VLAN Subinterfaces

This chapter describes how to configure VLAN subinterfaces.


Note: For multiple context mode, complete all tasks in this section in the system execution space. If you are not already in the system execution space, in the Configuration > Device List pane, double-click System under the active device IP address.


About VLAN Subinterfaces

VLAN subinterfaces let you divide a physical or EtherChannel interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or ASAs. This feature is particularly useful in multiple context mode so that you can assign unique interfaces to each context.

You can configure a primary VLAN, as well as one or more secondary VLANs. When the ASA receives traffic on the secondary VLANs, it maps it to the primary VLAN.

Licensing for VLAN Subinterfaces

Model                          License Requirement
Firepower 1010                 Essentials License: 60
Firepower 1120                 Essentials License: 512
Firepower 1140, 1150           Essentials License: 1024
Secure Firewall 1210, 1220     Essentials License: 60
Secure Firewall 3100           Essentials License: 1024
Firepower 4100                 Essentials License: 1024
Secure Firewall 4200           Essentials License: 1024
Firepower 9300                 Essentials License: 1024
ASA Virtual                    Throughput capability:
                                 100 Mbps: 25
                                 1 Gbps: 50
                                 2 Gbps: 200
                                 10 Gbps: 1024
ISA 3000                       Essentials License: 5
                               Security Plus License: 100


Note: For an interface to count against the VLAN limit, you must assign a VLAN to it.


Guidelines and Limitations for VLAN Subinterfaces

Model Support

  • Firepower 1010 and Secure Firewall 1210/1220—VLAN subinterfaces are not supported on switch ports or VLAN interfaces.

  • For ASA models, you cannot configure subinterfaces on the Management interface. See Management Slot/Port Interface for subinterface support.

Additional Guidelines

  • Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface for EtherChannel links. Because the physical or EtherChannel interface must be enabled for the subinterface to pass traffic, ensure that the physical or EtherChannel interface does not pass traffic by not configuring a name for the interface. If you want to let the physical or EtherChannel interface pass untagged packets, you can configure the name as usual.

  • All subinterfaces on the same parent interface must be either bridge group members or routed interfaces; you cannot mix and match.

  • The ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected switch port to trunk unconditionally.

  • You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use the same burned-in MAC address as the parent interface. For example, your service provider might perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6 link-local addresses, which can avoid traffic disruption in certain instances on the ASA. You can automatically generate unique MAC addresses; see Automatically Assign MAC Addresses.
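The guidelines above are the kind of thing that is easy to get wrong in a large configuration and only noticed when untagged frames show up on a trunk. The following script is an added example, not Cisco's code and not part of ASDM or the ASA: it reads a running-config excerpt and reports a parent interface that still carries a nameif (and so passes untagged frames), a parent whose subinterfaces mix bridge-group members with routed interfaces, subinterfaces with no VLAN assigned, and VLAN IDs outside 1-4094. It also returns how many interfaces count against the VLAN license limit, which per the note above is only those with a VLAN assigned; counting each subinterface's primary VLAN once, and not its secondary VLANs, is an assumption of this script. The sample configuration is constructed for the example.

```python
"""Lint an ASA interface configuration against the VLAN subinterface guidelines.

Added example (not Cisco's code). The parser only understands the 'interface'
blocks and the handful of commands checked here.
"""
import re
from collections import defaultdict

# Constructed sample configuration (not from the page). GigabitEthernet0/1 is
# the recommended pattern: the parent has no nameif. GigabitEthernet0/2 shows
# the problems the guidelines warn about: the parent is named, its
# subinterfaces mix a bridge-group member with a routed interface, and one
# subinterface has no VLAN at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
  no nameif
  no security-level
  no ip address
  no shutdown
!
interface GigabitEthernet0/1.101
  vlan 101
  nameif inside
  security-level 100
  ip address 192.168.6.6 255.255.255.0
  no shutdown
!
interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 10.1.1.1 255.255.255.0
  no shutdown
!
interface GigabitEthernet0/2.10
  vlan 10 secondary 11 12
  bridge-group 1
  nameif bvi1_member
  security-level 50
  no shutdown
!
interface GigabitEthernet0/2.20
  vlan 20
  nameif routed20
  security-level 50
  ip address 10.2.2.1 255.255.255.0
  no shutdown
!
interface GigabitEthernet0/2.30
  nameif novlan
  security-level 50
  no shutdown
!
"""

# 'vlan <primary>' optionally followed by 'secondary <id> <id> ...'
VLAN_RE = re.compile(r"^vlan\s+(\d+)(?:\s+secondary\s+(.*))?$")


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} for each 'interface' block."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line and line != "!":
            blocks[current].append(line)
    return blocks


def lint_subinterfaces(config_text):
    """Return (findings, vlan_count).

    findings: list of human-readable problems.
    vlan_count: interfaces with a VLAN assigned, i.e. the ones that count
    against the VLAN license limit (assumption: one per primary VLAN).
    """
    blocks = parse_interfaces(config_text)
    findings = []
    vlan_count = 0
    children = defaultdict(list)
    for name in blocks:
        if "." in name:  # GigabitEthernet0/1.101 -> parent GigabitEthernet0/1
            children[name.rsplit(".", 1)[0]].append(name)

    for parent, subs in sorted(children.items()):
        if any(l.startswith("nameif ") for l in blocks.get(parent, [])):
            findings.append(f"{parent}: parent has a nameif, so it also passes untagged frames")
        modes = set()
        for sub in subs:
            lines = blocks[sub]
            modes.add("bridge" if any(l.startswith("bridge-group ") for l in lines) else "routed")
            match = None
            for l in lines:
                match = VLAN_RE.match(l)
                if match:
                    break
            if match is None:
                findings.append(f"{sub}: no VLAN assigned (does not count against the VLAN limit)")
                continue
            vlan_count += 1
            ids = [int(match.group(1))]
            if match.group(2):
                ids += [int(v) for v in match.group(2).split()]
            for vid in ids:
                if not 1 <= vid <= 4094:
                    findings.append(f"{sub}: VLAN ID {vid} is outside 1-4094")
        if len(modes) > 1:
            findings.append(f"{parent}: subinterfaces mix bridge-group members and routed interfaces")
    return findings, vlan_count


if __name__ == "__main__":
    problems, in_use = lint_subinterfaces(SAMPLE_CONFIG)
    print(f"{in_use} interface(s) count against the VLAN limit")
    for p in problems:
        print("-", p)
```

Compare the returned count against the limit for your model in the licensing table above; a subinterface that exists but has no vlan command is reported separately because it does not consume a VLAN from the license.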

Default Settings for VLAN Subinterfaces

This section lists default settings for interfaces if you do not have a factory default configuration.

Default State of Interfaces

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

  • Physical interfaces—Disabled.

  • VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

Configure VLAN Subinterfaces and 802.1Q Trunking

Add a VLAN subinterface to a physical or EtherChannel interface.

Before you begin

For multiple context mode, complete this procedure in the system execution space. If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.

Procedure


Step 1

Depending on your context mode:

  • For single mode, choose the Configuration > Device Setup > Interface Settings > Interfaces pane.

  • For multiple mode in the System execution space, choose the Configuration > Context Management > Interfaces pane.

Step 2

Choose Add > Interface.

The Add Interface dialog box appears.

Note: In single mode, this procedure only covers a subset of the parameters on the Edit Interface dialog box; to configure other parameters, see Routed and Transparent Mode Interfaces. Note that in multiple context mode, before you complete your interface configuration, you need to allocate interfaces to contexts. See Configure Multiple Contexts.

Step 3

From the Hardware Port drop-down list, choose the physical or port-channel interface to which you want to add the subinterface.

Step 4

If the interface is not already enabled, check the Enable Interface check box.

The interface is enabled by default.

Step 5

In the VLAN ID field, enter the VLAN ID between 1 and 4094.

Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

Step 6

In the Secondary VLAN ID field, enter one or more VLAN IDs separated by spaces, commas, or dashes (for a contiguous range).

When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

Step 7

In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293.

The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

Step 8

(Optional) In the Description field, enter a description for this interface.

The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 9

Click OK.

You return to the Interfaces pane.
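The fields entered in Steps 5 through 8 map directly onto the CLI lines shown in the examples that follow. The script below is an added example, not Cisco's code and not part of ASDM: it accepts the Secondary VLAN ID field syntax described in Step 6 (IDs separated by spaces, commas, or dashes for a contiguous range), checks every VLAN ID against 1-4094, the subinterface ID against 1-4294967293 and the description against the 240-character single-line limit, and renders the equivalent interface block. Rejecting a secondary VLAN that equals the primary VLAN, and rejecting a descending range such as 80-70, are this script's own choices rather than rules the page states.

```python
"""Validate Add Interface field values and render the equivalent CLI block.

Added example (not Cisco's code). Function names and the rendering format
are this example's own; the command syntax follows the examples on the page.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
SUBIF_MIN, SUBIF_MAX = 1, 4294967293
TOKEN_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # '71' or '75-77'


def parse_secondary_vlans(field):
    """Expand a Secondary VLAN ID field such as '71 72,75-77' into a sorted list."""
    ids = set()
    for token in re.split(r"[\s,]+", field.strip()):
        if not token:
            continue
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"bad secondary VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {token!r}")
        for vid in range(lo, hi + 1):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
            ids.add(vid)
    return sorted(ids)


def build_subinterface(hardware_port, subif_id, vlan_id, secondary="",
                       nameif=None, security_level=None, ip=None, mask=None,
                       description=None):
    """Return the CLI lines for one subinterface, validating each field first."""
    if not SUBIF_MIN <= subif_id <= SUBIF_MAX:
        raise ValueError(f"subinterface ID {subif_id} outside {SUBIF_MIN}-{SUBIF_MAX}")
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vlan_id} outside {VLAN_MIN}-{VLAN_MAX}")
    secondary_ids = parse_secondary_vlans(secondary)
    if vlan_id in secondary_ids:
        raise ValueError(f"primary VLAN {vlan_id} is also listed as secondary")
    if description is not None and (len(description) > 240 or "\n" in description):
        raise ValueError("description must be a single line of at most 240 characters")

    vlan_line = f"vlan {vlan_id}"
    if secondary_ids:
        vlan_line += " secondary " + " ".join(str(v) for v in secondary_ids)

    lines = [f"interface {hardware_port}.{subif_id}"]
    if description:
        lines.append(f"  description {description}")
    lines.append(f"  {vlan_line}")
    if nameif:
        lines.append(f"  nameif {nameif}")
    if security_level is not None:
        lines.append(f"  security-level {security_level}")
    if ip and mask:
        lines.append(f"  ip address {ip} {mask}")
    lines.append("  no shutdown")  # subinterfaces are enabled by default
    return lines


if __name__ == "__main__":
    # Reproduces the vlan_map1 subinterface from the examples section.
    print("\n".join(build_subinterface("GigabitEthernet1/1", 70, 70, "71 72",
                                       nameif="vlan_map1", security_level=50,
                                       ip="10.11.1.2", mask="255.255.255.0")))
```

The validation runs before any output is produced, so a typo such as a secondary VLAN of 4095 or a subinterface ID of 0 raises an error instead of producing a block that the ASA would reject or, worse, silently reinterpret.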


Examples for VLAN Subinterfaces

The following example configures parameters for a subinterface in single mode:


interface gigabitethernet 0/1
  no nameif
  no security-level
  no ip address
  no shutdown
interface gigabitethernet 0/1.1
  vlan 101
  nameif inside
  security-level 100
  ip address 192.168.6.6 255.255.255.0
  no shutdown

The following example shows how VLAN mapping works with the Catalyst 6500. Consult the Catalyst 6500 configuration guide for how to connect nodes to PVLANs.


ASA Configuration

interface GigabitEthernet1/1
  description Connected to Switch GigabitEthernet1/5
  no nameif
  no security-level
  no ip address
  no shutdown
!
interface GigabitEthernet1/1.70
  vlan 70 secondary 71 72
  nameif vlan_map1
  security-level 50
  ip address 10.11.1.2 255.255.255.0
  no shutdown
!
interface GigabitEthernet1/2
  nameif outside
  security-level 0
  ip address 172.16.171.31 255.255.255.0
  no shutdown

Catalyst 6500 Configuration

vlan 70
  private-vlan primary
  private-vlan association 71-72
!
vlan 71
  private-vlan community
!
vlan 72
  private-vlan isolated
!
interface GigabitEthernet1/5
  description Connected to ASA GigabitEthernet1/1
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 70-72
  switchport mode trunk
!

History for VLAN Subinterfaces

Table 1. History for VLAN Subinterfaces

Feature Name: Increased VLANs
Version: 7.0(5)
Feature Information: Increased the following limits:

  • ASA5510 Base license VLANs from 0 to 10.

  • ASA5510 Security Plus license VLANs from 10 to 25.

  • ASA5520 VLANs from 25 to 100.

  • ASA5540 VLANs from 100 to 200.

Feature Name: Increased VLANs
Version: 7.2(2)
Feature Information: VLAN limits were increased for the ASA 5510 (from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150), and the ASA 5550 (from 200 to 250).

Feature Name: Increased VLANs for the ASA 5580
Version: 8.1(2)
Feature Information: The number of VLANs supported on the ASA 5580 is increased from 100 to 250.

Feature Name: Support to map Secondary VLANs to a Primary VLAN
Version: 9.5(2)
Feature Information: You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps it to the primary VLAN.

We modified the following screens:

  • Configuration > Device Setup > Interface Settings > Interfaces

  • Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

Feature Name: Increased VLANs for the ISA 3000
Version: 9.13(1)
Feature Information: The maximum VLANs for the ISA 3000 with the Security Plus license increased from 25 to 100.