VLAN Subinterfaces

This chapter tells how to configure VLAN subinterfaces.

Note For multiple context mode, complete all tasks in this section in the system execution space. If you are not
already in the system execution space, in the Configuration > Device List pane, double-click System under
the active device IP address.

• About VLAN Subinterfaces, on page 1

• Licensing for VLAN Subinterfaces, on page 1
• Guidelines and Limitations for VLAN Subinterfaces, on page 2
• Default Settings for VLAN Subinterfaces, on page 3
• Configure VLAN Subinterfaces and 802.1Q Trunking, on page 3
• Examples for VLAN Subinterfaces, on page 4
• History for VLAN Subinterfaces, on page 5

About VLAN Subinterfaces

VLAN subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical
interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is
automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given
physical interface, you can increase the number of interfaces available to your network without adding
additional physical interfaces or ASAs. This feature is particularly useful in multiple context mode so that
you can assign unique interfaces to each context.

Licensing for VLAN Subinterfaces

Model License Requirement

Firepower 9300 Standard License: 1024

ASAv5 Standard License: 25

ASAv10 Standard License: 50

VLAN Subinterfaces
1
 VLAN Subinterfaces
Guidelines and Limitations for VLAN Subinterfaces

Model License Requirement

ASAv30 Standard License: 200

ASA 5506-X Base License: 5

ASA 5506W-X Security Plus License: 30
ASA 5506H-X

ASA 5508-X Base License: 50

ASA 5512-X Base License: 50

Security Plus License: 100

ASA 5515-X Base License: 100

ASA 5516-X Base License: 50

ASA 5525-X Base License: 200

ASA 5545-X Base License: 300

ASA 5555-X Base License: 500

ASA 5585-X Base and Security Plus License: 1024

ASASM No support.

ISA 3000 Base License: 5

Security Plus License: 25

Note For an interface to count against the VLAN limit, you must assign a VLAN to it.

Guidelines and Limitations for VLAN Subinterfaces

Model Support
• ASASM—VLAN subinterfaces are not supported on the ASASM; ASASM interfaces are already VLAN
interfaces assigned from the switch.
• For most ASA models, you cannot configure subinterfaces on the Management interface. See Management
Slot/Port Interface for subinterface support.

Additional Guidelines
• Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not
also want the physical interface to pass traffic, because the physical interface passes untagged packets.
This property is also true for the active physical interface in a redundant interface pair and for EtherChannel

VLAN Subinterfaces
2
 VLAN Subinterfaces
Default Settings for VLAN Subinterfaces

links. Because the physical, redundant, or EtherChannel interface must be enabled for the subinterface
to pass traffic, ensure that the physical, redundant, or EtherChannel interface does not pass traffic by not
configuring a name for the interface. If you want to let the physical, redundant, or EtherChannel interface
pass untagged packets, you can configure the name as usual.
• The ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected
switch port to trunk unconditionally.
• You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use
the same burned-in MAC address of the parent interface. For example, your service provider might
perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated
based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6
link-local addresses, which can avoid traffic disruption in certain instances on the ASA.

Default Settings for VLAN Subinterfaces

This section lists default settings for interfaces if you do not have a factory default configuration.

Default State of Interfaces

The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the
interface is in the system execution space. However, for traffic to pass through the interface, the interface also
has to be enabled in the system execution space. If you shut down an interface in the system execution space,
then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
• Physical interfaces—Disabled.
• VLAN subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical
interface must also be enabled.

Configure VLAN Subinterfaces and 802.1Q Trunking

Add a VLAN subinterface to a physical, redundant, or EtherChannel interface.

Before you begin

For multiple context mode, complete this procedure in the system execution space. If you are not already in
the System configuration mode, in the Configuration > Device List pane, double-click System under the
active device IP address.

Procedure

Step 1 Depending on your context mode:

• For single mode, choose the Configuration > Device Setup > Interface Settings > Interfaces pane.

VLAN Subinterfaces
3
 VLAN Subinterfaces
Examples for VLAN Subinterfaces

• For multiple mode in the System execution space, choose the Configuration > Context Management
> Interfaces pane.

Step 2 Choose Add > Interface.

The Add Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit Interface dialog
box; to configure other parameters, see Routed and Transparent Mode Interfaces. Note that in
multiple context mode, before you complete your interface configuration, you need to allocate
interfaces to contexts. See Configure Multiple Contexts.

Step 3 From the Hardware Port drop-down list, choose the physical, redundant, or port-channel interface to which
you want to add the subinterface.
Step 4 If the interface is not already enabled, check the Enable Interface check box.
The interface is enabled by default.

Step 5 In the VLAN ID field, enter the VLAN ID between 1 and 4094.
Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more
information. For multiple context mode, you can only set the VLAN in the system configuration.

Step 6 In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293.
The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

Step 7 (Optional) In the Description field, enter a description for this interface.
The description can be up to 240 characters on a single line, without carriage returns. For multiple context
mode, the system description is independent of the context description. In the case of a failover or state link,
the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover
Interface,” for example. You cannot edit this description. The fixed description overwrites any description
you enter here if you make this interface a failover or state link.

Step 8 Click OK.

You return to the Interfaces pane.

Related Topics
Licensing for VLAN Subinterfaces, on page 1

Examples for VLAN Subinterfaces

The following example configures parameters for a subinterface in single mode:

interface gigabitethernet 0/1

no nameif
no security-level
no ip address
no shutdown
interface gigabitethernet 0/1.1
vlan 101
nameif inside

VLAN Subinterfaces
4
 VLAN Subinterfaces
History for VLAN Subinterfaces

security-level 100
ip address 192.168.6.6 255.255.255.0
no shutdown

History for VLAN Subinterfaces

Table 1: History for VLAN Subinterfaces

Feature Name Version Feature Information

Increased VLANs 7.0(5) Increased the following limits:

• ASA5510 Base license VLANs from 0 to 10.
• ASA5510 Security Plus license VLANs from 10 to 25.
• ASA5520 VLANs from 25 to 100.
• ASA5540 VLANs from 100 to 200.

Increased VLANs 7.2(2) VLAN limits were increased for the ASA 5510 (from 10 to 50 for the Base license,
and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150),
the ASA 5550 (from 200 to 250).

Increased VLANs for the ASA 5580 8.1(2) The number of VLANs supported on the ASA 5580 are increased from 100 to 250.

VLAN Subinterfaces
5
 VLAN Subinterfaces
History for VLAN Subinterfaces

VLAN Subinterfaces
6