Main Interface and Sub Interface

stevenmcnamara · ‎07-08-2008

Hello,

I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?

!

interface GigabitEthernet1/0

nameif Trunk

security-level 100

no ip address

!

interface GigabitEthernet1/0.100

vlan 100

nameif VLAN100

security-level 100

ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2

!

interface GigabitEthernet1/0.101

vlan 101

nameif VLAN101

security-level 90

ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2

!

interface GigabitEthernet1/0.102

vlan 102

nameif VLAN102

security-level 80

ip address 192.168.102.1 255.255.255.0 standby 192.168.102.2

!

Thanks Steve

Collin Clark · ‎07-09-2008

You're right about the main interface.

If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Hope that helps