Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Conversion of access ports to trunked sub-interfaces ports

Our corporate firewalls were setup many years ago when the company was much smaller than it is today, and they were setup with all the switch ports connected to the ASA's as access ports. Well the company has grown larger than one subnet can support and we are moving to multiple VLAN's off the switches hooked up to the ASA's. Since we are segmenting things into different security zones (DMZ-general, DMZ-web servers, etc) on the switches, I need to change the interfaces from access to trunked sub-interface ports. However, we have numerous ACL's, VPN tunnels, etc that all are setup. If I change the current access port to a trunked sub-interface port will that break all the current config? Will I have to rebuild the ACL's and VPN tunnels? Or can I make this change and as long as the sub-interface IP's remain the same (and I keep the same interface security level/name) everything will still work without change?

Everyone's tags (5)

Conversion of access ports to trunked sub-interfaces ports

If you remove the interface configuration of the currently configured interface, then all configuration that references that interface (nameif and IP) will be removed also.

Your VPN is attached to the outside interface most likely, so unless you change the subnets that are to be encrypted over the VPN this should still be fine...might just need to teardown and rebuild the VPN using clear crypto ipsec sa and clear crypto isakmp, if the tunnel doesn't rebuild automatically that is.

This not a small change and will require a service window.  If all IPs will remain the same you can just take a full backup of the current configuration and then change the interface configuration to subinterfaces and keep the exact same IP, nameif, security level.  Then just by copy pasting the original commands that reference the interface name or IP is needed.

You might also need to clear the mac address-table on the attached devices as they will have an incorrect mapping and unless the timeout has been manually changed til will only timeout in 4 hours.  so keep that in mind if things don't come up immediately.

Other than that the outage you should expect is the amount of time it takes you to configure the new subinterfaces and the copy paste of the old config back into the ASA.


Please rate all helpful posts.

Please remember to rate and select a correct answer

Conversion of access ports to trunked sub-interfaces ports

FYI: Remember to keep layer to interface on the switch for the sub-interfaces that you will create on the ASA, you don´t want to have the switch and the ASA routing for the VLANs involved, inter-vlan routing should only be done the ASA if it has sub interfaces or on the switch if for say as an example you have several network behind the inside interface of the ASA through an internal layer 3 switch.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
Community Member

Conversion of access ports to trunked sub-interfaces ports

1.     backup running config or just copy run start

2.     remove interface ip address for the physical interface(note: this will cause an outage)

3.     make sure interface is not shut down

4.     configure subinterfaces, IP address, vlan and security level (recommend to use same as the previous physical interface config)

5.      make sure switchport is configured for trunking (by default all vlans are allowed on cisco switches)

6.     make sure you have same security inter-interface and intra-interface enabled

7.    If you have nat enabled to connect to the internet (i assume you are, most people do), i,e nat (DMZ) 101, note that traffic through the interface to other DMZs (i.e DMZ2) will be natted also. So remember to do nat0 for that traffic class.

Btw - If you use thesame interface paramter you removed from the physical interface, you should be fine.

notting else comes to mind at this of luck.


CreatePlease to create content