
In relation to another question on this forum, Moving interface names on a Cisco ASA while maintaining the rest of the configuration in place, I modified the startup-config on my Cisco ASA 5525-X from...

!    
interface GigabitEthernet0/0    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/1    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/2    
 channel-group 2 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/3    
 channel-group 2 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/4    
 channel-group 3 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/5    
 channel-group 3 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/6    
 description LAN Failover Interface    
!    
interface GigabitEthernet0/7    
 description STATE Failover Interface    
!    
interface Management0/0    
 management-only    
 nameif management    
 security-level 75    
 no ip address    
!    
interface Port-channel1    
 lacp max-bundle 8    
 nameif outside    
 security-level 0    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel2    
 lacp max-bundle 8    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel3    
 lacp max-bundle 8    
 nameif inside    
 security-level 100    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    

to...

!    
interface GigabitEthernet0/0    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/1    
 channel-group 1 mode active    
 no nameif    
 no security-level    
 no ip address    
!    
interface GigabitEthernet0/2    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/3    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/4    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/5    
 no nameif    
 no security-level    
 no ip address    
 shutdown    
!    
interface GigabitEthernet0/6    
 description LAN Failover Interface    
!    
interface GigabitEthernet0/7    
 description STATE Failover Interface    
!    
interface Port-channel1    
 lacp max-bundle 8    
 nameif outside    
 security-level 0    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx     
!    
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    
interface Port-channel1.40    
 nameif inside    
 security-level 100    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 40    
!    

After reloading the ASAs, the sub-interfaces were created successfully. However, whereas my config file specified names for the sub-interfaces, the running config displayed a no nameif directive and all of the corresponding configuration elements had been removed.

After some research, I believe my problem lies in the ordering of commands within my startup-config. For example:

! WRONG
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    

Should have been...

! CORRECT
interface Port-channel1.60    
 vlan 60
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
!    

Is the ordering of commands my problem or am I missing something else - such as an inherent limitation of the 5525-X?

I'm running ASA version 9.3(2).

Matthew Johnson
  • This should be easy enough to test if you have access to any ASA. You can create a mock Port-Channel sub interface and see whether it takes the command in the order you had in mind. – Eddie Jun 03 '15 at 14:42
  • I did as you suggested originally, but experienced a different outcome when loading from a file edited offline. Of course, this might be due to an error on my part. The primary reason I asked here is that I'm not in a great position to test again. I'm also interested in the second part of the questions: "or am I missing something else - such as an inherent limitation of the 5525-X?" – Matthew Johnson Jun 03 '15 at 15:31

1 Answer


There is no inherent limitation regarding the use of sub-interfaces on an ASA 5525-X except for the overall limitation on the number of interfaces allowed. According to page 10-10 of the document, "Cisco ASA Series General Operations CLI Configuration Guide", the base license for the ASA 5525-X allows for a combined sum of 1,316 interfaces across all types - VLANs, physical, redundant, bridge groups, EtherChannel, etc.

The problem I encountered was the result of command ordering, as suspected:

! WRONG
interface Port-channel1.60    
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
 vlan 60    
!    

Should have been...

! CORRECT
interface Port-channel1.60    
 vlan 60
 nameif DMZ    
 security-level 50    
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx standby xxx.xxx.xxx.xxx    
!
Matthew Johnson
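The question and answer both come down to one rule for sub-interface stanzas edited offline: `vlan` must appear before `nameif`, otherwise the ASA rejects `nameif` at boot and silently drops the dependent lines (`security-level`, `ip address`) with it. The following script is an added example, not code from the question or answer: a small linter and fixer that parses a startup-config in the plain-text form shown above, flags every sub-interface whose `nameif` is not preceded by `vlan`, and rewrites the file with `vlan` hoisted to the top of each sub-interface stanza. The sample config embedded in it is constructed from the thread's "WRONG" and "CORRECT" fragments with RFC 5737 documentation addresses in place of the masked ones; the function names are the example's own.

```python
import re

# Constructed sample modelled on the thread's fragments: Port-channel1.60 is in the
# "WRONG" order (vlan last), Port-channel1.40 is already in the "CORRECT" order.
# Addresses are RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
!
interface Port-channel1
 lacp max-bundle 8
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Port-channel1.60
 nameif DMZ
 security-level 50
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 vlan 60
!
interface Port-channel1.40
 vlan 40
 nameif inside
 security-level 100
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_stanzas(config_text):
    """Split an ASA config into (name, body_lines) tuples.

    Each 'interface X' line opens a stanza whose body is the run of indented
    lines that follows it. Any other line (e.g. the '!' separators) is kept as
    (None, [line]) so the file can be rebuilt in its original order.
    """
    stanzas = []
    current = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = (m.group(1), [])
            stanzas.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line)
        else:
            current = None
            stanzas.append((None, [line]))
    return stanzas


def is_subinterface(name):
    """ASA sub-interfaces are named parent.N, e.g. Port-channel1.60 or GigabitEthernet0/0.10."""
    return name is not None and "." in name


def find_ordering_errors(config_text):
    """Return the names of sub-interfaces whose 'nameif' is not preceded by a 'vlan' line.

    A sub-interface with no 'vlan' line at all is reported too, since its
    'nameif' would be rejected for the same reason.
    """
    bad = []
    for name, body in parse_stanzas(config_text):
        if not is_subinterface(name):
            continue
        seen_vlan = False
        for line in body:
            cmd = line.strip()
            if cmd.startswith("vlan "):
                seen_vlan = True
            elif cmd.startswith("nameif ") and not seen_vlan:
                bad.append(name)
                break
    return bad


def fix_ordering(config_text):
    """Rebuild the config with every sub-interface's 'vlan' line moved to the top of its stanza.

    Physical and port-channel parent interfaces are passed through untouched;
    the relative order of all other lines inside a stanza is preserved.
    """
    out = []
    for name, body in parse_stanzas(config_text):
        if name is None:
            out.extend(body)
            continue
        out.append(f"interface {name}")
        if is_subinterface(name):
            vlan_lines = [l for l in body if l.strip().startswith("vlan ")]
            rest = [l for l in body if not l.strip().startswith("vlan ")]
            body = vlan_lines + rest
        out.extend(body)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("sub-interfaces with nameif before vlan:", find_ordering_errors(SAMPLE_CONFIG))
    print(fix_ordering(SAMPLE_CONFIG))
```

Run it over a config exported with `show startup-config` (or `more system:startup-config`) before copying the edited file back; `find_ordering_errors` returning an empty list is the pre-reload check the original poster was not in a position to make. The fixer is idempotent, so running it on an already-correct file changes nothing.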