Courseiva
SecurityPrivileged EXEC

show port-security address

Displays the secure MAC addresses configured on all switch ports or a specific interface, used to verify port security address learning and aging.

Syntax·Privileged EXEC
show port-security address

When to Use This Command

  • Verify which MAC addresses have been learned on a port with port security enabled after connecting a new device.
  • Troubleshoot a port security violation by checking if the MAC address of an authorized device is present in the table.
  • Monitor the number of secure MAC addresses currently learned on an interface to ensure it does not exceed the maximum limit.
  • Confirm that sticky MAC addresses have been correctly saved to the running configuration.

Command Examples

Display all secure MAC addresses on the switch

show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0050.7966.6800    SecureDynamic                 Gi0/1        -
   1    0050.7966.6801    SecureSticky                  Gi0/2        -
  10    0050.7966.6802    SecureConfigured              Gi0/3        -
  10    0050.7966.6803    SecureDynamic                 Gi0/4       15
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 1024

Vlan: VLAN ID of the secure address. Mac Address: The learned or configured MAC address. Type: How the address was learned (SecureDynamic = dynamically learned, SecureSticky = sticky learning, SecureConfigured = manually configured). Ports: Interface where the address is secured. Remaining Age (mins): Time left before the address ages out (dash means no aging). Total/Max: System-wide counts.

Display secure MAC addresses for a specific interface

show port-security address interface gigabitEthernet 0/1
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0050.7966.6800    SecureDynamic                 Gi0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024

Filters output to show only addresses on Gi0/1. Useful for isolating a specific port's security status.

Understanding the Output

The output displays a table of secure MAC addresses learned on switch ports. The 'Vlan' column indicates the VLAN of the address. 'Mac Address' shows the 48-bit MAC in dotted-hex format. 'Type' reveals how the address was learned: SecureDynamic (dynamically learned and will age out), SecureSticky (dynamically learned but saved to config), or SecureConfigured (manually configured via switchport port-security mac-address). 'Ports' lists the interface. 'Remaining Age' shows minutes until the address ages out; a dash means aging is disabled (e.g., for sticky or configured addresses). The bottom lines show total system addresses and the maximum allowed. In a real network, you would check that expected MACs are present, that the count is below the maximum, and that no unauthorized MACs appear. A missing expected MAC could indicate a violation or misconfiguration.

CCNA Exam Tips

1.

CCNA exam may ask you to identify the type of secure MAC address based on output (Dynamic vs Sticky vs Configured).

2.

Remember that SecureSticky addresses appear in the running-config, while SecureDynamic do not.

3.

The 'Remaining Age' column is only populated for dynamically learned addresses; sticky and configured show a dash.

4.

Know that the maximum number of secure MAC addresses per port is configured with 'switchport port-security maximum'.

Common Mistakes

Confusing SecureSticky with SecureConfigured: Sticky addresses are learned dynamically and then saved, while Configured are manually entered.

Assuming all secure MAC addresses are saved to running-config: Only sticky and configured addresses are saved; dynamic ones are lost on reload.

Forgetting that the 'Remaining Age' field shows minutes, not seconds, and that a dash means no aging is configured.

Related Commands

show port-security

Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.

show port-security interface [intf]

Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions