7-4
Cisco ASDM User Guide
OL-16647-01
Chapter 7 Configuring Interfaces in Single Mode
Interface Overview
Maximum Subinterfaces
To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses.”
Preventing Untagged Packets on the Physical Interface
If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair. Because the physical or redundant interface must be enabled for the subinterface to pass traffic, ensure that the physical or redundant interface does not pass traffic by not naming it. If you want to let the physical or redundant interface pass untagged packets, you can configure the name command as usual.
Default State of Interfaces
Interfaces have the following default states:
• Physical interfaces—Disabled.
• Redundant interfaces—Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.
• Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.
Default Security Level
The default security level is 0. If you name an interface “inside” and you do not set the security level explicitly, then the security appliance sets the security level to 100.
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Enabling Same Security Level Communication (Single Mode)” section on page 7-8 for more information.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
If you enable communication between same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
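The two rules above that are easy to get wrong in a review, a named physical interface that also carries subinterfaces (it will pass untagged packets) and the default security level (100 for an interface named “inside”, 0 otherwise), can be checked mechanically against a running configuration. The following added example is not part of the guide or of Cisco's tooling; it parses a constructed ASA-style config excerpt, derives each interface's effective security level, flags named parents of subinterfaces, and models the implicit-permit decision between two levels.

```python
import re
# Constructed ASA-style running-config excerpt (sample input, not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
interface GigabitEthernet0/1
 nameif outside
 security-level 0
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface' stanza to its nameif and explicit security-level, if any."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"nameif": None, "level": None})
        elif cur and (m := re.match(r" nameif (\S+)", line)):
            cur["nameif"] = m[1]
        elif cur and (m := re.match(r" security-level (\d+)", line)):
            cur["level"] = int(m[1])
    return ifaces

def effective_level(iface: dict):
    """Default-level rule from the guide: no nameif -> no level; 'inside' -> 100; otherwise 0."""
    if iface["nameif"] is None:
        return None
    return iface["level"] if iface["level"] is not None else (100 if iface["nameif"] == "inside" else 0)

def implicit_permit(src_level: int, dst_level: int, same_security: bool = False) -> bool:
    """Implicit permit: higher -> lower is always open; equal levels only when same-security is enabled."""
    return src_level > dst_level or (same_security and src_level == dst_level)

def untagged_risk(ifaces: dict) -> list:
    """Physical interfaces that carry subinterfaces AND are named: they also pass untagged packets."""
    parents = {name.split(".")[0] for name in ifaces if "." in name}
    return sorted(p for p in parents if p in ifaces and ifaces[p]["nameif"] is not None)

if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for name, i in ifs.items():
        print(f"{name:24} nameif={i['nameif']} effective level={effective_level(i)}")
    print("named physical parents (will pass untagged traffic):", untagged_risk(ifs))
```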