Cisco ASA VLANs and Sub-Interfaces

Each interface on a Cisco ASA firewall is a security zone so normally this means that the number of security zones is limited to the number of physical interfaces that we have. For example, the ASA 5510 has 4 physical interfaces and often you will only see the following three security zones:

  • Inside
  • Outside
  • DMZ

For a simple scenario this is more than enough but sometimes it’s useful to create additional security zones. For example, maybe you don’t want one “big” DMZ with all your servers but more separation. You could create a security zone with all your mail servers, another one with all the DNS servers and one more with all web servers. This is a good security practice but we’ll need more interfaces to accomplish this.

Luckily the ASA supports trunking and logical interfaces which means we can create multiple logical sub-interfaces on a single physical interface. Each sub-interface can be assigned to a different security zone and they are separated by VLANs.

This means you can create way more than 4 security zones, depending on your ASA model you can create up to 1024 VLANs.

The physical interface on the ASA will become a trunk interface which is not assigned to any security zone. Each sub-interface will be configured for a VLAN, security zone and security level.

Here’s a picture to visualize this:

ASA Trunk Physical Sub Interfaces

In the example above we have a Ethernet 0/0 physical interface and two sub-interfaces:

  • Ethernet 0/0.10 will be used for security zone “INSIDE1” and uses VLAN 10.
  • Ethernet 0/0.20 will be used for security zone “INSIDE2” and uses VLAN 20.
  • The physical interface is not configured for any security zone.

Basically this is the same thing as the router on a stick configuration on Cisco IOS routers but on the ASA we also have security zones.


Let’s take a look at a configuration example for this. I’ll use the following topology:

Cisco ASA Trunk Switch Routers

On the left side we have our ASA, it’s Ethernet 0/0 interface will be used for trunking. The switch in the middle is connected to two routers, R1 and R2. Each router represents a host in a different security zone:

  • INSIDE1 which uses VLAN 10 and has a security level of 70.
  • INSIDE2 which uses VLAN 20 and has a security level of 80.

Let’s start with the ASA configuration…

ASA Configuration

ASA1(config)# interface Ethernet 0/0
ASA1(config-if)# no nameif
ASA1(config-if)# no security-level 
ASA1(config-if)# no ip address 
ASA1(config-if)# no shutdown

The configuration above is the default configuration for an interface on the ASA, there should be no security zone, no security-level and no IP address. Make sure the interface is not in shutdown and we can continue with the sub-interfaces:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

507 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Regina,

    The configuration on the Cisco switch is pretty straightforward. The interface connected to the router has to be a trunk:

    interface fa0/24
    description LINK_TO_ROUTER
    switchport mode trunk

    And the interfaces that connect to the host are regular access ports:

    interface fa0/1

    description HOST_IN_VLAN_10
    switchport mode access
    switchport access vlan 10

    You don’t need to use VLAN SVIs…a layer 2 switch uses the SVI only for management purposes. A layer 3 switch uses a SVI per VLAN which hosts can use as default gateway (in that case you don’t need a

    ... Continue reading in our forum

  2. Hi Rene/Moderators,

    What happens if I do not configure the sub interfaces?
    Would only intervlan routing be affected?
    What if they are on the same vlan?

  3. Hello Ian

    If you don’t configure subinterfaces on the router, then no tagged traffic will enter the interface. The switch is set up to send frames to the router using dot1q encapsulation. This is where the VLAN number of each specific frame is added to the header as a tag. When the router receives these frames, it will drop them because they include a tag. By adding subinterfaces and the appropriate dot1q encapsulation, you are allowing the router to be able to receive tagged frames and to allow them to egress on the appropriate subinterface.

    If communicati

    ... Continue reading in our forum

  4. Hi if any rate limit configuration needs to be done on the interface we should do in interface level or sub interface level

  5. Question. I see you created sub-interfaces on the routers 0/0 interface. I understand that. But what if you did not use sub-interfaces. What if instead you assigned Router Fa0/0 to ip address and you assigned Router interface fa0/1 to ip address So two connected routes (2 separate IP addresses) on the router connected to the same single switch (switch is divided into VLAN 10 and VLAN 20). Would that work?

30 more replies! Ask a question or join the discussion by visiting our Community Forum