Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
701
Views
0
Helpful
3
Replies

Migrate ASA 5510 Inside Interface to Multiple Sub-interfaces

John Woods
Level 1
Level 1

‎11-03-2013 01:11 AM - edited ‎03-11-2019 07:59 PM

Hello,

We currently have an ASA 5510 as our edge firewall that is connected on e0/1 to our core switch, a 4510R+E. The connection from the ASA is to an access port (vlan 99) on the 4510. I would like to migrate this configuration to subinterfaces on the ASA. I would like to have the existing configuration applied to e0/1 migrate to e0/1.1 and then add e0/1.2 for a guest wireless vlan. What is the best way to make these changes without having to completely reconfigure the ASA? I know I will need to trunk the connection from the ASA to the 4510 but I am looking for the best way to make these changes without having to completely reconfigure the ASA.

Thank you,

JW

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎11-03-2013 01:37 AM

Hi,

While I would probably myself configure this so that I would leave out all configurations on the current physical interface Ethernet0/1 I think there is an option for you which enabled you to leave the current interface configuration intact and just start adding subinterfaces to the physical interface Ethernet0/1.

To my understanding you could do the following

  • Configure the additional subinterfaces under the physical interface Ethernet0/1 on the ASA. For example just the IP address etc so enabled pinging to them after the Trunk has bee configured.
  • Configure the switch side to Trunk and configure the Native Vlan for that trunk as Vlan 99 so that the ASA will continue to receive untagged traffic for that vlan like it is now (Access mode port) As the main Ethernet0/1 port is not tagged it should keep working to my understanding.

I am a bit rusty on the switching side but the above is to my understanding what you could do. This should mean that you would not have to change anything on the ASA side. Ofcourse you would be adding the subinterfaces and their configurations but nothing that would change the current setup.

Naturally the switch side configuration change to Trunk would cause outage in your setup.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

0 Helpful

John Woods
Level 1
Level 1
In response to Jouni Forss

‎11-03-2013 01:44 AM

Jouni,

Thank you. Very intriguing approach. It makes sense. I will try this in our lab setup and see what happens...

I appreciate your quick reply,

JW

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to John Woods

‎11-05-2013 10:21 AM

Hi,

Have you had the opportunity to test this yet?

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card