VLAN Subinterfaces

This chapter tells how to configure VLAN subinterfaces.


Note

For multiple context mode, complete all tasks in this section in the system execution space. To change from the context to the system execution space, enter the changeto system command.


About VLAN Subinterfaces

VLAN subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or ASAs. This feature is particularly useful in multiple context mode so that you can assign unique interfaces to each context.

Licensing for VLAN Subinterfaces

Model                                    License Requirement
Firepower 9300                           Standard License: 1024
ASAv5                                    Standard License: 25
ASAv10                                   Standard License: 50
ASAv30                                   Standard License: 200
ASA 5506-X, ASA 5506W-X, ASA 5506H-X     Base License: 5; Security Plus License: 30
ASA 5508-X                               Base License: 50
ASA 5512-X                               Base License: 50; Security Plus License: 100
ASA 5515-X                               Base License: 100
ASA 5516-X                               Base License: 50
ASA 5525-X                               Base License: 200
ASA 5545-X                               Base License: 300
ASA 5555-X                               Base License: 500
ASA 5585-X                               Base and Security Plus License: 1024
ASASM                                    No support.
ISA 3000                                 Base License: 5; Security Plus License: 25


Note

For an interface to count against the VLAN limit, you must assign a VLAN to it. For example:



interface gigabitethernet 0/0.100
  vlan 100


Guidelines and Limitations for VLAN Subinterfaces

Model Support

  • ASASM—VLAN subinterfaces are not supported on the ASASM; ASASM interfaces are already VLAN interfaces assigned from the switch.

  • For most ASA models, you cannot configure subinterfaces on the Management interface. See Management Slot/Port Interface for subinterface support.

Additional Guidelines

  • Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets (on the switch side, these are the frames of the trunk's native VLAN). This property is also true for the active physical interface in a redundant interface pair and for EtherChannel links. Because the physical, redundant, or EtherChannel interface must be enabled for the subinterface to pass traffic, ensure that the physical, redundant, or EtherChannel interface does not pass traffic by leaving out the nameif command. If you do want the physical, redundant, or EtherChannel interface to pass untagged packets, configure the nameif command on it as usual.

  • The ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected switch port to trunk unconditionally. On a Cisco IOS switch, for example, that means switchport mode trunk together with switchport nonegotiate, rather than one of the dynamic trunking modes.

  • You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use the same burned-in MAC address of the parent interface. For example, your service provider might perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6 link-local addresses, which can avoid traffic disruption in certain instances on the ASA.
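The following combined example is added here and is not part of the original page; it puts the three guidelines above into one configuration: the parent interface is enabled but left without nameif, each subinterface carries its own VLAN and a locally administered MAC address, and the connected Cisco IOS switch port is forced to trunk with DTP disabled, only the VLANs in use allowed, and an unused native VLAN so that any untagged frame has nowhere to go. Interface numbers, VLAN IDs, MAC addresses, and IP addresses are assumed values.

```cisco
! ASA side (single mode). The parent interface is enabled so that its
! subinterfaces can pass traffic, but it has no nameif, so it cannot
! itself forward untagged (native-VLAN) frames.
interface gigabitethernet 0/1
  no nameif
  no security-level
  no ip address
  no shutdown
!
! One VLAN per subinterface. The mac-address command gives each
! subinterface a unique locally administered MAC (02xx.xxxx.xxxx) in
! place of the shared burned-in address of the parent, which also
! yields distinct IPv6 link-local addresses.
interface gigabitethernet 0/1.101
  vlan 101
  mac-address 0200.0000.0101
  nameif inside
  security-level 100
  ip address 192.168.101.1 255.255.255.0
  no shutdown
interface gigabitethernet 0/1.102
  vlan 102
  mac-address 0200.0000.0102
  nameif dmz
  security-level 50
  ip address 192.168.102.1 255.255.255.0
  no shutdown

! Cisco IOS switch side (assumed switch and port). The ASA does not run
! DTP, so the port is set to trunk unconditionally and DTP frames are
! suppressed. Only VLANs 101 and 102 are allowed on the trunk, and the
! native VLAN is moved to an ID (999) that is used nowhere else.
! The encapsulation line is needed on platforms that also support ISL
! and is rejected on switches that only do 802.1Q; omit it there.
interface GigabitEthernet1/0/1
  description uplink to ASA Gi0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport trunk allowed vlan 101,102
  switchport trunk native vlan 999
```

After applying this, show interface on the ASA should report gigabitethernet 0/1 as up with no name, and show interfaces trunk on the switch should list the port as trunking with native VLAN 999 and only 101,102 allowed.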

Default Settings for VLAN Subinterfaces

This section lists default settings for interfaces if you do not have a factory default configuration.

Default State of Interfaces

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

  • Physical interfaces—Disabled.

  • VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

Configure VLAN Subinterfaces and 802.1Q Trunking

Add a VLAN subinterface to a physical, redundant, or EtherChannel interface.

Before you begin

For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command.

Procedure


Step 1

Specify the new subinterface:

interface {physical_interface | redundant number | port-channel number}.subinterface

Example:


ciscoasa(config)# interface gigabitethernet 0/1.100

The redundant number argument is the redundant interface ID, such as redundant 1.

The port-channel number argument is the EtherChannel interface ID, such as port-channel 1.

The subinterface ID is an integer between 1 and 4294967293.

Step 2

Specify the VLAN for the subinterface:

vlan vlan_id

Example:


ciscoasa(config-subif)# vlan 101

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.

You can only assign a single VLAN to a subinterface. You cannot assign the same VLAN to multiple subinterfaces. You cannot assign a VLAN to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID.


Monitoring VLAN Subinterfaces

See the following commands:

  • show interface

    Displays interface statistics.

  • show interface ip brief

    Displays interface IP addresses and status.

Examples for VLAN Subinterfaces

The following example configures parameters for a subinterface in single mode:


interface gigabitethernet 0/1
  no nameif
  no security-level
  no ip address
  no shutdown
interface gigabitethernet 0/1.1
  vlan 101
  nameif inside
  security-level 100
  ip address 192.168.6.6 255.255.255.0
  no shutdown
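As an added example that is not from the original page, the following configures the same kind of subinterfaces in multiple context mode, which is where the chapter says the feature is most useful: the subinterfaces and their VLAN IDs are created in the system execution space, each one is allocated to a different context, and each context then names and addresses only the subinterface it owns. Context names, config-url paths, VLAN IDs, and addresses are assumed values.

```cisco
! System execution space (changeto system). Only physical and VLAN
! properties are set here; nameif, security-level and ip address
! belong to the context. The parent interface must be enabled here or
! no context that shares it will pass traffic.
interface gigabitethernet 0/1
  no shutdown
interface gigabitethernet 0/1.101
  vlan 101
interface gigabitethernet 0/1.102
  vlan 102
!
! Allocate one tagged subinterface per context. The parent interface
! itself is allocated to no context, so no context can send or receive
! untagged frames on it.
context ctx-a
  allocate-interface gigabitethernet0/1.101
  config-url disk0:/ctx-a.cfg
context ctx-b
  allocate-interface gigabitethernet0/1.102
  config-url disk0:/ctx-b.cfg

! Context ctx-a (changeto context ctx-a). The allocated subinterface is
! enabled by default inside the context; it passes traffic because
! gigabitethernet 0/1 was enabled in the system execution space.
interface gigabitethernet 0/1.101
  nameif inside
  security-level 100
  ip address 192.168.101.1 255.255.255.0

! Context ctx-b (changeto context ctx-b)
interface gigabitethernet 0/1.102
  nameif inside
  security-level 100
  ip address 192.168.102.1 255.255.255.0
```

Shutting down gigabitethernet 0/1 in the system execution space takes both subinterfaces down in both contexts at once, as described under Default State of Interfaces above, so treat the parent interface as shared infrastructure when planning changes.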

History for VLAN Subinterfaces

Table 1. History for VLAN Subinterfaces

Feature Name                       Version   Feature Information
Increased VLANs                    7.0(5)    Increased the following limits:
                                             • ASA5510 Base license VLANs from 0 to 10.
                                             • ASA5510 Security Plus license VLANs from 10 to 25.
                                             • ASA5520 VLANs from 25 to 100.
                                             • ASA5540 VLANs from 100 to 200.
Increased VLANs                    7.2(2)    VLAN limits were increased for the ASA 5510 (from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150), and the ASA 5550 (from 200 to 250).
Increased VLANs for the ASA 5580   8.1(2)    The number of VLANs supported on the ASA 5580 was increased from 100 to 250.