Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Main Interface and Sub Interface

Hello,

I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?

!

interface GigabitEthernet1/0

nameif Trunk

security-level 100

no ip address

!

interface GigabitEthernet1/0.100

vlan 100

nameif VLAN100

security-level 100

ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2

!

interface GigabitEthernet1/0.101

vlan 101

nameif VLAN101

security-level 90

ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2

!

interface GigabitEthernet1/0.102

vlan 102

nameif VLAN102

security-level 80

ip address 192.168.102.1 255.255.255.0 standby 192.168.102.2

!

Thanks Steve

1 REPLY

Re: Main Interface and Sub Interface

You're right about the main interface.

If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Hope that helps

130
Views
0
Helpful
1
Replies
CreatePlease login to create content