Home > Articles > Cisco Certification > CCNP > CCNP Security Firewall Cert Guide: Configuring ASA Interfaces

CCNP Security Firewall Cert Guide: Configuring ASA Interfaces

Chapter Description

This chapter covers the following topics from the 642-618 exam objectives: Configuring Physical Interfaces, Configuring VLAN Interfaces, Configuring Interface Security Parameters, Configuring the Interface MTU, and Verifying Interface Operation.

Configuring VLAN Interfaces

keytopic.jpg

A physical ASA interface can be configured to connect to multiple logical networks. To do this, the interface is configured to operate as a VLAN trunk link. On ASA 5510 and higher platforms, each VLAN that is carried over the trunk link terminates on a unique subinterface of a physical interface. On an ASA 5505, each VLAN is defined by a unique VLAN interface and can connect to physical interfaces and be carried over a VLAN trunk link.

VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms

An ASA trunk link supports only the IEEE 802.1Q trunk encapsulation method. As each packet is sent over a trunk link, it is tagged with its source VLAN number. As packets are removed from the trunk, the tag is examined and removed so that the packets can be forwarded to their appropriate VLANs. Figure 3-11 shows how a trunk link between an ASA and a switch can encapsulate or carry frames from multiple VLANs.

Figure 3-11

Figure 3-11. IEEE 802.1Q Trunk Link Operation with an ASA

IEEE 802.1Q trunk links support the concept of a native VLAN. Frames coming from the native VLAN are sent over the trunk link without a tag, while frames from other VLANs have a tag added while in the trunk. By default, only packets that are sent out the ASA’s physical interface itself are not tagged, and they appear to use the trunk’s native VLAN. Packets that are sent out a subinterface do receive a VLAN tag.

You can configure a trunk link by using the following configuration commands:

ciscoasa(config)# interface hardware_id.subinterface
ciscoasa(config-subif)# vlan vlan_id

First, use the interface command to identify the physical interface that will become a trunk link and the subinterface that will be associated with a VLAN number. The physical interface is given as hardware_id, such as Ethernet0/3, followed by a dot or period. A subinterface number is added to the physical interface name to create the logical VLAN interface. This is an arbitrary number that must be unique for each logical interface.

Use the vlan vlan_id subinterface configuration command to specify the VLAN number. The subinterface number does not have to match the VLAN number, although it can for convenience and readability.

As an example, Figure 3-12 shows a network diagram of a trunk link between an ASA and a switch. ASA physical interface Ethernet0/3 is used as the trunk link. VLAN 10 is carried over ASA subinterface Ethernet0/3.1, while VLAN 20 is carried over Ethernet0/3.2. The trunk link can be configured with the commands listed in Example 3-9.

Figure 3-12

Figure 3-12. Network Diagram for Example 3-9 Trunk Link Configuration

Example 3-9. Configuring a Trunk Link on an ASA

ciscoasa(config)# interface ethernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/3.1
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# no shutdown
ciscoasa(config-subif)# interface ethernet0/3.2
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# no shutdown

The same trunk link configuration can be accomplished with ASDM. Subinterfaces used in a trunk link must first be added or created. In the interface list view, select the Add > Interface function in the upper-right corner of the ASDM application. Select the hardware port or physical interface that will be used for the trunk link. In Figure 3-13, Ethernet0/3 is used. Because subinterface Ethernet0/3.1 is being created, the subinterface ID is set to 1. The VLAN ID is set to 10.

Figure 3-13

Figure 3-13. Configuring a Trunk Link in ASDM

VLAN Interfaces and Trunks on an ASA 5505

keytopic.jpg

On an ASA 5505, VLANs are supported on the physical interfaces, but only if corresponding logical VLAN interfaces are configured. For example, if VLAN 1 is to be used, the interface vlan 1 command must be entered to create the internal VLAN and the VLAN interface.

By default, the ASA 5505 platform includes the interface vlan 1 and interface vlan 2 commands in its configuration.

Other parameters, such as the interface name, security level, and IP address, should be configured on VLAN interfaces rather than on physical interfaces. These are discussed in the section, “Configuring Interface Security Parameters.”

If you need to carry multiple VLANs over a link to a neighboring switch, you can configure an ASA 5505 physical interface as a VLAN trunk link. First, create the individual VLANs with the interface vlan vlan-id configuration command. Then, configure the physical interface to operate in IEEE 802.1Q trunk mode and allow specific VLANs to be carried over it with the following interface configuration commands:

ciscoasa(config-if)# switchport mode trunk
ciscoasa(config-if)# switchport trunk allowed vlan vlan-list

By default, no VLANs are permitted to be carried over a trunk link. You must identify which VLANs can be carried by entering vlan-list, which is a comma-separated list of VLAN numbers. In Example 3-10, an ASA 5505 is configured to support VLANs 10 and 20 and carry those VLANs over interface Ethernet0/5, which is configured as a trunk link.

Example 3-10. ASA VLAN CLI Configuration

ciscoasa(config)# interface vlan 10
ciscoasa(config-if)# exit
ciscoasa(config)# interface vlan 20
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet0/5
ciscoasa(config-if)# switchport mode trunk
ciscoasa(config-if)# switchport trunk allowed vlan 10,20
5. Configuring Interface Security Parameters | Next Section Previous Section