Cisco ASA: Subinterface config

Design & Configure

Configuration General (15)

Design Corner (7)

DevOps (4)

Enterprise Routing (25)

Enterprise Switching (24)

Enterprise WAN (15)

LAN Security (2)

Network Security (33)

Network Services (3)

SD-WAN (3)

Cisco ASA: Subinterface config

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Most ASA models use routed ports for subinterface creation. To create a subinterface on a routed port, use a vlan tag for which the traffic will be landed and sourced (to and from a subinterface). On the physical port, the subinterface number must be defined. The rest configuration like nameif, security level and ip address still applies.

Example of subinterface creation:

ASA#configure terminal ASA(config)#interface GigabitEthernet1/4.10 ASA(config-if)#vlan 10 ASA(config-if)#nameif SRV ASA(config-if)#security-level 95 ASA(config-if)#ip address 10.254.21.1 255.255.255.0

ASA 5505 and 5506-X use switching physical ports thus the layer 3 interfaces are defined more like in switch with SVI interfaces. The example of L3 interface for ASA 5505 is given below.

Assign a physical port to a vlan like you do for switches:

ASA#configure terminal ASA(config)#interface Ethernet0/0 ASA(config-if)#switchport access vlan 10

Define the related Layer 3 interface and give it a necessary configuration:

ASA#configure terminal ASA(config)#interface Vlan10 ASA(config-if)#nameif inside ASA(config-if)#security-level 90 ASA(config-if)#ip address 10.254.1.241 255.255.255.0

Author: Marcin Bialy