45-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter45 Managing Firewall Devices
Configuring Firewall Device Interfaces
Configuring Subinterfaces (PIX/ASA)
Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with
different VLAN IDs. Because VLANs keep traffic separate on a given physical interface, you can
increase the number of interfaces available to your network without adding additional physical interfaces
or security appliances. This feature is particularly useful in multiple-context mode, letting you assign
unique interfaces to each context.
Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, as the
physical interface passes untagged packets. Because the physical interface must be enabled for the
subinterface to pass traffic, do not name the physical interface to ensure it does not pass traffic. However,
if you do want to let the physical interface pass untagged packets, you can name the interface as usual.
Note This option is available only on PIX 7.0+ and non-5505 ASA devices.
Defining Subinterfaces
Follow these steps to configure a subinterface in the Add/Edit Interface (ASA/PIX 7.0+) dialog box,
which is accessed from the device Interfaces page (see Managing Device Interfaces, Hardware Ports, and
Bridge Groups, page 45-14).
1. Choose Subinterface as the interface Type in the Add/Edit Interface dialog box.
The VLAN ID and Subinterface ID fields appear below the Hardware Port, Name and Security Level
fields.
2. Choose the desired Hardware Port from the list of previously defined interface ports. If you do not
see the desired port, be sure that the physical interface is defined and enabled.
3. VLAN ID – Provide a VLAN ID for this subinterface: enter a value between 1 and 4094. The
specified VLAN ID must not be in use on any connected device.
Some VLAN IDs might be reserved on connected switches; see the switch documentation for more
information. In multiple-context mode, you can only set the VLAN ID in the system configuration.
4. Subinterface ID – Provide an integer between 1 and 4294967293 as the Subinterface ID. The
number of subinterfaces allowed depends on your platform.
For subinterface port identification, this ID is appended to the chosen Hardware Port. For example,
GigabitEthernet0.4 represents the subinterface assigned an ID of 4, operating on the port
GigabitEthernet0.
Note You cannot change the Subinterface ID after you set it.
5. Continue configuring this interface, as described in Add/Edit Interface Dialog Box (PIX
7.0+/ASA/FWSM), page 45-19.
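As an added example (not Security Manager code), the following Python script checks a planned set of subinterfaces against the constraints described in the steps above: the parent hardware port must be defined and enabled, the VLAN ID must be 1 to 4094, the Subinterface ID must be 1 to 4294967293, and a named physical interface is flagged because it will also pass untagged packets. The input dictionaries are a constructed stand-in for the dialog fields, and the per-port VLAN uniqueness check is an assumption added here.

```python
# Added example (not Security Manager code): lint a planned set of subinterfaces
# against the constraints stated above. The input dicts are a constructed stand-in
# for the Add/Edit Interface dialog fields, not a real Security Manager format.
MAX_VLAN_ID = 4094          # VLAN ID must be between 1 and 4094
MAX_SUBIF_ID = 4294967293   # Subinterface ID must be between 1 and 4294967293

def subinterface_port_id(hardware_port, subif_id):
    """Port identification: the Subinterface ID is appended to the hardware port."""
    return f"{hardware_port}.{subif_id}"

def validate_subinterfaces(hardware_ports, subinterfaces):
    """Return (port_id, severity, message) findings; an empty list means the plan passes.
    hardware_ports: {port_name: {"enabled": bool, "named": bool}}
    subinterfaces:  [{"port": str, "vlan_id": int, "subif_id": int}, ...]"""
    findings = []
    vlans_on_port = {}  # (port, vlan_id) -> port_id; assumption: VLAN IDs unique per hardware port
    for sub in subinterfaces:
        port_id = subinterface_port_id(sub["port"], sub["subif_id"])
        parent = hardware_ports.get(sub["port"])
        if parent is None:
            findings.append((port_id, "error", "hardware port is not defined"))
        elif not parent["enabled"]:
            findings.append((port_id, "error", "hardware port must be enabled for the subinterface to pass traffic"))
        elif parent["named"]:
            # A named physical interface also passes untagged packets; flag it so the operator
            # confirms that is intended rather than an accidental hole in the VLAN separation.
            findings.append((port_id, "warning", "hardware port is named and will pass untagged packets"))
        if not 1 <= sub["vlan_id"] <= MAX_VLAN_ID:
            findings.append((port_id, "error", f"VLAN ID {sub['vlan_id']} is outside 1-{MAX_VLAN_ID}"))
        if not 1 <= sub["subif_id"] <= MAX_SUBIF_ID:
            findings.append((port_id, "error", f"Subinterface ID {sub['subif_id']} is outside 1-{MAX_SUBIF_ID}"))
        key = (sub["port"], sub["vlan_id"])
        if key in vlans_on_port:
            findings.append((port_id, "error", f"VLAN ID {sub['vlan_id']} is already used by {vlans_on_port[key]}"))
        vlans_on_port.setdefault(key, port_id)
    return findings

# Constructed sample plan: one clean subinterface plus deliberate mistakes.
SAMPLE_PORTS = {
    "GigabitEthernet0": {"enabled": True, "named": False},
    "GigabitEthernet1": {"enabled": True, "named": True},
    "GigabitEthernet2": {"enabled": False, "named": False},
}
SAMPLE_SUBINTERFACES = [
    {"port": "GigabitEthernet0", "vlan_id": 4, "subif_id": 4},     # valid: GigabitEthernet0.4
    {"port": "GigabitEthernet0", "vlan_id": 4, "subif_id": 5},     # reuses VLAN 4 on the same port
    {"port": "GigabitEthernet1", "vlan_id": 10, "subif_id": 1},    # parent is named: untagged traffic
    {"port": "GigabitEthernet2", "vlan_id": 5000, "subif_id": 2},  # parent disabled, VLAN out of range
]
```

Running `validate_subinterfaces(SAMPLE_PORTS, SAMPLE_SUBINTERFACES)` on the sample plan reports one VLAN reuse, one untagged-traffic warning, and two errors for the disabled port.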
Configuring Redundant Interfaces
Beginning with Security Manager 3.2.2, you can define logical “redundant” interfaces to increase
security appliance reliability. A redundant interface is a specific pair of physical interfaces, with one
designated as active (or primary) and the other as standby (or secondary). If the active interface fails, the