Sub-If and Loopback

  • …where can I use these kinds of interfaces, or what is the main difference between a sub-if and a loopback interface?


  • Thanks for explanation.
    I have one more question about the NAT pools that you mentioned (and NAT will be gone “soon” with IPv6, thanks to God 🙂 ).

    OK, if some packet with a destination IP arrives on the loopback interface with the same (or a different) IP as the loopback interface, then the device can perform NATting?

  • Oldo has the definition right…

    I’ll only add that loopback interfaces are mainly used as management interfaces, and you can also use them for (mainly incoming) NAT pools. I’ve also got a config that uses loopback interfaces for redundant VPN links between two SSGs with a load balancer in between.

    e.g. with a remote SSG/NS, you set your SNMP & ping check management to look at a small subnet on the loopback interface, which will always stay up. If you point towards the “classic” trust interface, it will go down if the equipment on site is removed. Makes troubleshooting and management easier.

    Also you can use loopback interfaces for OSPF. Each OSPF device addresses itself in the OSPF routing table via its highest-numbered IP interface. As most firewalls have multiple IP addresses, it will just happen to pick the biggest number. So if you give each firewall a loopback address bigger than the rest of your ranges, you’ll have a nice neat routing table in which you can easily identify all the devices. (I’ve not done this in practice though.)
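As an added illustration of the OSPF point in the post above (example code written for this page, not from the thread, the poster, or Juniper), here is a small Python model of the router-ID rule the post describes: the numerically highest interface address wins. The topology is constructed; two firewalls follow the advice of putting the loopback above every other range, and a third does not, so its router ID comes from a LAN interface and is harder to map back to a device. The model deliberately ignores an explicitly configured router ID, which real devices honour before falling back to the automatic choice.

```python
"""Model the automatic OSPF router-ID choice described in the post above."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str            # "a.b.c.d/prefixlen"
    loopback: bool = False


def ospf_router_id(interfaces):
    """Router ID as the post states it: the numerically highest interface IP.

    Assumption of this model: no explicit router ID is configured, so the
    device falls back to its interface addresses.
    """
    if not interfaces:
        raise ValueError("a router needs at least one addressed interface")
    return str(max(ipaddress.ip_interface(i.address).ip for i in interfaces))


def router_ids(firewalls):
    """Map firewall name -> the router ID it would pick automatically."""
    return {name: ospf_router_id(ifs) for name, ifs in firewalls.items()}


def non_loopback_router_ids(firewalls):
    """Names of firewalls whose router ID did NOT come from a loopback.

    These are the devices that break the 'neat routing table': their ID is a
    transit or LAN address, so it changes if that interface is re-addressed.
    """
    leaked = []
    for name, ifs in firewalls.items():
        rid = ipaddress.ip_address(ospf_router_id(ifs))
        loops = {ipaddress.ip_interface(i.address).ip for i in ifs if i.loopback}
        if rid not in loops:
            leaked.append(name)
    return leaked


def owner_of(router_id, firewalls):
    """Identify the device behind a router ID seen in the OSPF table (or None)."""
    rid = ipaddress.ip_address(router_id)
    for name, ifs in firewalls.items():
        if any(ipaddress.ip_interface(i.address).ip == rid for i in ifs):
            return name
    return None


# Constructed sample topology (not from the thread). fw-a and fw-b keep their
# loopbacks in 192.168.255.0/24, above every other range they use; fw-c puts
# its loopback in a low range, so its highest address is a LAN interface.
FIREWALLS = {
    "fw-a": [Interface("ethernet0/0", "192.168.1.1/24"),
             Interface("ethernet0/1", "10.0.12.1/30"),
             Interface("loopback.1", "192.168.255.1/32", loopback=True)],
    "fw-b": [Interface("ethernet0/0", "192.168.2.1/24"),
             Interface("ethernet0/1", "10.0.12.2/30"),
             Interface("loopback.1", "192.168.255.2/32", loopback=True)],
    "fw-c": [Interface("ethernet0/0", "192.168.3.1/24"),
             Interface("ethernet0/1", "10.0.23.1/30"),
             Interface("loopback.1", "10.255.0.3/32", loopback=True)],
}

if __name__ == "__main__":
    for name, rid in router_ids(FIREWALLS).items():
        print(f"{name}: router ID {rid}")
    print("router ID not taken from a loopback:", non_loopback_router_ids(FIREWALLS))
    print("192.168.255.2 belongs to", owner_of("192.168.255.2", FIREWALLS))
```

Running it shows fw-a and fw-b with IDs 192.168.255.1 and 192.168.255.2 and fw-c with 192.168.3.1, which is exactly the case the post warns about: only the first two can be read straight off the routing table as "the loopback range, device 1 and 2".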

  • sub-if is a VLAN interface, i.e. a tagged interface. A loopback-if is a logical interface that is always up.