Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
855
Views
5
Helpful
5
Replies

5520 ASA, create subinterfaces or use available physical interface?

Go to solution
Mark Mattix
Level 2
Level 2

‎09-19-2013 06:12 AM - edited ‎03-11-2019 07:40 PM

I need to divide part of my network using VLANs and give a department a segmented internet connection. I was thinking about creating subinterfaces on my 5520 but have never configured these before and the firewall is so complex right now I don't feel comfortable changing the way an interface works, I have a feeling it might lead to an unexpected long downtime. The 5520 does have 1 available interface and I was wondering if I could put this on a seperate network on the 5520 as another inside interface, then create new rules pertaining only to that network, thus not having to worry about messing with the current configuration for my network.

I'd appreciate any advice!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
julomban
Level 3
Level 3

‎09-19-2013 12:55 PM

Mark,

I guess everything depends on your company requirements, if in the future you need to add more separate networks you may end up using sub-interface. As you said, moving from physical to logical will require major changes on your network, your switch must be configure as a trunk and the entire network must be re-design and you may need to re-configure the inside interface.

If the network is not meant to increase, at least in the next year probably the easiest way will be to use that available interface and configure a second inside interface with the corresponding rules.

Regards,

Juan Lombana

Please rate helpful posts.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
julomban
Level 3
Level 3

‎09-19-2013 12:55 PM

Mark,

I guess everything depends on your company requirements, if in the future you need to add more separate networks you may end up using sub-interface. As you said, moving from physical to logical will require major changes on your network, your switch must be configure as a trunk and the entire network must be re-design and you may need to re-configure the inside interface.

If the network is not meant to increase, at least in the next year probably the easiest way will be to use that available interface and configure a second inside interface with the corresponding rules.

Regards,

Juan Lombana

Please rate helpful posts.

0 Helpful

Go to solution
Mark Mattix
Level 2
Level 2
In response to julomban

‎09-19-2013 01:07 PM

Thank you for the reply. My network is currently undergoing a redesign. I am implementing 2 redundant L3 switches with 3 VLANs configured on them. The link from the redundant switches to the firewall will remain as it is, as an access port. I believe this should forward traffic untagged as it currently is for 2 of my networks. I plan on using the extra interface on the ASA for the 3rd VLAN's internet access.

I hope to not have to reconfigure the ASA until we can possibly just replace the device with something newer.

0 Helpful

Go to solution
julomban
Level 3
Level 3
In response to Mark Mattix

‎09-19-2013 01:11 PM

Mark,

Sounds good, in your case you can use the third interface since you may need to re-configure your inside interface if using sub-interfaces.

Glad I could help.

Regards,

Juan Lombana

Go to solution
julomban
Level 3
Level 3
In response to julomban

‎09-19-2013 01:16 PM

and please do remember to mark the reply as the correct answer if it answered your question.

0 Helpful

Go to solution
Mark Mattix
Level 2
Level 2
In response to julomban

‎09-19-2013 01:18 PM

Thanks again for your help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card