Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
10
Helpful
4
Replies

subinterfaces

Go to solution
WILLIAM STEGMAN
Level 4
Level 4

‎07-01-2008 10:21 AM - edited ‎03-11-2019 06:07 AM

Can someone verify the premise behind subinterfaces/vlans on an ASA? I'm a little confused. On a router, a subinterface or secondary interface is a logical interface using a hardware interface. No switch required. But now as I understand subinterface, also called vlans, on an ASA a switch is required. It looks like the ASA interface is merely a trunk link and the switch itself provides port capacity for different vlans. Is my understanding correct?

thank you,

Bill

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
srue
Level 7
Level 7
In response to a.alekseev

‎07-01-2008 11:54 AM

an asa5505 uses switchports, vlan itnerfaces, and switch like commands (such as "switchport access vlan x).

other asa's use subinterfaces - which are then trunked to switches. they use dot1q and are assigned to their vlans using the command "vlan x" in subinterface mode.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
a.alekseev
Level 7
Level 7

‎07-01-2008 11:35 AM

yes, correct.

This is only for ASA5505, which has a buildin switch.

Go to solution
srue
Level 7
Level 7
In response to a.alekseev

‎07-01-2008 11:54 AM

an asa5505 uses switchports, vlan itnerfaces, and switch like commands (such as "switchport access vlan x).

other asa's use subinterfaces - which are then trunked to switches. they use dot1q and are assigned to their vlans using the command "vlan x" in subinterface mode.

0 Helpful

Go to solution
WILLIAM STEGMAN
Level 4
Level 4
In response to srue

‎07-01-2008 12:02 PM

ok, I have a 5510. So what this really allows me to do is breakout the pyhsical interface of a dmz port into multiple vlans on a switch rather than like in the past where a switch would only add port capacity to a single subnet or network.

thank you

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to WILLIAM STEGMAN

‎07-01-2008 02:05 PM

Bill,

ASA5510 is somewhat different from that of asa5505 which previous posters explain and answered your question which sort of gears towards the 5505 that has builtin-switch, but..generaly 802.1q trunking is a standard that can be applied acrross any platform that supports it.

In the asa5510 there is not built-in switch, so in order for you to create more routable L3 interfaces then you will need to use a physical port and yes.. brake it down of split it into several logical subinterfaces, in this case you will need a switch in order you create the L2 vlans conrespnding to the L3 subinterfaces in the firewall.

In short, your model asa5510 can support up to 50 VLANs with base license or 100 VLANs with Security Plus license per firewall, you may create any combination of subinterfaces with unique names DMZ1, DMZ2 etc. as well as unique security levels.

Creating the subinterfaces off a physical interface on the asa5510 will automatically turn on 802.1q trunking, it will just be a task to configure the switch port connecting the physical port of the firewall with 802.1q encapsulation as well as the L2 VLANS and again assign the switch ports the right vlan numbers.

Rgds

-Jorge

Jorge Rodriguez
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card