DMZ Sub interfaces into sub interface

saeedccie · ‎07-06-2012

Hi,

We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's like

DMZ-1 = 172.20.1.x - VLAN 1000

DMZ-2 = 172.20.2.x - VLAN 1200

DMZ-3 = 172.20.3.x - VLAN 1300

DMZ-4 = 172.20.4.x - VLAN 1400

My question is:

Can we break sub interface (DMZ-4) into again another sub interface and assign another IP address like

DMZ-4 = 172.20.4.x

---------= 172.20.5.x

Means one VLAN has two IP addresses for gateway.

One thing more how many times we can break one interface into subinterfaces.

I hope my question is enough for understanding.

Regards,

Saeed

deyster94 · ‎07-06-2012

No, this is not a supported feature.

I think you can put 250 subinterfaces on a physical interface.

saeedccie · ‎07-06-2012

Thanks for the reply.

Can we break this feature on catalyst switches 2960 or 3560?

rizwanr74 · ‎07-06-2012

"Can we break this feature on catalyst switches 2960 or 3560?"

Answer is still no.

Hope that answers your question.

thanks

Rizwan Rafeek.

Karsten Iwen · ‎07-06-2012

> Can we break this feature on catalyst switches 2960 or 3560?

You just want to have two IP-networks in one VLAN? If yes, that is possible on Routers and Switches with secondary IP-addresses. But the ASA doesn't support that.

nkarthikeyan · ‎07-07-2012

Hi Saeed,

You can create sub interface for the sub interface... because virtual interfaces can be created on the physical interfaces...... But two ip segments for a single vlan is possible in L3 switches / Routers. I never tried it in firewalls....

Here is the example in L3 switch

interface Vlan100

ip address 10.0.0.4 255.255.255.0 secondary

ip address 10.2.2.4 255.255.254.0

no shut

!

nkarthikeyan · ‎07-07-2012

Sorry... Small correction... You cannot create....

nkarthikeyan · ‎07-07-2012

ASA 5510 supports max of 100 sub interfaces / vlans.....