subinterfaces

Answered Question
Jul 1st, 2008

Can someone verify the premise behind subinterfaces/VLANs on an ASA? I'm a little confused. On a router, a subinterface or secondary interface is a logical interface using a hardware interface. No switch required. But now, as I understand it, for a subinterface (also called a VLAN) on an ASA a switch is required. It looks like the ASA interface is merely a trunk link and the switch itself provides port capacity for the different VLANs. Is my understanding correct?

thank you,

Bill

a.alekseev Tue, 07/01/2008 - 11:35

yes, correct.

This is only for the ASA5505, which has a built-in switch.

Correct Answer
srue Tue, 07/01/2008 - 11:54

An ASA5505 uses switchports, VLAN interfaces, and switch-like commands (such as "switchport access vlan x").

Other ASAs use subinterfaces, which are then trunked to switches. They use dot1q and are assigned to their VLANs using the command "vlan x" in subinterface mode.

WILLIAM STEGMAN Tue, 07/01/2008 - 12:02

OK, I have a 5510. So what this really allows me to do is break out the physical interface of a DMZ port into multiple VLANs on a switch, rather than, as in the past, having a switch only add port capacity to a single subnet or network.

thank you

JORGE RODRIGUEZ Tue, 07/01/2008 - 14:05

Bill,

The ASA5510 is somewhat different from the ASA5505 which the previous posters explained and which answered your question; that sort of gears towards the 5505, which has a built-in switch. But generally 802.1q trunking is a standard that can be applied across any platform that supports it.

In the ASA5510 there is no built-in switch, so in order for you to create more routable L3 interfaces you will need to use a physical port and, yes, break it down or split it into several logical subinterfaces. In this case you will need a switch in order to create the L2 VLANs corresponding to the L3 subinterfaces in the firewall.

In short, your model ASA5510 can support up to 50 VLANs with the base license or 100 VLANs with the Security Plus license per firewall. You may create any combination of subinterfaces with unique names (DMZ1, DMZ2, etc.) as well as unique security levels.

Creating the subinterfaces off a physical interface on the ASA5510 will automatically turn on 802.1q trunking. It will then just be a task to configure the switch port connecting to the physical port of the firewall with 802.1q encapsulation, create the L2 VLANs, and assign the switch ports the right VLAN numbers.

Rgds

-Jorge
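A worked configuration for the arrangement Jorge describes (ASA5510 subinterfaces trunked to a switch), added here as an example and not part of any poster's reply. Interface names, VLAN numbers, addresses and the unused native VLAN are assumptions, and the switch side is written for an IOS switch.

```cisco
! ---- ASA5510 side (assumed: Ethernet0/2 is the physical DMZ port) ----
! The parent interface carries only the trunk; it gets no nameif, so it
! does not pass untagged traffic itself.
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Each subinterface is tagged with its VLAN via "vlan x" (this is what
! turns on 802.1q), and gets its own name and security level.
interface Ethernet0/2.10
 vlan 10
 nameif DMZ1
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif DMZ2
 security-level 40
 ip address 192.168.20.1 255.255.255.0
!
! ---- Switch side (assumed: Gi0/1 cabled to ASA Ethernet0/2) ----
vlan 10
 name DMZ1
vlan 20
 name DMZ2
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description 802.1q trunk to ASA5510 Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only carry the DMZ VLANs, and park the native VLAN on an unused one
 ! so no untagged traffic rides the trunk toward the firewall.
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
! A host port in DMZ1; its traffic reaches the ASA as VLAN 10 on Gi0/1.
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
```

"switchport trunk encapsulation dot1q" is only accepted on switches that also support ISL; on dot1q-only platforms omit that line. Distinct security levels (50 and 40 here) mean the two DMZs do not talk to each other without explicit policy, which is the point of splitting them.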
