Creating sub-interfaces on Cisco ASA 5505.
I am trying to setup sub-interfaces on my Cisco ASA 5505 firewall, and when I try to create the subinterface, it tells me I cannot do so:
Firewall(config)# interface Ethernet0/7.1
^
ERROR: % Invalid input detected at '^' marker.
(The arrow is under the (e) for ethernet if it doesn't display properly here)
I think this may be due to the face that interface 0/7 is currently assigned to another VLAN in the GUI of the Cisco configuration. Both interface 0/1 and 0/7 are part of Vlan 1. However, when I try to remove interface 7 from the Vlan using the GUI, it will not remove, and when I hit apply it says "no changes have been made."
Any ideas on this?
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 74.94.82.28 255.255.255.248
ospf cost 10
!
interface Vlan12
nameif ifacevlan12
security-level 98
ip address 192.168.3.1 255.255.255.0
ospf cost 10
!
interface Vlan32
nameif ifacevlan32
security-level 99
ip address 192.168.5.1 255.255.255.0
ospf cost 10
!
interface Vlan42
nameif ifacevlan42
security-level 99
ip address 192.168.7.1 255.255.255.0
ospf cost 10
!
interface Vlan72
nameif ifacevlan72
security-level 99
ip address 192.168.4.1 255.255.255.0
ospf cost 10
!
interface Vlan82
nameif ifacevlan82
security-level 99
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 42
!
interface Ethernet0/4
switchport access vlan 32
!
interface Ethernet0/5
switchport access vlan 72
!
interface Ethernet0/6
switchport access vlan 82
!
interface Ethernet0/7
!
Firewall(config)# interface Ethernet0/7.1
^
ERROR: % Invalid input detected at '^' marker.
(The arrow is under the (e) for ethernet if it doesn't display properly here)
I think this may be due to the face that interface 0/7 is currently assigned to another VLAN in the GUI of the Cisco configuration. Both interface 0/1 and 0/7 are part of Vlan 1. However, when I try to remove interface 7 from the Vlan using the GUI, it will not remove, and when I hit apply it says "no changes have been made."
Any ideas on this?
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 74.94.82.28 255.255.255.248
ospf cost 10
!
interface Vlan12
nameif ifacevlan12
security-level 98
ip address 192.168.3.1 255.255.255.0
ospf cost 10
!
interface Vlan32
nameif ifacevlan32
security-level 99
ip address 192.168.5.1 255.255.255.0
ospf cost 10
!
interface Vlan42
nameif ifacevlan42
security-level 99
ip address 192.168.7.1 255.255.255.0
ospf cost 10
!
interface Vlan72
nameif ifacevlan72
security-level 99
ip address 192.168.4.1 255.255.255.0
ospf cost 10
!
interface Vlan82
nameif ifacevlan82
security-level 99
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 42
!
interface Ethernet0/4
switchport access vlan 32
!
interface Ethernet0/5
switchport access vlan 72
!
interface Ethernet0/6
switchport access vlan 82
!
interface Ethernet0/7
!
Jody Lemoine
According to your configuration, interface Ethernet0/7 has been removed from the VLAN and is currently a member of VLAN1. Ethernet interfaces on the ASA5505 are switch interfaces, so sub-interfaces aren't possible in the sense that you seem to be using. What is it you're trying to accomplish with the sub-interface? Perhaps I can assist in going about it in a way that the ASA will be more amenable to.
Hi,
you able to do that but, the ethernet ports are switcports,,,
so
int eth 0/7
switchport mode trunk
you able to do that but, the ethernet ports are switcports,,,
so
int eth 0/7
switchport mode trunk
ASKER
I tried switching the mode to trunk and I ge the same error, although the GUI says that port is now free to use.
We currently have a company connected to each port on the 5505, and they all get their own vlan so we can monitor bandwidth usage by company and vlan. We ran out of physical ports on the back of the 5505 but we will still be connecting more companies to our firewall and we would like to be able to assosciate a vlan for each company. Is this possible with sub-interfaces, or is this not even doable?
We currently have a company connected to each port on the 5505, and they all get their own vlan so we can monitor bandwidth usage by company and vlan. We ran out of physical ports on the back of the 5505 but we will still be connecting more companies to our firewall and we would like to be able to assosciate a vlan for each company. Is this possible with sub-interfaces, or is this not even doable?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So a 3Com 3300 MM managed switch should be able to use the VLAN trunking on the ASA 5505?
As long as the 3300MM supports carrying multiple tagged VLANs over an 802.1Q trunked interface and separating that traffic out to respective VLANs, yes.