01-09-2013 08:54 AM - edited 03-11-2019 05:45 PM
We have an active/active context firewall and would like to add a sub-interface to the existing context. Can someone share the link on how to do this?
All Cisco documentation is for creating a context and allocating interfaces from scratch, but I could not find any document for adding an interface to an existing context.
-Mohan
01-09-2013 08:59 AM
Hi,
Taking as an example one of our ASA-5585-X ASAs with trunk interface subinterfaces.
I think you need to connect to the ASA which is Active for the admin context. And for the actual user/customer Context you have to connect to the device where it's Active. Hopefully I remembered the "logic" correctly.
Create the sub-interface in the System Context space
interface TenGigabitEthernet0/9.2000
description New Link
vlan 2000
Attach the created interface to a Context
context CONTEXT1
allocate-interface TenGigabitEthernet0/9.2000
Configure the interface configurations under Context (the name inside the context is the same TenGigabitEthernet0/9.2000 that was allocated, since no mapped name was given)
changeto context CONTEXT1
interface TenGigabitEthernet0/9.2000
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
The above should handle the very basic regarding the actual interface. Naturally you need all the other firewall configuration and also actually make sure that on the connected device this sub-interface/Vlan ID actually leads somewhere.
Please rate if the information was helpful and/or ask more if needed
- Jouni
01-10-2013 03:00 AM
Hi,
This is the basic configuration for allocating a sub-interface.
But my question is: can I add a sub-interface to a context that is already configured with a config-url and is actively running?
Below is a note taken from Cisco documentation
Note
Enter the allocate-interface command(s) before you enter the config-url command. If you enter the config-url command first, the ASA loads the context configuration immediately. If the context contains any commands that refer to (not yet configured) interfaces, those commands fail.
Does this mean I have to restart the context for the interface to be added to the context?
-Mohan
01-10-2013 06:03 AM
Ah, now I understand your question better.
Yes, you can just add the "allocate-interface
After you have added the interface with the "allocate-interface" command under the Context and move to the Context with the command "changeto context
After this you simply start configuring the interface with "description", "nameif", "security-level", "ip address" and so on and start creating rules for it.
The situation that the Cisco quote above refers to is the following situation
Now consider the more typical situation while configuring Contexts
So in short
Hopefully I wasn't too complex with the writing. I'm pretty tired at the moment and it is hard to concentrate.
Please rate if you have found the information helpful. And also ask more if needed.
- Jouni
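One way to catch the ".200 vs .2000" kind of slip before a context tries to load it, as an added example that is not from the thread or from Cisco: a small Python checker (assumed function names, constructed sample configs) that expands allocate-interface operands, including Port-channel11.3016-Port-channel11.3018 style ranges from the later post, and reports any `interface` command in a context config that refers to a name never allocated to that context, which is exactly what the Cisco note says fails when the config-url is loaded.

```python
import re
from typing import List

# Constructed sample (not from the thread's ASA): system space after the new
# subinterface is created and allocated, then the context config with the .200/.2000 slip.
SYSTEM_CFG = """interface TenGigabitEthernet0/9.2000
 description New Link
 vlan 2000
!
context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000
 config-url disk0:/CONTEXT1.cfg
"""
CONTEXT_CFG = """interface TenGigabitEthernet0/9.200
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
"""
_RANGE = re.compile(r"^(?P<base>\S+?)\.(?P<lo>\d+)-(?P=base)\.(?P<hi>\d+)$")

def expand_alloc(token: str) -> List[str]:
    """Expand an allocate-interface operand; a range like X.3016-X.3018 becomes three names."""
    m = _RANGE.match(token)
    return [token] if not m else [f"{m['base']}.{n}" for n in range(int(m['lo']), int(m['hi']) + 1)]

def parse_system(cfg: str):
    """Return (interfaces defined in system space, {context: [(physical, name seen in context)]})."""
    defined, allocs, ctx = set(), {}, None
    for words in (l.split() for l in cfg.splitlines() if l.strip()):
        if words[0] == "interface":
            defined.add(words[1]); ctx = None
        elif words[0] == "context":
            ctx = words[1]; allocs.setdefault(ctx, [])
        elif words[0] == "allocate-interface" and ctx:
            phys = expand_alloc(words[1])
            # third word is a mapped name unless it is the visible/invisible keyword (mapped ranges not handled)
            mapped = words[2] if len(words) > 2 and words[2] not in ("visible", "invisible") else None
            allocs[ctx] += [(p, mapped if mapped and len(phys) == 1 else p) for p in phys]
    return defined, allocs

def check_context(name: str, system_cfg: str, context_cfg: str) -> List[str]:
    """Flag allocations of undefined interfaces and context 'interface' lines that were never allocated."""
    defined, allocs = parse_system(system_cfg)
    pairs = allocs.get(name, [])
    seen = {v for _, v in pairs}
    problems = [f"{p} allocated to {name} is not defined in the system space" for p, _ in pairs if p not in defined]
    for words in (l.split() for l in context_cfg.splitlines() if l.strip()):
        if len(words) > 1 and words[0] == "interface" and words[1] not in seen:
            problems.append(f"'interface {words[1]}' is not allocated to context {name}")
    return problems
```

Run it against `show running-config` output captured from the system space and from the context to get the list of mismatches before issuing the allocate-interface or changing the config-url.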
05-28-2016 11:48 PM
Thank you Jouni, you saved my day.
-Zakir
05-02-2018 07:07 PM - edited 05-02-2018 07:08 PM
@Jouni Forss wrote: (the answer quoted above)
Is there any way to combine context configs?
Example: if I want to combine CONTEXT-A and CONTEXT-B to reduce the number of contexts, any suggestion on the best approach?
context CONTEXT-A
allocate-interface Port-channel1.115 visible
config-url disk0:/CONTEXT-A.cfg
context CONTEXT-B
allocate-interface Port-channel1.115 visible
allocate-interface Port-channel11.3016-Port-channel11.3018 visible
config-url disk0:/CONTEXT-B.cfg
05-03-2018 01:28 AM
05-03-2018 03:32 PM
Migrate the config from one context to another.
05-04-2018 02:02 AM