show interfaces switchport
Displays the administrative and operational status of a switch port, including VLAN membership, trunking mode, and access VLAN, used to verify VLAN configuration and port security settings.
show interfaces switchportWhen to Use This Command
- Verify that a port is in the correct access VLAN after configuring a new VLAN.
- Check if a trunk port is using the correct native VLAN and allowed VLAN list.
- Troubleshoot why a host cannot communicate across VLANs by confirming port mode and VLAN assignment.
- Audit switch ports for security compliance, ensuring unused ports are in shutdown or access mode with a black-hole VLAN.
Command Examples
Verify Access Port VLAN Assignment
show interfaces switchportName: Fa0/1 Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: negotiate Operational Trunking Encapsulation: native Negotiation of Trunking: On Access Mode VLAN: 10 (VLAN0010) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative Private VLAN Host Association: none Administrative Private VLAN Mapping: none Administrative Private VLAN Trunk Native VLAN: none Administrative Private VLAN Trunk Native VLAN tagging: enabled Administrative Private VLAN Trunk Encapsulation: negotiate Administrative Private VLAN Trunk Normal VLANs: none Administrative Private VLAN Trunk Private VLANs: none Operational Private VLANs: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Unknown unicast blocked: false Unknown multicast blocked: false Appliance trust: none
Name: Fa0/1 — interface being examined. Switchport: Enabled — port is a Layer 2 switchport. Administrative Mode: static access — configured as access port. Operational Mode: static access — actually operating as access port. Access Mode VLAN: 10 (VLAN0010) — port is assigned to VLAN 10. Trunking Native Mode VLAN: 1 — native VLAN is default VLAN 1 (not used on access ports). Voice VLAN: none — no voice VLAN configured. Protected: false — port protection not enabled.
Verify Trunk Port Configuration
show interfaces GigabitEthernet0/1 switchportName: Gi0/1 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 99 (VLAN0099) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative Private VLAN Host Association: none Administrative Private VLAN Mapping: none Administrative Private VLAN Trunk Native VLAN: none Administrative Private VLAN Trunk Native VLAN tagging: enabled Administrative Private VLAN Trunk Encapsulation: negotiate Administrative Private VLAN Trunk Normal VLANs: none Administrative Private VLAN Trunk Private VLANs: none Operational Private VLANs: none Trunking VLANs Enabled: 10,20,30 Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Unknown unicast blocked: false Unknown multicast blocked: false Appliance trust: none
Administrative Mode: trunk — configured as trunk. Operational Mode: trunk — actually trunking. Administrative Trunking Encapsulation: dot1q — using 802.1Q. Trunking Native Mode VLAN: 99 — native VLAN is 99. Trunking VLANs Enabled: 10,20,30 — only VLANs 10, 20, 30 allowed on trunk. This output confirms the trunk is correctly configured with a non-default native VLAN and limited allowed VLANs.
Understanding the Output
The 'show interfaces switchport' command provides a detailed view of a switch port's Layer 2 configuration and operational state. Key fields include: 'Name' — the interface identifier; 'Switchport' — indicates if the port is a Layer 2 switchport (Enabled/Disabled); 'Administrative Mode' — the configured mode (access, trunk, dynamic desirable, dynamic auto); 'Operational Mode' — the actual mode negotiated (access or trunk); 'Access Mode VLAN' — the VLAN assigned to an access port; 'Trunking Native Mode VLAN' — the native VLAN on a trunk (should be changed from default VLAN 1 for security); 'Trunking VLANs Enabled' — list of VLANs allowed on the trunk (should be pruned to only necessary VLANs). For access ports, verify the Access Mode VLAN matches the intended user VLAN. For trunk ports, check that the native VLAN is not VLAN 1 and that only required VLANs are allowed. The 'Operational Mode' should match the 'Administrative Mode'; if not, there may be a DTP negotiation issue. Also watch for 'Protected: false' — if port security or private VLANs are expected, those fields will show relevant values. In a real network, this command is essential for troubleshooting VLAN connectivity and ensuring trunk ports are secure.
CCNA Exam Tips
CCNA exam may ask: 'Which command shows the operational mode of a switch port?' — answer: show interfaces switchport.
Know that 'Administrative Mode' is the configured setting, while 'Operational Mode' is what is actually running after DTP negotiation.
Be able to identify that a trunk port with 'Trunking VLANs Enabled: ALL' is a security risk; the exam may test best practice of limiting allowed VLANs.
Remember that the native VLAN on a trunk should not be VLAN 1; the exam may present a scenario where changing the native VLAN to an unused VLAN improves security.
Common Mistakes
Confusing 'Access Mode VLAN' with 'Trunking Native Mode VLAN' — access VLAN is for access ports, native VLAN is for trunk ports.
Assuming 'Operational Mode' always matches 'Administrative Mode' — DTP misconfiguration can cause a port to operate in a different mode.
Forgetting that a trunk port with 'Trunking VLANs Enabled: ALL' allows all VLANs, which can lead to VLAN hopping attacks if not pruned.
Related Commands
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
show vlan
Displays the current VLAN configuration on the switch, including VLAN IDs, names, status, and ports assigned to each VLAN, used to verify VLAN creation and port assignments.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions