show interface ip brief
Displays a summary of all interfaces with their IP address and status, useful for quickly verifying interface configuration and connectivity.
Overview
The 'show interface ip brief' command is a quick and essential tool for any network engineer working with Cisco ASA Firewalls. It provides a snapshot of all interfaces, their IP addresses, and their operational status. This command is particularly useful during initial configuration, troubleshooting, and routine health checks. The ASA firewall, being a security appliance, often has multiple interfaces assigned to different security zones (inside, outside, DMZ). Using this command, you can quickly verify that each interface has the correct IP address and is in the expected state (up/up). The command is similar to the Cisco IOS 'show ip interface brief' but adapted for the ASA's interface naming and security context. In a troubleshooting workflow, this command is typically the first step when investigating connectivity issues: if an interface is down or has no IP, further diagnostics are needed. The output is concise, making it ideal for scripting and automation. Understanding the output fields—Interface, IP-Address, OK?, Method, Status, Protocol—is fundamental. The 'Status' column reflects the line protocol (Layer 1), while 'Protocol' indicates the data link layer (Layer 2). Both must be 'up' for the interface to pass traffic. Common issues include an interface being 'administratively down' (needs 'no shutdown'), 'down/down' (cable or hardware problem), or 'up/down' (encapsulation mismatch or keepalive failure). The 'Method' column shows how the IP was obtained: CONFIG for static, DHCP for dynamic, PPPoE for PPP over Ethernet, etc. The 'OK?' column is typically 'YES' for valid IPs; 'NO' indicates a problem such as a duplicate IP. This command is also useful for verifying that management interfaces (Management0/0) have the correct IP for out-of-band management. In summary, 'show interface ip brief' is a powerful, time-saving command that every ASA administrator should master.
show interface ip briefWhen to Use This Command
- Quickly verify which interfaces are up/up and have IP addresses assigned.
- Identify interfaces that are administratively down or have no IP address.
- Check the IP address assignment on multiple interfaces without detailed output.
- Troubleshoot connectivity issues by confirming interface status at a glance.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| No parameters | show interface ip brief | This command does not accept any parameters. It displays a summary of all interfaces. |
Command Examples
Basic output showing all interfaces
show interface ip briefInterface IP-Address OK? Method Status Protocol GigabitEthernet0/0 192.168.1.1 YES CONFIG up up GigabitEthernet0/1 10.0.0.1 YES CONFIG up up GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 172.16.0.1 YES CONFIG up up Management0/0 192.168.0.1 YES CONFIG up up
Each line shows an interface, its IP address (or 'unassigned'), whether the IP is valid (OK? column), method of assignment (CONFIG for static, DHCP, etc.), line protocol status (up/down), and overall interface status (up/down).
Interface with no IP address
show interface ip briefInterface IP-Address OK? Method Status Protocol GigabitEthernet0/0 192.168.1.1 YES CONFIG up up GigabitEthernet0/1 unassigned YES unset up up GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/1 is up/up but has no IP address (unassigned). This could be a layer 2 interface or a misconfiguration. GigabitEthernet0/2 is administratively down.
Understanding the Output
The output of 'show interface ip brief' on a Cisco ASA Firewall provides a concise view of each interface's IP address, status, and protocol condition. The 'Interface' column lists the interface name. 'IP-Address' shows the assigned IP address or 'unassigned' if none is configured. 'OK?' indicates whether the IP address is valid (YES) or not (NO). 'Method' shows how the IP was assigned: CONFIG for static, DHCP, PPPoE, etc. 'Status' reflects the line protocol state: 'up' means the interface is operational, 'administratively down' means it was manually disabled, and 'down' indicates a physical or lower-layer issue. 'Protocol' indicates the data link layer status: 'up' means the protocol is running, 'down' means there is a problem (e.g., no cable, mismatched encapsulation). Healthy values are 'up' in both Status and Protocol columns. Problem values include 'administratively down' (needs 'no shutdown'), 'down/down' (physical issue), or 'up/down' (protocol mismatch).
Configuration Scenarios
Verifying interface configuration after initial setup
After configuring interfaces on a new ASA, you want to confirm all are up and have correct IPs.
Topology
Internet --- [Outside: Gig0/0 1.1.1.1] --- ASA --- [Inside: Gig0/1 192.168.1.1] --- LAN
|--- [DMZ: Gig0/2 10.0.0.1] --- ServersSteps
- 1.Configure interfaces with IP addresses and security levels.
- 2.Issue 'show interface ip brief' to verify status.
- 3.Check that all interfaces show 'up' in both Status and Protocol.
! Example configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 1.1.1.1 255.255.255.0 no shutdown ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 no shutdown ! interface GigabitEthernet0/2 nameif dmz security-level 50 ip address 10.0.0.1 255.255.255.0 no shutdown
Verify: show interface ip brief should show all three interfaces with correct IPs and up/up status.
Watch out: If an interface shows 'administratively down', you forgot the 'no shutdown' command.
Troubleshooting with This Command
When troubleshooting connectivity issues on a Cisco ASA, 'show interface ip brief' is your first diagnostic command. Start by checking if the interface you expect to be active is listed as 'up/up'. If it shows 'administratively down', the interface has been shut down manually; use 'no shutdown' in interface configuration mode. If it shows 'down/down', there is a physical layer problem: check cables, transceivers, and the connected device. If it shows 'up/down', the line protocol is up but the data link protocol is down; this can be due to mismatched encapsulation (e.g., one side using PPP and the other HDLC), or a keepalive issue. On ASA, interfaces are typically Ethernet, so 'up/down' is rare but can occur with VLAN mismatches or if the interface is part of a redundant pair. Also verify the IP address: if the interface shows 'unassigned', no IP is configured; if the IP is incorrect, use 'ip address' to correct it. The 'OK?' column should be 'YES'; if 'NO', the IP is invalid (e.g., duplicate IP detected). The 'Method' column indicates how the IP was obtained: if it shows 'DHCP' but you expected static, check the interface configuration. For management access, ensure the Management0/0 interface (if present) has an IP and is up. In multi-context mode, the command shows interfaces for the current context. If you suspect a hardware issue, compare the output with 'show interface' for detailed counters. Remember that the ASA may have logical interfaces (subinterfaces, VLANs) that also appear in the output. Always correlate with 'show running-config interface' to see the full configuration. In summary, this command quickly narrows down whether the problem is Layer 1, Layer 2, or IP configuration.
CCNA Exam Tips
Remember that 'administratively down' means the interface is shut down; use 'no shutdown' to enable it.
On ASA, interfaces are often named GigabitEthernet0/0, etc., and Management0/0 is the dedicated management port.
The 'OK?' column is always 'YES' if the IP is valid; if 'NO', the IP is invalid or duplicate.
Common Mistakes
Confusing 'Status' with 'Protocol': Status is the line protocol (Layer 1), Protocol is the data link (Layer 2).
Forgetting that 'unassigned' means no IP is configured, which is normal for a layer 2 interface but not for a routed interface.
Assuming 'up/up' means the interface is passing traffic; it only indicates Layer 1 and Layer 2 are operational.
Platform Notes
On Cisco ASA Firewalls, the 'show interface ip brief' command is similar to the IOS 'show ip interface brief', but there are key differences. ASA interfaces are named differently (e.g., GigabitEthernet0/0, Management0/0) and may include VLAN interfaces (Vlan1) and redundant interfaces. The ASA also supports 'nameif' for security zone assignment, which is not shown in this command (use 'show interface' for that). In ASA version 9.x and later, the output format is consistent. Unlike IOS, the ASA does not support the 'brief' parameter for other show commands in the same way. For equivalent information on other platforms: on Cisco IOS, use 'show ip interface brief'; on NX-OS, use 'show ip interface brief'; on Juniper Junos, use 'show interfaces terse'. The ASA command does not show the 'method' column in older versions (pre-8.4), but modern versions include it. Also, the ASA may display 'unassigned' for interfaces without IP, while IOS shows 'unassigned' as well. When using multiple context mode, the command only shows interfaces in the current context. For the system context, it shows all interfaces. This command is also available in the ASDM graphical interface under Monitoring > Interfaces. Always ensure you are in the correct context when troubleshooting.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions