
Moving off of Physical to Logical Interface on ASA

Gerard Roy

We are adding a 3rd ISP to our ASA. It is an ASA 5525-X that has 8 physical interfaces. I was looking for the best method to recover a physical interface for use with the new ISP (Cox). G0/0 and G0/1 are connecting to two existing ISPs. G0/2 - G0/3 are used for Port-channel1 and G0/4 - G0/5 are used for Port-channel2 (see attached image). So I moved "Starwood" off of the physical interface G0/6 and created a sub-interface G0/6.2. It has a new VLAN of 36. I also have a UAT (user acceptance testing) interface on VLAN 35. If I move the existing cable to another port on the HP switch, I lose my VLAN 35 and VLAN 36 connections. Notice G0/6 is native VLAN 1 and the sub-interfaces are G0/6.1 and G0/6.2 with VLANs 35 and 36 respectively. Do I just tag the VLANs to the existing ports on the switch?


Georg Pauwen



Not really sure what you are asking. If you use subinterfaces on the ASA, whatever is physically connected to the main interface (GigabitEthernet6) needs to be a trunk.


What is 'Starwood'? Is that the HP switch? Either way, make the link between the HP and the ASA a trunk.


That said, you also have GigabitEthernet 7 and 8, can't you use these interfaces?
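
The trunk arrangement described in the reply above, as an added configuration sketch that is not part of the original thread. The interface names, VLAN IDs and switch port number come from the posts; the `nameif` values, security levels, IP addresses and the stack-member part of the switch port name are assumptions, and Comware syntax is assumed for the HP 5500.

```text
! --- ASA 5525-X (constructed sketch, placeholder values marked) ---
! The physical interface must be up for its subinterfaces to pass traffic.
interface GigabitEthernet0/6
 no shutdown
!
! Subinterface for the UAT network, tagged with 802.1Q VLAN 35.
interface GigabitEthernet0/6.1
 vlan 35
 nameif uat                              ! placeholder name
 security-level 50                       ! placeholder level
 ip address 192.0.2.1 255.255.255.0      ! placeholder address
!
! Subinterface for the Starwood customer network, tagged with VLAN 36.
interface GigabitEthernet0/6.2
 vlan 36
 nameif starwood                         ! placeholder name
 security-level 50                       ! placeholder level
 ip address 198.51.100.1 255.255.255.0   ! placeholder address

# --- HP 5500, Comware syntax assumed (constructed sketch) ---
# Port 21 facing the ASA; "1/0/" is an assumed stack-member prefix.
# The port carries VLANs 35 and 36 tagged, matching the ASA subinterfaces.
# The port facing the second ASA on the other stack member needs the
# same settings, or failover will move traffic onto a non-trunk port.
interface GigabitEthernet1/0/21
 port link-type trunk
 port trunk permit vlan 35 36
```

`show interface GigabitEthernet0/6.1` on the ASA and `display port trunk` on the switch show whether the VLAN tags match on both ends of the link.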

G0/7 is used for LAN/STATE Failover to a secondary ASA and there is no G0/8. Only ports G0/0 - G0/7.
To make it a little more complex, each ASA is plugged into a different switch within the switch stack so there is redundancy in switches as well. I will confirm if this was trunked. Looking now and will get back shortly.

Sorry, other projects have taken me away from this and now it is becoming urgent.


To clarify, we have a customer called Starwood that was assigned to the physical interface ge0/6. We moved them off of interface ge6/0 to a sub-interface ge0/6.2 (see above). Anyways, we now want to use the "physical" interface ge6/0 for a new ISP, Cox, for failover (interface name outside-CX); we have no other ports available on the ASA. The issue is the other sub-interface ge0/6.1 has loads of traffic and I cannot bring it down for any length of time. In the image above, you can see interface ge0/6; is it using the native VLAN 1? GE0/6.1 is assigned VLAN 35. The switch the ASA is connected to is an HP5500 and port 21 shows it is assigned as tagged. See image below. So I am not sure what that means in HP land. BAGG???? Cox is the new ISP.


Here is an image of the devices and connections.


So the switches all have an IP address on the same subnet. Notice the top switches have a Vlan6 that looks like it was used for a prior ISP. Do I run a cable between the lower switch to the upper switch?
Really confused at the moment. This HP crap has me second guessing. Definitely NOT Cisco.