Cisco ASA 5520 – Creating Subinterfaces

5:05 p.m. at the courier’s office.

Me and the cabling guys arrive to do the network cutover. We knock on the funny little door where customers pick up their packages. It is a Dutch door, split horizontally at waist-level like a stable door. During business hours, they swing open the upper half of the door, and the whole affair serves as a reception counter for the steady trickle of customers that amble by to collect their packages. At waist-height, just where top and bottom half meet, there is a narrow ledge where you can perch a package, or sign a clipboard. You only ever open the bottom half of the door if you need to walk through it.

But at 5:05 p.m., everyone in the office has buggered off, and it does not matter which half of the door we jiggle. We’re locked out. Our customer (the IT manager for the courier’s office) is running late. Fabulous. Do we wait here, or go find a pub?

The youngest of our cabling guys eyes the open transom above the door speculatively. He hops up on the narrow ledge and hands himself through the open transom with a fluid motion, feet-first. He lands with a soft thud on the other side of the door, and unlocks it from the inside for us, with a flash of gold teeth. I’ve seen David Belle do this move before on TV. The French King of Parkour.

We clap the grinning cabling guy on the shoulder and shuffle through the entryway; a single door frame that actually contains 3 doors.

Why Use Subinterfaces?

On the Cisco ASA 5510 and higher models, you can configure subinterfaces on any physical, redundant, or EtherChannel interface. A single interface can thus be divided into multiple logical interfaces, each tagged with a different VLAN ID. An interface (physical, redundant, or EtherChannel) with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk.

By using VLANs and subinterfaces, you can separate traffic that shares the same physical interface, so you do not need to add physical interfaces.

The number of VLANs per physical interface is limited by the license installed on the ASA. (See the licensing requirements for each model here.)

Configuration Example

On my Cisco ASA 5520, I’ve enabled the GigabitEthernet0/1 interface with the no shutdown command, but I have not configured anything else. The show run interface command coughs up this information:

ciscoasa(config-if)# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

I’m going to add a subinterface for the 10.30.10.0/24 network on the GigabitEthernet 0/1 interface, and give it a name and IP address:

ciscoasa# con t
ciscoasa(config)# int g 0/1.10
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# nameif SubnetTen
INFO: Security level for "SubnetTen" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.10.1 255.255.255.0

And I’m adding another subinterface for the 10.30.20.0/24 network:

ciscoasa(config-subif)# int g 0/1.20
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# nameif SubnetTwenty
INFO: Security level for "SubnetTwenty" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.20.1 255.255.255.0

Now the show run interface command shows that two subinterfaces have been created on the GigabitEthernet 0/1 interface:

ciscoasa(config-subif)# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif SubnetTen
 security-level 0
 ip address 10.30.10.1 255.255.255.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
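As an added example (not part of the original post or of Cisco's tooling), here is a small Python audit that parses a show run interface dump like the one above and flags the pitfalls of this procedure: a subinterface left at the security-level 0 that nameif assigns by default (the INFO line above), a subinterface with no vlan tag, and a VLAN ID reused on the same parent interface. The sample config is constructed from the output shown above.

```python
"""Audit a Cisco ASA 'show run interface' dump for subinterface pitfalls."""
import re
from collections import defaultdict

# Constructed sample: the two subinterfaces from the post's 'show run interface'.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif SubnetTen
 security-level 0
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
"""

def parse_interfaces(text):
    """Return {interface: {keyword: rest-of-line}}; 'no ...' lines are skipped."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif current and line.startswith(" ") and not line.startswith(" no "):
            key, _, value = line.strip().partition(" ")
            interfaces[current][key] = value
    return interfaces

def audit_subinterfaces(text):
    """Return (interface, finding) pairs for subinterfaces that need attention."""
    findings, vlans_per_parent = [], defaultdict(set)
    for name, attrs in parse_interfaces(text).items():
        match = re.fullmatch(r"(\S+)\.(\d+)", name)
        if not match:
            continue  # physical or management interface, not a subinterface
        parent, vlan = match.group(1), attrs.get("vlan")
        if vlan is None:
            findings.append((name, "no vlan tag assigned: the subinterface cannot pass traffic"))
        elif vlan in vlans_per_parent[parent]:
            findings.append((name, f"vlan {vlan} already used on {parent}"))
        else:
            vlans_per_parent[parent].add(vlan)
        # nameif defaults the level to 0, the same trust as 'outside'; equal-level
        # interfaces only talk if 'same-security-traffic permit inter-interface' is set.
        if attrs.get("security-level") == "0":
            findings.append((name, "security-level 0 (default); set it deliberately"))
    return findings
```

Run audit_subinterfaces(SAMPLE_CONFIG) against the post's config and both subinterfaces are reported for the default level 0, which is the reminder a reviewer wants before the cutover goes live.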

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.


4 Comments

  1. Hassan Tofaha
    Posted September 17, 2012 at 3:48 pm | Permalink

    Can I assign the interface GigabitEthernet0/1 an IP address? Or does the subnetting prevent that?

  2. gomjabbar
    Posted September 17, 2012 at 9:16 pm | Permalink

    Yes you can. And it will pass untagged packets.

  3. Joaquimtchipa
    Posted December 22, 2012 at 7:17 pm | Permalink

    Hi everyone...

    What a great post it was...

    So will it be possible to add more than 8 subinterfaces with different public IP addresses?
    From which outside users will be accessing. I mean having those subinterfaces on the DMZ, and having a server running a certain service... and on the other subinterface having, like, a web page, and so on??

    Coz in my scenario, I got a block of public IP addresses which I am using now... therefore, as our need grows, we are about to have some other services running like Lync Server, a new web page, another web page and so on.
    So as we are running out of public IP addresses... we asked our service provider for 8 more public IP addresses.

    So they have given us, but in a different block range than the previous.
    So how can I assign those new blocks of public addresses to the services above, with the help of subinterfaces??

    I thank you very much for your time and cooperation

    tchipa
    Luanda-Angola

  4. Posted November 26, 2017 at 1:33 am | Permalink

    I was extremely pleased to discover this site. I wanted to thank
    you for your time for this wonderful read!! I definitely really liked every bit
    of it and I have you book-marked to check out new stuff in your site.
