The interface configuration on a Cisco ASA looks superficially like an IOS router, but two things are different and both matter. First, every data interface needs a nameif and a security-level before it can pass traffic. Second, the ASA does not run DTP, so an 802.1Q trunk to a switch is configured purely with subinterfaces and a tag-per-subinterface model. This article covers physical interfaces, subinterfaces, VLAN trunks to a Catalyst, and the configuration commands that quietly catch people coming from an IOS background.
This walkthrough uses the same lab as the rest of the cluster (see Cisco ASA: The Complete Reference). For a complete inside/outside/DMZ build that uses these interface commands end-to-end, see the inside/outside/DMZ walkthrough.
Anatomy of an ASA Interface
Every ASA data interface needs four things to be useful:
| Attribute | Command | What it controls |
|---|---|---|
| Logical name | nameif inside | The name every other feature (NAT, ACL, route, log) refers to. Without nameif, no feature can bind to the interface. |
| Security level | security-level 100 | 0-100 trust score. Drives implicit ACL behavior between zones. See security levels. |
| IP address | ip address 10.10.0.254 255.255.255.0 | L3 address (in routed mode). Standby IP added if failover is configured. |
| Operational state | no shutdown | Brings the interface up. ASA physical interfaces ship in shutdown by default; Catalyst switch ports do the opposite. |
Skip nameif and the interface might be physically up but the ASA refuses to use it for anything. Skip the security-level and nameif silently assigns one for you: 100 for an interface named inside, 0 for every other name, so an unstated level usually means the interface is treated as least trusted. Skip no shutdown and the interface stays administratively down, which catches everyone who expects interfaces to come up by themselves the way Catalyst switch ports do.
Basic Physical Interface (Routed Mode)
Here is the minimum-viable configuration for a routed inside interface, taken from the lab's ASA-PERIM:
ASA-PERIM(config)# interface GigabitEthernet0/1
ASA-PERIM(config-if)# description LAN-to-INSIDE-RTR
ASA-PERIM(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA-PERIM(config-if)# ip address 10.10.0.254 255.255.255.0
ASA-PERIM(config-if)# no shutdown
Notice that nameif inside automatically set security-level 100. The ASA assigns level 100 to an interface named exactly "inside" and level 0 to any other name, "outside" included. You can override either with an explicit security-level command, and for anything that is not literally inside or outside you should set it explicitly rather than inherit 0.
Verify with the standard show interface ip brief:
ASA-PERIM# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.2     YES manual up                    up
GigabitEthernet0/1         10.10.0.254     YES manual up                    up
GigabitEthernet0/2         192.168.50.1    YES manual up                    up
Management0/0              unassigned      YES unset  administratively down down
The "Status" column is the interface state: up, down (no link), or administratively down while the interface is still shut. The "Protocol" column is the line protocol, which is also where the ASA's logical view of the interface shows up. Both must read "up" for traffic to flow.
The Management Interface
Management0/0 (or whatever the platform calls it: Management0, management0/0, and so on) is special. It defaults to management-only, which means it cannot pass through-traffic: only traffic destined to or sourced from the ASA itself (SSH, SNMP, syslog, AAA, NTP) uses it.
ASA-PERIM(config)# interface Management0/0
ASA-PERIM(config-if)# nameif management
INFO: Security level for "management" set to 0 by default.
ASA-PERIM(config-if)# security-level 100
ASA-PERIM(config-if)# ip address 10.10.99.1 255.255.255.0
ASA-PERIM(config-if)# management-only
ASA-PERIM(config-if)# no shutdown
Two ASAv-specific quirks worth knowing about Management0/0 because we documented them in the failover articles:
- The ASAv platform refuses to use Management0/0 as the failover LAN interface: failover lan interface FAIL-LINK Management0/0 returns "Management interface cannot be configured as failover on this platform". Hardware ASA does not have this restriction. See Active/Standby failover.
- Management0/0 IS allowed as the stateful failover link on ASAv (failover link FAIL-LINK Management0/0), but you give up the ability to use it for management once you do.
Subinterfaces for 802.1Q Trunks
The ASA does not run DTP. There is no dynamic trunk negotiation. Instead, you create subinterfaces, each one tied to a single VLAN tag. The physical interface remains untagged (no nameif, no IP); each subinterface gets a name, security level, and IP.
This is the equivalent of a router-on-a-stick configuration, with the same physical wire-up: the ASA interface connects to a switch port configured as a trunk.
ASA Side
ASA-PERIM(config)# interface GigabitEthernet0/3
ASA-PERIM(config-if)# no shutdown
! No nameif, no IP. Parent interface is just a physical link.
!
ASA-PERIM(config)# interface GigabitEthernet0/3.10
ASA-PERIM(config-subif)# vlan 10
ASA-PERIM(config-subif)# nameif user-vlan
ASA-PERIM(config-subif)# security-level 80
ASA-PERIM(config-subif)# ip address 10.20.10.1 255.255.255.0
!
ASA-PERIM(config)# interface GigabitEthernet0/3.20
ASA-PERIM(config-subif)# vlan 20
ASA-PERIM(config-subif)# nameif voice-vlan
ASA-PERIM(config-subif)# security-level 80
ASA-PERIM(config-subif)# ip address 10.20.20.1 255.255.255.0
!
ASA-PERIM(config)# interface GigabitEthernet0/3.30
ASA-PERIM(config-subif)# vlan 30
ASA-PERIM(config-subif)# nameif guest-vlan
ASA-PERIM(config-subif)# security-level 50
ASA-PERIM(config-subif)# ip address 10.20.30.1 255.255.255.0
The numbering convention is parent.tag. Using Gi0/3.10 for VLAN 10 is not required (you could call it Gi0/3.99 and still tag VLAN 10), but matching the subinterface number to the VLAN tag is a strong operational convention. Future-you will thank present-you.
Catalyst Side
The matching switch port:
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# description trunk-to-ASA-PERIM-Gi0/3
SW1(config-if)# switchport
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1(config-if)# switchport nonegotiate
SW1(config-if)# spanning-tree portfast trunk
Order matters on one line: switchport trunk encapsulation dot1q goes before switchport mode trunk. Platforms that still support ISL reject the mode command while the encapsulation is left at auto; on dot1q-only platforms the encapsulation command does not exist and is simply omitted.
Why switchport nonegotiate? The ASA does not speak DTP, so a Catalyst port left in switchport mode trunk keeps sending DTP frames that nothing ever answers; nonegotiate stops them. The trunk works either way because the mode is static, but turning DTP off on every port is also standard hardening (DTP negotiation is what switch-spoofing VLAN hopping abuses), and the pruned allowed-VLAN list means the ASA only ever sees tags it has a subinterface for.
Native VLAN
The ASA has no native-VLAN keyword on a subinterface. Untagged frames arriving on the trunk belong to the parent physical interface: leave the parent unnamed, as in the examples above, and they are dropped, which is the safe default. To route the switch's native VLAN through the ASA you name the parent itself:
ASA-PERIM(config)# interface GigabitEthernet0/3
ASA-PERIM(config-if)# nameif native-vlan
ASA-PERIM(config-if)# security-level 100
ASA-PERIM(config-if)# ip address 10.20.99.1 255.255.255.0
The switch side has to agree on which VLAN travels untagged (switchport trunk native vlan 99, with 99 added to the allowed list). If the two ends disagree, the trunk still carries the tagged VLANs, but the two native VLANs bleed into each other, one direction each: frames from A's native VLAN arrive untagged at B and are delivered into B's native VLAN, and vice versa. Decide explicitly on every trunk which VLAN is untagged, make both ends agree, and keep that VLAN free of end hosts: a host on the native VLAN can double-tag frames (outer tag native, inner tag the target VLAN) and the first trunk strips the outer tag for free. If the ASA does not need untagged traffic at all, leaving the parent unnamed is the simplest hardening.
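To make the native-VLAN behaviour concrete, here is an added Python simulation of 802.1Q tagging at both ends of a trunk; it is not from this page or from Cisco. The frame layout is real 802.1Q, while the MAC addresses, the VLAN lists and the assumption that an access port accepts a tag matching its own VLAN are constructed for the demo. It goes one step beyond the section: besides the asymmetric leak of a native mismatch it shows the double-tag hop that a native VLAN shared with end hosts makes possible, and why moving the native VLAN to an unused ID stops it.

```python
"""802.1Q tagging at both ends of a trunk, including a native-VLAN mismatch and the
double-tag hop it enables. Added example, not from this page or Cisco; MACs, VLAN
lists and the access-port behaviour are constructed assumptions for the demo."""
import struct

ETH_P_8021Q = 0x8100          # TPID of an 802.1Q tag
ETH_P_IP = 0x0800
DST = bytes.fromhex("ffffffffffff")   # constructed addresses
SRC = bytes.fromhex("aabbcc000002")


def untagged_frame(payload=bytes(46)):
    """Minimum-size Ethernet II frame with no VLAN tag."""
    return DST + SRC + struct.pack("!H", ETH_P_IP) + payload


def add_tag(frame, vlan, pcp=0):
    """Insert an 802.1Q header right after the MAC addresses (it becomes the outermost tag)."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def outer_vlan(frame):
    """VLAN ID of the outermost tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame):
    """Remove the outermost 802.1Q tag if there is one."""
    return frame[:12] + frame[16:] if outer_vlan(frame) is not None else frame


def trunk_egress(frame, vlan, native, allowed):
    """Send a frame that belongs to `vlan` onto the trunk: the native VLAN leaves untagged,
    every other VLAN tagged, and anything outside the allowed list is pruned."""
    if vlan not in allowed:
        return None
    bare = strip_tag(frame)
    return bare if vlan == native else add_tag(bare, vlan)


def trunk_ingress(frame, native, allowed):
    """Classify a frame arriving from the trunk: untagged means the local native VLAN."""
    vlan = outer_vlan(frame)
    vlan = native if vlan is None else vlan
    return vlan if vlan in allowed else None


def cross_trunk(vlan, sender, receiver, frame=None):
    """Carry a frame in `vlan` from sender=(native, allowed) to receiver; return the VLAN it lands in."""
    wire = trunk_egress(untagged_frame() if frame is None else frame, vlan, *sender)
    return None if wire is None else trunk_ingress(wire, *receiver)


def double_tag_attack(access_vlan, trunk_native, allowed, target_vlan):
    """Attacker on an access port in access_vlan sends outer tag access_vlan, inner tag target_vlan.
    Assumption: the access port accepts a tag equal to its own VLAN (vendor behaviour varies)."""
    crafted = add_tag(add_tag(untagged_frame(), target_vlan), access_vlan)
    if outer_vlan(crafted) != access_vlan:
        return None
    trunk = (trunk_native, allowed)
    return cross_trunk(access_vlan, trunk, trunk, crafted)


if __name__ == "__main__":
    asa = (99, {10, 20, 30, 99})           # ASA end: untagged VLAN 99, three tagged VLANs
    switch_ok = (99, {10, 20, 30, 99})
    switch_bad = (1, {1, 10, 20, 30, 99})  # switch left at the default native VLAN 1
    print("matching natives, VLAN 99 lands in:", cross_trunk(99, asa, switch_ok))              # 99
    print("mismatch, ASA -> switch, VLAN 99 lands in:", cross_trunk(99, asa, switch_bad))       # 1
    print("mismatch, switch -> ASA, VLAN 99 lands in:", cross_trunk(99, switch_bad, asa))       # 99
    print("double tag via shared native 99 reaches VLAN:", double_tag_attack(99, 99, asa[1], 30))             # 30
    print("double tag with unused native 999 reaches VLAN:", double_tag_attack(99, 999, asa[1] | {999}, 30))  # 99
```

The mismatch case is the asymmetry the section describes: VLAN 99 sent from the ASA end lands in VLAN 1 on the switch, while VLAN 99 sent from the switch, which tags it because 99 is not the switch's native, arrives correctly. The double-tag case only works when the attacker's access VLAN equals the trunk's native VLAN; with the native moved to an unused ID the outer tag survives and the frame stays where it started.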
IP Addressing Options
Most interfaces get a static IP, but the ASA supports DHCP and PPPoE on the outside interface for situations where the upstream provider hands you an address dynamically.
| Method | Command | Use case |
|---|---|---|
| Static | ip address 10.10.0.254 255.255.255.0 | The default. Every inside, DMZ, or known-static outside. |
| Static + standby | ip address 10.10.0.254 255.255.255.0 standby 10.10.0.253 | Active/standby failover. Standby unit takes the standby IP. See failover. |
| DHCP | ip address dhcp setroute | Outside interface on a small business or branch ASA where the ISP hands out the IP. |
| PPPoE | pppoe client vpdn group ISP + ip address pppoe setroute | DSL or fiber providers that require PPPoE for authentication. |
The setroute keyword installs the default gateway learned from DHCP or PPPoE into the route table; without it, you get the IP but no default route, which is usually not what you want.
Speed, Duplex, and MTU
Defaults are usually right (speed auto, duplex auto, MTU 1500). Touch them only when you have a reason.
ASA-PERIM(config)# interface GigabitEthernet0/0
ASA-PERIM(config-if)# speed 1000
ASA-PERIM(config-if)# duplex full
ASA-PERIM(config-if)# exit
ASA-PERIM(config)# mtu outside 1500
One subtlety: mtu on the ASA is a global command keyed by nameif (mtu <nameif> <bytes>), not an interface-mode command, which is why the listing leaves interface mode before setting it. If you have a subinterface trunk with multiple nameifs, you set MTU once per nameif. Most environments leave the default 1500 alone unless they are running jumbo frames internally (jumbo-frame reservation is a separate global command that requires a reload to take effect).
Redundant Interfaces and EtherChannel
For physical resiliency below the failover layer, the ASA supports two grouping models:
- Redundant interface: an active/standby pair of physical interfaces presented as a single logical interface. Configured with interface Redundant N and member-interface commands. The ASA tracks the active member and switches to the standby on failure. Simple, no LACP.
- EtherChannel (port-channel): LACP or static aggregation of multiple physical interfaces into a single logical interface with multiplied bandwidth. Configured with interface Port-channel N and channel-group N mode {active|on} on the member interfaces. This is what most modern deployments use.
ASA-PERIM(config)# interface Port-channel1
ASA-PERIM(config-if)# nameif inside
ASA-PERIM(config-if)# security-level 100
ASA-PERIM(config-if)# ip address 10.10.0.254 255.255.255.0
ASA-PERIM(config-if)# no shutdown
!
ASA-PERIM(config)# interface GigabitEthernet0/4
ASA-PERIM(config-if)# channel-group 1 mode active
ASA-PERIM(config-if)# no shutdown
ASA-PERIM(config)# interface GigabitEthernet0/5
ASA-PERIM(config-if)# channel-group 1 mode active
ASA-PERIM(config-if)# no shutdown
The matching switch side runs the same LACP, with both members in channel-group N mode active (or on at both ends for a static bundle; mixing active on one side with on on the other leaves the bundle down). Member failure is detected by link state, so a dropped member leaves the bundle well before LACP's own timers expire.
Verification: What "Up" Actually Looks Like
show interface ip brief is the quick health check. show interface on a specific interface gives you everything: counters, last input/output, drops, error-disabled state, and the auto-negotiated speed/duplex. From the lab:
ASA-PERIM# show interface GigabitEthernet0/1 | include line protocol|Hardware|address|MTU|input rate|output rate
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82540EM rev03, BW 1000 Mbps, DLY 10 usec
MAC address aabb.cc00.4c10, MTU 1500
IP address 10.10.0.254, subnet mask 255.255.255.0
2 minute input rate 84 pkts/sec, 19872 bits/sec
2 minute output rate 79 pkts/sec, 47104 bits/sec
For a subinterface, the parent interface needs to be up before the subinterface can be up. If Gi0/3 is shutdown, every subinterface on it is also down regardless of its own admin state. Always check the parent first.
For VLAN trunk verification, a helpful one-liner:
ASA-PERIM# show interface | include line protocol|VLAN identifier
Interface GigabitEthernet0/3.10 "user-vlan", is up, line protocol is up
VLAN identifier 10
Interface GigabitEthernet0/3.20 "voice-vlan", is up, line protocol is up
VLAN identifier 20
Interface GigabitEthernet0/3.30 "guest-vlan", is up, line protocol is up
VLAN identifier 30
A subinterface inherits the parent's link state, so it shows up/up even when the switch is not allowing its tag on the trunk. An up/up subinterface whose input counters in show interface stay at zero almost always means switchport trunk allowed vlan on the Catalyst is missing the tag; the ASA cannot tell you that, only the switch side can.
Common Traps
Forgetting nameif. Without nameif, NAT, ACL, route, and almost every other config refuses to bind. The interface looks fine to show interface but is invisible to the policy plane.
Default-shutdown. Coming from a Catalyst, where ports come up on their own, you expect an interface to be up once it has an IP. ASA physical interfaces stay shutdown until you say no shutdown. Configuring an interface and forgetting no shutdown is the single most common "why won't this work" moment for new ASA admins.
Same security-level traffic. Two interfaces at the same security level cannot pass traffic between each other unless you explicitly allow it with same-security-traffic permit inter-interface. See the security levels article for the full rule set.
VLAN tag conflict in subinterfaces. Two subinterfaces on the same physical interface cannot share a VLAN tag; the CLI rejects the second vlan command with an error. Worth knowing because the error comes at vlan command time, after you have already created the subinterface, so an empty subinterface is left behind in the config.
Native VLAN mismatch. Worst kind of bug because half the traffic works. Decide explicitly on every trunk which VLAN travels untagged (switchport trunk native vlan on the Catalyst) and make both ends agree; on the ASA an unnamed parent drops untagged frames and a named parent routes them.
Key Takeaways
Every ASA data interface needs nameif, a security-level, an IP address, and no shutdown before it can pass traffic. Subinterfaces handle 802.1Q trunks (one tag per subinterface, each with its own nameif and security level) because the ASA does not run DTP. Match subinterface numbers to VLAN tags as a convention, and decide explicitly on both ends of every trunk which VLAN travels untagged.
For the next step in this cluster, see Cisco ASA Object Groups, which is what makes ACLs and NAT readable once you have multiple interfaces and multiple internal subnets to govern. The full reading order is on the Cisco ASA pillar.