
New Member

how to create trunk port with ASA 5520


We need to create multiple VLANs in the ASA 5520 DMZ; the DMZ switch is a Cisco 2960. How do we configure the ASA DMZ subinterface to the 2960 trunk port? Could you send an example?




Re: how to create trunk port with ASA 5520

Hi ,

You may create subinterfaces using the gi0/2 interface and connect this interface to the trunk port of the 2960. The physical port by itself will act as a trunk port and you don't need to configure this separately.

We need to keep in mind that if you have created subinterfaces and have not given any nameif command on the main physical interface, then this interface will only accept tagged packets. Thus packets from the native VLAN on the switch trunk will be dropped. If you need to pass these native VLAN packets also, you can give the nameif command on the main physical interface. So let's say you have the following:


interface gi0/2
 nameif dmz

interface gi0/2.1
 nameif dmz1
 vlan 10

interface gi0/2.2
 nameif dmz2
 vlan 20

So you need to connect the gi0/2 port to the trunk port of the 2960. The ASA would accept tagged packets for VLANs 10 and 20, and these will be sent to gi0/2.1 and gi0/2.2 respectively. Untagged packets will be sent directly to the physical interface, which would be part of the native VLAN.

Following link may be helpful:

Hope this helps.



New Member

Re: how to create trunk port with ASA 5520

Thanks Vibhor.

Do I still need to set up "encapsulation dot1Q vlan name" in the subinterface, or only set up dot1q on the switch side?



Re: how to create trunk port with ASA 5520

ASA/PIX by default only supports 802.1q encapsulation. However, on the switch side you need to configure the trunk for 802.1q encapsulation.



New Member

Re: how to create trunk port with ASA 5520

I know this is an old thread but this came up when I was searching for an answer to my question.

I have an ASA5510.

Below is Ethernet0/0 and its subinterfaces. The physical Ethernet 0/0 is connected to a Gig port on a 2950T that is set to trunk.

I'm not using the native VLAN, so is the ASA dropping the native VLAN? And can I change the 2950T from trunk to allowing VLANs?

My reason for wanting to do this is because I have a Barracuda WebFilter that is designed to be inline. In my case between the ASA and switch. The webfilter can handle vlan traffic but not trunked.

Thanks for any input.

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
interface Ethernet0/0.50
 vlan 50
 nameif Engineering
 security-level 80
 ip address
interface Ethernet0/0.100
 vlan 100
 nameif OfficeNet
 security-level 90
 ip address
interface Ethernet0/0.200
 vlan 200
 nameif Automation
 security-level 100
 ip address
interface Ethernet0/0.201
 vlan 201
 nameif Enco
 security-level 100
 ip address
interface Ethernet0/0.202
 vlan 202
 nameif Traffic
 security-level 95
 ip address
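
The rule discussed in this thread (a physical interface with subinterfaces and no nameif accepts only tagged frames, so native VLAN traffic is dropped) can be checked offline against a saved configuration. The script below is an added example, not part of any post in this thread; the function names, report fields and sample configuration are constructed for illustration.

```python
import re

# Constructed sample, modeled on the configurations posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 no nameif
interface Ethernet0/0.50
 vlan 50
 nameif Engineering
interface GigabitEthernet0/2
 nameif dmz
interface GigabitEthernet0/2.1
 vlan 10
 nameif dmz1
interface GigabitEthernet0/2.2
 nameif dmz2
"""

def parse_interfaces(config):
    """Return {interface name: {"nameif": str or None, "vlan": int or None}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), {"nameif": None, "vlan": None})
        elif current is None:
            continue  # global line before any interface stanza
        elif m := re.fullmatch(r"nameif\s+(\S+)", line):  # "no nameif" does not match
            current["nameif"] = m.group(1)
        elif m := re.fullmatch(r"vlan\s+(\d+)", line):
            current["vlan"] = int(m.group(1))
    return interfaces

def audit_trunks(config):
    """For each physical port with subinterfaces: VLAN map and untagged handling."""
    interfaces = parse_interfaces(config)
    report = {}
    for name, attrs in interfaces.items():
        parent, dot, _ = name.partition(".")
        if not dot:
            continue  # the physical interface itself, not a subinterface
        entry = report.setdefault(parent, {"vlans": {}, "no_vlan": []})
        # Parent nameif set: untagged frames land there. None: tagged frames only.
        entry["untagged_to"] = interfaces.get(parent, {}).get("nameif")
        if attrs["vlan"] is None:
            entry["no_vlan"].append(name)  # no 802.1Q tag is mapped to this one
        else:
            entry["vlans"][attrs["vlan"]] = attrs["nameif"]
    return report
```

Calling `audit_trunks(SAMPLE_CONFIG)` returns one entry per trunked physical port; an `untagged_to` of `None` means untagged (native VLAN) frames from the switch are dropped at the ASA.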