switchport port-security mac-address [mac|sticky]
Configures a specific secure MAC address or enables sticky learning on a switchport for port security.
When to Use This Command
- Assign a known trusted device's MAC address to a port to prevent unauthorized access.
- Use sticky learning to dynamically learn and save MAC addresses of connected devices.
- Configure multiple secure MAC addresses on a trunk port for VoIP and data VLANs.
- Set a specific MAC address on a port connected to a server for enhanced security.
Command Examples
Configure a static secure MAC address
Switch(config-if)# switchport port-security mac-address 0050.7966.6800
This command assigns the MAC address 0050.7966.6800 as a secure address on the interface. No output is shown if successful; use 'show port-security interface' to verify.
Enable sticky MAC address learning
Switch(config-if)# switchport port-security mac-address sticky
Enables sticky learning: dynamically learned MAC addresses are saved to the running config. No immediate output; verify with 'show port-security interface' or 'show running-config'.
Understanding the Output
The command itself does not produce output. To verify, use 'show port-security interface <interface>'. The output includes fields like 'Secure Address' (list of allowed MACs), 'Maximum Addresses' (max count), 'Current Addresses' (count in use), 'Security Violation Count' (number of violations), and 'Security Action' (shutdown/restrict/protect). A good state shows zero violations and correct MAC count. A bad state shows violations >0 or port in errdisable. Watch for 'Sticky Address' entries if sticky learning is enabled.
CCNA Exam Tips
Remember that 'switchport port-security mac-address sticky' dynamically learns and saves MACs; they appear in running-config as 'switchport port-security mac-address sticky xxxx.xxxx.xxxx'.
The maximum number of secure MACs defaults to 1; use 'switchport port-security maximum <number>' to increase.
If a violation occurs and the action is shutdown, the port enters errdisable state; recover with 'shutdown' then 'no shutdown' or configure errdisable recovery.
Sticky MAC addresses are not saved to startup-config unless you copy running-config to startup-config.
Common Mistakes
Forgetting to enable port security globally with 'switchport port-security' before configuring MAC addresses.
Setting a static MAC address that does not match the connected device, causing a violation and port shutdown.
Not increasing the maximum MAC count when using sticky learning on a trunk port, leading to violations.
Assuming sticky MAC addresses persist across reloads without saving the configuration.
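An added example, not part of the original page: a Python check that reads IOS configuration text and flags three of the mistakes listed above (options set without the bare 'switchport port-security' line, maximum left at 1 where several devices are expected, sticky entries missing from startup-config). The sample configs, the finding labels, and the rule that a trunk or voice-VLAN port at the default maximum is suspect are assumptions of this example.

```python
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
STICKY = re.compile(rf"switchport port-security mac-address sticky ({MAC})")
MAXIMUM = re.compile(r"switchport port-security maximum (\d+)")

def parse(config):
    """Map interface name -> port-security facts read from IOS config text."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ports.setdefault(line.split()[1], {"enabled": False,
                "options": False, "multi": False, "maximum": 1, "sticky": set()})
        elif cur is None or not raw.startswith(" "):
            cur = None  # "!" or a global command ends the interface block
        elif line == "switchport port-security":
            cur["enabled"] = True
        elif line.startswith(("switchport voice vlan", "switchport mode trunk")):
            cur["multi"] = True  # assumption: more than one MAC is expected here
        elif line.startswith("switchport port-security "):
            cur["options"] = True
            if m := MAXIMUM.fullmatch(line):
                cur["maximum"] = int(m.group(1))
            elif m := STICKY.match(line.lower()):
                cur["sticky"].add(m.group(1))
    return ports

def audit(running, startup):
    """Return (interface, finding) pairs for three of the mistakes above."""
    saved, out = parse(startup), []
    for name, p in parse(running).items():
        if p["options"] and not p["enabled"]:
            out.append((name, "not-enabled"))
        if p["enabled"] and p["multi"] and p["maximum"] == 1:
            out.append((name, "maximum-too-low"))
        if p["sticky"] - saved.get(name, {}).get("sticky", set()):
            out.append((name, "sticky-unsaved"))
    return out

# Constructed sample configs (not from the page).
RUNNING = """interface GigabitEthernet0/1
 switchport port-security maximum 2
interface GigabitEthernet0/2
 switchport voice vlan 20
 switchport port-security
 switchport port-security mac-address sticky 0050.7966.6800
"""
STARTUP = "interface GigabitEthernet0/2\n switchport port-security\n"
```

Calling audit(RUNNING, STARTUP) reports Gi0/1 as not enabled and Gi0/2 as both at the default maximum and holding an unsaved sticky address.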
Related Commands
show port-security address
Displays the secure MAC addresses configured on all switch ports or a specific interface, used to verify port security address learning and aging.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.