Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Main Interface and Sub Interface


I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?


interface GigabitEthernet1/0

nameif Trunk

security-level 100

no ip address


interface GigabitEthernet1/0.100

vlan 100

nameif VLAN100

security-level 100

ip address standby


interface GigabitEthernet1/0.101

vlan 101

nameif VLAN101

security-level 90

ip address standby


interface GigabitEthernet1/0.102

vlan 102

nameif VLAN102

security-level 80

ip address standby


Thanks Steve


Re: Main Interface and Sub Interface

You're right about the main interface.

If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

Hope that helps

CreatePlease login to create content