5:05 p.m. at the courier’s office.
Me and the cabling guys arrive to do the network cutover. We knock on the funny little door where customers pick up their packages. It is a Dutch door, split horizontally at waist-level like a stable door. During business hours, they swing open the upper half of the door, and the whole affair serves as a reception counter for the steady trickle of customers that amble by to collect their packages. At waist-height, just where top and bottom half meet, there is a narrow ledge where you can perch a package, or sign a clipboard. You only ever open the bottom half of the door if you need to walk through it.
But at 5:05 p.m., everyone in the office has buggered off, and it does not matter which half of the door we jiggle. We’re locked out. Our customer (the IT manager for the courier’s office) is running late. Fabulous. Do we wait here, or go find a pub?
The youngest of our cabling guys eyes the open transom above the door speculatively. He hops up on the narrow ledge and hands himself through the open transom with a fluid motion, feet-first. He lands with a soft thud on the other side of the door, and unlocks it from the inside for us, with a flash of gold teeth. I’ve seen David Belle do this move before on TV. The French King of Parkour.
We clap the grinning cabling guy on the shoulder and shuffle through the entryway; a single door frame that actually contains 3 doors.
Why Use Subinterfaces?
On the Cisco ASA 5510 and higher models, you can configure subinterfaces on any physical, redundant or EtherChannel interface. So, a single interface can be divided into multiple logical interfaces, each tagged with a different VLAN ID. An interface (physical, redundant, EtherChannel) with one or more VLAN subinterfaces is automatically configured as an 802.1q trunk.
By using VLANs and subinterfaces, you have the ability to separate traffic that is sharing the same physical interface. Thus, you do not need to add additional physical interfaces.
The number of VLANs per physical interface is limited by licensing. (See licensing requirements for each model here.)
Configuration Example
On my Cisco ASA 5520, I’ve enabled the GigabitEthernet0/1 interface with the no shutdown command, but I have not configured anything else. The show run interface coughs up this information:
ciscoasa(config-if)# sh ru int ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 5.5.5.1 255.255.255.0 ! interface GigabitEthernet0/1 no nameif no security-level no ip address ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only
I’m going to add a subinterface for the 10.30.10.0/24 network on the GigabitEthernet 0/1 interface, and give it a name and IP address:
ciscoasa# con t ciscoasa(config)# int g 0/1.10 ciscoasa(config-subif)# vlan 10 ciscoasa(config-subif)# nameif SubnetTen INFO: Security level for "SubnetTen" set to 0 by default. ciscoasa(config-subif)# ip address 10.30.10.1 255.255.255.0
And I’m adding another subinterface for the 10.30.20.0/24 network:
ciscoasa(config-subif)# int g 0/1.20 ciscoasa(config-subif)# vlan 20 ciscoasa(config-subif)# nameif SubnetTwenty INFO: Security level for "SubnetTwenty" set to 0 by default. ciscoasa(config-subif)# ip address 10.30.20.1 255.255.255.0
Now a show run interface command shows that two subinterfaces have been created on the GigabitEthernet 0/1 interface:
ciscoasa(config-subif)# sh ru int ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 5.5.5.1 255.255.255.0 ! interface GigabitEthernet0/1 no nameif no security-level no ip address ! interface GigabitEthernet0/1.10 vlan 10 nameif SubnetTen security-level 0 ip address 10.30.10.1 255.255.255.0 ! interface GigabitEthernet0/1.20 vlan 20 nameif SubnetTwenty security-level 0 ip address 10.30.20.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only
Additional Information:
nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.
security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.
ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.
shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.
show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.
vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.