InterfacesPrivileged EXEC

show interface

Displays detailed status and statistics for all or specified interfaces on the Cisco ASA Firewall.

Overview

The 'show interface' command is a fundamental diagnostic tool on Cisco ASA Firewalls, providing a comprehensive view of interface status, configuration, and performance statistics. It is essential for verifying that interfaces are operational, correctly configured, and free from errors. The command displays both physical and logical interface information, including hardware details, IP addressing, and traffic counters. In the context of ASA, interfaces are the gateways for all traffic passing through the firewall, so understanding their health is critical for security and performance. Network engineers use this command during initial setup to confirm connectivity, during troubleshooting to isolate faults, and during monitoring to detect anomalies. The output is divided into sections: status line, hardware description, IP configuration, and counters. The status line indicates whether the interface is up or down at both physical and data link layers. The hardware line shows negotiated speed and duplex, which should match the connected device. The IP line confirms the assigned address. The counters section reveals packet counts and errors; high error rates often point to cabling issues, duplex mismatches, or faulty hardware. In ASA, this command also works for VLAN interfaces (subinterfaces) and management interfaces. It fits into a troubleshooting workflow: start with 'show interface' to check link status, then use 'show interface detail' for more granular statistics, and finally 'clear interface counters' to reset counters before further monitoring. The command is also used to verify interface configuration after changes, such as speed/duplex settings or IP address modifications. Overall, 'show interface' is the first line of defense in network troubleshooting on ASA.

Syntax·Privileged EXEC
show interface [interface_name] [detail | ip | mac | stats | flow | error | brief]

When to Use This Command

  • Verify interface link status and speed/duplex settings after a physical connection change.
  • Troubleshoot packet drops by checking input/output errors and queue statistics.
  • Monitor interface bandwidth utilization and packet rates during traffic spikes.
  • Confirm IP address assignment and MAC address for security audits.

Parameters

ParameterSyntaxDescription
interface_nameinterface_nameSpecifies a particular interface (e.g., GigabitEthernet0/0, Management0/0, or VLAN subinterface). If omitted, all interfaces are displayed.
detaildetailProvides extended information including packet drops, queue statistics, and flow control settings.
ipipDisplays only IP-related information for the interface, such as address, subnet mask, and broadcast address.
macmacShows the MAC address and its associated counters, useful for troubleshooting layer 2 issues.
statsstatsDisplays only the traffic statistics (packets, bytes, errors) without the status and configuration lines.
flowflowShows flow control statistics, including pause frames sent and received.
errorerrorDisplays only error counters, helping to quickly identify problematic interfaces.
briefbriefProvides a summary table of all interfaces with key fields: name, IP, status, protocol.

Command Examples

Basic Interface Status Check

show interface gigabitethernet0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 100 usec
        Full-Duplex, 1000 Mbps, Auto-Negotiation
        MAC address 0011.2233.4455, MTU 1500
        IP address 203.0.113.1, subnet mask 255.255.255.0
        5 packets input, 600 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
        10 packets output, 1200 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        Rx load average : 0.01, Tx load average : 0.02

Interface is up/up, full-duplex at 1 Gbps. IP and MAC are shown. Input/output counters show no errors, indicating healthy operation.

Brief Interface Summary

show interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.1     YES manual up                    up
GigabitEthernet0/1         10.0.0.1        YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES manual up                    up

Quick overview of all interfaces: IP, status, protocol. 'administratively down' indicates the interface is shut down.

Understanding the Output

The 'show interface' output begins with the interface name and status line: 'Interface [name] is up, line protocol is up' indicates the physical layer and data link layer are operational. 'up/down' means physical link is good but no carrier (e.g., no cable). 'administratively down' means the interface is shut down. The hardware line shows speed, duplex, and auto-negotiation settings. MAC address and MTU are critical for troubleshooting layer 2 issues. IP address and subnet mask confirm layer 3 configuration. Input/output counters: 'packets input/output' show total traffic; 'no buffer' indicates packet drops due to lack of memory; 'input errors' include CRC, frame, runts, giants—high values suggest cabling or duplex mismatch. 'output errors' and 'collisions' indicate layer 1/2 issues. 'Rx/Tx load average' is a 5-minute average of utilization (0.00 to 1.00). Healthy values: all error counters near zero, load averages below 0.50 for normal operation. Problem values: high input errors, CRC errors, or collisions indicate physical issues; high 'no buffer' suggests oversubscription; 'interface resets' may indicate flapping.

Configuration Scenarios

Verifying Interface Configuration After Initial Setup

A network engineer has just configured the outside interface of an ASA with IP 203.0.113.1/24 and needs to confirm it is operational.

Topology

[Internet] --- [ASA Gig0/0] --- [Internal Network]

Steps

  1. 1.Connect to the ASA via console or SSH.
  2. 2.Enter privileged EXEC mode.
  3. 3.Run 'show interface gigabitethernet0/0' to check status and IP.
  4. 4.Verify the interface is up/up and IP is correct.
Configuration
! Configuration snippet
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown

Verify: Use 'show interface gigabitethernet0/0' and confirm 'Interface GigabitEthernet0/0 "outside", is up, line protocol is up' and 'IP address 203.0.113.1'.

Watch out: If the interface shows 'administratively down', ensure 'no shutdown' is configured. If it shows 'up/down', check the cable and connected device.

Troubleshooting with This Command

When troubleshooting connectivity issues on a Cisco ASA, the 'show interface' command is the starting point. Begin by checking the interface status: if it shows 'administratively down', the interface is disabled via 'shutdown' command; enable it with 'no shutdown'. If it shows 'up/down', the physical link is active but the line protocol is down—this often indicates a missing cable, wrong cable type, or a connected device that is powered off or misconfigured. If both are 'up', examine the counters for errors. High 'input errors' or 'CRC' suggest cabling issues or duplex mismatch. For duplex mismatch, one side is full-duplex and the other half-duplex; symptoms include high CRC errors on the full-duplex side and collisions on the half-duplex side. Correct by setting both sides to the same duplex (preferably auto-negotiation). 'No buffer' drops indicate the interface is receiving more traffic than it can process; this may require upgrading hardware or implementing QoS. 'Output errors' and 'underruns' suggest the interface is unable to transmit fast enough, possibly due to congestion or a faulty cable. 'Interface resets' indicate the interface has been reset due to errors or administrative actions; frequent resets may point to hardware issues. Also check the 'Rx load average' and 'Tx load average'—values consistently above 0.70 indicate high utilization that could lead to performance degradation. For subinterfaces, ensure the parent interface is up. Use 'show interface detail' for deeper queue statistics. After making changes, clear counters with 'clear interface counters' to start fresh monitoring. In summary, systematic interpretation of 'show interface' output allows rapid identification of physical, configuration, or performance issues.

CCNA Exam Tips

1.

Remember that 'show interface' is the first command to check when troubleshooting connectivity; focus on the status line and error counters.

2.

For CCNP Security, know that ASA uses 'show interface ip brief' to see IP addresses quickly, similar to 'show ip interface brief' on IOS.

3.

Be able to interpret duplex mismatch symptoms: high CRC errors on one side and collisions on the other.

Common Mistakes

Confusing 'line protocol is up' with 'interface is up'—both must be up for connectivity.

Ignoring 'no buffer' drops, which indicate the interface is overwhelmed and packets are being dropped.

Assuming 'show interface' shows only physical interfaces; it also shows VLAN interfaces and subinterfaces.

Platform Notes

On Cisco ASA, the 'show interface' command behaves similarly to Cisco IOS but with some differences. ASA does not support all IOS interface subcommands; for example, 'show interface status' is not available—use 'show interface brief' instead. ASA also includes ASA-specific fields like 'nameif' and 'security-level' in the interface configuration, but these are not shown in 'show interface' output; use 'show running-config interface' to see them. The ASA supports physical interfaces, VLAN subinterfaces, and management interfaces. The 'Management0/0' interface is a dedicated management port that is not used for data traffic by default. In ASA version 9.x and later, the output format is consistent. For equivalent commands on other platforms: on Cisco IOS routers, 'show interfaces' is similar; on NX-OS, 'show interface' also works but with different formatting. On Palo Alto firewalls, 'show interface' provides similar information but with different syntax. On Juniper SRX, 'show interfaces terse' gives a brief summary. ASA also supports 'show interface ip brief' to quickly see IP addresses, which is analogous to 'show ip interface brief' on IOS. Note that ASA does not support 'show interface description'—use 'show running-config interface' to see descriptions. When upgrading ASA code, the output may vary slightly, but core fields remain the same.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions