New Member

5520 ASA, create subinterfaces or use available physical interface?

I need to divide part of my network using VLANs and give a department a segmented internet connection. I was thinking about creating subinterfaces on my 5520 but have never configured these before, and the firewall is so complex right now I don't feel comfortable changing the way an interface works; I have a feeling it might lead to an unexpected long downtime. The 5520 does have 1 available interface, and I was wondering if I could put this on a separate network on the 5520 as another inside interface, then create new rules pertaining only to that network, thus not having to worry about messing with the current configuration for my network.

I'd appreciate any advice!

1 ACCEPTED SOLUTION

Bronze


Mark,

I guess everything depends on your company requirements; if in the future you need to add more separate networks, you may end up using sub-interfaces. As you said, moving from physical to logical will require major changes on your network: your switch must be configured as a trunk, the entire network must be redesigned, and you may need to re-configure the inside interface.

If the network is not meant to grow, at least in the next year, probably the easiest way will be to use that available interface and configure a second inside interface with the corresponding rules.

Regards,

Juan Lombana

Please rate helpful posts.

5 REPLIES
New Member


Thank you for the reply. My network is currently undergoing a redesign. I am implementing 2 redundant L3 switches with 3 VLANs configured on them. The link from the redundant switches to the firewall will remain as it is, as an access port. I believe this should forward traffic untagged as it currently is for 2 of my networks. I plan on using the extra interface on the ASA for the 3rd VLAN's internet access.

I hope to not have to reconfigure the ASA until we can possibly just replace the device with something newer.

Bronze


Mark,

Sounds good. In your case you can use the third interface, since you may need to re-configure your inside interface if using sub-interfaces.

Glad I could help.

Regards,

Juan Lombana
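As an added illustration (not configuration posted by anyone in this thread), the two options the answers contrast in ASA CLI form, together with the rules that keep the new segment off the existing inside network; the interface names, VLAN number and addresses are assumptions:

```cisco
! Added example, not from the thread. Assumed layout:
!   existing inside network 10.10.0.0/16 on GigabitEthernet0/0 ("inside")
!   new department segment 10.30.0.0/24 carried in VLAN 30
!   GigabitEthernet0/3 is the spare physical port on the 5520
!
! ---- Option A: the spare physical interface (what the thread settles on) ----
! The switch port towards the ASA stays an access port in VLAN 30 (untagged),
! so the existing inside link and its configuration are untouched.
interface GigabitEthernet0/3
 nameif dept
 security-level 100
 ip address 10.30.0.1 255.255.255.0
 no shutdown
!
! ---- Option B: a sub-interface on the existing inside port (for comparison) ----
! Requires the switch-to-ASA link to become an 802.1Q trunk, which is the
! re-configuration of the inside interface the answer warns about.
! interface GigabitEthernet0/0.30
!  vlan 30
!  nameif dept
!  security-level 100
!  ip address 10.30.0.1 255.255.255.0
!
! ---- Rules that apply only to the new segment (either option) ----
! Traffic between two security-level 100 interfaces is dropped unless
! "same-security-traffic permit inter-interface" is configured. The explicit
! deny below keeps the department off the existing inside network even if that
! command is added later for another reason, and logs any attempt.
access-list dept_in extended deny ip 10.30.0.0 255.255.255.0 10.10.0.0 255.255.0.0 log
access-list dept_in extended permit ip 10.30.0.0 255.255.255.0 any
access-group dept_in in interface dept
!
! NAT for the new segment towards "outside" is still required; its syntax
! differs between ASA 8.2 and 8.3+, so it is omitted here.
```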

Bronze


And please do remember to mark the reply as the correct answer if it answered your question.

New Member


Thanks again for your help!
