Cisco ASA VLAN understanding

Yannis94
Level 1

Hello team,

I have been searching for a document that indicates the information I need and I have not found it, so I believe I may find something from your knowledge as well.

I have an FTD that is managed by a FMC. 
The FTD has a physical interface that has some VLAN subinterfaces underneath, and it is connected to a switch with the same VLANs on its trunk.
Let's suppose that the subnet I am interested is 10.10.10.0/24 and it is vlan 2. 
Right now whoever wants to find 10.10.10.0/24 goes to the ASA and it sees that the vlan is directly connected so it forwards the traffic.

The question I have is that, if I go on the trunk port of the switch and remove vlan 2, will the FTD understand this change and the vlan will go down from its side as well, so the traffic to 10.10.10.0/24 will be forwarded to the default route or it will continue to forward the traffic to the interface gig1/1.2?


nspasov
Cisco Employee

Removing the VLAN from the trunk will cause the VLAN to be "pruned" from that trunk. As a result, no traffic for that VLAN will be allowed to transit the trunk port. However, I am not sure I understand your question:

"will the FTD understand this change and the vlan will go down from its side as well, so the traffic to 10.10.10.0/24 will be forwarded to the default route or it will continue to forward the traffic to the interface gig1/1.2?" 

So I will have to answer your question with a question: What are you trying to accomplish? My guess is that you are planning on moving the default gateway for this subnet/VLAN from the firewall to another device? If yes, then will the firewall still be in the path of the traffic? If yes, then you will need to address things like routing, since you will no longer have a "firewall-on-a-stick" and as such it will need to know how to route traffic to/from these subnets as they will no longer be "directly connected." Depending on your setup, other things such as NAT, ACLs, etc. may also need tweaking. If the firewall will no longer be in the picture, then you should plan on manually clearing the ARP cache. Otherwise, traffic will not "use" the new device as its default gateway until the ARP cache automatic purging takes place (typically 4 hours).

I hope this helps!

Thank you for rating helpful posts!

Yannis94
Level 1

Hello and thank you for your response.

What I am trying to do is move the gateway for this subnet, and I do not want to wait for the FMC to deploy the deletion of the interface because it takes over 4 minutes.

The way I have it in my mind is that for a router, if I had the same topology, if I removed the VLAN from the trunk of the switch the SVI would be in UP/DOWN state, so most probably if traffic towards the subnet 10.10.10.0/24 reached the router it would most probably forward it to the default route since it will not recognize it as a directly connected subnet. Maybe I have it wrong for the router as well. But if my thinking is correct, would the same happen for the FTD?

nspasov
Cisco Employee

As an active CCIE (R&S) holder I am embarrassed to admit that I don't remember the behavior of an SVI when the VLAN is pruned from the trunk. If memory serves me right, the SVI does go down. About the new gateway device: the failover would really depend on your setup, but the firewall will be isolated from that subnet once the VLAN is pruned from the trunk. However, as I stated before, the ARP cache will still need to be manually cleared to help speed the convergence process.

Yannis94
Level 1

I am sure that we face so many things during each day that it is difficult to keep all this info.

The odd thing is that I cannot find any documentation from Cisco that indicates this behavior if this action occurs.

nspasov
Cisco Employee

Perhaps you can try and confirm this by creating a new sub-interface, give it an IP and allow the vlan on the trunk. Then prune it and observe the behavior


Jens Albrecht
Level 1

By default all sub-interfaces simply follow the state of the physical interface. So if you prune a vlan on the trunk at the switch, the sub-interface at the firewall will remain UP. All frames with or without tag arrive at the physical interface and based on the tag they will then be handled by the corresponding sub-interface as required. So how should the firewall notice that it will no longer receive tagged frames for that vlan? 

Things do change if you start using tools like IP SLA or BFD to track the reachability of the neighbor.
Otherwise the firewall will continue to send traffic out of the sub-interface and the switch will drop it as the vlan is pruned.
You can also check whether your firewall allows you to separately shut down sub-interfaces, preferably with a newly created one.

HTH!

Yannis94
Level 1

Thank you both for your help and thoughts.
I am going to perform a lab in order to find out on a live environment and not just in theory.

Thank you!

Jens Albrecht
Level 1

Setting up a lab is indeed a great idea! You can learn much more from practicing than just reading books or discussions.

There is always some kind of logic behind the default behavior.
If you create an SVI on a switch and the corresponding VLAN is bound to any active interface, the SVI goes up in order to be ready to receive traffic for that subnet. The switch does not know whether this subnet exists anywhere else or whether it will ever receive any traffic, but the switch needs to be prepared to handle it. Once you remove the VLAN from any and all interfaces, the SVI will go down, because now the switch knows for sure that it will never be able to receive any traffic for that subnet.

If you have an active interface on a router/firewall and create a sub-interface for that interface, then the sub-interface will automatically go up as it follows the state of the physical interface by default. Similar logic here. The router does not know whether it will ever receive traffic for that sub-interface but since the physical interface is up, the router must be prepared to handle it. Most platforms allow you to explicitly shutdown sub-interfaces which tells the router/firewall to remove that network and related routes from its routing table.

As mentioned before there are a couple of tools like IP SLA or BFD that allow you to track the reachability of neighbors. This enables a device to detect that the neighbor is no longer reachable, so that it can react even if the corresponding interface is still up.

Happy labbing!
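The forwarding consequence described in the two posts above, as an added example that is not part of the thread or of any Cisco code. It models the three behaviours discussed: a sub-interface inherits only its parent's line state, an SVI is up only while some port still carries the VLAN, and a reachability-tracked connected route (IP SLA/BFD style) is withdrawn when the probe fails. A longest-prefix lookup then shows whether 10.10.10.0/24 traffic still leaves via the sub-interface (where the switch drops it) or falls to the default route. The interface names, the default next hop 192.0.2.1, the switch ports and the `neighbor_reachable` probe flag are all constructed for this example.

```python
"""Model of how a connected route survives VLAN pruning on a sub-interface.

Added example (not from the thread). Names, addresses and the probe flag are
constructed for illustration; the logic mirrors the default behaviour
described in the discussion.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass
class PhysicalInterface:
    name: str
    up: bool = True


@dataclass
class SubInterface:
    name: str
    parent: PhysicalInterface
    vlan: int
    network: IPv4Network
    # Constructed IP SLA / BFD-style probe result; None means no tracking configured.
    neighbor_reachable: Optional[bool] = None

    @property
    def up(self) -> bool:
        # Default behaviour: the sub-interface follows the parent only. Pruning
        # the VLAN on the switch changes nothing the firewall can observe here.
        return self.parent.up

    @property
    def route_installed(self) -> bool:
        if not self.up:
            return False
        # With tracking, the connected route is withdrawn once the probe fails.
        return self.neighbor_reachable in (None, True)


@dataclass
class Svi:
    name: str
    vlan: int
    network: IPv4Network
    switch_ports: Dict[str, Set[int]]  # port -> VLANs allowed on that trunk

    @property
    def up(self) -> bool:
        # An SVI stays up while any active port still carries its VLAN.
        return any(self.vlan in vlans for vlans in self.switch_ports.values())

    @property
    def route_installed(self) -> bool:
        return self.up


def build_fib(interfaces, default_next_hop: str) -> List[Tuple[IPv4Network, str]]:
    """Connected routes for every interface whose route is installed, plus a default."""
    fib = [(i.network, i.name) for i in interfaces if i.route_installed]
    fib.append((ipaddress.ip_network("0.0.0.0/0"), f"via {default_next_hop}"))
    return fib


def lookup(fib: List[Tuple[IPv4Network, str]], dst: str) -> str:
    """Longest-prefix match, as the firewall's forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in fib if addr in n), key=lambda n: n.prefixlen)
    return next(out for n, out in fib if n == best)


def firewall_scenario(tracking: bool) -> Tuple[str, str]:
    """Egress for 10.10.10.5 before and after the switch prunes VLAN 2."""
    gig = PhysicalInterface("GigabitEthernet1/1")
    sub = SubInterface("GigabitEthernet1/1.2", gig, 2,
                       ipaddress.ip_network("10.10.10.0/24"),
                       neighbor_reachable=True if tracking else None)
    before = lookup(build_fib([sub], "192.0.2.1"), "10.10.10.5")
    # Switch prunes VLAN 2. The parent link stays up; only a probe can notice.
    if tracking:
        sub.neighbor_reachable = False
    after = lookup(build_fib([sub], "192.0.2.1"), "10.10.10.5")
    return before, after


def switch_svi_scenario() -> Tuple[str, str]:
    """Same lookup on a switch SVI when VLAN 2 leaves its last trunk."""
    ports = {"Gi1/0/1": {1, 2, 3}, "Gi1/0/2": {1, 3}}
    svi = Svi("Vlan2", 2, ipaddress.ip_network("10.10.10.0/24"), ports)
    before = lookup(build_fib([svi], "192.0.2.1"), "10.10.10.5")
    ports["Gi1/0/1"].discard(2)  # VLAN 2 removed from the only port carrying it
    after = lookup(build_fib([svi], "192.0.2.1"), "10.10.10.5")
    return before, after


if __name__ == "__main__":
    print("firewall, no tracking :", firewall_scenario(False))
    print("firewall, with tracking:", firewall_scenario(True))
    print("switch SVI            :", switch_svi_scenario())
```

Without tracking the firewall keeps sending 10.10.10.0/24 out of GigabitEthernet1/1.2 both before and after the prune, which is exactly the silent blackhole the thread warns about; with tracking the connected route is withdrawn and the lookup falls to the default route, and the SVI case drops to the default route on its own once no port carries the VLAN.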

nspasov
Cisco Employee

I am glad this conversation helped! Also, thank you for updating us on the outcome of the lab tests!
