7-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter7 Starting Interface Configuration (ASA 5505)
Starting ASA 5505 Interface Configuration
Detailed Steps
What to Do Next
Configure the switch ports. See the “Configuring and Enabling Switch Ports as Access Ports” section on
page 7-7 and the “Configuring and Enabling Switch Ports as Trunk Ports” section on page7-9.
Configuring and Enabling Switch Ports as Access Ports
By default (with no configuration), all switch ports are shut down, and assigned to VLAN 1. To assign
a switch port to a single VLAN, configure it as an access port. To create a trunk port to carry multiple
VLANs, see the “Configuring and Enabling Switch Ports as Trunk Ports” section on page7-9. If you
have a factory default configuration, see the “ASA 5505 Default Configuration” section on page2-11 to
check if you want to change the default interface settings according to this procedure.
For more information about ASA 5505 interfaces, see the “Information About ASA 5505 Interfaces”
section on page 7-1.
Command Purpose
Step1 interface vlan number
Example:
hostname(config)# interface vlan 100
Adds a VLAN interface, where the number is between 1 and 4090.
To remove this VLAN interface and all associated configuration,
enter the no interface vlan command. Because this interface also
includes the interface name configuration, and the name is used in
other commands, those commands are also removed.
Step2 (Optional for the Base license)
no forward interface vlan number
Example:
hostname(config-if)# no forward interface
vlan 101
Allows this interface to be the third VLAN by limiting it from
initiating contact to one other VLAN.
The number specifies the VLAN ID to which this VLAN interface
cannot initiate traffic.
With the Base license, you can only configure a third VLAN if
you use this command to limit it.
For example, you have one VLAN assigned to the outside for
Internet access, one VLAN assigned to an inside business
network, and a third VLAN assigned to your home network. The
home network does not need to access the business network, so
you can use the no forward interface command on the home
VLAN; the business network can access the home network, but
the home network cannot access the business network.
If you already have two VLAN interfaces configured with a
nameif command, be sure to enter the no forward interface
command before the nameif command on the third interface; the
ASA does not allow three fully functioning VLAN interfaces with
the Base license on the ASA 5505.
Note If you upgrade to the Security Plus license, you can
remove this command and achieve full functionality for
this interface. If you leave this command in place, this
interface continues to be limited even after upgrading.