Cisco ASA – Startup-Config Command Ordering for Sub-Interfaces

Tags: cisco-asa, interface

In relation to another question on this forum, Moving interface names on a Cisco ASA while maintaining the rest of the configuration in place, I modified the startup-config on my Cisco ASA 5525-X from…

!    
interface GigabitEthernet0/0    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/1    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/2    
 channel-group 2 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/3    
 channel-group 2 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/4    
 channel-group 3 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/5    
 channel-group 3 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/6    
 description LAN Failover Interface    
!    
interface GigabitEthernet0/7    
 description STATE Failover Interface    
!    
interface Management0/0    
 management-only    
 nameif management    
 security-level 75    
 no ip address    
!    
interface Port-channel1    
 lacp max-bundle 8    
 nameif outside    
 security-level 0    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel2    
 lacp max-bundle 8    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel3    
 lacp max-bundle 8    
 nameif inside    
 security-level 100    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    

to…

!    
interface GigabitEthernet0/0    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/1    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/2    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/3    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/4    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/5    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/6    
 description LAN Failover Interface    
!    
interface GigabitEthernet0/7    
 description STATE Failover Interface    
!    
interface Port-channel1    
 lacp max-bundle 8    
 nameif outside    
 security-level 0    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    
interface Port-channel1.40    
 nameif inside    
 security-level 100    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 40    
!    

After reloading the ASAs, the sub-interfaces were created successfully. However, whereas my config file specified names for the sub-interfaces, the running config displayed a no nameif directive and all of the corresponding configuration elements had been removed.

After some research, I believe my problem lies in the ordering of commands within my startup-config. For example:

! WRONG
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    

Should have been…

! CORRECT
interface Port-channel1.60    
 vlan 60
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
!    

Is the ordering of commands my problem or am I missing something else – such as an inherent limitation of the 5525-X?

I'm running ASA version 9.3(2).

Best Answer

There is no inherent limitation regarding the use of sub-interfaces on an ASA 5525-X except for the overall limitation on the number of interfaces allowed. According to page 10-10 of the document, "Cisco ASA Series General Operations CLI Configuration Guide", the base license for the ASA 5525-X allows for a combined sum of 1,316 interfaces across all types - VLANs, physical, redundant, bridge groups, EtherChannel, etc.

The problem I encountered was the result of command ordering, as suspected:

! WRONG
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    

Should have been…

! CORRECT
interface Port-channel1.60    
 vlan 60
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
!
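Added example (not part of the question or the answer above): a Python pre-flight check that parses startup-config interface stanzas, flags sub-interfaces where vlan does not come before nameif, security-level or ip address, and rewrites them in the order the answer describes, so the problem is caught before a reload instead of after. The function names are mine, and the embedded sample config is constructed from the question's DMZ stanza with RFC 5737 addresses in place of the masked ones.

```python
# Constructed sample (RFC 5737 addresses): the mis-ordered DMZ stanza beside a correct one.
SAMPLE_CONFIG = """\
interface Port-channel1.60
 nameif DMZ
 security-level 50
 ip address 192.0.2.17 255.255.255.240 standby 192.0.2.18
 vlan 60
!
interface Port-channel1.40
 vlan 40
 nameif inside
 security-level 100
 ip address 192.0.2.33 255.255.255.240 standby 192.0.2.34
!
"""
# Commands the ASA discards from a sub-interface that has no VLAN tag yet.
VLAN_DEPENDENT = ("nameif", "security-level", "ip address")


def stanzas(config):
    """Split config into (interface name or None, [raw lines]) chunks, in order."""
    chunks, name, body = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            chunks.append((name, body))
            name, body = (None if line == "!" else line.split(None, 1)[1]), [raw]
        else:
            body.append(raw)
    chunks.append((name, body))
    return chunks


def misordered_subinterfaces(config):
    """Sub-interfaces (dotted names) whose 'vlan' line is missing or follows a
    VLAN-dependent command: after a reload they come up with 'no nameif'."""
    bad = []
    for name, body in stanzas(config):
        if name and "." in name:
            cmds = [l.strip() for l in body[1:]]
            vlan = next((i for i, c in enumerate(cmds) if c.startswith("vlan ")), None)
            deps = [i for i, c in enumerate(cmds) if c.startswith(VLAN_DEPENDENT)]
            if deps and (vlan is None or vlan > min(deps)):
                bad.append(name)
    return bad


def reorder_subinterfaces(config):
    """Return config with 'vlan' hoisted to the top of every sub-interface stanza."""
    out = []
    for name, body in stanzas(config):
        if name and "." in name:  # stable sort: vlan line first, others keep their order
            body = body[:1] + sorted(body[1:], key=lambda l: not l.strip().startswith("vlan "))
        out += body
    return "\n".join(out) + "\n"
```

Run misordered_subinterfaces against the startup-config text before copying it to the device; an empty list means every sub-interface stanza already has vlan first.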