ASAv 9.7 Vlans

Paul Grates
Level 1

Hi,

I'm trying to set up my lab ASAv (Cisco Adaptive Security Appliance Software Version 9.7(1)8) but I got stuck. When I try to create a VLAN I get this:

firewall# conf t
firewall(config)# interface vlan 100
                             ^
ERROR: % Invalid input detected at '^' marker.
firewall(config)# interface ?

configure mode commands/options:
  BVI              Bridge-Group Virtual Interface
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Redundant        Redundant Interface
  Tunnel           Tunnel interface
  vni              VNI Interface
  <cr>

However, on my old ASA 5505 (Cisco Adaptive Security Appliance Software Version 9.2(4)27):

firewall# conf t
firewall(config)# interface ?

configure mode commands/options:
  Ethernet  IEEE 802.3
  Vlan      Catalyst Vlans
  <cr>

My question is: how do you create VLANs on ASAv 9.7?

Thanks

2 Replies

Mark DeLong
Level 4

The ASA 5505 was the only ASA model that supported VLAN interfaces. This is because it was the only ASA model that used an 8-port switch fabric for port connectivity. All other ASA physical models had routed ports (like a Cisco router), and the ASAv uses the same methodology even though it is virtual.

So, like a router, you create sub-interfaces to terminate multiple VLANs on a physical port:

interface G0/0
 no shut
interface G0/0.100
 vlan 100
 nameif inside
 ip address 10.10.10.1 255.255.255.0
interface G0/0.200
 vlan 200
 nameif outside
 ip address 10.20.20.1 255.255.255.0

Note: A Cisco router uses a different command to assign the VLAN to a sub-interface. ASA just uses "vlan X". Simpler, I think.

You can see documentation for ASAv interfacing here: CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.2 - Basic Interface Configuration (ASAv) [Cis…

That all said, most people don't use sub-interfaces on the ASAv. Usually you would just create a VMware port group assigned to a different VLAN for each interface you want to make on the ASA. Assign a VLAN to that port group and then assign that port group to your ASAv interfaces under the "Edit Settings" section of the VM in your VMware inventory. There's an example of my ASAv's VMware settings attached. It's important to note that "Network Adapter 1" in VMware is the Management interface on the ASAv. The rest of the interfaces go in order: "Network Adapter 2" = G0/0, and so on. The document above shows this mapping too for your reference. So my first interface (Network Adapter 1) is set up on a port group for VLAN 200 (which is assigned to VLAN 200 in my vSwitch) as that is my management VLAN. The next two are my inside and outside VLANs for this ASAv. The last two are assigned to some unused VLAN because I'm not using those interfaces in this ASAv. Also, in ASAv you can add up to like 8 interfaces total, I think. So you can add more adapters if you need them. Hence most people probably don't use sub-interfaces... that, and ASAvs tend not to need as many interfaces as some other firewalls do.

One last note: if you still want to create sub-interfaces on the ASAv, then when you create your port group, instead of assigning it a VLAN tag you will need to select "All (4095)" under VLAN so the port group can handle more than one VLAN. Also, if you want these VLANs to access a physical network outside of VMware, then the physical port going into this vSwitch will of course need to be a trunk to a switch.

Hope that helps!

Thanks!

Mark
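A small config audit for the sub-interface layout described in the reply above, added here as an example and not part of the original thread. It parses ASA-style interface stanzas from a constructed sample config (the reply's G0/0 sub-interfaces with a security-level added, plus a deliberately incomplete G0/0.300) and flags sub-interfaces that are missing a VLAN tag, nameif or security-level, or whose parent interface is shut down.

```python
import re
# Added example (not from the thread). Constructed sample config based on the
# reply's G0/0 sub-interfaces, with security-level added and a deliberately
# incomplete G0/0.300 (no vlan/nameif/security-level) to exercise the checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif outside
 security-level 0
 ip address 10.20.20.1 255.255.255.0
interface GigabitEthernet0/0.300
 ip address 10.30.30.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface_name: {first_word: rest}} for each 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            continue  # not inside an interface stanza
        key, _, value = line.strip().partition(" ")
        current[key] = value  # e.g. {"vlan": "100", "nameif": "inside"}
    return stanzas

def audit_subinterfaces(config):
    """Flag sub-interfaces lacking vlan/nameif/security-level or with a shut parent."""
    stanzas = parse_interfaces(config)
    problems = []
    for name, fields in stanzas.items():
        if "." not in name:
            continue  # physical interface, not a sub-interface
        parent = name.split(".")[0]
        for required in ("vlan", "nameif", "security-level"):
            if required not in fields:
                problems.append(f"{name}: missing '{required}'")
        if "shutdown" in stanzas.get(parent, {}):
            problems.append(f"{name}: parent {parent} is shut down")
    return problems
```

Feed it the output of "show running-config interface" to check a real box; the parser only reads the first word of each indented line, so it is deliberately forgiving of extra per-interface commands.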

You most certainly want to create sub-interfaces on your ASAv if you are doing VPN and want to use VLAN-allow policies.