Cisco ASA: Subinterface config

Design & Configure

Configuration General (15)

Design Corner (7)

DevOps (4)

Enterprise Routing (25)

Enterprise Switching (24)

Enterprise WAN (15)

LAN Security (2)

Network Security (33)

Network Services (3)

SD-WAN (3)

Cisco ASA: Subinterface config

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Most ASA models use routed ports for subinterface creation. To create subinterface on routed port, use vlan tag for which the traffic will be landed and sourced (to and from subinterface). On physical port the subinterface number must be defined. The rest configuration like nameif, security level and ip address still applies.

Example of subinterface creation:

ASA#configure terminal ASA(config)#interface GigabitEthernet1/4.10 ASA(config-if)#vlan 10 ASA(config-if)#nameif SRV ASA(config-if)#security-level 95 ASA(config-if)#ip address 10.254.21.1 255.255.255.0

ASA 5505 and 5506-X use switching physical ports thus the layer 3 interfaces are defined more like in switch with SVI interfaces. The example of L3 interface for ASA 5505 is given below.

Assign physical port to a vlan like you do for switches:

ASA#configure terminal ASA(config)#interface Ethernet0/0 ASA(config-if)#switchport access vlan 10

Define the related Layer 3 interface and give it necessary configuration:

ASA#configure terminal ASA(config)#interface Vlan10 ASA(config-if)#nameif inside ASA(config-if)#security-level 90 ASA(config-if)#ip address 10.254.1.241 255.255.255.0

Author: Marcin Bialy