and it doesn’t support sub-interfaces. To make it work, you should make one of the interfaces a trunk that connects to the switch and then use SVI interfaces. For example:

! Switchport facing the switch: carry VLAN 10 tagged on a dot1q trunk
interface Ethernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 10
 no shutdown
!
! SVI for VLAN 10: the routed, named interface the ASA firewalls on
interface Vlan10
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown

Did this from memory but that should do the job.

Rene
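As an added example (not part of Rene's reply or the original thread), here is the same idea extended to two VLANs, with the matching switch side and the commands used to confirm the trunk came up. The interface names, VLAN IDs and subnets are assumptions; a Security Plus license is assumed because the base 5505 license does not allow trunk ports.

```cisco
! Added example, not from the original thread. Assumptions: ASA 5505 with
! Security Plus, Ethernet0/1 cabled to switch port Gi1/0/1, VLAN 10 = INSIDE,
! VLAN 20 = DMZ, subnets 192.168.10.0/24 and 192.168.20.0/24.
!
! ---------------- ASA 5505 ----------------
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 no shutdown
!
! One SVI per VLAN. The ASA routes and filters between INSIDE and DMZ;
! DMZ -> INSIDE (50 -> 100) is dropped unless an ACL on DMZ permits it.
interface Vlan10
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown
!
interface Vlan20
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
 no shutdown
!
! ---------------- IOS switch ----------------
vlan 10
 name INSIDE
vlan 20
 name DMZ
!
interface GigabitEthernet1/0/1
 description trunk to ASA 5505 Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ---------------- checks ----------------
! ASA:    show switch vlan            -> Et0/1 listed as trunk member of 10 and 20
! ASA:    show interface vlan10       -> "line protocol is up"
! switch: show interfaces trunk       -> Gi1/0/1 trunking, VLANs 10,20 allowed
```

Keeping the allowed-VLAN list explicit on both ends matters: a trunk that carries every VLAN by default exposes segments to the firewall port that were never meant to reach it.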

If I have an existing interface on an ASA 5580 redundant pair and want to create sub-interfaces on that interface, are there any production challenges I will face? Let's say I have Gi8/2 with an existing IP 172.21.16.254; now I want to create two sub-interfaces on Gi8/2, one for 172.21.16.x and one for 10.248.80.x. I know how to create sub-interfaces, however I am not sure of the impact. I know when I move 172.21.16 to a sub-interface I will lose connectivity while I reconfigure the interface, but I am wondering whether I need to reload the ASA once the config is done or whether it will update as I configure it, without a reload requirement. Any other thoughts you might have? I also realize that I need to change the access switchport connection to a trunk port.

Hi Bill,

It shouldn't be a problem and downtime should be minimal. Once you move the configuration from the physical interface to the sub-interface and set the switchport to trunk, it will work immediately. No need to reboot the ASA or anything.

Rene
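The migration Bill describes, written out as an added example (not Rene's configuration or the original thread's). The VLAN IDs, the second gateway address and the switch port number are assumptions; the interface and 172.21.16.254 come from the question. One caveat a practitioner should plan for: removing or changing `nameif` on an interface makes the ASA drop the commands that referenced that name (access-group, nat, route and similar), so save the running-config first and re-apply those lines against the new sub-interface.

```cisco
! Added example, not from the original thread. Assumptions: VLAN 16 carries
! 172.21.16.0/24, VLAN 80 carries 10.248.80.0/24, switch port Gi1/0/24.
!
! ---------------- ASA: before ----------------
interface GigabitEthernet8/2
 nameif INSIDE
 security-level 100
 ip address 172.21.16.254 255.255.255.0
 no shutdown
!
! ---------------- ASA: after ----------------
! The physical port becomes an unnamed trunk carrier. Removing nameif also
! removes access-group/nat/route lines that referenced INSIDE; re-apply them
! against GigabitEthernet8/2.16 once it is named.
interface GigabitEthernet8/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet8/2.16
 vlan 16
 nameif INSIDE
 security-level 100
 ip address 172.21.16.254 255.255.255.0
!
interface GigabitEthernet8/2.80
 vlan 80
 nameif SERVERS
 security-level 100
 ip address 10.248.80.254 255.255.255.0
!
! Both sub-interfaces sit at level 100. Traffic between two interfaces of the
! same level is dropped by default; enable it deliberately if that is wanted,
! or pick different levels and write an ACL instead.
same-security-traffic permit inter-interface
!
! ---------------- switch: access port becomes a trunk ----------------
interface GigabitEthernet1/0/24
 description to ASA GigabitEthernet8/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 16,80
!
! ---------------- checks, no reload involved ----------------
! show interface GigabitEthernet8/2.16 | include line protocol
! show interface GigabitEthernet8/2.80 | include line protocol
! show running-config access-group      -> confirm bindings were re-applied
! show running-config nat               -> confirm NAT rules were re-applied
! write memory                          -> only after both sides are verified
```

On an active/standby pair this is normally done on the active unit so the change replicates to the standby; the failover link stays up throughout because it is a separate interface.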

Hello Rene,

This seems to work on the 5506 so far. Is there a way to specify a native VLAN on the ASA port?

Thanks,

Chris

Hi Chris,

I don’t think you can change the native VLAN on the ASA, by default everything you send on the physical interface will be untagged and all sub-interfaces will be tagged (if you add a VLAN on it).

So there are 3 ways to work around this:

  1. Use the physical interface on the ASA for the native VLAN.
  2. Configure the switch to tag the native VLAN.
  3. Don’t use the native VLAN between the switch and ASA.

Rene
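Options 1 and 2 above as configuration, added here as an example that is not part of Rene's reply or the original thread. The interface names, VLAN IDs and addresses are assumptions. A practitioner's caveat on option 1: if the native VLAN number differs between the switch and what the ASA physical interface is meant to carry, untagged frames silently land in the wrong segment, which is why option 3 (no untagged VLAN on the link at all) is the easiest to audit.

```cisco
! Added example, not from the original thread. Assumptions: ASA Gi0/1 trunked
! to switch Gi1/0/1, VLAN 10 = INSIDE, VLAN 20 = DMZ.
!
! ======== Option 1: native VLAN terminates on the ASA physical interface ========
! Untagged frames are handled by GigabitEthernet0/1 itself; VLAN 20 is tagged.
!
! --- ASA ---
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
!
! --- switch ---
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
! ======== Option 2: switch tags the native VLAN, ASA uses only sub-interfaces ========
! "vlan dot1q tag native" is a global IOS command: every trunk on that switch
! starts tagging its native VLAN, so check the other trunks before enabling it.
!
! --- switch ---
vlan dot1q tag native
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- ASA ---
! Nothing arrives untagged, so the physical interface carries no name or address.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
!
! Check on the switch that the native VLAN matches what the ASA expects:
! show interfaces GigabitEthernet1/0/1 trunk
```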

Hi Rene,

In the design above, would R1 be able to talk to R2 given the security levels (70 going to 80)? Do security level rules work the same for sub-interfaces?

Thanks
Rob

Hi Rob,

That’s right, they work similar for sub-interfaces.

Rene

Thanks Rene,

Just to confirm - If we wanted R1 to talk to R2, we would need an ACL?

Cheers

Hi Rob,

If you go from a high security level to a low security level then you won’t need an access-list. R1 will be able to reach R2, there’s no need to configure anything else. You could however restrict this with an access-list.

If you want to permit traffic from R2 to R1 then you’ll need an access-list since you go from a low to a higher security level.

Rene

Hi Rene,

Is it not vice versa for your diagram above?

e.g

INSIDE1 which uses VLAN 10 and has a security level of 70 - Router 1
INSIDE2 which uses VLAN 20 and has a security level of 80. - Router 2

R1 to R2 would need an ACL.
R2 to R1 would not?

Or have I got the routers mixed up maybe.

You are totally right Rob… I mixed up those two routers. Time for another coffee here, hehe.
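The corrected scenario from this exchange (R1 behind INSIDE1 at level 70, R2 behind INSIDE2 at level 80) as an added configuration example, not part of the thread. The physical interface, subnets and router addresses are assumptions. It also shows the check a practitioner would run, and the side effect of binding an ACL that is easy to miss.

```cisco
! Added example, not from the original thread. Assumptions: ASA Gi0/1 is the
! trunk, R1 = 192.168.10.1 on VLAN 10, R2 = 192.168.20.1 on VLAN 20.
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif INSIDE1
 security-level 70
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif INSIDE2
 security-level 80
 ip address 192.168.20.254 255.255.255.0
!
! R2 -> R1 is 80 -> 70 (high to low): permitted with no ACL.
! R1 -> R2 is 70 -> 80 (low to high): dropped until an ACL inbound on INSIDE1
! permits it. Permit only what is needed and log the rest.
access-list INSIDE1_IN extended permit tcp host 192.168.10.1 host 192.168.20.1 eq 22
access-list INSIDE1_IN extended permit icmp host 192.168.10.1 host 192.168.20.1 echo
access-list INSIDE1_IN extended deny ip any any log
access-group INSIDE1_IN in interface INSIDE1
!
! Side effect: once INSIDE1_IN is bound inbound on INSIDE1, the security-level
! default no longer applies to anything entering INSIDE1. Every flow R1 sends,
! including to lower-level interfaces such as OUTSIDE, must now be permitted
! by INSIDE1_IN or it hits the deny line above.
!
! Verify both directions without generating real traffic:
packet-tracer input INSIDE1 tcp 192.168.10.1 40000 192.168.20.1 22
packet-tracer input INSIDE2 tcp 192.168.20.1 40000 192.168.10.1 22
```

The second packet-tracer run shows the implicit rule doing the work (no ACL phase for INSIDE2), the first shows INSIDE1_IN being consulted; running both after any change is a cheap way to catch an ACL that accidentally locked R1 out of the Internet.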

Can the ASA participate in a VTP domain in transparent mode so that it can share VLAN info? The link between the ASA and the L3 switches needs to be routed ports.

ASA --------------- L3 SWITCH ------------------ L3 SWITCH ------------- ASA
                        | trunk link                  | trunk link
                     SWITCH                        SWITCH

Hi Aaron,

I’m afraid not, no VTP support for the ASA.

Rene

hi
Is it best to configure inside interfaces with VLANs? At the moment all I have configured on them is routing, with an IP address assigned to each.

Hi Aaron,

It really depends on what you are trying to achieve. If you have a small network then an INSIDE, DMZ and OUTSIDE zone might be all that you need. If you require more zones then you’ll need to use VLANs since the ASA doesn’t have that many interfaces.

Rene

Hi

I have a stacked pair of layer 3 switches configured with 6 SVIs.

The firewall is connected to this with EIGRP routing enabled on all links (inside and outside). All the firewall is doing at the moment is routing and filtering traffic before it hits the VLANs.

The firewall is then connected to a second pair of stacked switches. So why would I need to configure VLANs on the firewall?

stacked switch
      |
     ASA
      |
stacked switch (routed ports towards ASA, 6 SVIs)

Thanks Rene, I appreciate your help.

Hi Aaron,

There’s a couple of different options here. Right now you are using the switch for interVLAN routing, your ASA is only used when traffic from the VLANs leave your LAN and head out to the Internet. You don’t need anything else but an INSIDE and OUTSIDE on your ASA and that’s it. A static route (or routing protocol) on your switch to the ASA (and vice versa) and you are done. You can enforce some security between VLANs by using access-lists on your switch.

Now imagine you only have a layer 2 switch or perhaps you want some extra security between your VLANs…if this were the case then you could use the ASA for interVLAN routing. You would have to configure a trunk from the ASA to your switch and use sub-interfaces with VLANs in this scenario. I don’t recommend doing this for your LAN but it could be useful for your DMZ. Instead of having one big DMZ with all your servers you could break it down into multiple smaller DMZs and have traffic from server 1 in DMZ go through the ASA towards server 2 in DMZ 2 etc.

Hope this helps!

Rene
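The first option Rene describes (the switch routes between VLANs, the ASA only has INSIDE and OUTSIDE) written out as an added example; it is not configuration from the thread. The addressing, the summary prefix, the VLAN numbers and the switch ACL are assumptions, and NAT is left out.

```cisco
! Added example, not from the original thread. Assumptions: user VLANs 10-60
! all fall inside 10.10.0.0/16; routed /30 link 10.10.255.0/30 between the
! switch (.1) and the ASA (.2); ISP gateway 203.0.113.1.
!
! ---------------- L3 switch (IOS) ----------------
ip routing
!
interface GigabitEthernet1/0/1
 description routed link to ASA INSIDE
 no switchport
 ip address 10.10.255.1 255.255.255.252
!
! Everything the switch cannot route locally goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.10.255.2
!
! Inter-VLAN policy lives here, not on the firewall, because VLAN-to-VLAN
! traffic never reaches the ASA in this design. Example: guests (VLAN 20)
! may not reach staff (VLAN 10) but may reach everything else.
ip access-list extended VLAN20_IN
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
interface Vlan20
 ip access-group VLAN20_IN in
!
! ---------------- ASA ----------------
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.255.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! One summary route covers every VLAN subnet behind the switch; without it the
! ASA would have no return path for 10.10.x.x and would drop the replies.
route INSIDE 10.10.0.0 255.255.0.0 10.10.255.1
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1
!
! Checks:
! ASA:    show route                  -> 10.10.0.0/16 via 10.10.255.1 on INSIDE
! switch: show ip route 0.0.0.0       -> default via 10.10.255.2
! ASA:    packet-tracer input INSIDE tcp 10.10.20.5 40000 198.51.100.10 443
```

This is the design Aaron already has; the trade-off is that the switch ACLs are stateless and unlogged compared with what the ASA would apply, which is exactly why Rene suggests the sub-interface approach for a DMZ rather than for the LAN.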

Hi Rene !

Need your experience !

Problem -

I have a stacked pair of layer 3 switches configured with 5 VLANs.
Also connected to the switches are a pair of ASAs configured with HA.

The stacked pair of switches are connected to a different site via fibre.

Is there any need to configure the connections to the ASAs as trunk ports, or is it OK just to use static routes?
Will there be two inside interfaces and two outside interfaces?
I am happy with the inside interfaces, but will the outside interfaces connect to the stacked 3850s configured with static routes?