show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show port-security
When to Use This Command
- Check if port security is enabled on a specific interface and view the current secure MAC addresses.
- Verify the maximum number of secure MAC addresses allowed and the violation mode configured.
- Identify interfaces where security violations have occurred and the action taken.
- Monitor sticky MAC address learning and aging status.
Command Examples
Basic show port-security output
show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
--------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              5            3                  2         Restrict
      Gi0/3              2            2                  1          Protect
--------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 6
Max Addresses limit in System (excluding one mac per port) : 1024
The output lists each secure port with its configured maximum secure addresses, current count of learned addresses, number of security violations, and the violation action (Shutdown, Restrict, or Protect). The summary shows total addresses in the system and the system-wide limit.
Show port-security for a specific interface
show port-security interface gigabitEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6800:10
Security Violation Count   : 0
Shows detailed port security settings for a single interface: whether it's enabled, port status (Secure-up means no violation), violation mode, aging parameters, maximum and current MAC counts, configured vs sticky addresses, last source MAC and VLAN, and violation count.
Understanding the Output
The 'show port-security' command output is a table listing all interfaces with port security enabled. Key columns:
- Secure Port: interface name
- MaxSecureAddr: maximum allowed MAC addresses
- CurrentAddr: number of learned MACs
- SecurityViolation: count of violations since last reset
- Security Action: Shutdown, Restrict, or Protect
A high violation count indicates a security issue (e.g., unauthorized device). The summary line shows total addresses in the system and the system-wide maximum. For interface-specific output, additional fields like Aging Time, Aging Type, Sticky MAC Addresses, and Last Source Address help in detailed troubleshooting. A port status of 'Secure-down' or 'Secure-shutdown' indicates a violation has occurred. Watch for 'Security Violation Count' > 0, which means an unauthorized MAC tried to access the port.
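The table described above can be checked automatically. The following Python is an added example, not part of the original page: it parses the summary output from the basic example and flags ports with a non-zero violation count. The function names and the "secure MAC table full" rule (CurrentAddr has reached MaxSecureAddr) are assumptions made for illustration.

```python
import re

# Sample text is the summary table shown in the page's basic example.
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
--------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              5            3                  2         Restrict
      Gi0/3              2            2                  1          Protect
--------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 6
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# ROW matches one data row; TOTALS matches the two system-wide summary lines.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
TOTALS = re.compile(r"^(Total Addresses|Max Addresses limit) in System.*:\s*(\d+)\s*$")

def parse_port_security(text):
    """Return (ports, totals) parsed from 'show port-security' summary output."""
    ports, totals = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({"port": m[1], "max": int(m[2]), "current": int(m[3]),
                          "violations": int(m[4]), "action": m[5]})
            continue
        m = TOTALS.match(line)
        if m:
            totals["total" if m[1].startswith("Total") else "limit"] = int(m[2])
    return ports, totals

def findings(ports):
    """Flag ports worth reviewing (hypothetical triage rules, not Cisco's)."""
    out = []
    for p in ports:
        if p["violations"] > 0:
            note = f"{p['violations']} violation(s), action {p['action']}"
            if p["action"] == "Shutdown":
                note += "; check for errdisable"
            out.append((p["port"], note))
        if p["current"] >= p["max"]:
            out.append((p["port"], "secure MAC table full"))
    return out

if __name__ == "__main__":
    for port, note in findings(parse_port_security(SAMPLE)[0]):
        print(f"{port}: {note}")
```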
CCNA Exam Tips
The CCNA exam may ask which violation mode (Shutdown, Restrict, Protect) disables the port vs. drops traffic but keeps the port up.
Remember that 'Sticky MAC' addresses are dynamically learned and added to the running config; they survive a reload only if saved.
The 'show port-security' command shows only interfaces with port security enabled; if no output, port security is not configured.
Know that 'Security Violation Count' increments for each violation; the port may be in errdisable state if action is Shutdown.
Common Mistakes
Mistake 1: Forgetting that 'Shutdown' mode puts the port in errdisable state; you must manually re-enable it or configure errdisable recovery.
Mistake 2: Assuming 'show port-security' shows all interfaces; it only shows those with port security enabled.
Mistake 3: Confusing 'Sticky MAC' with 'Secure MAC'; sticky MACs are saved in config, secure MACs are not unless sticky is configured.
Related Commands
show port-security address
Displays the secure MAC addresses configured on all switch ports or a specific interface, used to verify port security address learning and aging.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.