Showing results for 
Search instead for 
Did you mean: 

Subinterfaces vs Physical Interfaces on ASA for LANs with VPN Tunnel

We are in the process of moving one of our departments to a new location where we will need to create a point to point VPN tunnel using an ASA-5505 at the far end and a Palo Alto at our core location.  I am much more familiar with configuring the PA than the Cisco ASA and would  appreciate some advice.  We need to create three new LAN's that will be vlanned out at the new location.  Would it be more advantageous to separate these networks by using logical subinterfaces one a single interface or would it be better to use a separate physical interface for each network?  What are the pros and cons of one way vs the other?  Also we have a cisco voip system with call manager and will be deploying phones to the new location.  Anything that should be noted for routing the traffic across the tunnel?  -Thanks

VIP Expert

I cannot really offer advice on your basic question, however, concerning running VoIP across an Internet VPN tunnel, I can suggest, as I would with any other connection, provide the VoIP traffic prioritization for its bearer component and a bandwidth guarantee for its control component.

Although the Internet doesn't support QoS, the Internet "cloud", and most ISPs, have sufficient "cloud" bandwidth that Internet interface congestion is often not an issue. However, your links to the Internet are often bottlenecks and often need QoS policies to insure VoIP obtains what it needs to for its SLAs.

Many Cisco devices support some form of egress QoS support that would provide the service "guarantees" needed by VoIP.

However, what's often a problem is congestion on the link from the Internet to your site (as ISP will almost always not provide any QoS policy). That, though, can be dealt with by 1) not using that Internet connection for traffic other than you VPN traffic (if you want to provide general Internet access, use another link for that), and 2) insuring you don't send traffic from one site (or sites) that would oversubscribe the bandwidth.

For example given a hub with 10 Mbps and four branches each with 2 Mbps, the hub would insure traffic to each branch is shaped for 2 Mbps (to each branch). Or, if hub, again, had 10 Mbps, and you had six branches, each, again, with 2 Mbps, you would need to insure the aggregate of the branches does not exceed 10 Mbps (your choice how you divide the 10 Mbps bandwidth between sites). (BTW, if branches had a physical interface more than 2 Mbps, you would also need to shape to insure not exceed the allocated bandwidth cap of 2 Mbps, each.)
Hall of Fame Master

Hello @dbuckley77 ,

for the LAN interfaces the best option is to use a port channel with two member interfaces and having Vlan based subinterfaces of the port channel.

In this way you avoid the single point of failure of a single interface dedicated to a subnet.

For security reason the interface going to the "outside" world should be on a separate interface dedicated to this purpose.

This is recommended to avoid to have the Internet facing Vlan/subnet connected to internal switches.


As a final note you need to check the license of the ASA, three Vlans should not be an issue, the basic license should provide 5. But if you want to add more Vlans later  you may need to verify the max Vlan limit .


Hope to help




It just occurred to me that the ASA only has 10/100 intefaces and our ISP circuit will be 600Mbps.  How much bandwidth is recommended to run Cisco voip across a vpn?


Hello @dbuckley77 ,

you will need a DMZ switch to land the ISP circuit .


For VOIP calls you need to consider roughly 100 Kbps of traffic for the bearer channel not encrypted.

The VOIP RTP packets are really small so you can consider that encryption can double the rate you will need 1 Mbps for every 5 simultaneus VOIP calls.

So bandwidth is not an issue in your case if this is a branch office with only 20-30 IP phones.


The real issue  I see is that the ASA 5505 is likely not able to use all this bandwidth 600 Mbps  for IPSec encrypted traffic bidirectional.

So on the long term you may want to change it with a newer more powerful firewall.


Hope to help



Content for Community-Ad