5520 ASA, create subinterfaces or use available physical interface?

Answered Question
Sep 19th, 2013

I need to divide part of my network using VLANs and give a department a segmented internet connection. I was thinking about creating subinterfaces on my 5520 but have never configured these before, and the firewall is so complex right now I don't feel comfortable changing the way an interface works; I have a feeling it might lead to an unexpected long downtime. The 5520 does have 1 available interface and I was wondering if I could put this on a separate network on the 5520 as another inside interface, then create new rules pertaining only to that network, thus not having to worry about messing with the current configuration for my network.


I'd appreciate any advice!

Correct Answer by julomban about 3 years 11 months ago

Mark,


I guess everything depends on your company requirements; if in the future you need to add more separate networks you may end up using sub-interfaces. As you said, moving from physical to logical will require major changes on your network: your switch must be configured as a trunk, the entire network must be redesigned, and you may need to re-configure the inside interface.


If the network is not meant to grow, at least in the next year, probably the easiest way will be to use that available interface and configure a second inside interface with the corresponding rules.


Regards,

Juan Lombana


Please rate helpful posts.
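The two options Juan describes, side by side, as an added configuration example (not from the original thread or from Cisco documentation). Interface names, VLAN IDs and addresses are assumptions: GigabitEthernet0/3 is taken to be the spare port on the 5520, GigabitEthernet0/1 the existing inside port, 10.10.0.0/16 the existing inside space, 10.20.0.0/24 the new department subnet, and the NAT lines use the ASA 8.3+ object syntax. Option A adds a second inside-grade interface and only touches new configuration; Option B shows why the subinterface route is riskier, since the existing inside name and address have to move off the physical port.

```cisco
! ===== Option A: spare physical port as a second inside interface =====
! Assumed: GigabitEthernet0/3 is unused, 10.20.0.0/24 is the department subnet.
interface GigabitEthernet0/3
 nameif dept
 security-level 100
 ip address 10.20.0.1 255.255.255.0
 no shutdown
!
! Two interfaces at the same security level do not forward to each other
! unless this is enabled. Leaving it disabled keeps the department
! segmented from the existing inside network by default.
no same-security-traffic permit inter-interface
!
! Department hosts reach the Internet through the outside interface address.
! Assumed: "outside" is the existing Internet-facing nameif.
object network DEPT-LAN
 subnet 10.20.0.0 255.255.255.0
 nat (dept,outside) dynamic interface
!
! Rules that apply only to the new interface. Assumed: 10.10.0.0/16 is the
! existing inside space; it is denied explicitly so the segmentation is
! visible in the ACL rather than relying on interface behaviour alone.
access-list DEPT-IN extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list DEPT-IN extended permit ip 10.20.0.0 255.255.255.0 any
access-group DEPT-IN in interface dept
!
! ===== Option B: 802.1Q subinterfaces on the existing inside port =====
! Assumed: GigabitEthernet0/1 is the current inside port and the switch
! uplink becomes a trunk carrying VLAN 10 (inside) and VLAN 20 (dept).
! Removing nameif from the physical port also removes configuration that
! references it (ACL bindings, NAT), which is the downtime Mark is worried about.
interface GigabitEthernet0/1
 no nameif
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dept
 security-level 100
 ip address 10.20.0.1 255.255.255.0
```

After applying Option A, `show interface ip brief`, `show nat` and `show access-list DEPT-IN` confirm the new interface is up, the object NAT is installed, and the hit counters move only on the department rules; the existing inside ACLs and NAT entries are untouched.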


Mark Mattix Thu, 09/19/2013 - 13:07

Thank you for the reply. My network is currently undergoing a redesign. I am implementing 2 redundant L3 switches with 3 VLANs configured on them. The link from the redundant switches to the firewall will remain as it is, as an access port. I believe this should forward traffic untagged as it currently is for 2 of my networks. I plan on using the extra interface on the ASA for the 3rd VLAN's internet access.


I hope to not have to reconfigure the ASA until we can possibly just replace the device with something newer.
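The switch side of the design Mark describes, as an added example that is not part of the thread: the uplink from the L3 switch to the ASA's spare port stays an access port (untagged), just placed in the third VLAN, and the ASA's new interface is that VLAN's default gateway. Everything here is assumed: VLAN 30 is the department VLAN, 10.30.0.0/24 its subnet, GigabitEthernet1/0/24 the uplink to the ASA and GigabitEthernet1/0/1-8 the department user ports. The same configuration is applied to the second redundant switch.

```cisco
! Department VLAN on the L3 switch. Assumed IDs and names.
vlan 30
 name DEPT
!
! Uplink to the ASA's spare interface: still an access port, untagged,
! so the ASA sees plain frames exactly as it does on the existing link.
interface GigabitEthernet1/0/24
 description Uplink to ASA Gi0/3 (dept gateway 10.30.0.1)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Department user ports.
interface range GigabitEthernet1/0/1 - 8
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Deliberately no "interface Vlan30" SVI: the switch stays Layer 2 for this
! VLAN, so it cannot route between VLAN 30 and the other VLANs. The ASA is the
! only path out, and its per-interface ACL decides what the department reaches.
!
! Verification after the change:
!   show vlan brief                               (ports 1-8 and 24 in VLAN 30)
!   show interfaces GigabitEthernet1/0/24 switchport   (Access Mode VLAN: 30)
!   show ip interface brief | include Vlan        (no Vlan30 listed)
```

If the department VLAN did need an SVI on the switch (for example, to use DHCP relay from the switch), the ASA interface and the SVI would instead share a small transit subnet and the ASA would carry a static route for 10.30.0.0/24 via the SVI address; that variant is not shown here because it reintroduces inter-VLAN routing on the switch that would have to be filtered separately.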

julomban Thu, 09/19/2013 - 13:11

Mark,


Sounds good, in your case you can use the third interface since you may need to re-configure your inside interface if using sub-interfaces.


Glad I could help.


Regards,

Juan Lombana

julomban Thu, 09/19/2013 - 13:16

And please do remember to mark the reply as the correct answer if it answered your question.
