ASA Vlan subinterfaces multiple contexts applications


Is it possible to do this on an ASA with multiple contexts?

Context A

Interface 1/0

interface1/0.260 

Context B

Interface 2/0

interface2/0.260

I am currently running two contexts, and am trying to assign the same VLAN between these contexts, with different IP addresses.  I do have the auto generation of MAC addresses enabled, and I also would have two different IP addresses on these subinterfaces (within the same subnet, obviously).  This comes from us scaling down from two firewalls to a single HA pair of firewalls and moving the previous devices into contexts on one HA pair.  Is this possible to do?  As right now, the ASA is barking at us telling us that we already have VLAN 260 assigned to interface1/0, even though I have already assigned the interfaces into different contexts.  Thanks for any support.


Aditya Ganjoo
Cisco Employee

Hi,

Yes, you should be able to do this.

You can assign the same IP address to multiple interfaces in a different context.

Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context as shown.

Note: If the admin does not wish to assign the MAC address with the manual method, you can use the mac-address auto command. This command assigns the MAC address automatically to all interfaces, inclusive of subinterfaces.

For more info:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/m1.html

Regards,

Aditya

Please rate helpful and mark correct answers

I agree with you, but I was asking about subinterfaces with a VLAN assigned to them.  Can you take separate interfaces, assign them to separate contexts in the firewall, and then assign them the same VLAN subinterface (VLAN 260), like two routers on a stick, between separate contexts, with the same VLAN?  I'm finding that the ASA complains and states that one interface already has VLAN 260 on it, and won't let me configure this VLAN subinterface on any other trunk interface on an ASA.

Context A

Interface 1/0

interface1/0.260 - ip address 192.168.1.2

Context B

Interface 2/0

interface2/0.260 - ip address 192.168.1.3

Bumping this in case anyone else sees this for a reply.  

I am having this same issue, and really hoped your question would be answered. I don't want to post the same question again. This should work, because technically each context is its own firewall. So it shouldn't matter if the same VLAN ID is used, but it still doesn't like it.
