SubInterfaces on an ASA

mumbles202

Is best practice still to either tag nothing or tag everything on an interface on the ASA?  As in, either leave it as an untagged and then pick the appropriate vlan on the downstream switch:


interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0

and then if I need to come back and add a sub-interface later on move the inside configuration to something like this:

 

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/2.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0

interface GigabitEthernet0/2.200
 vlan 200
 nameif inside2
 security-level 100
 ip address 192.168.200.1 255.255.255.0

Or is adding the Gi0/2.200 to the first configuration I listed fine?  I know either will work, just trying to limit the amount of downtime in removing and reapplying all the configuration that was associated w/ the original interface since I'll need to remove the interface and ip so I can apply them to the sub-interface.

Accepted Solution

@mumbles202 I generally do the first option, but as a dedicated routed link/vlan as a transit (no hosts) for traffic routed to the core switch. I then let the core switch do the intervlan routing.

 

If you want to firewall traffic between the different vlans then yes use option 2.

 

Your configuration and understanding are correct; it's just preference.


Replies


Thanks.  The core is L3 and does the inter-vlan routing for the network and is hanging off of Gig 0/1.  The interface in question is really a DMZ and the new sub-interface will also be another isolated segment (security levels will really be 50 and 40 for the old and the new), so the firewall will be the gateway for both networks. I'd like to refrain from taking the DMZ down while adding a 2nd subnet if possible so was looking to add DMZ2 to the same interface as the existing DMZ.  

@mumbles202 yep, fine, so my second answer fits. The 2 DMZ networks should be firewalled off from each other.

Using sub interfaces in this scenario is fine.

If the main interface has an IP address and then you configure a sub-interface later with an IP address, I think this does not work.
I will go with your second config.
Configure a sub-interface for VLAN 100, and then if I need to add another sub-interface it is easy to add one, BUT you must make sure that the switch side allows all the VLANs which you add in the future.
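As an added example (not posted by anyone in the thread), here is the layout the original poster described in ASA syntax, plus the switch-side trunk the reply above refers to: the physical interface carries no IP, each DMZ sits on its own subinterface with the security levels mentioned (50 and 40), and an inbound ACL on each DMZ keeps the two segments firewalled off from each other as the accepted answer recommends. The interface names `dmz`/`dmz2`, the ACL names and the switch port `GigabitEthernet1/0/1` are assumptions; the subnets are the ones from the thread.

```cisco
! --- ASA side (added example; nameif and ACL names are assumed) ---
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2.200
 vlan 200
 nameif dmz2
 security-level 40
 ip address 192.168.200.1 255.255.255.0
!
! With unequal security levels the ASA allows dmz (50) -> dmz2 (40) and
! denies dmz2 -> dmz by default. Once an ACL is bound to an interface the
! implicit deny applies instead, so state both directions explicitly and the
! isolation no longer depends on which level happens to be higher.
access-list dmz_in extended deny ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.100.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
access-list dmz2_in extended deny ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz2_in extended permit ip 192.168.200.0 255.255.255.0 any
access-group dmz2_in in interface dmz2

! --- Switch side (IOS; port name assumed) ---
! The trunk must carry every VLAN the ASA subinterfaces tag; a VLAN missing
! from the allowed list makes the new DMZ silently unreachable.
interface GigabitEthernet1/0/1
 description uplink to ASA Gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
```

`show interface ip brief` on the ASA and `show interfaces trunk` on the switch confirm that the subinterfaces are up and that both VLANs are actually forwarding on the trunk.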

Thanks.  I think either way technically works, just adding a sub to an existing interface is frowned upon, at least how I've always known it.  I'll go w/ option 2 and just schedule an outage window while I migrate the configuration to a sub.  Thanks.
