
security-level [0-100]

Sets the security level for an interface, determining traffic flow permissions between interfaces.

Overview

The 'security-level' command on the Cisco ASA firewall assigns a numeric trust value (0-100) to a named interface and defines the default traffic flow behavior between interfaces. The ASA uses a simple trust model: a new connection from a higher security level to a lower security level is permitted by default (it is still tracked in the state table and subject to the inspection policy), while a connection from a lower security level to a higher one is denied unless an ACL applied to the lower-security interface explicitly permits it. Two interfaces with the same security level cannot exchange traffic at all until 'same-security-traffic permit inter-interface' is configured, and traffic that enters and leaves the same interface (hairpinning) requires 'same-security-traffic permit intra-interface'. This model is fundamental to the ASA's stateful firewall operation and is a key differentiator from traditional routers, which rely on routing and ACLs alone.

The command is entered in interface configuration mode. An interface passes no traffic until it has a name ('nameif'); when the name is assigned, the ASA applies a default security level of 100 if the name is 'inside' and 0 for any other name, so 'security-level' is normally entered explicitly right after 'nameif' to avoid leaving several interfaces at 0. The setting is specific to the Cisco ASA and is not used on IOS routers.

In troubleshooting, verifying security levels helps explain why traffic is being blocked unexpectedly. For example, if an inside host cannot reach the internet, check that the inside interface has a higher security level than the outside interface and that no ACL applied to the inside interface denies the traffic. It is a simple but powerful tool for defining trust zones.

Syntax (Interface Config)
security-level [0-100]

When to Use This Command

  • Assigning a higher security level to an inside interface (e.g., 100) so that connections initiated from the LAN toward lower-security interfaces are permitted by default, without an explicit ACL.
  • Setting the lowest security level (0) on the outside interface so that unsolicited inbound connections are denied unless an ACL applied to the outside interface permits them.
  • Configuring a DMZ interface with an intermediate security level (e.g., 50): by default the DMZ can be reached from inside and can reach the outside, but it cannot initiate connections to inside, and outside cannot reach it, without an ACL.
  • Adjusting security levels in multi-interface deployments to enforce the intended default flows between zones.

Parameters

Parameter   Syntax   Description
0-100       0-100    An integer between 0 and 100 representing the security level. Higher values indicate more trust. 0 is typically used for outside interfaces, 100 for inside, and intermediate values for DMZ interfaces.

Command Examples

Setting inside interface security level to 100

interface gigabitethernet0/0
 security-level 100

The command sets the security level of GigabitEthernet0/0 to 100, indicating it is the most trusted interface.

Setting outside interface security level to 0

interface gigabitethernet0/1
 security-level 0

The command sets the security level of GigabitEthernet0/1 to 0, indicating it is the least trusted interface.

Understanding the Output

The 'security-level' command produces no output when entered; it is a configuration command. To verify it, use 'show nameif', which lists every interface with its name and security level, or 'show running-config interface', where a line such as 'security-level 100' appears under the interface configuration. ('show interface' reports link state and counters but not the security level.) A healthy configuration shows the intended level on every named interface; a missing or incorrect level, or several interfaces left at the same level, causes unexpected traffic flow behavior.

Configuration Scenarios

Basic Inside-Outside Setup

A typical home office ASA with one inside and one outside interface.

Topology

Internet --- [G0/1 (outside, sec 0)] ASA [G0/0 (inside, sec 100)] --- LAN

Steps

  1. Enter global configuration mode.
  2. Select the inside interface: interface gigabitethernet0/0
  3. Name it and assign its security level: nameif inside, then security-level 100
  4. Select the outside interface: interface gigabitethernet0/1
  5. Name it and assign its security level: nameif outside, then security-level 0
Configuration
interface gigabitethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface gigabitethernet0/1
 nameif outside
 security-level 0
 ip address dhcp
 no shutdown

Verify: Use 'show nameif' or 'show running-config interface' to confirm the names and security levels. From a host on the LAN, open a TCP connection (for example, a web page) to an internet address; the inside-to-outside connection is permitted by default and the return traffic is allowed by the state table. Note that ping is only a reliable test if 'inspect icmp' is enabled in the policy map or an ACL on the outside interface permits echo replies; otherwise a failing ping with working TCP points at ICMP handling, not at the security levels.

Watch out: If the security levels are reversed, or if both interfaces are left at the default of 0, inside hosts will not be able to reach the internet without explicit ACLs (and, for equal levels, 'same-security-traffic permit inter-interface').

Troubleshooting with This Command

When troubleshooting traffic flow issues on a Cisco ASA, the security level is one of the first things to check. Use 'show nameif' for a quick listing of interface names and security levels, or 'show running-config interface' to see the full interface configuration; 'show interface' reports link status but not the security level. Confirm that the inside interface has a higher security level than the outside interface.

If traffic from a higher-security interface to a lower one is failing, look for an ACL applied to the higher-security interface: as soon as an ACL is applied to an interface, its implicit deny replaces the default permit. If traffic from a lower-security interface to a higher one is failing, verify that an ACL applied to the lower-security interface permits it, and check that a NAT rule exposes the destination. If two interfaces share the same security level, traffic between them is dropped until 'same-security-traffic permit inter-interface' is configured; an ACL alone does not help, and this is a common misconfiguration. Traffic that must enter and leave the same interface (for example, a remote-access VPN client reaching the internet through the outside interface) likewise needs 'same-security-traffic permit intra-interface'.

To see exactly where a flow is dropped, run 'packet-tracer', for example 'packet-tracer input inside tcp 192.168.1.10 12345 8.8.8.8 80'; its output walks through each phase (ACL, NAT, inspection, and so on) and names the one that dropped the packet. In summary, the security level is a simple but critical parameter that dictates the default traffic flow direction between interfaces.
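The default rules described in the overview, the three-zone (inside, DMZ, outside) layout from the scenarios, and the same-level and hairpin pitfalls from this troubleshooting section can be checked offline against a saved 'show running-config'. The script below is an added example written for this page, not Cisco code: it parses the interface blocks, applies the ASA's default verdict (higher-to-lower allowed, lower-to-higher needs an ACL, equal levels need 'same-security-traffic permit inter-interface', hairpin needs the intra-interface form), and reports misconfigurations. The configuration text inside it is constructed for the example, including a second DMZ that mistakenly shares level 50 and an interface with no 'nameif'; the modelled default of 100 for an interface named 'inside' and 0 for any other name reflects ASA behaviour but is applied here only when the parsed text lacks a 'security-level' line.

```python
"""Audit ASA interface security levels from a saved running-config.
Added example for this page, not Cisco code: it models the ASA's default
high-to-low rule and the same-security-traffic exceptions on constructed input."""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Constructed sample: the page's inside/outside pair, a DMZ at 50, a second DMZ
# that mistakenly shares level 50, an interface with no nameif, and no
# 'same-security-traffic' command in the global config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
!
interface GigabitEthernet0/4
 shutdown
!
"""

@dataclass
class Iface:
    name: str               # physical name, e.g. GigabitEthernet0/0
    nameif: Optional[str]   # logical name; None means it passes no traffic
    level: Optional[int]    # security level; set when nameif is configured

def parse_config(text):
    """Return (interfaces, flags); flags holds 'inter'/'intra' for each
    'same-security-traffic permit ...' line in the global config."""
    ifaces, flags, cur = [], set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = Iface(line.split(None, 1)[1], None, None)
            ifaces.append(cur)
        elif line.startswith(" ") and cur is not None:
            parts = line.split()
            if parts[0] == "nameif":
                cur.nameif = parts[1]
                if cur.level is None:   # ASA default: 100 for 'inside', else 0
                    cur.level = 100 if parts[1] == "inside" else 0
            elif parts[0] == "security-level":
                cur.level = int(parts[1])
        else:                           # '!' or a global command
            cur = None
            m = re.match(r"same-security-traffic permit (inter|intra)-interface", line)
            if m:
                flags.add(m.group(1))
    return ifaces, flags

def default_flow(src, dst, flags):
    """Default verdict for a new connection from src to dst, before any ACL."""
    if src.nameif == dst.nameif:        # hairpin: in and out the same interface
        return "allowed" if "intra" in flags else "needs same-security-traffic permit intra-interface"
    if src.level > dst.level:
        return "allowed"
    if src.level < dst.level:
        return "needs ACL on " + src.nameif
    return "allowed" if "inter" in flags else "needs same-security-traffic permit inter-interface"

def audit(ifaces, flags):
    """Findings a troubleshooter wants before reading ACLs."""
    findings = []
    named = [i for i in ifaces if i.nameif]
    for i in ifaces:
        if i.nameif is None:
            findings.append(f"{i.name}: no nameif, interface cannot pass traffic")
    for a, b in combinations(named, 2):
        if a.level == b.level and "inter" not in flags:
            findings.append(f"{a.nameif} and {b.nameif} share level {a.level}; traffic "
                            "between them is dropped without 'same-security-traffic permit inter-interface'")
    out = next((i for i in named if i.nameif == "outside"), None)
    for i in named:
        if out is not None and i is not out and i.level < out.level:
            findings.append(f"{i.nameif} ({i.level}) is not above outside ({out.level}); "
                            "outbound from it needs an ACL")
    return findings

if __name__ == "__main__":
    ifaces, flags = parse_config(SAMPLE_CONFIG)
    named = [i for i in ifaces if i.nameif]
    for s in named:
        for d in named:
            if s is not d:
                print(f"{s.nameif:>8} -> {d.nameif:<8} {default_flow(s, d, flags)}")
    for finding in audit(ifaces, flags):
        print("WARN", finding)
```

Run it as-is to see the full default-verdict matrix for the sample plus two warnings (the unnamed GigabitEthernet0/4 and the dmz/dmz2 pair). To audit a real device, paste the output of 'show running-config' into SAMPLE_CONFIG; the verdicts are the ASA's defaults only, so an "allowed" pair can still be blocked by an ACL applied to the source interface, and packet-tracer remains the authoritative check on the box itself.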

CCNA Exam Tips

1. Traffic flows from higher to lower security levels by default without an ACL; the ASA still tracks the connection statefully and applies its inspection policy.

2. Security levels work together with ACLs: a higher security level does not automatically permit all traffic, and once an ACL is applied to an interface, that ACL (with its implicit deny) decides what passes.

3. The security level range is 0-100, with 0 being the lowest (least trusted) and 100 the highest (most trusted).

Common Mistakes

Setting the same security level on two interfaces and expecting an ACL to open traffic between them; until 'same-security-traffic permit inter-interface' is configured, the ASA drops all traffic between same-level interfaces.

Leaving the security level at its default: every interface not named 'inside' defaults to 0, so two interfaces with other names (for example 'dmz' and 'outside') end up at the same level and cannot exchange traffic.

Assuming a higher security level allows all inbound traffic; an ACL applied to the lower-security interface is still required for connections initiated from a lower to a higher security level.

Platform Notes

On the Cisco ASA, every interface that passes traffic has a name and a security level; if 'security-level' is not entered explicitly, the ASA assigns 100 to an interface named 'inside' and 0 to any other name. Cisco IOS routers do not have security levels: in IOS, traffic flow is determined by routing and ACLs, and the IOS Zone-Based Firewall uses named zones and zone pairs instead. Other firewall platforms such as Palo Alto also use zones rather than numeric levels, so the ASA's ordered trust levels can be confusing for people coming from those products. The NAT redesign in ASA 8.3 did not change security-level behavior.

The security level governs through-the-box traffic. Management traffic to the ASA itself (SSH, ASDM over HTTPS, SNMP) is controlled by the corresponding 'ssh', 'http' and 'snmp-server' commands, which name the interface and the permitted source addresses, not by interface security levels or ACLs. In transparent firewall mode the bridge group member interfaces still carry names and security levels, and the same higher-to-lower default applies to IP traffic passing through the bridge; non-IP traffic is handled separately by EtherType ACLs. Always confirm that security levels are set as intended to avoid unexpected traffic drops.
