ASA VLAN trunking


I need to upgrade an existing ASA 5515 architecture and I have a couple of open questions.

The current setup is simple:
- 2 interfaces in standard mode with associated IPs (office/prod)
- 1 vpn on the office interface
- a couple ACLs on prod interface

The new requirement is to bring 3 additional VLANs on this ASA, while keeping the VPN in place.
I decided to turn the prod interface into vlan trunking mode and create sub-interfaces for each VLAN, including the initial prod one (hence 4 total).

My first question is, how to make the interface config change? I intend to do:
no nameif
no security-level
no ip address
no shut
and then create the 4 sub interfaces…

Second, will it affect in any way the current VPN (which is associated to the office interface, untouched here)? I assume no but I would like confirmation.

Third, I have read that dropping the interface will remove all associated ACLs. Does this mean that I will loose only the ACL associated to my prod interface with the access-group command? Or all ACLs, including the VPN one?

Last, I read about Inter-VLAN routing but I’m not sure if that applies to me. I intend to setup the core switch as
switchport mode trunk
switchport trunk allowed vlan 11,22,33,44
and each ASA sub-interface will have its IP.
My understanding is that the ASA will basically “route” traffic from one VLAN to the other under the ACLs’ conditions. So I do not understand commands like
static (interface1,interface2) netmask
that I have read on some other forums.
Did I miss anything? Do I need to define default routes/gateways for each sub interface?

Let me know your thoughts,


Hi Jeff,

Changing the interfaces as you described will work. Your end result will look like this:

interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address

interface GigabitEthernet1/1.10
 description CAMERAS
 vlan 10
 nameif CAMERAS
 security-level 100
 ip address 

interface GigabitEthernet1/1.20
 description DESKTOPS
 vlan 20
 nameif DESKTOPS
 security-level 100
 ip address

The output above is from an ASA I use here. Moving the configuration of the physical interface to a sub-interface is no problem.

When you remove the “nameif” from an interface then it will remove all commands where your name is used. Here’s an example:

ASA1(config)# sh run | incl access
access-list TEST extended permit ip any any 
access-group TEST in interface INSIDE

Above I have an access-list called TEST that is applied to my INSIDE interface. Once I remove it, the access-group command is gone:

ASA1(config)# interface GigabitEthernet 0/0
ASA1(config-if)# no nameif INSIDE

ASA1# sh run | incl access         
access-list TEST extended permit ip any any

The access-list is still there but it’s not active anymore. You might want to check your running-config to find commands that refer to your interface name(s) before removing anything.

The ASA will route from one interface to another. Just make sure your hosts are using the IP addresses on the sub-interfaces as their default gateway. The “static” command you refer to looks like a NAT command. That’s not required for inter-VLAN routing (unless you have a reason to use NAT for your LAN).


This is great, thanks.

I presume the best approach would be to make a backup of the running config before changing anything. I’ll look into that.