security-level [0-100]
Sets the security level for an interface, determining traffic flow permissions between interfaces.
Overview
The 'security-level' command on Cisco ASA Firewall assigns a numeric trust value (0-100) to an interface, defining the default traffic flow behavior. The ASA uses a security-centric model where traffic from a higher security level to a lower security level is allowed by default, while traffic from lower to higher is blocked unless explicitly permitted by an access control list (ACL). This concept is fundamental to the ASA's stateful firewall operation. The command is configured in interface configuration mode and is mandatory for each interface that will pass traffic. Without a security level, the interface cannot forward packets. The security level does not affect traffic within the same interface. It is a key differentiator from traditional routers and is used to simplify policy creation. In troubleshooting, verifying security levels helps identify why traffic is being blocked unexpectedly. For example, if an inside host cannot reach the internet, check that the inside interface has a higher security level than the outside interface. The command is platform-specific to Cisco ASA and is not used on IOS routers. It is a simple but powerful tool for defining trust zones.
When to Use This Command
- Assigning a higher security level to an inside interface (e.g., 100) to allow outbound traffic without inspection.
- Setting a lower security level (e.g., 0) on an outside interface to restrict inbound traffic.
- Configuring a DMZ interface with an intermediate security level (e.g., 50) for controlled access.
- Adjusting security levels to enforce specific traffic flows between multiple interfaces.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| 0-100 | 0-100 | An integer between 0 and 100 representing the security level. Higher values indicate more trust. 0 is typically used for outside interfaces, 100 for inside, and intermediate values for DMZ. |
Command Examples
Setting inside interface security level to 100
interface gigabitethernet0/0
security-level 100
The command sets the security level of GigabitEthernet0/0 to 100, indicating it is the most trusted interface.
Setting outside interface security level to 0
interface gigabitethernet0/1
security-level 0
The command sets the security level of GigabitEthernet0/1 to 0, indicating it is the least trusted interface.
Understanding the Output
The 'security-level' command does not produce output when configured; it is a configuration command. To verify the security level, use 'show running-config interface' or 'show interface'. In the running config, you will see lines like 'security-level 100' under the interface configuration. A healthy configuration shows the intended security level; a problem would be a missing or incorrect security level, which could cause unexpected traffic flow behavior.
Configuration Scenarios
Basic Inside-Outside Setup
A typical home office ASA with one inside and one outside interface.
Topology
Internet --- [G0/1 (outside, sec 0)] ASA [G0/0 (inside, sec 100)] --- LAN
Steps
1. Enter global configuration mode.
2. Select the inside interface: interface gigabitethernet0/0
3. Assign security level: security-level 100
4. Select the outside interface: interface gigabitethernet0/1
5. Assign security level: security-level 0
interface gigabitethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface gigabitethernet0/1
 nameif outside
 security-level 0
 ip address dhcp
Verify: Use 'show running-config interface' to verify security levels. Use 'ping' from inside to outside to test connectivity.
Watch out: If the security levels are reversed, inside hosts will not be able to access the internet without explicit ACLs.
Troubleshooting with This Command
When troubleshooting traffic flow issues on a Cisco ASA, the security level is often the first thing to check. Use 'show running-config interface' to list all interfaces and their security levels. Ensure that the inside interface has a higher security level than the outside. If traffic from a higher security interface to a lower one is failing, check for ACLs that might be blocking it. If traffic from lower to higher is failing, verify that an ACL permits it. Also, check for NAT configurations that might interfere. The 'show interface' command can show interface status, but not security level. For a quick view, use 'show nameif' which displays interface names and security levels. Remember that security levels are only compared between interfaces; traffic within the same interface is not affected. If you have multiple interfaces with the same security level, traffic between them is blocked by default; you must use ACLs to permit it. This is a common misconfiguration. In summary, the security level is a simple but critical parameter that dictates the default traffic flow direction.
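The checks described above, worked through as an added Python example that is not part of the original page and is not Cisco's own code: it parses a constructed running-config snippet (the interface names, nameifs and addresses are made up for the example), answers whether traffic between two interfaces is permitted by default under the higher-to-lower rule, and flags the two audit findings a troubleshooter looks for first: an interface with no security level at all, and two interfaces that share the same level.

```python
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional

# Constructed sample of 'show running-config interface' output (not captured from a real ASA).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/4
 nameif lab
 ip address 10.0.0.1 255.255.255.0
!
"""


@dataclass
class Interface:
    name: str              # physical interface, e.g. GigabitEthernet0/0
    nameif: Optional[str]  # logical name from 'nameif', if any
    level: Optional[int]   # value from 'security-level', None if not configured


def parse_interfaces(config: str) -> List[Interface]:
    """Walk the config line by line and collect nameif and security-level per interface block."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:  # a new interface block starts; later lines belong to it
            current = Interface(name=m.group(1), nameif=None, level=None)
            interfaces.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"nameif\s+(\S+)$", line)
        if m:
            current.nameif = m.group(1)
            continue
        m = re.match(r"security-level\s+(\d+)$", line)
        if m:
            current.level = int(m.group(1))
    return interfaces


def default_flow(src: Interface, dst: Interface) -> str:
    """Default behaviour with no ACL applied: higher-to-lower is permitted,
    lower-to-higher is denied, and equal levels are reported separately.
    An interface with no security level cannot forward packets at all."""
    if src.level is None or dst.level is None:
        return "deny"
    if src.level > dst.level:
        return "permit"
    if src.level < dst.level:
        return "deny"
    return "same-level"


def audit(interfaces: List[Interface]) -> List[str]:
    """Return human-readable findings for the two common misconfigurations."""
    findings: List[str] = []
    for i in interfaces:
        if i.level is None:
            findings.append(f"{i.name} ({i.nameif or 'no nameif'}): missing security-level, "
                            "interface will not pass traffic")
        elif not 0 <= i.level <= 100:
            findings.append(f"{i.name}: security-level {i.level} is outside 0-100")
    configured = [i for i in interfaces if i.level is not None]
    for a, b in combinations(configured, 2):
        if a.level == b.level:
            findings.append(f"{a.nameif} and {b.nameif} share security-level {a.level}: "
                            "traffic between them is blocked by default")
    return findings


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    by_name = {i.nameif: i for i in ifs}
    print("inside -> outside:", default_flow(by_name["inside"], by_name["outside"]))
    print("outside -> inside:", default_flow(by_name["outside"], by_name["inside"]))
    for finding in audit(ifs):
        print("FINDING:", finding)
```

Feed it the real output of 'show running-config interface' and the audit list is the first thing to read before looking at ACLs or NAT: a "deny" between the two interfaces in question means the flow needs an explicit ACL, while a missing or duplicate level explains the drop on its own.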
CCNA Exam Tips
Remember that traffic flows from higher to lower security levels by default without inspection.
Security levels are used in conjunction with ACLs; a higher security level does not automatically permit all traffic.
The security level range is 0-100, with 0 being the lowest (least trusted) and 100 the highest (most trusted).
Common Mistakes
Setting the same security level on two interfaces, which can cause asymmetric routing issues.
Forgetting to assign a security level, which prevents the interface from passing traffic.
Assuming a higher security level allows all inbound traffic; ACLs are still required for inbound traffic from lower to higher security levels.
Platform Notes
On Cisco ASA, the security-level command is mandatory for each interface that will pass traffic. This differs from Cisco IOS routers, which do not have security levels. In IOS, traffic flow is determined solely by routing and ACLs. On other firewall platforms like Palo Alto, zones are used instead of numeric levels. The ASA's security level is a unique concept that simplifies policy creation but can be confusing for those familiar with other platforms. In ASA version 8.3 and later, the security level behavior remains unchanged. Note that the security level does not affect management traffic (e.g., SSH, HTTPS) which is controlled by management-access commands. Also, the security level is not used in transparent firewall mode; in that mode, traffic is bridged and security levels are not applied. Always ensure that the security level is set correctly to avoid unexpected traffic drops.