9476 Views, 54 Helpful, 8 Replies

allocate-interface to an existing ASA context

mohanramv4
Level 1

We have an active/active context firewall and would like to add a sub-interface to an existing context. Can someone share a link on how to do this?

All Cisco documentation is for creating a context and allocating interfaces from scratch, but I could not find any document on adding an interface to an existing context.

-Mohan

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Taking as an example one of our ASA-5585-X ASAs with a sub-interface on a trunk interface.

I think you need to connect to the ASA which is Active for the admin context. And for the actual user/customer context you have to connect to the device where it's Active. Hopefully I remembered the "logic" correctly.

Create the sub-interface in the system context space:

interface TenGigabitEthernet0/9.2000
 description New Link
 vlan 2000

Attach the created interface to a context:

context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000

Configure the interface settings under the context:

changeto context CONTEXT1
! the name must match the sub-interface allocated above (.2000)
interface TenGigabitEthernet0/9.2000
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

The above should handle the very basics regarding the actual interface. Naturally you need all the other firewall configuration, and you also have to make sure that on the connected device this sub-interface/VLAN ID actually leads somewhere.

Please rate if the information was helpful and/or ask more if needed.

- Jouni


8 Replies


Hi,

This is the basic configuration for allocating a sub-interface.

But my question is: can I add a sub-interface to a context which is already configured with a config-url and is actively running?

Below is a note taken from Cisco documentation:

Note

Enter the allocate-interface command(s) before you enter the config-url command. If you enter the config-url command first, the ASA loads the context configuration immediately. If the context contains any commands that refer to (not yet configured) interfaces, those commands fail.

Does this mean I have to restart the context for the interface to be added to the context?

-Mohan

Ah, now I understand your question better.

Yes, you can just add the "allocate-interface" command to the context configuration while it's in production. All that this command will do at this point is add another interface under the context.

After you have added the interface with the "allocate-interface" command under the context and move to the context with the command "changeto context", you will only see an interface with a blank configuration and ALL of the configuration you had there before adding the new interface.

After this you simply start configuring the interface with "description", "nameif", "security-level", "ip address" and so on, and start creating rules for it.

The situation that the Cisco quote above refers to is the following:

  • You have a ready-made configuration file for your ASA context
  • You load that file to the flash of the ASA
  • You want to apply the configuration on the flash to the context you created
    • One reason for having a ready configuration might be that your previous ASA has broken down and you are now in the process of recovery with a replacement device, have all the configuration backups, and are loading them to the ASA and creating all the contexts that were on the previous ASA
  • IF you were to create the context and immediately issue the "config-url" whose configuration refers to certain interfaces, THEN naturally the ASA couldn't insert those old backup configurations into the context, as it didn't have those interfaces attached yet.
  • This is why in the above case you would first attach the interfaces to the context and THEN insert the flash filesystem path where the ready configuration is located, so that the context could use it to fully configure and restore itself.

Now consider the more typical situation while configuring contexts:

  • You already have a context with a "config-url" set where the context configuration gets saved.
  • When you add a new interface to the context, nothing happens to the current configuration or firewall operation.
  • Because the current configuration doesn't refer to the new interface in any way, it naturally won't get any configuration when you attach it to the context.
  • When you move under the context, you can just start configuring the interface settings and the configuration related to that interface.
  • AFTER you issue the "write mem" command and save the configuration, it will be saved to the file/path configured in the "config-url" configuration and will after this naturally contain the new interface (and all related configuration).

So in short:

  • If you are adding new interfaces to production firewalls you can just use the "allocate-interface" command.
  • If you have a ready-made configuration before creating the actual context, THEN you will have to make sure that the context has the interfaces attached BEFORE you attach the "config-url" configuration with the ready-made file; otherwise it will only apply configuration for the interfaces which are attached before this, and naturally the global configuration that doesn't apply to any specific interface.

Hopefully I wasn't too complex with the writing. I'm pretty tired at the moment and it's hard to concentrate.

Please rate if you have found the information helpful, and also ask more if needed.

- Jouni

Thank you Jouni, you saved my day.

-Zakir



Is there any way to combine context configs?

Example: if I want to combine CONTEXT-A and CONTEXT-B to reduce the number of contexts, any suggestion on the best approach?

context CONTEXT-A
 allocate-interface Port-channel1.115 visible
 config-url disk0:/CONTEXT-A.cfg

context CONTEXT-B
 allocate-interface Port-channel1.115 visible
 allocate-interface Port-channel11.3016-Port-channel11.3018 visible
 config-url disk0:/CONTEXT-B.cfg

 

So you're asking here to migrate one context's config to another context? Or just one interface from one context to another one?

Migrate the config from one context to another.

That seems a bit tricky, but honestly I don't think you can do it without DOWNTIME.

So I would first remove one interface at a time from old_context, then add it to the new_context.
Configure the IP on the new context and finally take care of the routing, ACLs and NAT config.
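As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python linter over a constructed ASA system-context running-config. It mechanically checks the points made in the thread: that every allocate-interface in a context stanza comes before that context's config-url (the Cisco note Jouni explains above), that every allocated sub-interface actually exists in the system space, and, for the CONTEXT-A/CONTEXT-B case in the last question, it reports interfaces allocated to more than one context (a shared interface, which the migration plan above has to account for). The sample config text, the CONTEXT-BAD context, the line numbers and the function names are all constructed for this example; the range form "Port-channel11.3016-Port-channel11.3018" follows the line posted above.

```python
"""Lint an ASA multiple-context system configuration for interface-allocation problems.

Added example, not code from the thread or from Cisco. The sample config and the
context CONTEXT-BAD are constructed; the rules checked come from the thread above."""
import re

# Constructed sample system-context running-config using the names from the thread.
# CONTEXT-BAD deliberately puts config-url before allocate-interface and allocates a
# sub-interface that was never created in the system space.
SAMPLE_SYSTEM_CONFIG = """\
interface TenGigabitEthernet0/9.2000
 vlan 2000
interface Port-channel1.115
 vlan 115
interface Port-channel11.3016
 vlan 3016
interface Port-channel11.3017
 vlan 3017
interface Port-channel11.3018
 vlan 3018
context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000
 config-url disk0:/CONTEXT1.cfg
context CONTEXT-A
 allocate-interface Port-channel1.115 visible
 config-url disk0:/CONTEXT-A.cfg
context CONTEXT-B
 allocate-interface Port-channel1.115 visible
 allocate-interface Port-channel11.3016-Port-channel11.3018 visible
 config-url disk0:/CONTEXT-B.cfg
context CONTEXT-BAD
 config-url disk0:/CONTEXT-BAD.cfg
 allocate-interface TenGigabitEthernet0/9.2001
"""

# "Port-channel11.3016-Port-channel11.3018" style range (same base name on both sides).
_RANGE = re.compile(r"^(?P<base>\S+?)\.(?P<lo>\d+)-(?P=base)\.(?P<hi>\d+)$")

def expand_allocation(spec):
    """Expand one allocate-interface argument into the interface names it covers."""
    m = _RANGE.match(spec)
    if not m:
        return [spec]  # plain name; a trailing mapped name/"visible" is dropped by the caller
    lo, hi = int(m["lo"]), int(m["hi"])
    if hi < lo:
        raise ValueError(f"inverted sub-interface range: {spec}")
    return [f"{m['base']}.{n}" for n in range(lo, hi + 1)]

def parse_system_config(text):
    """Return (defined_interfaces, {context: [(line_no, keyword, first_arg), ...]})."""
    defined, contexts, current = set(), {}, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new stanza
            current = None
            if line.startswith("interface "):
                defined.add(line.split(None, 1)[1])
            elif line.startswith("context "):
                current = line.split(None, 1)[1]
                contexts.setdefault(current, [])
            continue
        if current is not None:  # indented sub-command inside a context stanza
            parts = line.split()
            contexts[current].append((line_no, parts[0], parts[1] if len(parts) > 1 else ""))
    return defined, contexts

def lint(text):
    """Return a sorted list of findings for a system-context configuration."""
    defined, contexts = parse_system_config(text)
    findings, owners = [], {}  # owners: interface -> contexts it is allocated to
    for name, stanza in contexts.items():
        url_line = None
        for line_no, kw, arg in stanza:
            if kw == "config-url":
                url_line = line_no
            elif kw == "allocate-interface":
                if url_line is not None:
                    findings.append(f"{name}: allocate-interface {arg} (line {line_no}) comes after "
                                    f"config-url (line {url_line}); the context config loads first")
                for ifname in expand_allocation(arg):
                    if ifname not in defined:
                        findings.append(f"{name}: {ifname} is allocated but not defined in the system context")
                    owners.setdefault(ifname, []).append(name)
    for ifname, ctxs in sorted(owners.items()):
        if len(ctxs) > 1:
            findings.append(f"shared: {ifname} is allocated to {', '.join(ctxs)}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE_SYSTEM_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: CONTEXT-BAD allocates an interface after its config-url, that interface does not exist in the system space, and Port-channel1.115 is shared by CONTEXT-A and CONTEXT-B. Feed it the output of "show running-config" taken from the system context to check a real box; mapped interface names ("allocate-interface X name") are tolerated but not validated.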